Thursday, July 5, 2012

Hacking Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Dedicated Admin Connection (DAC)

DESCRIPTION:
Microsoft SQL Server 2005/2008/2012 provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a normal SQL Server Database Engine connection. This feature requires pre-allocating dedicated resources during server startup, such as approximately 3.5 MB of additional memory. Because of this overhead, the DAC is disabled in SQL Server Express; it can be enabled by starting the SQL Server service with a trace flag. By default, the DAC is only available from a client on the server itself. To allow client applications on remote computers to use the DAC, set the remote admin connections option with sp_configure.

SQL Server listens for the DAC on TCP port 1434 if it is available, or on a TCP port dynamically assigned when the Database Engine starts. The error log records the port number the DAC is listening on. By default the DAC listener accepts connections only from the local machine. To activate remote administration connections, see the remote admin connections server configuration option below.

The following example enables the DAC from a remote computer.

sp_configure 'remote admin connections', 1;
GO
RECONFIGURE;
GO

EXAMPLE:
In this example, an administrator notices that server 172.16.x.x is not responding and wants to diagnose the problem. To do this, the administrator runs the sqlcmd command prompt utility and connects to server 172.16.x.x, using -A to request the DAC.

C:\Users\Win7>sqlcmd -A -S 172.16.x.x -U sa -P Bob$yourUncl3

RISK:
A DAC with remote admin connections permitted may allow an attacker to bypass access controls and logon triggers, perform brute force attacks against the sa and other sysadmin logins, or run unauthorized queries.

RECOMMENDATION:
Ensure DAC is configured per your Microsoft SQL Server Build and Hardening Documentation and Policies.

To determine the state of the DAC:

sp_configure 'remote admin connections'

0: Only local connections are allowed through the DAC (default).
1: Remote connections are allowed through the DAC.

DETERMINE IF DAC IS ENABLED AND AVAILABLE ON THE NETWORK:
Detecting a remotely reachable DAC listener with Nmap (TCP port 1434 open across the scanned range):

bash-3.2$ nmap 172.16.1-3.1-254 -p1434 -vv --open -Pn -n

Starting Nmap 5.51 ( http://nmap.org ) at 2012-06-28 09:56 PDT
Initiating Connect Scan at 09:56
Scanning 762 hosts [1 port/host]
Discovered open port 1434/tcp on 172.16.x.1
Discovered open port 1434/tcp on 172.16.x.2

MONITORING FOR ATTACKS AGAINST DAC:
Failed logons against the DAC appear in the Windows Application event log as Event ID 18456, with the connecting client address in the description:

Windows Event Log:

Event Type:    Failure Audit
Event Source:    MSSQLSERVER
Event Category:    (4)
Event ID:    18456
Date:        6/28/2012
Time:        10:08:18 AM
User:        N/A
Computer:    SQL01PRD
Description:
Login failed for user 'sa'. [CLIENT: 10.16.x.x]

Additional DAC-related messages (SQL Server message IDs) to monitor for:

17199

Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag %d. This is an informational message only. No user action is required.

17200

Changing the remote access settings for the Dedicated Admin Connection failed with error 0x%lx, status code 0x%lx.

17202

Dedicated admin connection support was established for listening remotely on port %d.

17810

Could not connect because the maximum number of '%ld' dedicated administrator connections already exists. Before a new connection can be made, the existing dedicated administrator connection must be dropped, either by logging off or ending the process.%.*ls
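The monitoring guidance above can be turned into a small log review. The following is an added example, not code from the original post: it parses constructed log lines written in the style of the SQL Server ERRORLOG (timestamp, source, message), recognises the DAC messages listed above (17199, 17200, 17202, 17810) and the 18456 "Login failed" lines with their [CLIENT: ...] address, and flags a client that accumulates repeated failed logons in a short window. The sample lines, the client addresses, the five-attempts-per-minute threshold and the log layout are all assumptions made for the example.

```python
"""Defender-side review of SQL Server log lines for DAC-related activity.

Added example; the log lines below are constructed to mirror the messages
listed in the post, not captured from a real server. The line layout is
assumed to follow the SQL Server ERRORLOG:  <yyyy-mm-dd hh:mm:ss.ff> <source> <message>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
DAC_REMOTE_RE = re.compile(
    r"Dedicated admin connection support was established for listening remotely on port (\d+)")

# Opening text of the DAC messages from the post, keyed by SQL Server message id.
DAC_MESSAGES = {
    17199: "Dedicated administrator connection support was not started",
    17200: "Changing the remote access settings for the Dedicated Admin Connection failed",
    17202: "Dedicated admin connection support was established for listening remotely",
    17810: "Could not connect because the maximum number of",
}

# Constructed sample log (hypothetical addresses and times).
SAMPLE_LOG = """\
2012-06-28 09:40:01.12 Server      Dedicated admin connection support was established for listening remotely on port 1434.
2012-06-28 10:08:10.00 Logon       Login failed for user 'sa'. [CLIENT: 10.16.7.45]
2012-06-28 10:08:12.00 Logon       Login failed for user 'sa'. [CLIENT: 10.16.7.45]
2012-06-28 10:08:15.00 Logon       Login failed for user 'sa'. [CLIENT: 10.16.7.45]
2012-06-28 10:08:18.00 Logon       Login failed for user 'sa'. [CLIENT: 10.16.7.45]
2012-06-28 10:08:20.00 Logon       Login failed for user 'sa'. [CLIENT: 10.16.7.45]
2012-06-28 10:30:00.00 Logon       Login failed for user 'reportsvc'. [CLIENT: 10.16.3.9]
2012-06-28 10:41:00.00 Server      Could not connect because the maximum number of '1' dedicated administrator connections already exists. Before a new connection can be made, the existing dedicated administrator connection must be dropped, either by logging off or ending the process.
"""


def parse_log(text):
    """Split ERRORLOG-style text into events with a datetime, source and message."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # continuation lines and noise are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append({"time": ts, "source": m.group(2), "message": m.group(3)})
    return events


def remote_dac_port(events):
    """Port from message 17202 if the DAC was opened to the network, else None."""
    for e in events:
        m = DAC_REMOTE_RE.search(e["message"])
        if m:
            return int(m.group(1))
    return None


def dac_message_ids(events):
    """Map each DAC message id from the post to the times it appeared."""
    seen = defaultdict(list)
    for e in events:
        for msg_id, prefix in DAC_MESSAGES.items():
            if e["message"].startswith(prefix):
                seen[msg_id].append(e["time"])
    return dict(seen)


def failed_logons_by_client(events):
    """Group 18456-style 'Login failed' lines by the client address in the message."""
    by_client = defaultdict(list)
    for e in events:
        m = CLIENT_RE.search(e["message"])
        if m:
            by_client[m.group(2)].append((e["time"], m.group(1)))
    return dict(by_client)


def brute_force_clients(events, threshold=5, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failed logons inside one sliding window."""
    flagged = []
    for client, attempts in failed_logons_by_client(events).items():
        times = sorted(t for t, _ in attempts)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(client)
                break
    return flagged


def dac_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Human-readable findings a SOC analyst would want from the log."""
    alerts = []
    port = remote_dac_port(events)
    if port is not None:
        alerts.append(f"DAC is listening remotely on TCP {port}; confirm this matches policy")
    ids = dac_message_ids(events)
    if 17810 in ids:
        alerts.append("message 17810: DAC slot already held; identify who holds the admin connection")
    if 17200 in ids:
        alerts.append("message 17200: changing the remote DAC setting failed; review configuration")
    for client in brute_force_clients(events, threshold, window):
        alerts.append(f"{client}: {threshold}+ failed logons within {window}; possible brute force")
    return alerts


if __name__ == "__main__":
    for alert in dac_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running the script over the constructed sample reports three findings: the DAC opened to the network on port 1434, the 17810 message showing the single DAC slot is already in use, and the client with five failed sa logons in ten seconds. Point parse_log at a real ERRORLOG and lower or raise the threshold to suit the environment.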
