一、身份鉴别(8.1.4.1)
1.1 登录账户与密码策略
-- 1. 查看所有SQL Server登录账户(SQL认证)
SELECT
name AS[登录名],
sid AS[安全标识],
create_date AS[创建时间],
modify_date AS[修改时间],
is_policy_checked AS[已检查密码策略],
is_expiration_checked AS[已检查密码过期],
is_disabled AS[是否禁用]
FROM sys.sql_logins
ORDERBY name;
-- 2. 查看所有服务器主体(包含Windows认证)
SELECT
name,
type_desc AS[类型],
is_disabled,
create_date,
modify_date,
default_database_name
FROM sys.server_principals
WHEREtypeIN('S','U','G','R')-- S=SQL用户, U=Windows用户, G=Windows组, R=角色
ORDERBY type_desc, name;
-- 3. 检查密码策略未启用的登录(高风险)
SELECT
name,
is_policy_checked,
is_expiration_checked,
CASE
WHEN is_policy_checked =0THEN'未启用密码策略'
WHEN is_expiration_checked =0THEN'未启用密码过期'
ELSE'合规'
ENDAS[状态]
FROM sys.sql_logins
WHERE is_policy_checked =0OR is_expiration_checked =0;
-- 4. 检查sa账户状态(必须禁用或强密码)
SELECT
name,
is_disabled,
is_policy_checked,
is_expiration_checked,
modify_date
FROM sys.sql_logins
WHERE name ='sa';
-- 5. 查看最近登录失败记录(需启用登录审计)
SELECT
login_time,
program_name,
client_net_address,
status_desc
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON s.session_id = c.session_id
LEFTJOIN sys.dm_exec_requests r ON s.session_id = r.session_id
WHERE s.status='sleeping'
ORDERBY s.login_time DESC;
1.2 密码复杂度与有效期
-- 6. 查看SQL Server密码策略配置(依赖Windows策略或SQL Server策略)
-- 检查是否强制实施密码策略
SELECT
SERVERPROPERTY('IsIntegratedSecurityOnly')AS[仅Windows认证],
SERVERPROPERTY('InstanceDefaultDataPath')AS[默认数据路径];
-- 7. 查看登录密码最后修改时间
SELECT
name,
modify_date AS[密码最后修改时间],
DATEDIFF(day, modify_date, GETDATE())AS[密码使用天数],
CASE
WHEN DATEDIFF(day, modify_date, GETDATE())>90THEN'建议更换'
ELSE'正常'
ENDAS[状态]
FROM sys.sql_logins
WHERE is_policy_checked =1;
-- 8. 检查空密码或弱密码登录(通过登录属性)
SELECT
name,
LOGINPROPERTY(name,'PasswordHash')AS[密码哈希],
LOGINPROPERTY(name,'PasswordLastSetTime')AS[密码设置时间],
LOGINPROPERTY(name,'BadPasswordCount')AS[错误密码次数],
LOGINPROPERTY(name,'BadPasswordTime')AS[最后错误时间],
LOGINPROPERTY(name,'HistoryLength')AS[历史密码长度],
LOGINPROPERTY(name,'LockoutTime')AS[锁定时间]
FROM sys.sql_logins
WHERE is_policy_checked =1;
1.3 登录失败处理与会话超时
-- 9. 查看当前被锁定的登录账户
SELECT
name,
LOGINPROPERTY(name,'IsLocked')AS[是否锁定],
LOGINPROPERTY(name,'LockoutTime')AS[锁定时间],
LOGINPROPERTY(name,'BadPasswordCount')AS[失败次数]
FROM sys.sql_logins
WHERE LOGINPROPERTY(name,'IsLocked')=1;
-- 10. 查看SQL Server高级配置(超时相关)
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'remote query timeout (s)';
EXEC sp_configure 'remote login timeout (s)';
EXEC sp_configure 'query wait (s)';
-- 11. 查看用户连接选项(空闲超时)
DBCC USEROPTIONS;
-- 12. 查看当前活动连接和空闲时间
SELECT
s.session_id,
s.login_name,
s.program_name,
s.login_time,
s.last_request_start_time,
s.last_request_end_time,
DATEDIFF(second, s.last_request_end_time, GETDATE())AS[空闲秒数],
c.client_net_address
FROM sys.dm_exec_sessions s
LEFTJOIN sys.dm_exec_connections c ON s.session_id = c.session_id
WHERE s.status='sleeping'
AND DATEDIFF(second, s.last_request_end_time, GETDATE())>600-- 空闲超过10分钟
ORDERBY[空闲秒数]DESC;