Securing Windows Server 2003 / MSSQL 2005
Hello all,

I come to all of you today because apparently someone is trying to sabotage our SQL Server and Windows Server 2003 because we are seen as somewhat of a competition. It appears the person has broken into our server without using RDP, but by CMD? I don't quite understand how someone could do so, as I am fairly new in the security department. I am usually creating programs and not securing my server because it simply isn't my forte, yet.

Anyhow, three questions:

1. Is there someone who could explain how someone can break into a server without means of brute forcing? The passwords for our users are 42 characters long, each randomly generated. We only use the SQL server on the server so there should be no other default threats unless it's defaulted by Windows Server 2003.

2. I want to create an IP Policy for Windows Server 2003 which would allow only people with certain IPs to be on the server without disrupting the incoming and outgoing traffic of SQL Server, is this possible? And I have seen one or two articles but I haven't exactly seen as to "How" to use IPSec but not in a situation that I am having.

3. Are there any defaulted security flaws for MSSQL2005 by which anyone could remotely access the server without being on the dedicated server? We do not use "sa", and the password for sa is unable to be brute forced. I was wondering if there is something I should look at in order to understand if it's properly working.

Note: If it affects anything, we use LogMeIn to log into our server instead of RDP. RDP is turned off as we thought that was the reason for people getting into our server; unfortunately we were wrong.

Note2: The people who have access to the server have NOT given out any password or information.

And please, be nice in helping me, I have been really miserable trying to figure out how to solve this and I want to avoid this from happening again. If anyone is able to help then please help.

Thankfully,
Charles
May 14th, 2010 11:33pm

> 1. Is there someone who could explain how someone can break into a server without means of brute forcing? The passwords for our users are 42 characters long, each randomly generated. We only use the SQL server on the server so there should be no other default threats unless it's defaulted by Windows Server 2003.

Any Domain Admin or local admin by default has complete access to your SQL Server. All of these accounts would need to be secured as well.

> 2. I want to create an IP Policy for Windows Server 2003 which would allow only people with certain IPs to be on the server without disrupting the incoming and outgoing traffic of SQL Server, is this possible? And I have seen one or two articles but I haven't exactly seen as to "How" to use IPSec but not in a situation that I am having.

It's possible, but not recommended. Also, solutions like these are better off done by dedicated firewalls and by people with experience... given your introduction you don't fit that mold. Turn it over to people that do. For you I would recommend implementing some auditing and finding the weak link in your armour first.

> 3. Are there any defaulted security flaws for MSSQL2005 by which anyone could remotely access the server without being on the dedicated server? We do not use "sa", and the password for sa is unable to be brute forced. I was wondering if there is something I should look at in order to understand if it's properly working.

No flaws; by design people can install the SQL Management Studio or issue commands via the SQL command line utilities.

FYI: Given your post, I think it's more likely you have bad security practices in place, and someone accessed it that wasn't supposed to, and/or you are completely mistaken about being hacked.
May 15th, 2010 12:39am
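
A starting point for the auditing suggested in the reply above, added here as an example and not part of either post: T-SQL for a SQL Server 2005 instance that lists every principal holding sysadmin (including the local Administrators group the reply refers to), reviews SQL logins, and pulls failed logins from the current error log. It assumes you can connect as a sysadmin and that login auditing is at its default setting of recording failed logins.

```sql
-- Added example (not from the thread). Run in a query window as a sysadmin.

-- 1. Every login or Windows group that is a member of the sysadmin role.
--    Each row is an account with complete control of the instance.
SELECT p.name        AS member_name,
       p.type_desc   AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       p.is_disabled,
       p.create_date,
       p.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Is the local Administrators group itself a login on this instance?
--    If it is and it appears in query 1, every local or domain admin on the
--    box is a SQL sysadmin, whatever the "sa" password is.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- 3. SQL-authenticated logins: which are enabled, and which are exempt from
--    the Windows password policy or from expiration.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked,
       create_date, modify_date
FROM sys.sql_logins
ORDER BY modify_date DESC;

-- 4. Logins created or changed most recently. An unfamiliar name or an
--    unexpected modify_date is worth following up.
SELECT TOP 20 name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
ORDER BY modify_date DESC;

-- 5. Failed login attempts recorded in the current SQL Server error log
--    (log 0, type 1 = SQL Server log). The client address is in the message text.
EXEC sp_readerrorlog 0, 1, 'Login failed';
```

Comparing the output of queries 1 and 2 against the list of people who are meant to administer the server shows whether the admin accounts mentioned in the reply are the exposure.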

This topic is archived. No further replies will be accepted.
