Common SQL Server Security Mistakes
Page 1
COMMON SECURITY MISTAKES
SQL Server Webcast
Michael K. Campbell
Page 2
Michael K. Campbell Independent Consultant
Former DBA and Database Developer
Author, Contributing Editor, and Presenter
Contact web: http://www.overachiever.net
email: [email protected]
twitter: AngryPets
Common Security Mistakes
Page 3
In this Webcast
Focus
Core SQL Server Security Concepts
Horror Stories (and how to avoid them)
Road Map
Session Overview
Page 4
Core SQL Server Security Concepts
File System / Data Files
Simultaneous Requests
SQL Server
SQL Server’s Job: PROXY REQUESTS to RESOURCES
• Transactional Safety
• Performance Optimizations
• Security
  • Authentication
  • Authorization
Page 5
SQL Server Authentication
Windows (i.e. SQL Hosting Environment)
SQL Server
LOGINS
SQL Server Managed Logins (usernames/passwords)
Windows Logins
(Trusted from OS)
Windows Security Principals / Logins (Users and Groups)
Page 6
SQL Server Authorization / Mapping
Windows (i.e. SQL Hosting Environment)
SQL Server
LOGINS
SQL Server Managed Logins (usernames/passwords)
Windows Logins
(Trusted from OS)
Windows Security Principals / Logins (Users and Groups)
Databases
DB Level: Users and Roles (Mapped to Logins)
DB Level: Users and Roles (Mapped to Logins)
Page 7
Core Security Concepts
Synopsis
Authorization:
Handled By SQL Server
Managed with Users and Roles
Authentication
Users are Validated via:
The OS (Integrated Authentication)
The OS AND SQL Server (Mixed-Mode Authentication)
Page 8
Attack Vectors
Threat Modeling / Threat Categories
STRIDE
Spoofing Identity
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Page 9
Common Mistakes / Areas of Focus
Repudiation
Escalation
Circumvention
http://failblog.org/2009/02/28/
Page 10
Repudiation
http://www.flickr.com/photos/miskan/7240060/ (Creative Commons)
Page 11
COMMON MISTAKE: Not Understanding Auditing
Examples
Bad Example: Overbearing Security Practices
Good Example: Banking
Negatives:
Waste of Security Attention/Effort
(Largely) Ignores Hackers
Makes Users Mistrust/Hate Security
Page 12
Auditing Options
Built-In Options:
SQL Server C2 Audit Mode (Deprecated)
SQL Server 2008 Auditing (Powerful/Versatile)
Triggers:
Audit Changes (not access) to Data
Ensure users are denied access to Audits/Logs
3rd Party Solutions:
Wide Variety of Solutions
Simple Auditing Solutions:
Sometimes Simple Solutions are Enough
Page 13
Simple Auditing Solutions
http://www.flickr.com/photos/lara604/2610313357/ (Creative Commons)
Page 14
Escalation
Page 15
SQL Injection
Comic by XKCD: http://xkcd.com/327/
Page 16
COMMON MISTAKE: Confusing Sprocs with Unicorns
Page 17
The Fix
Page 18
Applies To:
Services, Applications, Users
Horror Story:
Hospital
Cluster
Domain Admin
NULL SID
Solution:
The Principle of Least Privilege
COMMON MISTAKE: Excessive / Elevated Permissions
Page 19
Least Privilege: Service Accounts
Account Types
Local or Domain Accounts.
NEVER as LOCAL SYSTEM
Isolate Accounts (don’t re-use service accounts)
Locked Down:
Deny Rights to login, login via RDP, etc.
Never need to be Admins, Power Users, or even Users.
MINIMUM perms and rights only.
Don’t forget about Proxies and Credentials
Page 20
Demoting Existing Installations
SQL Server 2000
Rights and Permissions (Binaries and Data)
SQL Server 2005/2008/2008 R2
Use SQL Server Configuration Manager
Page 21
Troubleshooting / Execution
Troubleshooting:
Use Windows Event Logs.
SysInternals / Process Monitor.
Execution
Requires Reboot of SQL Server Service.
Plan Accordingly.
Monty Python: “Run Away! Run Away!”
The BADGER is an option.
Keep an Eye on Backups over next few days.
Page 22
Least Privilege: Applications
Applications Are Easy
Restrict to db_datareader/db_datawriter.
Explicitly Restrict to just Sprocs
Or Use a ‘Sprocs’ Role:
Create a new role: db_executeproc.
Script that GRANTs EXECUTE on all sprocs to Role.
Schedule the Job to run regularly.
Page 23
Least Privilege: Users
Users are Harder:
Egos Are Involved.
Implementation:
Roles are your friend.
Techniques:
Social Engineering.
Page 24
Circumvention
http://failblog.org/2008/03/13/
Page 25
Properly Secured = Harder to Recover:
Logins and Credentials.
Mappings to Users and Roles.
Certificates.
Encrypted Backups.
Test Your Backups Regularly
Document
http://www.flickr.com/photos/jeremybrooks/3132893543/ (Creative Commons)
COMMON MISTAKE: Not Adjusting Disaster Recovery Plans