Denali SQL Server Security
DESCRIPTION
Get up to speed on the new security features in "Denali", the next version of SQL Server. Disclose the new permissions, roles and encryption added to Denali. You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and .Net code samples to use on your applications to prevent vulnerabilities.
TRANSCRIPT
Page 1
101: Intro to Security
Page 2
SQL Server 7, 2000, 2005 and 2008
.Net Developer VB.Net and C#
www.extofer.com
twitter: @extofer
“Please allow me to introduce myself” … Rolling Stones
Gabriel Villa
Page 3
101 Session Outline
SQL Server Threats
Write Secure Code
Auditing
Roles
Best Practices
Passwords
Physical Security
Security Patches
Network Security
Best Practices Resources
Page 4
SQL Server Threats
Social Engineering
Manipulating people to gather data
Not using technical cracking tools or techniques
SQL Injection
Affects any RDBMS, not just MS SQL Server
Attackers post SQL commands via front-end applications
Tools: ‘ , --, ;
Page 5
SQL Injection
Page 6
Write Secure Code
Check for Valid Input
DDL Triggers
Use Stored Procedures
Use Parameters
Customize Error Messages: avoid errors that return securable names
Source Control
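The "Write Secure Code" bullets above (valid input, stored procedures, parameters, custom error messages, DDL triggers) in one T-SQL script. This is an added example, not code from the slide deck or its author; the tables dbo.Customers and dbo.AppErrorLog and the deployment login CORP\deploy_svc are constructed for illustration. The unsafe procedure is kept only to show the pattern the safe one replaces.

```sql
-- Added example, not code from the slide deck. dbo.Customers, dbo.AppErrorLog
-- and the deployment account name are constructed assumptions.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(100) NOT NULL
);
CREATE TABLE dbo.AppErrorLog (
    ErrorNumber  INT,
    ErrorMessage NVARCHAR(4000),
    CommandText  NVARCHAR(MAX) NULL,
    LoggedAt     DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- VULNERABLE: @LastName is pasted into the statement text, so a quote, a comment
-- marker (--) or a semicolon in the input can change the shape of the query.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: validate the input, then pass it as a typed parameter through
-- sp_executesql; the query text is fixed and the value is never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Accept letters, apostrophe, space and hyphen only; reject everything else
    IF @LastName IS NULL OR LEN(@LastName) = 0 OR @LastName LIKE N'%[^a-zA-Z'' -]%'
    BEGIN
        RAISERROR(N'Invalid search value.', 16, 1);   -- generic, names no objects
        RETURN 1;
    END;
    BEGIN TRY
        EXEC sys.sp_executesql
            N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = @p',
            N'@p NVARCHAR(50)',
            @p = @LastName;
    END TRY
    BEGIN CATCH
        -- Keep the detailed error (which may name tables or columns) for the DBA;
        -- the caller only sees a generic message
        INSERT INTO dbo.AppErrorLog (ErrorNumber, ErrorMessage)
        VALUES (ERROR_NUMBER(), ERROR_MESSAGE());
        RAISERROR(N'The request could not be completed.', 16, 1);
        RETURN 1;
    END CATCH;
END;
GO

-- DDL trigger: log every table drop or alter, and roll it back unless it comes
-- from the deployment account (constructed name)
CREATE TRIGGER trg_GuardSchema ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    DECLARE @evt XML = EVENTDATA();
    DECLARE @cmd NVARCHAR(MAX) =
        @evt.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'NVARCHAR(MAX)');
    IF ORIGINAL_LOGIN() <> N'CORP\deploy_svc'
    BEGIN
        ROLLBACK;   -- undo the DDL first so the log row below survives
        INSERT INTO dbo.AppErrorLog (ErrorNumber, ErrorMessage, CommandText)
        VALUES (0, N'Blocked DDL by ' + ORIGINAL_LOGIN(), @cmd);
        RAISERROR(N'Schema changes must go through the deployment process.', 16, 1);
    END
    ELSE
        INSERT INTO dbo.AppErrorLog (ErrorNumber, ErrorMessage, CommandText)
        VALUES (0, N'DDL by ' + ORIGINAL_LOGIN(), @cmd);
END;
GO
```

The input check in FindCustomer_Safe narrows what the application accepts; the parameter is what actually prevents injection, so keep both even when the character set later needs widening. Granting EXECUTE on the procedure and no direct table permissions to the application login completes the "use stored procedures" bullet.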
Page 7
New “Denali” Auditing Features
SQL Auditing for all editions
User Defined Audit – applications write custom events to audit logs
Filtering – filter unwanted events
Resilience – recover auditing data from a temporary file after network issues
Page 8
Roles and “Denali” Roles
Group users into roles based on usage
Database Roles and Server Roles
Server Level Roles
sysadmin, bulkadmin, securityadmin, dbcreator
“Denali” User Defined Server Roles
Allow creation of new Server Roles
Helps avoid handing out sysadmin
Page 9
Tip: Authentication
Windows Authentication
Active Directory Integration
Supports Groups
Use Whenever Possible
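The "Denali" user-defined server role from the Roles slide combined with the Windows authentication tip above: a role carrying only the permissions an operations team needs, with an Active Directory group as its member instead of sysadmin. Added example, not code from the slide deck; the domain, group, role and database names are constructed.

```sql
-- Added example, not from the slide deck. CORP\SQL-Operators, ServerOperators
-- and the msdb membership are constructed for illustration.

-- 1. Windows authentication: one login for the AD group, no per-person SQL logins
CREATE LOGIN [CORP\SQL-Operators] FROM WINDOWS;
GO

-- 2. User-defined server role ("Denali" / SQL Server 2012 syntax) scoped to
--    monitoring duties; nothing here grants ALTER ANY LOGIN or CONTROL SERVER
CREATE SERVER ROLE ServerOperators;
GO
GRANT VIEW SERVER STATE   TO ServerOperators;   -- DMVs: sessions, waits, requests
GRANT VIEW ANY DEFINITION TO ServerOperators;   -- read object definitions
GRANT VIEW ANY DATABASE   TO ServerOperators;   -- see the database list
GO

-- 3. Membership goes to the group, so joiners and leavers are handled in AD
ALTER SERVER ROLE ServerOperators ADD MEMBER [CORP\SQL-Operators];
GO

-- 4. Database role for the same group: SQL Agent job operators in msdb
USE msdb;
GO
CREATE USER [CORP\SQL-Operators] FOR LOGIN [CORP\SQL-Operators];
ALTER ROLE SQLAgentOperatorRole ADD MEMBER [CORP\SQL-Operators];
GO

-- 5. Review: who is in sysadmin, and who is in each user-defined server role
USE master;
GO
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' OR r.is_fixed_role = 0
ORDER BY r.name, m.name;
```

The review query at the end is the check to run after the change: the sysadmin membership list should shrink, and the new role's members should be groups rather than individual logins. sys.server_principals.is_fixed_role is available from SQL Server 2012 ("Denali") onward.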
Page 10
Authentication
Mixed Authentication
Legacy or Hard Coded Referenced Logins
Non-Windows Clients
Connections over Internet
Page 11
Authentication
Page 12
Passwords
DO NOT hardcode passwords
ASP.Net encrypt web.config
Encrypt password in your code
Strong Passwords
Minimum of 8 to 10 characters
Leet speak or special characters (e.g. s = 5 or E = 3)
SQLPing checks for default passwords
Change passwords frequently
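Where mixed authentication cannot be avoided (the cases on the previous slide), the strong-password and rotation rules above can be enforced by the server rather than by policy documents. Added example, not code from the slide deck: a SQL login created with Windows password policy and expiration turned on, followed by a review query for logins that bypass it. The login name and the 90-day threshold are constructed assumptions; the initial password is a placeholder.

```sql
-- Added example, not from the slide deck. app_reporting and the 90-day
-- rotation window are constructed; replace the placeholder password.

-- Windows password policy (length, complexity, lockout) and expiry apply to
-- this SQL login; MUST_CHANGE forces a new password at first connection.
CREATE LOGIN app_reporting
    WITH PASSWORD = N'<placeholder-initial-password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Review: SQL logins with policy or expiry disabled, a blank password,
-- a password older than 90 days, or an enabled sa account
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS DATETIME) AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration')                    AS days_until_expiration
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR PWDCOMPARE(N'', password_hash) = 1
   OR CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS DATETIME) < DATEADD(DAY, -90, GETDATE())
   OR (name = N'sa' AND is_disabled = 0)
ORDER BY name;
```

CHECK_POLICY only helps when the host's Windows password policy is itself strict; on a standalone server, set the local policy first. PWDCOMPARE against an empty string is the same blank-password check that tools such as SQLPing perform from the outside, run here from the inside with no guessing.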
Page 13
Physical Security
Lock server room or rack when not in use
Deny access to unauthorized individuals
If feasible, use security cameras
Page 14
Security Patches
Microsoft releases patches on the second Tuesday of every month
Test updates or hotfixes immediately on non-production servers
Schedule patches soon after tested
Page 15
Network Security
Avoid network shares on servers
Don’t surf the Web on the server
Only enable required protocols
Keep servers behind a firewall
Page 16
Questions?
Slide Deck at http://www.extofer.com
Gabriel Villa
email: [email protected]
blog: www.extofer.com
twitter: @extofer
Page 17
Auditing
Server and Database Level Events
Server Operations
Database Actions
Audit Specifications
Server Audit Specification
Audit Failed Login Attempts
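The auditing pieces named on this slide and on the earlier "Denali" Auditing Features slide (file target with resilience settings, filtering, a server audit specification for failed logins, a database audit specification, and a user-defined audit event written by an application) as one T-SQL script. Added example, not code from the slide deck; the UNC path, the monitoring account, the Payroll database and its Salaries table, and the event id are constructed.

```sql
-- Added example, not from the slide deck. \\auditshare\sqlaudit\,
-- CORP\monitoring_svc, the Payroll database and event id 1001 are constructed.
USE master;
GO

-- Audit object: rolling files on a share; ON_FAILURE decides what happens when
-- the target is unreachable (CONTINUE keeps serving; FAIL_OPERATION or SHUTDOWN
-- where a gap in the trail is unacceptable).
CREATE SERVER AUDIT SecurityAudit
TO FILE (
    FILEPATH = N'\\auditshare\sqlaudit\',
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = OFF )
WITH (
    QUEUE_DELAY = 1000,
    ON_FAILURE = CONTINUE )
-- "Denali" filter: events matching the predicate are dropped, so keep it narrow
WHERE server_principal_name <> N'CORP\monitoring_svc';
GO

-- Server-level specification: failed logins, role changes, and the
-- user-defined group that lets applications write their own events
CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- Database-level specification: reads and changes on a sensitive table
USE Payroll;
GO
CREATE DATABASE AUDIT SPECIFICATION Payroll_Sensitive
FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Salaries BY public)
WITH (STATE = ON);
GO

-- Application-written event, captured by USER_DEFINED_AUDIT_GROUP above
EXEC sys.sp_audit_write
    @user_defined_event_id = 1001,
    @succeeded = 1,
    @user_defined_information = N'Payroll export started by batch job';
GO

-- Read the trail back: failed actions, the custom event, and Salaries access
SELECT event_time, action_id, succeeded, server_principal_name, database_name,
       object_name, statement, user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file(N'\\auditshare\sqlaudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 0
   OR user_defined_event_id = 1001
   OR object_name = N'Salaries'
ORDER BY event_time DESC;
```

In the "Denali" release the server audit and server audit specification run on every edition, while database audit specifications (the Payroll_Sensitive part) remain an Enterprise feature; the rest of the script is unaffected if that part is omitted. The service account needs write access to the share, and the final query needs CONTROL SERVER to read the files.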