OPASS – MARCH 8, 2012
K. Brian Kelley
MCSE, CISA, Security+, MVP-SQL Server
The Dirty Business of Auditing
Auditing SQL Server (2000 – 2008R2)
MY BACKGROUND
Database Administrator / Architect
Infrastructure and security architect
Incident response team lead
Certified Information Systems Auditor (CISA)
SQL Server security columnist / blogger
Co-Author of:
How to Cheat at Securing SQL Server 2005 (Syngress)
Professional SQL Server 2008 Administration (Wrox)
Introduction to SQL Server (Texas Publishing)
CONTACT INFORMATION
Mail: [email protected]
Twitter: @kbriankelley
Blogs: SQL Server Central, http://gkdba.wordpress.com/
AGENDA FOR TONIGHT
Why auditors can’t audit SQL Server: “Tag, you’re It”
SQL Server Surface Area
Server Level Auditing
Database Level Auditing
INFORMATION DISCLOSURE ISSUE
SQL Server 2000: anyone with access to a database can read its security metadata, so you can audit it. But so can everyone else with access to the database: a Catch-22.
SQL Server 2005 and later: metadata is visible only for objects you hold a permission on, so the auditor must be granted rights before auditing is even possible.
Recommendation: automate the auditing and run it under a service account granted exactly the permissions it needs.
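Added example, not part of the original slides: one way to build that audit service account on SQL Server 2005 and later, and to verify its effective rights before a scheduled job uses it. The domain and login name (CONTOSO\svc_sqlaudit) are assumptions.

```sql
-- Added example, not from the original slides: a least-privilege audit service
-- account for SQL Server 2005 and later. The domain and login name are assumptions.
USE master;
GO
CREATE LOGIN [CONTOSO\svc_sqlaudit] FROM WINDOWS;
GO
-- In 2005+ a login only sees metadata for securables it holds a permission on,
-- so the audit account needs explicit visibility rights instead of sysadmin.
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc_sqlaudit];  -- catalog views in every database
GRANT VIEW ANY DATABASE   TO [CONTOSO\svc_sqlaudit];  -- every row of sys.databases (public has this by default; made explicit)
GRANT VIEW SERVER STATE   TO [CONTOSO\svc_sqlaudit];  -- sys.dm_exec_connections, sys.dm_exec_sessions
GO
-- VIEW ANY DEFINITION does not include CONNECT to a database, so map the login
-- into each accessible, writable database. Including model means databases
-- created later get the user automatically.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   sys.databases
    WHERE  state_desc = 'ONLINE'
      AND  is_read_only = 0
      AND  name <> 'tempdb'
      AND  HAS_DBACCESS(name) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals
                       WHERE name = N''CONTOSO\svc_sqlaudit'')
            CREATE USER [CONTOSO\svc_sqlaudit] FOR LOGIN [CONTOSO\svc_sqlaudit];';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
GO
-- Check the result before handing the account to a job: impersonate it and list
-- its effective server permissions. Anything beyond CONNECT SQL and the three
-- grants above means the account is over-privileged.
EXECUTE AS LOGIN = 'CONTOSO\svc_sqlaudit';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
REVERT;
GO
```

The verification step matters more than the grants: the same EXECUTE AS / fn_my_permissions pair is how you prove to an auditor that the automation itself is not a new sysadmin. On SQL Server 2000 none of this applies; there the metadata is readable by anyone with database access, which is the Catch-22 above.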
SURFACE AREA – FROM REMOTE
Quest Discovery Wizard
SQL Ping
MS Assessment and Planning (MAP) tool
nmap
General scanner – Qualys, Nessus
SURFACE AREA – ON THE SERVER
SQL Server 2000: SQL Server Server Network Utility
SQL Server 2005 only: SQL Server Surface Area Configuration
SQL Server 2005 and above: SQL Server Configuration Manager
WHAT TO LOOK FOR
What network protocols are enabled
What ports SQL Server is listening on
Whether remote connections are allowed
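Added example, not part of the original slides: the same three questions answered from inside the instance with T-SQL, for SQL Server 2005 and later, when you have a query window but not the console. The registry reads require sysadmin; everything else needs VIEW SERVER STATE.

```sql
-- Added example, not from the original slides: inventory the network surface from
-- inside the instance (SQL Server 2005 and later; the registry reads need sysadmin).
-- xp_instance_regread rewrites the generic MSSQLServer path to this instance's key,
-- so the same script works for default and named instances.
DECLARE @tcp int, @np int, @sm int, @via int;
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp', N'Enabled', @tcp OUTPUT;
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Np',  N'Enabled', @np  OUTPUT;
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Sm',  N'Enabled', @sm  OUTPUT;
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Via', N'Enabled', @via OUTPUT;

-- Protocols: if only Shared Memory is enabled the instance accepts local
-- connections only; TCP/IP or Named Pipes enabled means remote connections.
SELECT 'TCP/IP'        AS protocol, @tcp AS enabled
UNION ALL SELECT 'Named Pipes',   @np
UNION ALL SELECT 'Shared Memory', @sm
UNION ALL SELECT 'VIA',           @via;

-- Ports: a static port lives in TcpPort; an empty TcpPort with a value in
-- TcpDynamicPorts means the port can change at restart and is advertised by
-- SQL Browser on UDP 1434, which is the service SQL Ping queries.
DECLARE @port nvarchar(20), @dyn nvarchar(20);
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll', N'TcpPort',         @port OUTPUT;
EXEC master..xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll', N'TcpDynamicPorts', @dyn  OUTPUT;
SELECT @port AS static_tcp_port, @dyn AS dynamic_tcp_port;

-- What the engine actually bound at startup, from the current error log:
-- "Server is listening on [ 'any' <ipv4> 1433]" for TCP, and the "... provider
-- is ready to accept connection on [...]" lines for Named Pipes and Shared Memory.
EXEC master..xp_readerrorlog 0, 1, 'Server is listening on';
EXEC master..xp_readerrorlog 0, 1, 'provider is ready';

-- Live confirmation: transports and local ports of the sessions connected now
-- (needs VIEW SERVER STATE).
SELECT net_transport, local_tcp_port, COUNT(*) AS sessions
FROM   sys.dm_exec_connections
GROUP BY net_transport, local_tcp_port;
```

The registry tells you what is configured, the error log tells you what was bound at the last start, and the DMV tells you what is in use now; when the three disagree, someone changed the configuration without a restart, which is itself a finding. On SQL Server 2000 the registry layout differs and this script does not apply; use the Server Network Utility there.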
SERVER LEVEL CONCERNS
SQL Server 2000 and above
SQL Server 2005 and above
ALL VERSIONS
Logins: SQL Server logins, Windows users, Windows groups
Server Roles
WHAT TO LOOK FOR
Windows users (not service accounts)
A lot of SQL Server logins
Members of: sysadmin, securityadmin, serveradmin, processadmin
Use of sa or sysadmin level accounts
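Added example, not part of the original slides: the four checks above written against master..syslogins, master..sysprocesses and IS_SRVROLEMEMBER, all of which exist on SQL Server 2000 and survive as compatibility views through 2008 R2, so one script covers every version in scope. The 'svc_' service-account prefix is an assumption.

```sql
-- Added example, not from the original slides: the login and server-role checks
-- above in a form that runs on SQL Server 2000 through 2008 R2, using the
-- master..syslogins compatibility view and IS_SRVROLEMEMBER, which exist on all
-- of them. The 'svc_' service-account prefix is an assumption.

-- 1. Members of the fixed server roles that matter most. securityadmin is shown
--    next to sysadmin deliberately: a securityadmin can grant server-level
--    permissions, so Microsoft documents the role as equivalent to sysadmin.
SELECT  name,
        CASE WHEN isntgroup = 1 THEN 'Windows group'
             WHEN isntuser  = 1 THEN 'Windows user'
             ELSE 'SQL login' END AS login_type,
        sysadmin, securityadmin, serveradmin, processadmin,
        denylogin, hasaccess
FROM    master..syslogins
WHERE   sysadmin = 1 OR securityadmin = 1 OR serveradmin = 1 OR processadmin = 1
ORDER BY sysadmin DESC, securityadmin DESC, name;

-- 2. Individual Windows users rather than groups: each one bypasses group-based
--    provisioning and needs a documented reason. Service accounts are expected.
--    '[_]' keeps the underscore literal; a bare '_' is a LIKE wildcard.
SELECT  name, createdate, sysadmin
FROM    master..syslogins
WHERE   isntuser = 1
  AND   name NOT LIKE '%\svc[_]%'     -- assumed service-account naming convention
ORDER BY name;

-- 3. How many SQL Server logins exist versus Windows principals. A large SQL-login
--    population usually means passwords living in application config files.
SELECT  CASE WHEN isntname = 1 THEN 'Windows' ELSE 'SQL Server' END AS login_kind,
        COUNT(*) AS logins
FROM    master..syslogins
GROUP BY CASE WHEN isntname = 1 THEN 'Windows' ELSE 'SQL Server' END;

-- 4. Who is connected right now as sa or as a sysadmin member, and from which
--    program and host. Applications running with sysadmin rights are the usual
--    finding; sysprocesses pads its nchar columns, hence the RTRIMs.
SELECT DISTINCT
        RTRIM(loginame)     AS login_name,
        RTRIM(program_name) AS program_name,
        RTRIM(hostname)     AS host_name
FROM    master..sysprocesses
WHERE   spid > 50                              -- user sessions
  AND   (RTRIM(loginame) = 'sa'
         OR IS_SRVROLEMEMBER('sysadmin', RTRIM(loginame)) = 1);
```

Query 4 is a point-in-time sample; run it several times during business hours, or from a job, before concluding that no application connects as sa. On 2005 and later the sys.server_principals, sys.server_role_members and sys.dm_exec_sessions views give the same answers with cleaner types, but the compatibility views are what let one script run against a 2000 instance.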
SQL SERVER 2005 AND ABOVE
Server level securables
DAC (remote)
OLE automation
SQL Mail
xp_cmdshell
Password policy enforcement
Impersonation of logins
VISUALIZING SECURABLES
WHAT TO LOOK FOR (2005+)
Everything in the all-versions list
CONTROL SERVER permission granted to a login (equivalent to sysadmin)
IMPERSONATE permission on sa or on any sysadmin login
SQL Server logins without full password policy enforcement: no policy enforcement at all, or password set to never expire
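Added example, not part of the original slides: queries against the 2005+ catalog views for each of the server-level findings above, plus the instance features from the previous slide. They need sysadmin or VIEW ANY DEFINITION; the audit service account described earlier qualifies.

```sql
-- Added example, not from the original slides: SQL Server 2005+ queries for the
-- server-level findings above. Run as sysadmin or as a login holding
-- VIEW ANY DEFINITION (the audit service account described earlier qualifies).

-- 1. CONTROL SERVER is sysadmin in all but name, yet it never appears in
--    sys.server_role_members, so a role-membership audit alone misses it.
SELECT  pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class_desc = 'SERVER'
  AND   pe.permission_name = 'CONTROL SERVER'
  AND   pe.state IN ('G', 'W');                 -- GRANT or GRANT WITH GRANT OPTION

-- 2. IMPERSONATE on sa (sid 0x01 even if renamed) or on any sysadmin member:
--    the grantee can EXECUTE AS LOGIN = ... and run as sysadmin for the batch.
SELECT  grantee.name AS grantee, target.name AS can_impersonate, pe.state_desc
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS grantee ON grantee.principal_id = pe.grantee_principal_id
JOIN    sys.server_principals  AS target  ON target.principal_id  = pe.major_id
WHERE   pe.class_desc = 'SERVER_PRINCIPAL'
  AND   pe.permission_name = 'IMPERSONATE'
  AND   pe.state IN ('G', 'W')
  AND   (target.sid = 0x01 OR IS_SRVROLEMEMBER('sysadmin', target.name) = 1);

-- 3. SQL Server logins with weakened password policy. Both flags are set by
--    CREATE/ALTER LOGIN ... CHECK_POLICY / CHECK_EXPIRATION; expiration can only
--    be enforced when policy is on. The ##MS_...## certificate logins are system
--    principals and are excluded.
SELECT  name, is_policy_checked, is_expiration_checked, is_disabled,
        CASE WHEN is_policy_checked = 0     THEN 'No policy enforcement at all'
             WHEN is_expiration_checked = 0 THEN 'Password never expires'
        END AS finding
FROM    sys.sql_logins
WHERE   name NOT LIKE '##%'
  AND   (is_policy_checked = 0 OR is_expiration_checked = 0)
ORDER BY is_policy_checked, name;

-- 4. Instance-wide features from the 2005+ list: each should be 0 unless there is
--    a documented reason. 'remote admin connections' is the DAC over the network.
SELECT  name, CAST(value_in_use AS int) AS value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures', 'SQL Mail XPs',
                 'Database Mail XPs', 'remote admin connections', 'clr enabled')
ORDER BY name;
```

Query 2 only reports direct grants; a login that can impersonate a securityadmin, who in turn can grant CONTROL SERVER, is two hops away and still worth listing, so compare its output against query 1 of the server-role check rather than reading it in isolation.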
DATABASE LEVEL CONCERNS
SQL Server 2000 and above
SQL Server 2005 and above
ALL VERSIONS
How database users map to server logins
Use of the guest user (except in system databases)
Database owner (maps as dbo)
Members of database roles: db_owner, db_ddladmin, db_securityadmin
Database level permissions (CREATE)
SQL SERVER 2005+
Permissions at the database securable level
Permissions at the schema securable level
Encryption key escrow
WHAT TO LOOK FOR
Use of the database owner by the application
Use of db_owner by the application
End users with too many rights
Developers in the following roles in production: db_owner, db_ddladmin, db_securityadmin
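Added example, not part of the original slides: one script covering the database-level concerns from the three slides above (user-to-login mapping, guest, owner, the three roles, database- and schema-level permissions, key escrow), run inside the database being audited on SQL Server 2005 and later. The 'CONTOSO\dev%' developer-group pattern is an assumption standing in for your own naming convention.

```sql
-- Added example, not from the original slides: database-level checks for the
-- findings above. Run inside the database being audited (USE <database>) on
-- SQL Server 2005 and later. The 'CONTOSO\dev%' developer-group pattern is an
-- assumption standing in for your own naming convention.

-- 1. Owner and TRUSTWORTHY. The owner's login arrives as dbo; if that login is
--    also sysadmin and TRUSTWORTHY is on, any db_owner member can reach sysadmin
--    through a module marked EXECUTE AS OWNER, so an application using the
--    owner's login is a finding, not a convenience.
SELECT  d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner_login,
        d.is_trustworthy_on
FROM    sys.databases AS d
WHERE   d.database_id = DB_ID();

-- 2. How database users map to server logins. A user with no matching login is
--    either an orphan left by a restore or a user created WITHOUT LOGIN; both
--    need explanation. Users whose login is sysadmin need no database rights at all.
SELECT  u.name AS db_user, u.type_desc, l.name AS server_login,
        CASE WHEN l.sid IS NULL THEN 'no matching login'
             WHEN IS_SRVROLEMEMBER('sysadmin', l.name) = 1 THEN 'login is sysadmin'
        END AS note
FROM    sys.database_principals AS u
LEFT JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE   u.type IN ('S', 'U', 'G')                 -- SQL user, Windows user, Windows group
  AND   u.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY note DESC, u.name;

-- 3. guest with CONNECT in a user database lets every login on the instance in.
--    master, tempdb and msdb need it; other databases almost never do.
SELECT  DB_NAME() AS database_name, 'guest user enabled' AS finding
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
WHERE   g.name = 'guest'
  AND   p.permission_name = 'CONNECT'
  AND   p.state IN ('G', 'W')
  AND   DB_NAME() NOT IN ('master', 'tempdb', 'msdb');

-- 4. Members of the three powerful fixed database roles, resolved to the login
--    behind each user. A DATABASE_ROLE member means nesting: follow it.
SELECT  r.name AS role_name, m.name AS member, m.type_desc,
        SUSER_SNAME(m.sid) AS login_name,
        CASE WHEN SUSER_SNAME(m.sid) LIKE 'CONTOSO\dev%'
             THEN 'developer group in production' END AS finding
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('db_owner', 'db_ddladmin', 'db_securityadmin')
ORDER BY r.name, m.name;

-- 5. Explicit grants on the database itself (class 0: CREATE TABLE, CREATE
--    PROCEDURE, ALTER, CONTROL, ...) and on schemas (class 3): DDL power that no
--    role membership reveals.
SELECT  pr.name AS grantee, pe.class_desc,
        COALESCE(s.name, DB_NAME()) AS securable,
        pe.permission_name, pe.state_desc
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s ON pe.class = 3 AND s.schema_id = pe.major_id
WHERE   pe.class IN (0, 3)
  AND   pe.state IN ('G', 'W')
  AND   pe.permission_name <> 'CONNECT'
ORDER BY pe.class, pr.name, pe.permission_name;

-- 6. Key escrow: every key listed here (the database master key appears as
--    ##MS_DatabaseMasterKey##) must have a copy from BACKUP MASTER KEY /
--    BACKUP CERTIFICATE stored off the server, or the data it protects is
--    unrecoverable after a rebuild.
SELECT 'symmetric key'   AS kind, name, algorithm_desc AS detail FROM sys.symmetric_keys
UNION ALL
SELECT 'certificate',    name, pvt_key_encryption_type_desc FROM sys.certificates
WHERE  pvt_key_encryption_type <> 'NA'           -- has a private key to protect
UNION ALL
SELECT 'asymmetric key', name, pvt_key_encryption_type_desc FROM sys.asymmetric_keys
ORDER BY kind, name;
```

Wrap the script in sp_MSforeachdb or the cursor used for the service-account example to cover every database; the checks are per-database by design so that the same account can run them with nothing more than CONNECT and VIEW ANY DEFINITION. Query 6 lists what needs escrow, not whether escrow happened; pair it with the documented location of the BACKUP CERTIFICATE / BACKUP MASTER KEY output and its password.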
QUESTIONS & ANSWERS