Securing your SQL Server - Denver, RMTT
DESCRIPTION
Become aware of some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, restricting or disabling system stored procedures, and preventative best practices. And most importantly, discuss the most commonly used security threat: SQL injection.
TRANSCRIPT
Securing your SQL Server
Gabriel Villa
email: [email protected]
blog: www.extofer.com
twitter: @extofer

About Gabriel
  MCPD, ASP.NET Developer
  MCTS, SQL Server 2008 Database Development
  SQL Server 7, 2000, 2005 and 2008
  .NET Developer, VB.NET and C#
Outline to Securing SQL Server
  Security Model
  SQL Server Threats
  Write Secure Code
  Auditing
  Passwords
  Physical Security
  Security Patches
  Network Security
  Best Practices and Resources
“Yes, I am a criminal. My crime is that of curiosity... My crime is that of outsmarting you, something that you will never forgive me for.”
- The Mentor, written January 8, 1986
SQL Server Security Model
  Principals: Windows users, SQL logins, roles, groups
  Securables: schemas (and the objects they contain)
  Windows user or SQL login -> database user or database role -> schema
Authentication
  Windows Authentication
    Active Directory integration
    Supports groups
    Use whenever possible
  Mixed Authentication (Windows logins plus SQL logins)
    Legacy or hard-coded referenced logins
    Non-Windows clients
    Connections over the Internet
Roles
  Group users into roles based on usage
  Database roles and server roles
  Server-level roles: sysadmin, bulkadmin, securityadmin, dbcreator
Securables
  Use schemas to secure database objects
  A schema is a namespace container
  Simplify access permissions
  Group objects into schemas
  Grant permissions on schemas, not on individual objects
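The chain on the Authentication, Roles and Securables slides (login -> database user -> role -> schema permission), worked through in T-SQL. This is an added example, not code from Gabriel's deck: SERVERPROPERTY, fn_my_permissions and the DDL are standard SQL Server, while the database AppDb, the Windows group CORP\AppReaders, the login app_svc, the two roles and the sales schema are made-up names.

```sql
-- Added example (not part of the slide deck). AppDb is assumed to exist;
-- CORP\AppReaders, app_svc, app_readers, app_writers and the sales schema are assumed names.
USE master;
GO
-- Authentication mode: 1 = Windows Authentication only, 0 = mixed mode
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO
-- Server-level principals. Prefer a Windows group: membership is managed in AD,
-- and no password lives in SQL Server.
CREATE LOGIN [CORP\AppReaders] FROM WINDOWS;
GO
-- A SQL login only where Windows authentication is not an option (non-Windows
-- client, Internet-facing app). Enforce the Windows password policy on it.
CREATE LOGIN app_svc
    WITH PASSWORD = N'<long random passphrase, stored in a vault>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
USE AppDb;
GO
-- Database users mapped to the logins. A user has no rights until a role grants them.
CREATE USER [CORP\AppReaders] FOR LOGIN [CORP\AppReaders];
CREATE USER app_svc FOR LOGIN app_svc;
GO
-- A schema is the namespace container that permissions are granted against
CREATE SCHEMA sales AUTHORIZATION dbo;
GO
CREATE TABLE sales.Orders
(
    OrderId    int   NOT NULL PRIMARY KEY,
    CustomerId int   NOT NULL,
    Amount     money NOT NULL
);
GO
-- Roles grouped by usage, never one role per person
CREATE ROLE app_readers;
CREATE ROLE app_writers;
EXEC sp_addrolemember 'app_readers', 'CORP\AppReaders';  -- ALTER ROLE ... ADD MEMBER on 2012+
EXEC sp_addrolemember 'app_writers', 'app_svc';
GO
-- Grant on the schema, not per object: tables added to sales later inherit these rights
GRANT SELECT                 ON SCHEMA::sales TO app_readers;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::sales TO app_writers;
-- A DENY wins over any GRANT that might be added later by mistake
DENY DELETE                  ON SCHEMA::sales TO app_writers;
GO
-- Verify effective permissions from the service login's point of view
EXECUTE AS USER = 'app_svc';
SELECT permission_name FROM fn_my_permissions('sales', 'SCHEMA');  -- SELECT, INSERT, UPDATE; no DELETE
REVERT;
GO
```

Run as a sysadmin. The last query is the check worth keeping in a hardening script: it shows what the application can actually do against the schema, regardless of how the grants were layered.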
SQL Server Threats
  Social Engineering
    Manipulating people to gather data
    No technical cracking tools or techniques required
  SQL Injection
    Affects any RDBMS, not just MS SQL Server
    Attacker submits SQL commands through the front-end application
    Tools of the trade: '  --  ;  (string terminator, comment marker, statement separator)
Write Secure Code
  Check for valid input
  DDL triggers
  Use stored procedures
  Use parameters
  Customize error messages
    Avoid errors that return securable names (tables, columns, logins)
  Source control
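The injection mechanics from the Threats slide and the "stored procedures, parameters, valid input, custom errors" advice above, as one added T-SQL example that is not from the deck. The sales.Customers table, its two rows, the procedure names and the role app_callers are constructed for illustration; the first procedure is written the vulnerable way on purpose so the payload can be seen working against it.

```sql
-- Added example (not part of the slide deck). AppDb and the sales schema are assumed to exist;
-- the Customers table, its rows, the procedures and the app_callers role are constructed.
USE AppDb;
GO
CREATE TABLE sales.Customers
(
    CustomerId int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(256) NOT NULL
);
INSERT sales.Customers VALUES (1, N'Alice', N'alice@example.com'), (2, N'Bob', N'bob@example.com');
GO
-- 1. VULNERABLE (deliberately): the caller's text becomes statement text.
--    @Name = N'x'' OR 1=1 --'  yields  WHERE Name = 'x' OR 1=1 --'  and returns every row;
--    a payload using ; could run a second statement with the caller's rights.
CREATE PROCEDURE sales.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM sales.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO
-- 2. SAFE: the value is bound as a parameter and can never change the statement.
CREATE PROCEDURE sales.FindCustomer @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    -- Check for valid input: reject, don't "clean up". The parameter type already caps length.
    IF @Name IS NULL OR LEN(@Name) = 0
    BEGIN
        RAISERROR(N'A customer name is required.', 16, 1);  -- custom message, leaks nothing
        RETURN;
    END;
    SELECT CustomerId, Name FROM sales.Customers WHERE Name = @Name;
END;
GO
-- 3. Dynamic SQL only when unavoidable (caller picks the sort column): allow-list the
--    identifier, quote it, and still bind values through sp_executesql.
CREATE PROCEDURE sales.ListCustomers @SortBy sysname, @MinId int = 0
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortBy NOT IN (N'CustomerId', N'Name')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM sales.Customers '
      + N'WHERE CustomerId >= @MinId ORDER BY ' + QUOTENAME(@SortBy);
    EXEC sp_executesql @sql, N'@MinId int', @MinId = @MinId;
END;
GO
-- 4. The classic payload against both procedures
EXEC sales.FindCustomer_Unsafe @Name = N'x'' OR 1=1 --';  -- both rows: injection succeeded
EXEC sales.FindCustomer        @Name = N'x'' OR 1=1 --';  -- no rows: it was only a literal
GO
-- 5. Customize error messages at the boundary: keep the real error for the log,
--    return a generic one so table, column and login names never reach the client.
BEGIN TRY
    EXEC sales.ListCustomers @SortBy = N'Email';          -- rejected by the allow-list
END TRY
BEGIN CATCH
    -- ERROR_MESSAGE() and ERROR_PROCEDURE() go to a log table or the application log here
    RAISERROR(N'The request could not be completed.', 16, 1);
END CATCH;
GO
-- 6. Least privilege: the application executes the procedure but cannot read the table directly
CREATE ROLE app_callers;
GRANT EXECUTE ON sales.FindCustomer TO app_callers;
GO
```

Step 4 is the point of the example: the same string that dumps the table through the concatenated procedure is just an unmatched name when it arrives as a parameter. Step 3 shows the one case where dynamic SQL is still needed and how an allow-list plus QUOTENAME keeps it safe.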
Auditing
  Server- and database-level events
    Server operations
    Database actions
  Audit failed login attempts
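The auditing slide above, and the DDL triggers item from the Write Secure Code slide, as an added T-SQL example that is not from the deck. SQL Server Audit and the DDL trigger syntax are standard; the audit names, the file path D:\SQLAudit\, the AppDb database and the dbo.DdlLog table are assumed. On SQL Server 2008 and 2008 R2 SQL Server Audit requires Enterprise edition (server-level audit is in every edition from 2012 on); the DDL trigger works in any edition.

```sql
-- Added example (not part of the slide deck). Audit names, D:\SQLAudit\, AppDb and
-- dbo.DdlLog are assumed; the service account must be able to write to the path.
USE master;
GO
-- 1. Where the audit records go
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Server operations: failed logins plus changes to roles, permissions and the audit itself
CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE AppDb;
GO
-- 3. Database actions: who touches the sales schema, and DDL or permission changes
CREATE DATABASE AUDIT SPECIFICATION SecurityAudit_AppDb
    FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::sales BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE master;
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- 4. A DDL trigger: edition-independent, logs schema changes and blocks table drops
USE AppDb;
GO
CREATE TABLE dbo.DdlLog
(
    EventTime datetime2 NOT NULL DEFAULT SYSDATETIME(),
    LoginName sysname   NOT NULL,
    EventData xml       NOT NULL
);
GO
CREATE TRIGGER trg_AuditDdl ON DATABASE
FOR DDL_TABLE_EVENTS, DDL_PROCEDURE_EVENTS, GRANT_DATABASE, DENY_DATABASE, REVOKE_DATABASE
AS
BEGIN
    DECLARE @e xml = EVENTDATA();
    INSERT dbo.DdlLog (LoginName, EventData) VALUES (ORIGINAL_LOGIN(), @e);
    -- Block DROP TABLE outright; everything else is logged and allowed.
    -- The rollback also undoes this trigger's own log row for the blocked attempt.
    IF @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)') = N'DROP_TABLE'
    BEGIN
        RAISERROR(N'DROP TABLE is not permitted in this database; contact the DBA.', 16, 1);
        ROLLBACK;
    END;
END;
GO
-- 5. Reading the audit: failed logins in the last 24 hours (event_time is UTC)
SELECT event_time, server_principal_name, succeeded, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'   -- LOGIN FAILED
  AND event_time > DATEADD(day, -1, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

AUDIT_CHANGE_GROUP in step 2 is the one people forget: without it an attacker with enough rights can quietly switch the audit off before doing anything else.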
Passwords
  DO NOT hard-code passwords
    ASP.NET: encrypt web.config
    Encrypt any password that has to live in your code
  Strong passwords
    6 to 8 characters minimum
    Leet speak or special characters (e.g. s = 5, E = 3)
  SQLPing checks for default passwords
  Change passwords frequently
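The checks SQLPing performs from the outside can also be run from inside the instance, which is what this added T-SQL example does; it is not from the deck. PWDCOMPARE, sys.sql_logins and LOGINPROPERTY are standard (reading password_hash needs CONTROL SERVER); the candidate password list and the login app_svc are constructed. For the web.config point on the slide, the ASP.NET tool is aspnet_regiis.exe -pef "connectionStrings" <site path>, which encrypts that section with DPAPI so no plaintext connection string sits on disk; that is a command-line step, not T-SQL, so it is not in the block.

```sql
-- Added example (not part of the slide deck). The candidate passwords are a constructed
-- list; app_svc is an assumed login name. Requires CONTROL SERVER to read password_hash.
USE master;
GO
-- 1. SQL logins whose password is blank or a well-known default (PWDCOMPARE returns 1 on match)
DECLARE @candidates TABLE (pwd nvarchar(128) NOT NULL);
INSERT @candidates VALUES (N''), (N'sa'), (N'password'), (N'Password1'), (N'sql'), (N'admin');

SELECT l.name, c.pwd AS matched_password,
       l.is_policy_checked, l.is_expiration_checked, l.is_disabled
FROM sys.sql_logins AS l
CROSS JOIN @candidates AS c
WHERE PWDCOMPARE(c.pwd, l.password_hash) = 1;

-- Logins whose password is their own name
SELECT name FROM sys.sql_logins WHERE PWDCOMPARE(name, password_hash) = 1;
GO
-- 2. Logins exempt from the Windows password policy (the policy is what actually enforces
--    the minimum length, complexity and lockout; the slide's 6 to 8 characters is a floor)
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
GO
-- 3. Remediate: rotate and disable sa, put app logins under policy, force a change at next use
ALTER LOGIN sa WITH PASSWORD = N'<long random passphrase, stored in a vault>';
ALTER LOGIN sa DISABLE;                                 -- use named sysadmin logins instead
ALTER LOGIN app_svc
    WITH PASSWORD = N'<new passphrase>' MUST_CHANGE,    -- MUST_CHANGE needs both options ON
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- 4. "Change passwords frequently": find logins whose password is older than 90 days
SELECT name,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked
FROM sys.sql_logins
WHERE CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) < DATEADD(day, -90, GETDATE())
ORDER BY password_last_set;
```

Step 1 only finds the passwords you thought to list, exactly like an external scanner; step 2 is the structural fix, because a login under CHECK_POLICY cannot be given a blank or trivial password in the first place.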
Physical Security
  Lock the server room or rack when not in use
  Restrict access by unauthorized individuals
  If feasible, use security cameras

Security Patches
  Released the second Tuesday of every month (Patch Tuesday)
  Test updates and hotfixes immediately on non-production servers
  Schedule production patching soon after testing

Network Security
  Avoid network shares on database servers
  Don't browse the Web from the server
  Only enable required protocols
  Keep servers behind a firewall
Best Practices and Resources
  Encrypt your DB backups (third-party tools)
  Restrict system stored procedures and extended procedures (XPs)
  Download HP Scrawlr (SQL injection scanner)
  Discover Wizard
  http://www.sqlservercentral.com/Books/
    Defensive Database Programming by Alex Kuznetsov
    Protecting SQL Server Data by John Magnabosco
    SQL Server Tacklebox by Rodney Landrum
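The "restrict system stored procedures and XPs" item above, as an added T-SQL hardening script that is not from the deck. sp_configure, the option names, the extended procedures and the catalog views are all real SQL Server objects; the proxy account name in the commented last line is an assumption.

```sql
-- Added example (not part of the slide deck). All options, procedures and views are
-- standard SQL Server; CORP\sqlcmdproxy in the final comment is an assumed name.
USE master;
GO
-- 1. Turn off the instance options that let T-SQL reach the OS or other servers
--    (all off by default since SQL Server 2005, but verify rather than assume)
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                 -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;   -- sp_OACreate and friends
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;  -- OPENROWSET/OPENDATASOURCE to any server
EXEC sp_configure 'remote access', 0;               -- legacy remote-server procedure calls
EXEC sp_configure 'clr enabled', 0;                 -- only if no CLR assemblies are in use
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
GO
-- 2. Remove EXECUTE from public on the extended procedures so a later re-enable of an
--    option does not hand them to every login (REVOKE is harmless where no grant exists)
REVOKE EXECUTE ON xp_cmdshell     FROM public;
REVOKE EXECUTE ON xp_regread      FROM public;
REVOKE EXECUTE ON xp_regwrite     FROM public;
REVOKE EXECUTE ON xp_dirtree      FROM public;
REVOKE EXECUTE ON xp_fixeddrives  FROM public;
GO
-- 3. Review: current values of the options above
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries',
               'remote access', 'clr enabled')
ORDER BY name;

-- Extended procedures that public can still execute (expect an empty result)
SELECT o.name AS xp, dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.all_objects AS o
JOIN sys.database_permissions AS p  ON p.major_id = o.object_id
JOIN sys.database_principals AS dp  ON dp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'          -- extended stored procedure
  AND dp.name = 'public'
  AND p.state_desc = 'GRANT';
GO
-- 4. If a job genuinely needs xp_cmdshell, run it under a low-privilege proxy account
--    rather than granting sysadmin to the caller:
-- EXEC sp_xp_cmdshell_proxy_account 'CORP\sqlcmdproxy', N'<proxy account password>';
```

Only enable required protocols and keep servers behind a firewall (Network Security slide) are set in SQL Server Configuration Manager and on the firewall, not in T-SQL, so they are not part of this script.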
Questions??

Please evaluate this session at http://speakerrate.com/extofer
Slide deck at http://www.extofer.com