Securing your SQL Server
DESCRIPTION
Become aware of some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, restricting or disabling system stored procedures, and preventative best practices. Most importantly, discuss the most common security threat, SQL injection, and learn how to prevent it.
TRANSCRIPT
SQL Saturday #66
Securing your SQL Server
Gabriel Villa
email: [email protected]
blog: www.extofer.com
twitter: @extofer
About Gabriel
MCPD, ASP.NET Developer
MCTS, SQL Server 2008 Database Development
SQL Server 7, 2000, 2005 and 2008
.Net Developer VB.Net and C#
Outline to Securing SQL Server
SQL Server Threats
Security Model
Authentication
Write Secure Code
Passwords
Physical Security
Security Patches
Network Security
Best Practices
“Yes, I am a criminal. My crime is that of curiosity... My crime is that of outsmarting you, something that you will never forgive me for.”
- The Mentor, written January 8, 1986
SQL Server Threats
Social Engineering
Manipulating people to gather data
Not using technical cracking tools or techniques
SQL Injection
Any RDBMS is vulnerable, not just MS SQL Server
Attackers post SQL commands via front-end applications
Tools: ‘ , --, ;
SQL Injection
SQL Server Security Model
Principals
Windows users
SQL logins
Roles and groups
Securables
Schemas
Server level: Windows users, SQL logins
Database level: database users, DB roles
Schemas
Authentication
Windows Authentication
Active Directory Integration
Supports Groups
Use Whenever Possible
Authentication
Mixed Authentication
Legacy or hard-coded referenced logins
Non-Windows clients
Connections over the Internet
Authentication
Write Secure Code
Valid SQL
Check for valid input
Use stored procedures
Use parameters
Customize error messages: avoid errors that return securable names
Source Control
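To show why "Use stored procedures" and "Use parameters" belong together, here is an added T-SQL example that is not from the slides: a procedure that rebuilds its query by string concatenation, which the quote and comment characters listed under SQL Injection can subvert, beside one that binds the value through sp_executesql as a parameter and applies the input check and custom error message the slide calls for. The dbo.Customers table and the two FindCustomer procedures are constructed for this example.

```sql
-- Constructed demo table (not from the slides)
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(100) NOT NULL,
    IsActive   BIT NOT NULL
);
INSERT INTO dbo.Customers (Email, IsActive)
VALUES (N'alice@example.com', 1), (N'bob@example.com', 0);
GO

-- VULNERABLE: a stored procedure does not help if it rebuilds the query by
-- concatenation. The input  ' OR 1=1 --  closes the string literal, injects
-- a condition that is always true and comments out the IsActive filter, so
-- the statement that actually runs no longer filters anything.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Email NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email FROM dbo.Customers '
      + N'WHERE Email = ''' + @Email + N''' AND IsActive = 1';
    EXEC (@sql);
END
GO

-- HARDENED: the value is bound with sp_executesql, so it is compared as data
-- and can never become part of the statement text.
CREATE PROCEDURE dbo.FindCustomer_Safe @Email NVARCHAR(100)
AS
BEGIN
    -- "Check for valid input": require a plausible user@host.tld shape
    IF @Email IS NULL OR @Email NOT LIKE N'_%@_%._%'
    BEGIN
        -- "Customize error messages": no table, column or login names are returned
        RAISERROR(N'Invalid email address.', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email FROM dbo.Customers '
      + N'WHERE Email = @p_email AND IsActive = 1';
    EXEC sys.sp_executesql @sql, N'@p_email NVARCHAR(100)', @p_email = @Email;
END
GO

-- Same malicious input against both procedures, then a legitimate lookup
EXEC dbo.FindCustomer_Unsafe @Email = N''' OR 1=1 --';
EXEC dbo.FindCustomer_Safe   @Email = N''' OR 1=1 --';
EXEC dbo.FindCustomer_Safe   @Email = N'alice@example.com';
```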
Passwords
DO NOT hardcode passwords
ASP.NET: encrypt web.config
Encrypt passwords in your code
Strong passwords: 6 to 8 characters minimum
Leet speak or special characters (e.g. s = 5 or E = 3)
SQLPing checks for default passwords
Change passwords frequently
Physical Security
Lock the server room or rack when not in use
Restrict access by unauthorized individuals
If feasible, use security cameras
Security Patches
Second Tuesday of every month
Test updates or hotfixes immediately on non-production servers
Schedule patches soon after tested
Network Security
Avoid network shares on servers
Don't surf the Web on the server
Only enable required protocols
Keep servers behind a firewall
Best Practices
Encrypt your DB backups with third-party tools
Monitor failed login attempts
Disable system stored procedures (SPs)
Questions??
Please evaluate this session at
http://speakerrate.com/extofer
Thank you and Feedback
Thank you for attending “Secure your SQL Server” at SQL Saturday #66
Please make sure to fill out the session evaluation and place it in the box in the back of the room