Sql tune in 2012 - securing your sql server - charley hanania - 2012-09-25 - zagreb croatia
Transcript

  • 1. Securing your SQL Server Installation
    Charley Hanania, QS2 AG
    B.Sc (Computing), MCP, MCDBA, MCITP, MCTS, MCT, Microsoft MVP: SQL Server
    Senior Database Specialist

  • 2. My Background
    • Now:
      – Microsoft MVP: SQL Server
      – Database Consultant (again, and very happy) at QS2 AG
    • Formerly:
      – Production Product Owner of MS SQL Server Platform at UBS Investment Bank
    • ITIL v3 Certified
    • SQL Server Certified since 1988
      – On SQL Server since 1995
      – Version 4 on OS/2
    • IT Professional since 1992
    • PASS
      – Chapter Leader – Switzerland
      – Regional Mentor – Europe
      – European PASS Conference Lead
      – Event Speaker
      – Database Days Conference Switzerland

  • 3. Contact Info
    • Email: Charley.Hanania@sqlpass.org
    • Website: http://www.sqlpass.ch
    • Twitter: http://www.twitter.com/CharleyHanania
    • Blog: http://blogs.mssqltips.com/blogs/charleyhanania
    • Linked-in: http://www.linkedin.com/in/charleyhanania

  • 4. Session Outline
    • General areas of focus when dealing with security
    • Windows & SQL Server – "Secure By Default"
    • 80 :: 20 – simple items that make a big difference
    • How much security is enough?
    • Practices to consider

  • 5. General Areas
    • Areas generally looked at when speaking about security:
      – Physical Access
      – Network
      – Application
      – Operating System
      – DBMS
      – Intellectual Property (IP)
      – Data Privacy (customer data usage)
      – Segregation of duties
        • Privileged access
        • Privileged information

  • 6. Windows Server – "Secure By Default"
    • Since Windows Server 2008, Microsoft has focused on the idea of Secure by Default.
    • When Windows is installed:
      – Only the roles and features needed are installed
      – Only essential connections are enabled
      – Password policies are more explicit

  • 7. SQL Server – "Secure By Default"
    • Since SQL Server 2005, Microsoft has focused on the idea of Secure by Default.
    • When SQL Server is installed:
      – Only the features needed to run are enabled
      – Only essential connections are configured
      – Connection methods are also influenced (protocols disabled until needed)

  • 8. Scopes of Protection (diagram; nested scopes, outermost first)
    – Windows Server: Accounts, Groups, Rights, Permissions
    – SQL Server Instance (one or more per server): Logins, Server Roles, Endpoints
    – SQL Server System Databases and User Databases: Users, Roles, Permissions
    – Schemas, then Objects (each with their own Permissions)

  • 9. DEMO – Obfuscation
    • Change the RDP port
    • Rename the Windows Administrator account
    • Use a non-default instance / port
    • Rename the SA account

  • 10. {DEMO} Obfuscation :: Changing the RDP Port

  • 11. Windows disables RDP by default. Enabling it requires opening the firewall port too…

  • 12. Windows Firewall

  • 13. Enabling the RDP app (& port)

  • 14. – Open Regedt32
       – Search for "PortNumber" (the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp; see the KB article on slide 42)

  • 15. – Change the port number
       – Create a new firewall rule for the new port
       – Reboot

  • 16. Use RDP with "<Server>:<PortNumber>"
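The whole RDP-port procedure from slides 11 to 16 as one elevated PowerShell script. This is an added example, not code from the deck: the new port 33890 is an assumed value, and the `Get-NetTCPConnection` / `*-NetFirewallRule` cmdlets it uses exist on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the slides): enable RDP, move it off TCP 3389, open the
# firewall for the new port, restart the listener and verify. Run elevated on the
# server. 33890 is an assumed port; pick a free one for your environment.
$NewPort = 33890

# "Review free ports first" (slide 29 says it for SQL Server; it applies here too).
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use on this host"
}

# 1. Slide 11: RDP is disabled by default. fDenyTSConnections = 0 enables it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Slides 14-15: the same "PortNumber" value the deck edits in Regedt32.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Slides 12-13 and 15: a new inbound rule for the new port, and the built-in
#    "Remote Desktop" rule group (pinned to 3389) switched off so the old port
#    is not left open by accident.
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 4. Slide 15 says reboot; restarting Remote Desktop Services is enough for the
#    listener to move. If you are on the box over RDP this drops your session.
Restart-Service TermService -Force

# 5. Check: something listens on the new port and nothing listens on 3389.
$listening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort
if (($listening -contains $NewPort) -and ($listening -notcontains 3389)) {
    "RDP now listens on TCP $NewPort. Connect with mstsc /v:<Server>:$NewPort (slide 16)."
} else {
    Write-Warning "Unexpected listener state: $($listening -join ', ')"
}
```

The check at the end is the part worth keeping: a port change is obfuscation, and a full-range scan still finds the listener, so the controls that matter are the firewall scope of the new rule and the account policy behind the logon prompt.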
  • 17. DEMO – Obfuscation • Change the RDP port • Rename the Windows Administrator account • Use a non-default instance / port • Rename the SA account

  • 18. {DEMO} Obfuscation :: Rename the Windows Administrator Account

  • 19. Open Computer Management > Local Users and Groups > Users

  • 20. Rename the account

  • 21. Open Properties and change the account details
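Slides 19 to 21 done from an elevated PowerShell prompt, with the two checks a practitioner adds: find the account by its well-known RID 500 instead of by name, and refuse to disable it if it is the only member of Administrators. This is an added example, not code from the deck; the new name `svc-hostops` and the description text are assumed, and the `Microsoft.PowerShell.LocalAccounts` cmdlets it uses ship with Windows 10 / Server 2016 and later (older hosts would use `net user` or WMI for the same steps).

```powershell
# Added example (not from the slides): rename the built-in Administrator account,
# set its details, and disable it until needed. Run elevated. "svc-hostops" and
# the description are assumed values.
$NewName = 'svc-hostops'

# Locate the built-in administrator by RID 500. Renaming changes the label only;
# the SID (and therefore this lookup) stays the same, which is also how an
# attacker who can enumerate local accounts finds it again.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in administrator (RID 500) not found' }

# Do not lock yourself out: require at least one other Administrators member.
$others = Get-LocalGroupMember -Group Administrators |
          Where-Object { $_.SID.Value -ne $builtin.SID.Value }
if (-not $others) { throw 'RID-500 is the only Administrators member; add another admin first' }

# Slide 20: rename.
if ($builtin.Name -ne $NewName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewName
}

# Slide 21: change the account details.
Set-LocalUser -Name $NewName -Description 'Break-glass account; enable via change ticket only'

# Slide 35's advice: renaming is step one, disabling until needed is the control.
Disable-LocalUser -Name $NewName

# Check: new name, same SID, disabled.
$after = Get-LocalUser -Name $NewName
if ($after.SID.Value -ne $builtin.SID.Value -or $after.Enabled) {
    throw "Unexpected state for $NewName"
}
[pscustomobject]@{ Name = $after.Name; SID = $after.SID.Value; Enabled = $after.Enabled }
```

Run the same `Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }` lookup afterwards to see why the rename alone buys little: the SID is unchanged, so the account is one query away for anyone who can enumerate users. Disabling it, and keeping a separate named admin account for daily work, is what actually reduces exposure.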
  • 22. DEMO – Obfuscation • Change the RDP port • Rename the Windows Administrator account • Use a non-default instance / port • Rename the SA account

  • 23. {DEMO} Obfuscation :: Changing the Instance & Port

  • 24. During SQL Server install, select a named instance instead of the default instance

  • 25. Named instance…

  • 26. Network protocols…

  • 27. Stopping the SQL Browser service stops it from advertising the instance name and port (it answers the UDP 1434 lookups clients use to resolve "<Server>\<Instance>" to a port)

  • 28. Network port for TCP/IP…

  • 29. Change the port (review free ports first!)

  • 30. Effects ::
       – No (local) instance is advertised any more
       – The instance listens on the new port
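Slides 26 to 30 as an elevated PowerShell script for an already-installed named instance: pin TCP/IP to a static non-default port, switch the SQL Browser off, open the firewall only from the application subnet, restart the engine and verify. This is an added example, not code from the deck. The instance name `SECURE`, port 14533 and subnet `10.20.30.0/24` are assumed values; the registry paths are the ones SQL Server Configuration Manager writes (`SuperSocketNetLib\Tcp\IPAll`), resolved through the `Instance Names\SQL` key so the script does not hard-code the `MSSQL11.*` instance id.

```powershell
# Added example (not from the slides): static non-default port for a named
# instance, SQL Browser disabled, scoped firewall rule, restart and check.
# Instance "SECURE", port 14533 and the subnet below are assumed values.
$Instance  = 'SECURE'
$NewPort   = 14533
$AppSubnet = '10.20.30.0/24'

# Slide 29: review free ports first.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP $NewPort is already in use on this host"
}

# Instance name -> instance id (e.g. MSSQL11.SECURE on SQL Server 2012).
$names = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId = $names.$Instance
if (-not $instanceId) { throw "Instance $Instance is not installed on this host" }
$tcp = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"

# Slides 26 and 28: the values behind Configuration Manager's TCP/IP protocol page.
# Named instances get a dynamic port by default; clear it and set a static one.
# (With "Listen All = No" the per-IP keys IP1, IP2, ... apply instead of IPAll.)
Set-ItemProperty -Path $tcp         -Name Enabled         -Value 1         -Type DWord
Set-ItemProperty -Path "$tcp\IPAll" -Name TcpDynamicPorts -Value ''        -Type String
Set-ItemProperty -Path "$tcp\IPAll" -Name TcpPort         -Value "$NewPort" -Type String

# Slide 27: with a static port the Browser is no longer needed; stop it answering
# UDP 1434 instance lookups at all.
Stop-Service SQLBrowser -ErrorAction SilentlyContinue
Set-Service  SQLBrowser -StartupType Disabled

# Firewall: allow the new port, but only from where the application lives.
New-NetFirewallRule -DisplayName "SQL Server $Instance (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AppSubnet -Action Allow -Profile Domain | Out-Null

# Restart the engine so the listener moves (service name MSSQL$<instance>).
Restart-Service "MSSQL`$$Instance" -Force

# Slide 30 check: the instance listens on the new port and the Browser is off.
$listen  = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
$browser = (Get-Service SQLBrowser).Status
if ($listen -and $browser -ne 'Running') {
    "Instance $Instance listens on TCP $NewPort; SQL Browser is $browser. Clients connect with '<Server>,$NewPort'."
} else {
    Write-Warning "Listener on $NewPort = $([bool]$listen); SQL Browser = $browser. Check the SQL Server error log."
}
```

Once the Browser is off, `<Server>\SECURE` alone no longer resolves; every connection string, SSMS session and linked server must say `<Server>,14533` (or `<Server>\SECURE,14533`). As with the RDP port, the non-default port is obfuscation; the `-RemoteAddress` scope on the firewall rule is the part that actually limits who can reach the listener.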
  • 31. DEMO – Obfuscation • Change the RDP port • Rename the Windows Administrator account • Use a non-default instance / port • Rename the SA account

  • 32. {DEMO} Obfuscation :: Rename the SA Account

  • 33. Basically, we only change the login's name (the external label); its SID stays the same

  • 34. Rename the account

  • 35. Additionally – Strong Passwords
    • Renaming accounts is a great first step
    • Disable the account so it cannot be used for login
      – Enable it when needed…
    • Additionally, you should ensure the password is VERY strong
      – Why? Because shorter / simpler passwords are cracked easily
    • Ref: Electrical Alchemy Information Security – see http://www.goodpassword.com/

  • 36. How Much Security is Enough?
    1. Estimate the value of data and objects
       – Intellectual Property
       – Customer Data
       – Marketing / Sales plans
       – Cost to redevelop
       – Corporate image
       – Compliance
    2. Estimate the risk of being compromised
    3. Estimate the cost of implementation
    4. Estimate the cost of on-going operations

  • 37. How Much Security is Enough?
    1. Estimate the value of data and objects
    2. Estimate the risk of being compromised
       – Closed system vs external facing
       – High-street brand vs bunkered back operations
       – New hair growth vs lemon stand formula
       – China / Russia vs Switzerland
    3. Estimate the cost of implementation
    4. Estimate the cost of ongoing operations

  • 38. How Much Security is Enough?
    1. Estimate the value of data and objects
    2. Estimate the risk of being compromised
    3. Estimate the cost of implementation
       – Layered security expert team at the NSA (Personnel)
       – Mixed hardware / software implementation (Complexity)
       – Existing vs customised solutions (Expense)
       – Three-month vs three-year fulfilment (Time)
    4. Estimate the cost of ongoing operations

  • 39. How Much Security is Enough?
    1. Estimate the value of data and objects
    2. Estimate the risk of being compromised
    3. Estimate the cost of implementation
    4. Estimate the cost of ongoing operations
       – Fail-safes vs recoverability
       – Secure backup (on- and off-site)
       – Personnel needed for maintenance and sustainability
       – Troubleshooting issues
       – Performance tuning

  • 40. Practices to Consider
    • Physical Security
      – Limit access to the machine itself, backups, and copies of data
      – Encrypt data files and backups – Transparent Data Encryption
    • Authentication
      – Logins – Windows Authentication, SQL Server Authentication
        • Strong passwords, password expiration policies
      – Endpoints – restrict connections by protocol, login, etc.
      – Encryption – more is needed than just to get in (protect the data in transit and at rest)
    • Authorization
      – Separation of duties
        • Permissions, users, roles; access through stored procedures or views only
      – No direct access to tables
      – No permissions granted directly to users; grant to roles and put users in roles
      – Separation of data
        • Instances, databases, schemas, views – or perhaps encrypt it with certificates or keys
      – Principle of least privilege
        • From service accounts to users and execution contexts
    • Auditing
      – Tracking who did what when – built into SQL Server 2008 (SQL Server Audit)
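The T-SQL behind slides 33 to 35 (rename sa, give it a very strong password, disable it) and the authorization bullets of slide 40 (rights on a role, users only as role members, no direct table access, least privilege), sent from PowerShell through .NET `SqlClient` so no extra module is needed. This is an added example, not code from the deck or from Microsoft; the server address `localhost,14533`, the database `AppDb`, and every login, role, schema and object name in it are assumed values created for the illustration, and the script must run as a sysadmin.

```powershell
# Added example (not from the slides): sa rename/disable plus role-based,
# procedure-only access, with a check of each step. Server, database, and all
# principal/object names are assumed values. Run as sysadmin.
Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection `
        'Server=localhost,14533;Integrated Security=SSPI;Database=master'
$conn.Open()

# Runs one batch; returns the first column of any rows (nothing for DDL).
function Invoke-Batch([string]$Sql) {
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
    $rdr = $cmd.ExecuteReader()
    $out = while ($rdr.Read()) { $rdr.GetValue(0) }
    $rdr.Close(); $out
}

# 64-character alphabet with no quote characters, so the result can sit inside a
# T-SQL string literal; 256 % 64 == 0, so "byte % 64" has no modulo bias.
function New-StrongPassword([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# --- Slides 33-35: sa keeps sid 0x01 / principal_id 1 whatever it is called ---
$saName = 'svc-sa-disabled'          # assumed new name
Invoke-Batch "IF SUSER_SNAME(0x01) = N'sa' ALTER LOGIN sa WITH NAME = [$saName];"
Invoke-Batch "ALTER LOGIN [$saName] WITH PASSWORD = N'$(New-StrongPassword)', CHECK_POLICY = ON;"
Invoke-Batch "ALTER LOGIN [$saName] DISABLE;"
$saState = Invoke-Batch @"
SELECT CASE WHEN name <> N'sa' AND is_disabled = 1 AND is_policy_checked = 1
            THEN 'OK' ELSE 'FAIL' END
FROM sys.sql_logins WHERE sid = 0x01;
"@
if ($saState -ne 'OK') { throw 'sa is still named sa, enabled, or outside password policy' }

# --- Slide 40: a role holds EXECUTE on the API schema; the app user is only a
# --- role member and gets no table access. Test objects are created for the demo.
Invoke-Batch "IF SUSER_ID(N'app_login') IS NULL CREATE LOGIN app_login WITH PASSWORD = N'$(New-StrongPassword)', CHECK_POLICY = ON;"
Invoke-Batch "USE AppDb;"
$authz = @(
    "IF SCHEMA_ID('api') IS NULL EXEC('CREATE SCHEMA api AUTHORIZATION dbo');",
    "IF OBJECT_ID('dbo.Customers') IS NULL CREATE TABLE dbo.Customers(Id int PRIMARY KEY, Name nvarchar(100), Ssn char(11));",
    "IF OBJECT_ID('api.GetCustomerName') IS NULL EXEC('CREATE PROCEDURE api.GetCustomerName @Id int AS SELECT Name FROM dbo.Customers WHERE Id = @Id');",
    "IF DATABASE_PRINCIPAL_ID('app_exec') IS NULL CREATE ROLE app_exec;",
    "GRANT EXECUTE ON SCHEMA::api TO app_exec;",
    # No direct table access. The procedure still works: dbo owns both api.* and
    # dbo.Customers, and an unbroken ownership chain skips the table check.
    "DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_exec;",
    "IF DATABASE_PRINCIPAL_ID('app_login') IS NULL CREATE USER app_login FOR LOGIN app_login;",
    "ALTER ROLE app_exec ADD MEMBER app_login;"
)
$authz | ForEach-Object { Invoke-Batch $_ }

# Check from the application user's point of view: EXECUTE yes, SELECT no.
$authzState = Invoke-Batch @"
EXECUTE AS USER = 'app_login';
SELECT CASE WHEN HAS_PERMS_BY_NAME('api.GetCustomerName', 'OBJECT', 'EXECUTE') = 1
             AND HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') = 0
            THEN 'OK' ELSE 'FAIL' END;
REVERT;
"@
if ($authzState -ne 'OK') { throw 'app_login can read tables directly or cannot execute the API' }
$conn.Close()
"sa renamed and disabled; app_login limited to EXECUTE on schema api"
```

The generated passwords are used once and never written anywhere, which is fine for a login that stays disabled; for `app_login` you would hand the value to the application's secret store instead. `ALTER ROLE ... ADD MEMBER` is SQL Server 2012 syntax (use `sp_addrolemember` on 2008). The `DENY` on schema `dbo` is belt and braces: it makes the "no direct access to tables" rule hold even if someone later grants the role broader rights, while the stored procedure keeps working through ownership chaining.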
  • 41. Summary
    • Security is an operational consideration
    • Data security is a cornerstone of security operations
    • SQL Server and Windows employ various techniques to secure the database environment
    • Obfuscation is step one
    • How much security?
      – It depends!

  • 42. Links and Resources
    • SQL Server Security Team Blog – http://blogs.msdn.com/sqlsecurity
    • Microsoft Patterns and Practices – http://msdn.microsoft.com/en-gb/practices/default.aspx
    • SQL Server Security Website – http://www.sqlsecurity.com
    • Security Best Practices – Operational and Administrative Tasks – http://sqlcat.com/whitepapers/archive/2007/12/16/sql-server-2005-security-best-practices-operational-and-administrative-tasks.aspx
    • SQL Server Security Forum – http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads
    • How to Change the RDP Port – http://support.microsoft.com/kb/306759
