Securing your SQL Server - Denver, RMTT

Become aware of some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, restricting or disabling system stored procedures, and preventative best practices. And most importantly, discuss the most commonly used security threat: SQL


Slide 2: Securing your SQL Server
  Gabriel Villa
  email: [email_address]
  blog: www.extofer.com
  twitter: @extofer

Slide 3: About Gabriel
  - MCPD, ASP.NET Developer
  - MCTS, SQL Server 2008 Database Development
  - SQL Server 7, 2000, 2005 and 2008
  - .NET Developer, VB.NET and C#

Slide 4: Outline to Securing SQL Server
  - Security Model
  - SQL Server Threats
  - Write Secure Code
  - Auditing
  - Passwords
  - Physical Security
  - Security Patches
  - Network Security
  - Best Practices Resources

Slide 5: "Yes, I am a criminal. My crime is that of curiosity... My crime is that of outsmarting you, something that you will never forgive me for." - The Mentor, written January 8, 1986

Slide 6: SQL Server Security Model
  - Principal
    - Windows Users
    - SQL Logins
  - Roles
    - Groups
  - Securables
    - Schemas
  (Diagram labels: Windows Users, SQL Login, Database Users, DB Roles, Schemas)

Slide 7: Authentication
  - Windows Authentication
    - Active Directory integration
    - Supports groups
    - Use whenever possible

Slide 8: Authentication
  - Mixed Authentication
    - Legacy or hard-coded referenced logins
    - Non-Windows clients
    - Connections over the Internet

Slide 9: Authentication (no slide text)

Slide 10: Roles
  - Group users into roles based on usage
  - Database roles and server roles
  - Server-level roles
    - sysadmin, bulkadmin, securityadmin, dbcreator

Slide 11: Securables
  - Use schemas to secure database objects
    - A schema is a namespace container
    - Simplifies access permissions
  - Group objects into schemas
  - Grant permissions to schemas, not objects
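The Roles and Securables slides together describe one pattern: map a Windows group to a database user, collect users into a role by usage, and grant on the schema rather than on each object. The T-SQL below is an added example, not from the slides; SalesDb, the Sales schema and the Windows group CONTOSO\SalesReaders are placeholder names.

```sql
-- Constructed example, not from the slides. SalesDb and the Windows group
-- CONTOSO\SalesReaders are placeholder names.
CREATE LOGIN [CONTOSO\SalesReaders] FROM WINDOWS;   -- Windows auth: a group, not individuals
GO
USE SalesDb;
GO
-- A schema is a namespace container: put related objects under one name.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    Customer NVARCHAR(100) NOT NULL,
    Amount   DECIMAL(10, 2) NOT NULL
);
-- An existing table still sitting in dbo is moved into the schema.
CREATE TABLE dbo.Invoices (InvoiceId INT PRIMARY KEY, OrderId INT NOT NULL);
ALTER SCHEMA Sales TRANSFER dbo.Invoices;
GO
-- Map the Windows group to a database user, then group users by usage in a role.
CREATE USER [CONTOSO\SalesReaders] FOR LOGIN [CONTOSO\SalesReaders];
CREATE ROLE SalesReader;
EXEC sp_addrolemember 'SalesReader', 'CONTOSO\SalesReaders';  -- ALTER ROLE ... ADD MEMBER on 2012+
GO
-- Grant on the schema, not on each object: every current and future table in
-- Sales is covered, and no per-object GRANT can be forgotten.
GRANT SELECT ON SCHEMA::Sales TO SalesReader;
GO
-- Verify: list every permission granted at schema scope in this database.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc,
       SCHEMA_NAME(pe.major_id) AS schema_granted
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'SCHEMA';
```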
Slide 12: SQL Server Threats
  - Social Engineering
    - Manipulating people to gather data
    - Does not rely on technical cracking tools or techniques
  - SQL Injection
    - Affects any RDBMS, not just MS SQL Server
    - Attackers post SQL commands via front-end applications
    - Tools: ' , -- , ;

Slide 13: SQL Injection (no slide text)

Slide 14: Write Secure Code
  - Check for valid input
  - DDL triggers
  - Use stored procedures
  - Use parameters
  - Customize error messages
    - Avoid errors returning securable names
  - Source control
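"Use stored procedures", "Use parameters" and "Customize error messages" are the three items on this slide that show up directly in T-SQL. The following is an added example, not from the slides: a procedure that builds its statement by string concatenation beside the parameterized version, with a TRY/CATCH that logs the real error server-side and returns a generic one. Sales.Orders and dbo.ErrorLog are placeholder tables created inline so the procedures compile.

```sql
-- Constructed example, not from the slides. Sales.Orders and dbo.ErrorLog are
-- placeholder tables created here so that the procedures compile.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Orders (OrderId INT IDENTITY PRIMARY KEY,
                           Customer NVARCHAR(100) NOT NULL, Amount DECIMAL(10, 2) NOT NULL);
CREATE TABLE dbo.ErrorLog (LoggedAt DATETIME2 DEFAULT SYSUTCDATETIME(),
                           ErrorText NVARCHAR(4000));
GO
-- BEFORE: the caller's input is pasted into the statement text, so a quote,
-- "--" or ";" in @Customer (the threats slide) rewrites the query itself.
-- (A static SELECT would do here; dynamic SQL is shown because it is where
-- injection enters when a procedure does need it.)
CREATE PROCEDURE Sales.FindOrders_Unsafe @Customer NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT OrderId, Amount FROM Sales.Orders WHERE Customer = ''' + @Customer + N'''';
    EXEC (@sql);   -- code and data are mixed: this is SQL injection
END;
GO
-- AFTER: fixed statement text; the value travels as a typed parameter.
CREATE PROCEDURE Sales.FindOrders @Customer NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        -- sp_executesql binds @c as data; a quote in the value is just a character.
        EXEC sp_executesql
            N'SELECT OrderId, Amount FROM Sales.Orders WHERE Customer = @c',
            N'@c NVARCHAR(100)',
            @c = @Customer;
    END TRY
    BEGIN CATCH
        -- Customized error: keep the real message (which may name tables and
        -- columns, i.e. securables) server-side; return a generic one to the caller.
        INSERT INTO dbo.ErrorLog (ErrorText) VALUES (ERROR_MESSAGE());
        RAISERROR(N'Order lookup failed; the error has been logged.', 16, 1);
    END CATCH;
END;
GO
-- A customer named O'Brien is handled correctly by the parameterized version.
EXEC Sales.FindOrders @Customer = N'O''Brien';
```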
Slide 15: Auditing
  - Server and database level events
    - Server operations
    - Database actions
  - Audit failed login attempts
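Two of the items above, "Audit failed login attempts" here and "DDL triggers" on the Write Secure Code slide, can be implemented with SQL Server Audit and a database-level DDL trigger. This is an added example, not from the slides; the audit path D:\SqlAudit\ and the database SalesDb are placeholders, and the Audit objects require SQL Server 2008 or later.

```sql
-- Constructed example, not from the slides. The audit path D:\SqlAudit\ and the
-- database SalesDb are placeholders; Audit objects need SQL Server 2008 or later.
USE master;
GO
-- 1. Server-level audit of failed logins, written to rolling files.
CREATE SERVER AUDIT FailedLoginAudit
    TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION FailedLoginSpec
    FOR SERVER AUDIT FailedLoginAudit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT FailedLoginAudit WITH (STATE = ON);
GO
-- Review: failures per login over the last 24 hours (event_time is UTC).
-- A burst against one login, such as a default account, is the pattern to look at.
SELECT server_principal_name, COUNT(*) AS failures, MAX(event_time) AS last_failure
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                       -- LGIF = login failed
  AND event_time > DATEADD(HOUR, -24, GETUTCDATE())
GROUP BY server_principal_name
ORDER BY failures DESC;
GO
-- 2. Database-level DDL trigger (the secure-code slide): refuse DROP TABLE and
-- keep a record of who tried.
USE SalesDb;
GO
CREATE TABLE dbo.DdlLog (EventTime DATETIME2 DEFAULT SYSUTCDATETIME(),
                         LoginName SYSNAME, EventData XML);
GO
CREATE TRIGGER trg_BlockTableDrop ON DATABASE FOR DROP_TABLE
AS
BEGIN
    -- Roll back first: the DDL runs inside the trigger's transaction, and an
    -- INSERT made before ROLLBACK would be undone along with the DROP.
    ROLLBACK;
    INSERT INTO dbo.DdlLog (LoginName, EventData) VALUES (ORIGINAL_LOGIN(), EVENTDATA());
    RAISERROR(N'DROP TABLE is blocked here; use the change-control process.', 16, 1);
END;
GO
```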
Slide 16: Passwords
  - DO NOT hardcode passwords
    - ASP.NET: encrypt web.config
    - Encrypt passwords in your code
  - Strong passwords
    - Minimum of 6 to 8 characters
    - Leet speak or special characters (e.g. s = 5 or 3 = E)
  - SQLPing checks for default passwords
  - Change passwords frequently

Slide 17: Physical Security
  - Lock the server room or rack when not in use
  - Restrict access by unauthorized individuals
  - If feasible, use security cameras

Slide 18: Security Patches
  - Second Tuesday of every month
  - Test updates or hotfixes immediately on non-production servers
  - Schedule patches soon after they are tested

Slide 19: Network Security
  - Avoid network shares on servers
  - Don't surf the Web on the server
  - Only enable required protocols
  - Keep servers behind a firewall

Slide 20: Best Practices Resources
  - Encrypt your DB backups
    - Third-party tools
  - Restrict system stored procedures and extended stored procedures (XPs)
  - Download HP Scrawlr
  - Discover Wizard
  - http://www.sqlservercentral.com/Books/
    - Defensive Database Programming by Alex Kuznetsov
    - Protecting SQL Server Data by John Magnabosco
    - SQL Server Tacklebox by Rodney Landrum
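The Passwords slide ("Strong passwords", "Change passwords frequently") and the "Restrict system stored procedures and XPs" item above both map to server-level settings that can be enforced and then checked from T-SQL. The script below is an added example, not from the slides; the login AppSvc and its password are placeholders.

```sql
-- Constructed example, not from the slides. AppSvc and its password are placeholders.
USE master;
GO
-- Strong passwords, enforced: CHECK_POLICY applies the Windows password policy
-- (length, complexity, lockout) to a SQL login; CHECK_EXPIRATION forces rotation.
CREATE LOGIN AppSvc WITH PASSWORD = N'<placeholder-strong-password>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- Check: SQL logins that still bypass policy or expiry, typically the legacy or
-- hard-coded logins that mixed authentication was kept for.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
-- Fix each login the query returns:
ALTER LOGIN AppSvc WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- Restrict extended procedures: the weak setting is xp_cmdshell = 1 (an OS shell
-- for anyone who can execute the proc); the corrected setting is 0.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO
-- Verify the surface-area settings actually in use (value_in_use should be 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
```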
Slide 21: Questions??
  - Please evaluate this session at http://speakerrate.com/extofer
  - Slide deck at http://www.extofer.com