SQL Server Security and Intrusion Prevention

Is your data secured? Are you a victim of a SQL injection hack?

In this session, you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa will explain aspects of physical security, passwords, privileges and roles, and preventative best practices. He will also demonstrate auditing and look at some .Net code samples to use in your applications, and show the new security features in SQL Server 2012.

Published in: Technology
  1. Recently moved to Colorado Springs; SQL Server 7, 2000, 2005 and 2008; .Net developer (VB.Net and C#); www.extofer.com; twitter: @extofer
  2. Agenda: Security Model, Authentication, Passwords, Threats, Physical Security and other best practices
  3. Security model: Principals (Windows users, SQL logins, database users, roles/DB roles, groups) and Securables (schemas)
  4. Windows Authentication: domain or local Windows account; Active Directory integration; supports groups; use whenever possible
  5. Mixed Authentication: legacy or hard-coded referenced logins; non-Windows clients; connections over the Internet
  6. Strong passwords: 10–12 characters in length; use upper and lower case, numbers and special characters (symbols); l33t speak (E = 3, A = 4 or @, T = + or 7); l33t password generator
  7. DO NOT hardcode passwords; ASP.Net: encrypt web.config; encrypt passwords in your code; SQLPing checks for default passwords; change passwords frequently; do not reuse the same passwords
  8. Threats: social engineering; SQL injection; beware of port sniffers
  9. Social engineering: manipulating people to gather data, not using technical cracking tools or techniques
  10. SQL injection: any RDBMS is vulnerable, not just MS SQL Server; attackers post SQL commands via front-end applications; tools: ' , --, ;
  11. Defenses: check for valid input; DDL triggers; use stored procedures; use parameters; customize error messages; avoid errors that return securable names
  12. Change the default port
  13. Physical security: lock the server room or rack when not in use; restrict access by unauthorized individuals; if feasible, use security cameras
  14. Patching: second Tuesday of every month; test updates or hotfixes immediately on non-production servers; schedule patches soon after they are tested
  15. Avoid network shares on servers; don't surf the Web on the server; only enable required protocols; keep servers behind a firewall
  16. Encrypt your DB backups; test backups by restoring; restrict system stored procedures and extended stored procedures (XP)
  17. Resources: http://www.sqlservercentral.com/Books/ ; Defensive Database Programming by Alex Kuznetsov; Protecting SQL Server Data by John Magnabosco; SQL Server Tacklebox by Rodney Landrum
  18. Slide deck at http://www.extofer.com; Gabriel Villa; email: extofer@gmail.com; blog: www.extofer.com; twitter: @extofer
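The following C# example is added here to illustrate the SQL injection slides (10 and 11); it is not code from the deck or from the presenter. It contrasts a query built by string concatenation, where the `'`, `--` and `;` characters listed on slide 10 change the statement's meaning, with a parameterized call to a stored procedure, and it shows the "check for valid input" and "customize error messages / avoid returning securable names" advice in practice. The `Users` table, the `dbo.GetUserByName` stored procedure and the allowed-character policy are assumptions made for the example; the connection string is a placeholder that, per slide 7, would be read from an encrypted web.config rather than hardcoded.

```csharp
// Added example (not from the slide deck). Assumes a hypothetical Users table
// with Name/Email columns and a hypothetical stored procedure
// dbo.GetUserByName(@Name nvarchar(50)). The connection string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // VULNERABLE (the "before"): the user-supplied value is spliced into the
    // statement text, so an input containing ' , -- or ; becomes part of the
    // SQL instead of being treated as data.
    public static string BuildVulnerableQuery(string name)
    {
        return "SELECT Name, Email FROM Users WHERE Name = '" + name + "'";
    }

    // SAFE: the value travels as a typed parameter to a stored procedure.
    // The statement text never changes, so quotes and comment markers in the
    // input are just characters in a string ("Use Parameters", "Use Stored Procedures").
    public static DataTable GetUserSafe(string connectionString, string name)
    {
        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }

    // "Check for Valid Input": reject anything outside the expected shape
    // before it reaches the database. The policy (letters, digits, '.', '_'
    // and '-', at most 50 characters) is a constructed one for this example.
    public static bool IsValidUserName(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 50) return false;
        foreach (char c in name)
        {
            if (!(char.IsLetterOrDigit(c) || c == '.' || c == '_' || c == '-'))
                return false;
        }
        return true;
    }

    // "Customize Error Messages": record the SqlException detail on the server
    // side, but hand the caller a generic message so table, column and
    // procedure names (securables) never leak through error text.
    public static string LookupUser(string connectionString, string name)
    {
        if (!IsValidUserName(name))
            return "Invalid user name.";
        try
        {
            DataTable rows = GetUserSafe(connectionString, name);
            return rows.Rows.Count == 0
                ? "No such user."
                : "Found " + rows.Rows.Count + " user(s).";
        }
        catch (SqlException ex)
        {
            // Internal log only; ex.Message may name objects and must not be returned.
            Console.Error.WriteLine("DB error {0}: {1}", ex.Number, ex.Message);
            return "The request could not be completed.";
        }
    }

    public static void Main()
    {
        // Constructed input showing why concatenation is unsafe: the quote and
        // comment marker rewrite the WHERE clause. The safe path never builds
        // such a string, and input validation rejects this value outright.
        string hostile = "x' OR 1=1 --";
        Console.WriteLine(BuildVulnerableQuery(hostile));
        Console.WriteLine("valid? " + IsValidUserName(hostile));   // false
        Console.WriteLine("valid? " + IsValidUserName("g.villa")); // true
    }
}
```

The validation check is a first line of defense only; the parameterized stored-procedure call is what actually keeps data and code separate, and the two are meant to be used together rather than as alternatives.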