Hardening a SQL Server 2008
Implementation
Ross Mistry, Principal Consultant,
Convergent Computing (CCO)

Ross Mistry – Bio Summary
 Ross Mistry, Principal Consultant & Partner w/ Convergent Computing (CCO)
 Convergent Computing, CCO is located in the San Francisco Bay Area / Silicon Valley.
 Specialize in SQL Server Database Administration, High Availability, Active Directory,
Exchange, and Operations Manager
 Lead Author on “SQL Server 2005 Management and Administration” Based on Service
Pack 2
 Co-Author on “Windows Server 2008 Unleashed”
 Contributing Writer on “Exchange Server 2007 Unleashed” and “SharePoint Server
2007 Unleashed”
 Technical Editor on “SQL 2005 Unleashed” and “SQL 2005 Changing the Paradigm”
 Upcoming Books “SQL Server 2008 Management and Administration”
 Frequent Speaker for PASS, Connections and SQL User Groups
 Blog Site: http://www.networkworld.com/community/mistry
3

Topics
 Purpose & Challenges
 General Hardening and Security Techniques
 Security Configuration Tools
 Encryption
4

Purpose of Securing Data and it’s
Challenges
 Data Explosion
 Hosts Mission Critical Information
 Repository for Sensitive Data
 Regulatory Compliance
 Responsible DBA
 Job Security
 Where do I start?
5

General Hardening and Security
Techniques
PART 1

Understanding Authentication
Windows Authentication
• Default Setting
• Leverages Active Directory Accounts / Groups
• User & Service Accounts are governed by Active Directory
Policies
• Active Directory Audit Policies are Applied
• Multiple Password Policies – W2K8 Enhancement
• Domain Level Must be Windows Server 2008
• Only one set of passwords can be applied
• Kerberos Available with ALL protocols – SQL2K8 Enhancement
7

Understanding Authentication Cont’d
SQL Server Authentication (Mixed Mode)
• Leverages AD or SQL Server Accounts
• SQL Server continues to offer Password and Lockout Policies
based on the following items:
Password Complexity
Password Expiration
Account Lockouts
Force Users to Change
Password on Next Logon
8

Which Authentication Mode Should I
Select?
Windows Authentication is Recommended
• Additional Level of Protection w\\ Kerberos
• More Mature and Robust
• Best Practice – If possible use Windows Authentication
Mixed Mode may be Required
• Need to Support Legacy Applications / Clients
• Separation of Duties
9

SQL Server Account Policies
Screenshots
10

Hardening the SA Account
 Enforce a Strong Password:
Uppercase
& Length
Lowercase
Non
Contain
Alphanumeric
Numbers
Characters
 Disable and Rename the SA Account
 Best Practice – Do NOT use SA for Daily Admin or for
Application Authentication – BIG NO NO!!!!
11

Hardening SQL Server Service
Accounts
 Security Context:
 Domain
 Local
 Built-In
 Understand the Limitations
 Use the Principle of Least Privilege
 Service Account Isolation
 Best Practice – Use Configuration Tools to make Service
Account Changes
12

Ongoing Patch Management
 Install Service Packs and Critical Fixes
 Test in Isolated Lab
 Patch Management Strategies:
• Microsoft Update
• Download and Install
• Automate with System Center Configuration Manager 2007 or
WSUS
 Best Practice – Patch as soon as possible and Backup
System before Patching
13

Leverage SQL Server Security Logs
Understanding the Types of Logs Available:
• None
• Successful Logins Only
• Failed Logins Only
• Both Failed and Successful Logins
Best Practice – Capture both Failed and Successful Logins
and use a Solution such as ACS w\\ System Center
Operations Manager 2007 to Centralize Logging
14

SQL Server Security Logs Screen Shot
15

Enhanced Auditing Functionality
• Log Every SQL Server Action
• Two New Auditing Objects:
• Audit Object
• Audit Specification Object
• Save Actions to:
• Windows Application Log
• Windows Security Log
• File
• Consolidate to Satisfy Compliance
16

Enhanced Auditing Process
• Create Audit & Specify a Location
• Create One or More Audit Specifications
• Select a SQL Server Audit Action – 35 Groups
• Review Audit Logs
17

Use a Firewall to Filter Unwanted
Traffic
 Enable Firewall
 Place Server on Dedicated VLAN
 Integrated Windows Server 2008 Firewall is Sufficient
 New w\\ Windows Server 2008
• Supports both Inbound & Outbound Rules
• Integrated with Server Manager
• Dynamic Control with Group Policies
 If More Advanced is required then use ISA 2006
18

Network Connectivity Best Practices
 Limit the Network Protocols Supported
 Do not expose SQL Server to the Internet
 Use Specific Port Assignments
 Use SSL when using SQL Authentication
 Use “Allow Only Encrypted Connections”
19

Built-in / Administrators Group
 In the Past, this group had full control
 Allows all Local Administrators Full Access
 No longer Associated with the SysAdmin Role
 Best Practice
 Delete the Group
 Have a Backdoor
20

SQL Server Browser Service
 Listens to Incoming Requests
 Provides Instance Name, Port and Version Number
 Best Practice – Disable Service
 Manually Pass SQL information when connecting
21

DEMONSTRATIONS
General Hardening and Security
Techniques
22

Security Configuration Tools
PART 2

SQL Server Configuration Manager
Tool
Lock Down
• Services
• Network Configurations
• Native Client Configurations
• Client Protocols
• Aliases
• Hide Instances
24

Configuration Manager Tool Screen
Shots
25

Reducing SQL Server Surface Area
 SQL Server Tasks During and After Installation
• Install required components
• Configure and Lock Down Unnecessary Services
• Remove / Disable Unnecessary Features
 SAC has been depreciated in SQL Server 2008
 Replaced with Policy Based Management
 Best Practice – ONLY INSTALL WHAT YOU NEED!!!!
26

Policy Based Management
 Based on DMF Framework included in SQL Server 2008
 Create Configuration Policies for the Database Engine
 Replaces deprecated SAC Tool
 Reasons for Policy Based Management:
• Centralized Administration is more common
• Data Center Consolidation
• Proliferation of SQL Server instances and remote databases
• Reduce complexity for managing many servers
27

Policy Based Management
Components
Policy
Management
Explicit
Execution Modes
Administration
28

Policy Based Management Process
• Select a Policy-Based Management facet
1
• Define a Condition
2
• Define a Policy that Contains the Condition
3
• Validate Compliance against Policy
4
29

Policy Based Management Execution
Modes
On Demand
On
On
Change -
Schedule
Prevent
On Change - Log
Only
30

Hardening with Security Configuration
Wizard
 Included with Windows Server 2003 SP1 and / or
Windows Server 2008
 Build Custom Role Templates
 Integrate Templates with Active Directory
 Best Practice – Convert XML Template to GPO and Link
to OU
 Scwcmd.exe
31

Using Microsoft Baseline Security
Analyzer (MBSA)
Free download tool from MS
Identifies Security Vulnerabilities:
• User Accounts
• Missing Patches
• Weak Passwords
Caveat –SQL Server 2008 or Windows Server
2008 is not yet supported
32

SQL Server Best Practice Analyzer
Free download tool from Microsoft
Scans SQL Server Components
Identifies Common Configuration Anomalies
Best Practice – Schedule on a Periodic Basis such
as once a Month
Caveat – BPA for SQL Server 2008 has not been
released
33

IIS 7.0 & Lockdown Tool
IIS 7.0 on Windows Server 2008 is Slim and
Efficient
Modular Based Installation with Roles & Features
Templates Readily Available
Best Practice - Only Install Required Features for
SSRS
34

IIS 7.0 Features Installation
Screenshot
35

Demonstrations
Security Configuration Tools
36

Securing Physical Data including
Data in Transit
PART 3

SQL Server 2008 Data Encryption
Supports Native Encryption out of the box
Encryption can be applied at the:
• Database Level
• Granular - Cell Level
• Data in Transit
• Authentication
• File Folder
• Hard disks
38

Types of SQL Server 2008 Encryption
 Extensible Key Management (EKM) - SQL2K8 Enhancement
 Transparent Data Encryption (TPE) – SQL2K8 Enhancement
39

Transparent Data Encryption Process
 Create Master Key
 Create Certificate
 Create Database, Encryption Key
 Alter Database…, Set Encryption On
40

Types of SQL Server 2008 Encryption
Con’t
 Bitlocker Drive Encryption – W2K8 Enhancement
 Use PKI to secure Data in Transit
 Use SSL to secure SQL User Account Authentication
 EFS can be used to protect data at the folder level
41

Demonstrations
Data Encryption
42

Resources
 SQL Server 2005 Management & Administration
• Covers Administration, Monitoring, Management and Security
• 3 Chapters Dedicated to Security
• Available on amazon.com
 Windows Server 2008 Unleashed
• Available on amazon.com
 SQL Server 2008 Management & Administration
• Scheduled for September 2008 Release Date
43

Questions?

Thank you!