Sql tune in 2012 - securing your sql server - charley hanania - 2012-09-25 - zagreb croatia
Securing your SQL Server Installation
Charley Hanania, QS2 AG
B.Sc (Computing), MCP, MCDBA, MCITP, MCTS, MCT, Microsoft MVP: SQL Server
Senior Database Specialist

My Background
• Now:
– Microsoft MVP: SQL Server
– Database Consultant (again, and very happy) at QS2 AG
• Formerly:
– Production Product Owner of MS SQL Server Platform at UBS Investment Bank
• ITIL v3 Certified
• SQL Server Certified since 1988
– On SQL Server since 1995
– Version 4 on OS/2
• IT Professional since 1992
• PASS
– Chapter Leader – Switzerland
– Regional Mentor – Europe
– European PASS Conference Lead
– Event Speaker
– Database Days Conference Switzerland

Contact Info
• Email: Charley.Hanania@sqlpass.org
• Website: http://www.sqlpass.ch
• Twitter: http://www.twitter.com/CharleyHanania
• Blog: http://blogs.mssqltips.com/blogs/charleyhanania
• Linked-in: http://www.linkedin.com/in/charleyhanania

Session Outline
• General areas of focus dealing with Security
• Windows & SQL Server – “Secure By Default”
• 80 :: 20 – Simple items that make a big difference
• How Much Security is Enough?
• Practices to Consider

General Areas
• Areas generally looked at when speaking about security
– Physical Access
– Network
– Application
– Operating System
– DBMS
– Intellectual Property (IP)
– Data Privacy (Customer Data Usage)
– Segregation of duties
• Privileged access
• Privileged information

Windows Server – “Secure By Default”
• Since Windows 2008, Microsoft has focussed on the idea of Secure by Default.
• When Windows is installed
– Only the Roles and Features needed are installed
– Only essential connections are enabled
– Password Policies are more explicit

SQL Server – “Secure By Default”
• Since SQL Server 2005, Microsoft has focussed on the idea of Secure by Default.
• When SQL Server is installed
– Only the features needed to run are enabled
– Only essential connections are configured
– Connection methodologies are also influenced.

Scopes of Protection (diagram of nested scopes, outer to inner, with the labels shown at each level)
• Windows Server – Accounts, Groups, Rights, Permissions
• SQL Server Instance (one or more per server) – Roles, Endpoints, Logins
• SQL Server System Databases and SQL Server User Databases – Roles, Users, Permissions
• Schemas – Objects – Permissions

DEMO
• Obfuscation
• Change the RDP Port
• Rename the Windows Administrator Account
• Use Non-Default Instance / Port
• Rename the SA Account

DEMO – Obfuscation :: Changing the RDP Port

Windows disables RDP by default. Enabling it requires opening the firewall port too…

Windows Firewall

Enabling the RDP App (& Port)

- Open Regedt32
- Search for “PortNumber”

- Change the port number
- Create a new firewall rule for the new port
- Reboot

Use RDP with “<Server>:<PortNumber>”

DEMO
• Obfuscation
• Change the RDP Port
• Rename the Windows Administrator Account
• Use Non-Default Instance / Port
• Rename the SA Account

DEMO – Obfuscation :: Rename Win Admin Account

Open Computer Management – Local Users and Groups – Users

Rename the Account

Open Properties – Change the Account Details

DEMO
• Obfuscation
• Change the RDP Port
• Rename the Windows Administrator Account
• Use Non-Default Instance / Port
• Rename the SA Account

DEMO – Obfuscation :: Changing Instance & Port

During SQL Server Install, select a named instance instead of the default

Named Instance…

Network Protocols…

This stops SQL Browser from broadcasting the instance name

Network Port for TCP/IP…

Change the Port (review free ports first!)

Effects ::
- No (local) default instance
- Instance listens on the new port
DEMO
• Obfuscation
• Change the RDP Port
• Rename the Windows Administrator Account
• Use Non-Default Instance / Port
• Rename the SA Account

DEMO – Obfuscation :: Rename SA Account

Basically, we change the login label (external)

Rename the Account

Additionally – Strong Passwords
• Renaming accounts is a great 1st step
• Disable the account from being usable for login.
– Enable when needed…
• Additionally, you should ensure the password is VERY strong.
– Why? Because shorter/simple passwords are cracked easily
• Ref: Electrical Alchemy Information Security
– See http://www.goodpassword.com/
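The instance/port slides and the SA-login slides above come together in the following T-SQL, an example added here rather than taken from the deck; the login name svc_admin_renamed and the password literal are placeholders, and the lookup by SID 0x01 relies on sa keeping its fixed SID after a rename.

```sql
-- Added example, not part of the deck. Placeholders: svc_admin_renamed, password literal.
USE master;
GO

-- Named instance / port check: which instance is this session on, and which TCP port?
-- local_tcp_port is NULL for shared-memory or named-pipe sessions, so connect over TCP.
SELECT SERVERPROPERTY('InstanceName') AS instance_name,   -- NULL means the default instance
       c.local_tcp_port
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
GO

-- Rename sa, set a long policy-checked password, then disable it.
-- Make sure another sysadmin login (ideally a Windows group) exists before disabling sa.
ALTER LOGIN sa WITH NAME = [svc_admin_renamed];
GO
ALTER LOGIN [svc_admin_renamed]
    WITH PASSWORD = 'Replace-With-A-Long-Random-Passphrase-9x!',  -- placeholder
         CHECK_POLICY = ON,        -- apply the Windows complexity / lockout policy
         CHECK_EXPIRATION = ON;    -- requires CHECK_POLICY = ON
GO
ALTER LOGIN [svc_admin_renamed] DISABLE;   -- re-enable only while it is actually needed
GO

-- Verify: sa keeps SID 0x01 whatever it is renamed to, so is_disabled and
-- is_policy_checked should both read 1 for the renamed login.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;
GO
```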
How Much Security is Enough?
1. Estimate value of data and objects
– Intellectual Property
– Customer Data
– Marketing/Sales plans
– Cost to redevelop
– Corporate image
– Compliance
2. Estimate risk of being compromised
3. Estimate cost of implementation
4. Estimate cost of on-going operations

How Much Security is Enough?
1. Estimate value of data and objects
2. Estimate risk of being compromised
– Closed System vs External Facing
– High Street Brand vs Bunkered Back Operations
– New Hair Growth vs Lemon Stand Formula
– China / Russia vs Switzerland
3. Estimate cost of implementation
4. Estimate cost of ongoing operations

How Much Security is Enough?
1. Estimate value of data and objects
2. Estimate risk of being compromised
3. Estimate cost of implementation
– Layered Security Expert Team at the NSA (Personnel)
– Mixed Hardware / Software Implementation (Complexity)
– Existing vs Customised Solutions (Expense)
– Three Month vs Three Year Fulfillment (Time)
4. Estimate cost of ongoing operations

How Much Security is Enough?
1. Estimate value of data and objects
2. Estimate risk of being compromised
3. Estimate cost of implementation
4. Estimate cost of ongoing operations
– Fail-safes vs Recoverability
– Secure Backup (on and off-site)
– Personnel needed for maintenance and sustainability
– Troubleshooting issues
– Performance Tuning

Practices to Consider
• Physical Security
– Limiting access to the machine itself, backups, and copies of data
– Encryption of data files and backups – Transparent Data Encryption
• Authentication
– Logins – Windows Authentication, SQL Server Authentication
  • Strong passwords, password expiration policies
– Endpoints – restrict connections by protocol, login, etc.
– Encryption – more is needed than just to get in.
• Authorization
– Separation of duties
  • Permissions, users, roles, access through SPs or views only
– No direct access to tables
– No permissions directly to users; grant to roles and put users in roles
– Separation of data
  • Instances, databases, schemas, views – or perhaps encrypt it with certificates or keys
– Principle of least privilege
  • from service accounts to users and execution contexts
• Auditing
– Tracking who did what when – built into SQL Server 2008
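The authorization and auditing practices on the slide above, as added example T-SQL that is not from the deck: access goes through a role and a stored procedure, two catalog queries check for direct-to-user and direct-to-table grants, and a SQL Server Audit (2008+) records failed logins and permission changes. AppDb, app_reader, dbo.usp_GetCustomer, AppLogin, AppUser and the audit file path are placeholders.

```sql
-- Added example, not part of the deck. All object names and the path are placeholders.
USE AppDb;
GO
-- Grant EXECUTE on the procedure to a role; never SELECT on the base table.
-- With the procedure and table both owned by dbo, ownership chaining means the
-- caller needs no table permission at all.
CREATE ROLE app_reader;
GRANT EXECUTE ON OBJECT::dbo.usp_GetCustomer TO app_reader;
GO
-- Users receive access only through role membership, never by direct grant.
CREATE USER AppUser FOR LOGIN AppLogin;
ALTER ROLE app_reader ADD MEMBER AppUser;   -- SQL Server 2012+; sp_addrolemember on 2008
GO
-- Check 1: object permissions granted directly to users or groups instead of roles.
SELECT pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                            -- object or column permission
  AND pr.type IN ('S', 'U', 'G')              -- SQL user, Windows user, Windows group
  AND pr.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');
-- Check 2: any principal other than dbo holding rights on a base table (expect no rows).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc, t.name AS table_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.tables AS t ON t.object_id = pe.major_id
WHERE pe.class = 1 AND pr.name <> 'dbo';
GO
-- Auditing: failed logins and server-level permission / role changes to a file.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = 'D:\Audit\')          -- placeholder path on a restricted volume
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
```

Read the captured events with sys.fn_get_audit_file over the same path; the two SELECTs should return no rows on a database that follows the slide's rules.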
Summary
• Security is an Operational Consideration
• Data Security is a cornerstone of Security Operations
• SQL Server and Windows employ various techniques to secure the database environment
• Obfuscation is Step One
• How much Security?
– It Depends!

Links and Resources
• SQL Server Security Team Blog: http://blogs.msdn.com/sqlsecurity
• Microsoft Patterns and Practices: http://msdn.microsoft.com/en-gb/practices/default.aspx
• SQL Server Security Website: http://www.sqlsecurity.com
• Security Best Practices – Operational and Administrative Tasks: http://sqlcat.com/whitepapers/archive/2007/12/16/sql-server-2005-security-best-practices-operational-and-administrative-tasks.aspx
• SQL Server Security Forum: http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads
• How to Change the RDP Port: http://support.microsoft.com/kb/306759