
Securing your SQL Server


Become aware of some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, restricting or disabling system stored procedures, and preventative best practices. Most importantly, the session covers the most common security threat, SQL injection, and how to prevent it.

Published in: Technology


  1. # 66
  2. Securing your SQL Server
     Gabriel Villa
     email: [email_address]
     blog: www.extofer.com
     twitter: @extofer
  3. About Gabriel
     - MCPD, ASP.NET Developer
     - MCTS, SQL Server 2008 Database Development
     - SQL Server 7, 2000, 2005 and 2008
     - .Net Developer, VB.Net and C#
  4. Outline to Securing SQL Server
     - SQL Server Threats
     - Security Model
     - Authentication
     - Write Secure Code
     - Passwords
     - Physical Security
     - Security Patches
     - Network Security
     - Best Practices
  5. “Yes, I am a criminal. My crime is that of curiosity... My crime is that of outsmarting you, something that you will never forgive me for.” - The Mentor, written January 8, 1986
  6. SQL Server Threats
     - Social Engineering
       - Manipulating people to gather data
       - Not using technical cracking tools or techniques
     - SQL Injection
       - Any RDBMS is vulnerable, not just MS SQL Server
       - Attackers post SQL commands via front-end applications
       - Tools: ' , --, ;
  7. SQL Injection
  8. SQL Server Security Model
     - Principal
       - Windows Users
       - SQL Logins
     - Roles
       - Groups
     - Securable
       - Schemas
     Diagram labels: Windows Users, SQL Login, Database Users, DB Roles, Schemas
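The chain on this slide (Windows login, database user, database role, schema) written out in T-SQL, as an added example that is not from the deck; the login CORP\AppService, the database SalesDb, the schema Sales, the table Sales.Orders and the role SalesReader are placeholders.

```sql
-- Added example, not from the slides. Names below are placeholders.
USE master;
GO
-- Principal: a Windows login (an AD account or group) at the server level
CREATE LOGIN [CORP\AppService] FROM WINDOWS;
GO
USE SalesDb;
GO
-- Map the login to a database user; no db_owner, no ownership of anything
CREATE USER [AppService] FOR LOGIN [CORP\AppService];
GO
-- Role: permissions go to a role, users go into the role
CREATE ROLE SalesReader;
GO
-- Securable: grant on the schema, so current and future objects in Sales
-- are covered without per-table grants
GRANT SELECT  ON SCHEMA::Sales TO SalesReader;
GRANT EXECUTE ON SCHEMA::Sales TO SalesReader;
-- sp_addrolemember works on SQL Server 2008 (ALTER ROLE ... ADD MEMBER is 2012+)
EXEC sp_addrolemember N'SalesReader', N'AppService';
GO
-- Check: impersonate the user and list what it can actually do, then revert
EXECUTE AS USER = 'AppService';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('Sales', 'SCHEMA');          -- SELECT, EXECUTE only
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'DELETE') AS can_delete; -- 0
REVERT;
GO
```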
  9. Authentication
     - Windows Authentication
       - Active Directory integration
       - Supports groups
       - Use whenever possible
  10. Authentication
     - Mixed Authentication
       - Legacy or hard-coded referenced logins
       - Non-Windows clients
       - Connections over the Internet
  11. Authentication
  12. Write Secure Code
     - Valid SQL
     - Check for Valid Input
     - Use Stored Procedures
     - Use Parameters
     - Customize Error Messages
       - Avoid errors returning securable names
     - Source Control
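The same lookup written the way this slide warns against and the way it recommends, as an added example that is not from the deck; dbo.Customers, dbo.ErrorLog and the @Email parameter are placeholders.

```sql
-- Added example, not from the slides. dbo.Customers and dbo.ErrorLog are assumed.

-- BEFORE: dynamic SQL built by concatenation. A quote in @Email ends the
-- string literal, so the rest of the input is parsed as SQL (the ' -- ;
-- "tools" from the threats slide).
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Email NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Email = '''
        + @Email + N'''';
    EXEC (@sql);
END
GO

-- AFTER: stored procedure + parameter. The value is bound, never parsed as
-- SQL; input is checked first; error details stay on the server.
CREATE PROCEDURE dbo.FindCustomer @Email NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    -- Check for valid input before touching data
    IF @Email IS NULL OR LEN(@Email) = 0 OR CHARINDEX('@', @Email) = 0
    BEGIN
        RAISERROR('Invalid email address.', 16, 1);
        RETURN;
    END
    BEGIN TRY
        SELECT CustomerId, Name
        FROM dbo.Customers
        WHERE Email = @Email;          -- parameterized: no string building
    END TRY
    BEGIN CATCH
        -- Keep the real error (object names, line numbers) server-side
        INSERT INTO dbo.ErrorLog (ErrorNumber, ErrorMessage, OccurredAt)
        VALUES (ERROR_NUMBER(), ERROR_MESSAGE(), GETDATE());
        -- Return a custom message that reveals no securable names
        RAISERROR('The request could not be completed.', 16, 1);
    END CATCH
END
GO
```

The same rule applies on the .NET side: pass the value as a SqlParameter to the procedure rather than building the EXEC string yourself.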
  13. Passwords
     - DO NOT hardcode passwords
       - ASP.Net: encrypt web.config
       - Encrypt passwords in your code
     - Strong Passwords
       - 6 to 8 characters minimum
       - Leet speak or special characters (e.g. s = 5 or 3 = E)
     - SQLPing checks for default passwords
     - Change passwords frequently
  14. Physical Security
     - Lock the server room or rack when not in use
     - Restrict access by unauthorized individuals
     - If feasible, use security cameras
  15. Security Patches
     - Second Tuesday of every month
     - Test updates or hotfixes immediately on non-production servers
     - Schedule patches soon after they are tested
  16. Network Security
     - Avoid network shares on servers
     - Don’t surf the Web on the server
     - Only enable required protocols
     - Keep servers behind a firewall
  17. Best Practices
     - Encrypt your DB backups with third-party tools
     - Monitor failed login attempts
     - Disable system SPs (stored procedures)
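Two of the practices on this slide as T-SQL, added here and not part of the deck: turning off a system stored procedure with sp_configure, and pulling failed logins out of the SQL Server error log (requires failed-login auditing to be enabled under Server Properties > Security). sp_readerrorlog is a master-database wrapper around xp_readerrorlog; the #log table and its column names are assumptions that match its result set.

```sql
-- Added example, not from the slides.

-- 1. Disable a system stored procedure that is not needed (xp_cmdshell is
--    the usual candidate). Both settings are server-wide and need sysadmin.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
-- Verify: run_value should be 0
EXEC sp_configure 'xp_cmdshell';

-- 2. Monitor failed login attempts. With "Failed logins only" (or both)
--    selected under Server Properties > Security > Login auditing, each
--    failure is written to the error log. Arguments to sp_readerrorlog:
--    log number (0 = current), log type (1 = SQL Server), search string.
CREATE TABLE #log (LogDate DATETIME, ProcessInfo NVARCHAR(50), Text NVARCHAR(MAX));
INSERT INTO #log
    EXEC master.dbo.sp_readerrorlog 0, 1, 'Login failed';

-- Group by message text, which includes the login name and client address,
-- so repeated failures against one account stand out
SELECT COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen,
       Text
FROM #log
GROUP BY Text
ORDER BY failures DESC;

DROP TABLE #log;
```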
  18. Questions??
     - Please evaluate this session at
  19. Thank you and Feedback
     - Thank you for attending “Secure your SQL Server” at SQL Saturday #66
     - Please make sure to fill out the session evaluation and place it in the box in the back of the room