SqlSa94

Is your data secured? Are you a victim of SQL Injection? You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and we will take a quick look at some .Net code samples to use in your applications. Get up to speed on the new security features in "Denali", the next version of SQL Server. Take away the 20/20 vision to identify SQL Injection and other database vulnerabilities, and learn how to prevent them.

SQL Server Security & Intrusion Prevention

“Please allow me to introduce myself” … Rolling Stones
Gabriel Villa
  • SQL Server 7, 2000, 2005 and 2008
  • .Net Developer, VB.Net and C#
  • www.extofer.com
  • twitter: @extofer

Session Outline
  • SQL Server Threats
  • Security Model
  • Auditing
  • Write Secure Code
  • Best Practices
  • Physical Security
  • Security Patches
  • Network Security
  • Resources

SQL Server Threats
  • Social Engineering
      ◦ Manipulating people to gather data
      ◦ Not using technical cracking tools or techniques
  • SQL Injection
      ◦ Any RDBMS is vulnerable, not just MS SQL Server
      ◦ Attackers post SQL commands via front-end applications
      ◦ Tools: ‘ , --, ;

SQL Injection

SQL Server Security Model
  • Principal
      ◦ Windows Users
      ◦ SQL Logins
      ◦ Roles
      ◦ Groups
  • Securables
      ◦ Schemas
  (diagram: Windows Users, SQL Login, Database Users, DB Roles, Schemas)

Authentication
  • Windows Authentication
      ◦ Active Directory Integration
      ◦ Supports Groups
      ◦ Use Whenever Possible

Authentication
  • Mixed Authentication
      ◦ Legacy or Hard-Coded Referenced Logins
      ◦ Non-Windows Clients
      ◦ Connections over the Internet

Authentication

Passwords
  • DO NOT hardcode passwords
      ◦ ASP.Net: encrypt web.config
      ◦ Encrypt passwords in your code
  • Strong Passwords
      ◦ 8 to 10 characters minimum
      ◦ L33t speak or special characters (i.e. s = 5 or 3 = E)
  • SQLPing checks for default passwords
  • Change passwords frequently

Roles
  • Group users into roles based on usage
  • Database Roles and Server Roles
  • Server-Level Roles
      ◦ sysadmin, bulkadmin, securityadmin, dbcreator

Roles and “Denali” Roles
  • Group users into roles based on usage
  • Database Roles and Server Roles
  • Server-Level Roles
      ◦ sysadmin, bulkadmin, securityadmin, dbcreator
  • “Denali” User-Defined Server Roles
      ◦ Allow creation of new Server Roles
      ◦ Help prevent the use of sysadmin

Securables
  • Using Schemas to secure database objects
      ◦ A schema is a namespace container
      ◦ Simplifies Access Permissions
  • Group objects into Schemas
  • Grant permissions to schemas, not objects

Auditing
  • Server- and Database-Level Events
      ◦ Server Operations
      ◦ Database Actions
  • Audit Specifications
      ◦ Server Audit Specification
      ◦ Audit Failed Login Attempts

New “Denali” Auditing Features
  • SQL Auditing for all editions
  • User-Defined Audit – applications write custom events to the audit logs
  • Filtering – filter unwanted events
  • Resilience – recover auditing data from a temporary file after network issues

Write Secure Code
  • Check for Valid Input
  • DDL Triggers
  • Use Stored Procedures
  • Use Parameters
  • Customize Error Messages
      ◦ Avoid errors that return securable names
  • Source Control

Best Practices
  • Physical Security
  • Windows Updates
  • Network Security

Physical Security
  • Lock the server room or rack when not in use
  • Restrict access by unauthorized individuals
  • If feasible, use security cameras

Security Patches
  • Second Tuesday of every month
  • Test updates or hotfixes immediately on non-production servers
  • Schedule patches soon after they are tested

Network Security
  • Avoid network shares on servers
  • Don’t surf the Web on the server
  • Only enable required protocols
  • Keep servers behind a firewall

Other Tips
  • Encrypt your DB backups
  • Test backups by restoring them
  • Restrict system stored procedures and extended stored procedures (XPs)

Best Practices Resources
  • http://www.sqlservercentral.com/Books/
  • Defensive Database Programming by Alex Kuznetsov
  • Protecting SQL Server Data by John Magnabosco
  • SQL Server Tacklebox by Rodney Landrum

Questions??
Slide Deck at http://www.extofer.com
Gabriel Villa
email: extofer@gmail.com
blog: www.extofer.com
twitter: @extofer
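Added example, not from the deck: the user-defined server role described on the “Denali” Roles slide together with the schema-scoped grants from the Securables slide. The server role, database, schema, role and AD group names are all assumed for illustration.

```sql
-- Added example (not from the deck): a user-defined server role from the
-- "Denali" Roles slide and schema-scoped grants from the Securables slide.
-- Server, database, schema and AD group names are constructed.
-- Server level: an operations role that manages logins and reads server
-- state without holding sysadmin.
CREATE SERVER ROLE OpsAdmin;
GRANT ALTER ANY LOGIN TO OpsAdmin;
GRANT VIEW SERVER STATE TO OpsAdmin;
CREATE LOGIN [CORP\ops_team] FROM WINDOWS;          -- an AD group, not individual users
ALTER SERVER ROLE OpsAdmin ADD MEMBER [CORP\ops_team];
GO
-- Database level: base tables live in Sales, report views in Reporting;
-- readers get a single grant on the Reporting schema and nothing on Sales.
USE SalesDb;
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE SCHEMA Reporting AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT NOT NULL,
    Amount     DECIMAL(10,2) NOT NULL,
    CardNumber CHAR(16) NOT NULL         -- sensitive column, kept out of the view
);
GO
CREATE VIEW Reporting.OrderSummary AS
    SELECT CustomerId, COUNT(*) AS Orders, SUM(Amount) AS Total
    FROM Sales.Orders GROUP BY CustomerId;
GO
CREATE ROLE ReportReaders;
-- One schema-level grant covers every current and future object in Reporting;
-- the view reaches Sales.Orders through ownership chaining (both owned by dbo).
GRANT SELECT ON SCHEMA::Reporting TO ReportReaders;
-- Check the effect as a throw-away user that has no login of its own:
-- the view is granted through the schema, the base table is not.
CREATE USER report_test WITHOUT LOGIN;
ALTER ROLE ReportReaders ADD MEMBER report_test;   -- sp_addrolemember on 2008 and earlier
EXECUTE AS USER = 'report_test';
SELECT HAS_PERMS_BY_NAME('Reporting.OrderSummary', 'OBJECT', 'SELECT') AS CanReadView,
       HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS CanReadTable;
REVERT;
GO
```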
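Added example, not from the deck: the objects behind the Auditing slides, including the “Denali” event filter and user-defined audit. It assumes a database SalesDb with a Sales schema; the file path, audit names and service account are constructed.

```sql
-- Added example (not from the deck): the objects behind the Auditing slides:
-- a server audit with a file target, a server audit specification that records
-- failed logins, a database audit specification, the "Denali" event filter and
-- a user-defined audit event. Assumes a database SalesDb with a Sales schema;
-- the path, names and service account are constructed.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
    -- "Denali" filtering: drop only the monitoring account's routine reads
    -- (action_id SL); failed logins are never filtered out.
    WHERE NOT (server_principal_name = 'CORP\svc_monitor' AND action_id = 'SL');
GO
-- Server-level events: failed logins, plus changes to server roles and permissions.
CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- Database-level events: reads of the sensitive schema, schema changes, and the
-- user-defined group so the application can write its own events.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SecurityAudit_SalesDb
    FOR SERVER AUDIT SecurityAudit
    ADD (SELECT ON SCHEMA::Sales BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
    WITH (STATE = ON);
GO
-- "Denali" user-defined audit: the application records a security-relevant
-- business event alongside the engine's own records.
EXEC sys.sp_audit_write @user_defined_event_id = 1001,
                        @succeeded = 1,
                        @user_defined_information = N'Card data export approved by manager';
GO
-- Read the log back: action_id LGIF is a failed login; additional_information
-- carries the failure reason.
SELECT event_time, action_id, server_principal_name, database_name, additional_information
FROM sys.fn_get_audit_file('D:\Audit\*', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
ORDER BY event_time DESC;
```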
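Added example, not from the deck: the Use Parameters and Customize Error Messages points from the Write Secure Code slide, with the string-concatenation pattern behind the SQL Injection threat slide placed beside its parameterised form. The table dbo.Customer, the log table and the procedure names are constructed.

```sql
-- Added example (not from the deck): the Use Parameters and Customize Error
-- Messages points from the Write Secure Code slide, on a constructed table
-- dbo.Customer. Run in any database where you can create objects.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(100) NOT NULL
);
CREATE TABLE dbo.ErrorLog (
    LoggedAt DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME(),
    ProcName SYSNAME NULL,
    Message  NVARCHAR(4000) NOT NULL
);
GO
-- VULNERABLE: the input is pasted into the statement text, so a value
-- containing the characters named on the threat slide (' , --, ;) becomes
-- part of the SQL that runs. Kept only as the pattern to recognise and remove.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customer WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO
-- HARDENED: the statement text is fixed and the value travels as a typed
-- parameter, so it is compared as data and never parsed as SQL. (A plain
-- SELECT ... WHERE LastName = @LastName is equivalent when no dynamic SQL is needed.)
CREATE PROCEDURE dbo.FindCustomer @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        DECLARE @sql NVARCHAR(MAX) =
            N'SELECT CustomerId, LastName, Email FROM dbo.Customer WHERE LastName = @p';
        EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
    END TRY
    BEGIN CATCH
        -- Keep the engine's message (it may name tables and columns) in a
        -- server-side log and return a generic message to the caller.
        INSERT INTO dbo.ErrorLog (ProcName, Message)
            VALUES (OBJECT_NAME(@@PROCID), ERROR_MESSAGE());
        RAISERROR (N'Customer lookup failed. See the error log for details.', 16, 1);
    END CATCH
END;
GO
EXEC dbo.FindCustomer @LastName = N'O''Brien';   -- an apostrophe in the data is just data
```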
