
SQL Server Security and Intrusion Prevention



Is your data secure? Have you been the victim of a SQL injection attack?

In this session you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa covers physical security, passwords, privileges and roles, and preventive best practices. He demonstrates auditing, looks at .Net code samples to use in your applications, and shows the new security features in SQL Server 2012.

Published in: Technology


  1. About the presenter: recently moved to Colorado Springs; SQL Server 7, 2000, 2005 and 2008; .Net developer, VB.Net and C#; twitter: @extofer
  2. Agenda: security model; authentication; passwords; threats; physical security and other best practices
  3. Security model. Principals: Windows users, Windows groups and SQL logins (server level); database users and database roles (database level). Securables: schemas, and the tables, views and procedures that live inside them.
  4. Windows authentication: a domain or local Windows account; integrates with Active Directory; supports groups; use it whenever possible.
  5. Mixed authentication (SQL logins alongside Windows logins): needed for legacy or hard-coded referenced logins, non-Windows clients, and connections over the Internet.
  6. Strong passwords: 10 to 12 characters or longer; upper and lower case, numbers and special characters (symbols). The slide suggests "l33t speak" substitutions (E = 3, A = 4 or @, T = + or 7) and a l33t password generator; be aware that every mainstream password cracker applies exactly these substitutions as a wordlist rule, so they add far less than extra length does.
  7. Do NOT hard-code passwords: encrypt the connectionStrings section of web.config in ASP.Net (aspnet_regiis -pe); encrypt any password your code must hold. SQLPing checks instances for default passwords (historically a blank sa password), so set one and disable sa. Change passwords regularly and never reuse the same password across systems.
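The security model and the authentication and password points of slides 3 to 7, written out as T-SQL. This is an added example, not code from the deck or from the presenter; the names CORP\OnCallDbas (an Active Directory group), AppSvcLogin, AppSvcUser, SalesDb, the Sales schema and the two roles are placeholders chosen for it, and the password is supplied as a sqlcmd scripting variable so that it never appears in the script.

```sql
-- Added example, not from the deck: slides 3 to 7 as T-SQL.
-- Assumed names: CORP\OnCallDbas (an AD group), AppSvcLogin / AppSvcUser,
-- the SalesDb database, the Sales schema and the roles below.
USE master;
GO
IF DB_ID(N'SalesDb') IS NULL CREATE DATABASE SalesDb;
GO

-- Slide 4, Windows authentication: grant access to an AD group, not to
-- individual accounts, so membership is managed in Active Directory.
CREATE LOGIN [CORP\OnCallDbas] FROM WINDOWS;
GO

-- Slide 5, mixed authentication: a SQL login for a non-Windows client.
-- CHECK_POLICY / CHECK_EXPIRATION enforce the Windows password policy
-- (slide 6) on the login. The password is a sqlcmd scripting variable
-- (sqlcmd -v AppSvcPassword=...), so it is never written into the script (slide 7).
CREATE LOGIN AppSvcLogin
    WITH PASSWORD = N'$(AppSvcPassword)',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Slide 7: SQLPing and similar scanners look for the built-in sa account
-- with a blank or default password. Disable it; administer through named logins.
ALTER LOGIN sa DISABLE;
GO

-- Slide 3: login -> database user -> database role -> permission on a
-- securable (the schema). Nothing is granted to the user directly.
USE SalesDb;
GO
IF SCHEMA_ID(N'Sales') IS NULL EXEC (N'CREATE SCHEMA Sales AUTHORIZATION dbo;');
GO
CREATE USER AppSvcUser FOR LOGIN AppSvcLogin;
CREATE ROLE SalesReadWrite;
ALTER ROLE SalesReadWrite ADD MEMBER AppSvcUser;   -- ALTER ROLE ... ADD MEMBER is SQL Server 2012+
GRANT SELECT, INSERT, UPDATE, EXECUTE ON SCHEMA::Sales TO SalesReadWrite;
DENY ALTER ON SCHEMA::Sales TO SalesReadWrite;     -- the app can use the schema, not reshape it
GO

-- New in SQL Server 2012: user-defined server roles. Give the on-call DBAs
-- the server-level rights they need instead of making them sysadmin.
USE master;
GO
CREATE SERVER ROLE OnCallDba;
GRANT VIEW SERVER STATE, ALTER ANY CONNECTION TO OnCallDba;
ALTER SERVER ROLE OnCallDba ADD MEMBER [CORP\OnCallDbas];
GO

-- Checks worth running on an inherited server.
-- SQL logins that bypass the password policy, or that still have a blank password:
SELECT name, is_policy_checked, is_expiration_checked, is_disabled,
       PWDCOMPARE(N'', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
   OR PWDCOMPARE(N'', password_hash) = 1;
-- Who is sysadmin? The list should be short and contain no application logins.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO
```

Run it with sqlcmd in SQLCMD mode (sqlcmd -v AppSvcPassword="..." -i script.sql); in a plain SSMS query window the literal $(AppSvcPassword) would become the password. The two closing queries are the ones to run first on a server you did not build: a SQL login with is_policy_checked = 0 or a blank password, or an application login in sysadmin, undoes everything else on these slides.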
  8. Threats: social engineering, SQL injection, and port sniffers on the network.
  9. Social engineering: manipulating people into handing over data; no technical cracking tools or techniques are involved.
  10. SQL injection: affects any RDBMS, not just MS SQL Server. The attacker submits SQL through the front-end application, which concatenates it into a query. Typical tokens: the single quote (') to break out of a string literal, -- to comment out the rest of the statement, and ; to chain an additional statement.
  11. Defences: check for valid input; DDL triggers to catch and roll back schema changes; stored procedures; parameterised queries; customised error messages, and never return securable (table, column, procedure) names in errors sent to the client.
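The injection of slide 10 beside the defences of slide 11, as an added T-SQL example (not code from the deck or the presenter). Sales.Customer, Sales.AuditLog, the procedure and trigger names and the two sample rows are all invented for this example; the page's own .Net samples are not reproduced here, but sp_executesql with a parameter is the server-side equivalent of passing SqlParameter objects through SqlCommand.Parameters.

```sql
-- Added example, not from the deck: the injection of slide 10 beside the
-- defences of slide 11. Sales.Customer, Sales.AuditLog, the procedure and
-- trigger names and the sample rows are all invented for this example.
USE SalesDb;
GO
IF SCHEMA_ID(N'Sales') IS NULL EXEC (N'CREATE SCHEMA Sales AUTHORIZATION dbo;');
GO
CREATE TABLE Sales.Customer (CustomerId int IDENTITY PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE Sales.AuditLog (LoggedAt datetime2 NOT NULL, LoginName sysname NOT NULL, Detail nvarchar(4000) NOT NULL);
INSERT INTO Sales.Customer (Name) VALUES (N'Alice'), (N'Bob');   -- constructed sample data
GO

-- VULNERABLE (slide 10): the front end's string is concatenated into the
-- statement, so anything the user typed is parsed as SQL.
CREATE PROCEDURE Sales.FindCustomer_Vulnerable @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = ''' + @Name + N''';';
    EXEC (@sql);
END;
GO
-- @Name = N'x'' OR 1=1 --'  builds  ... WHERE Name = 'x' OR 1=1 --';
--   ' closes the literal, OR 1=1 matches every row, -- discards the rest.
-- @Name = N'x''; DROP TABLE Sales.Customer; --'  uses ; to chain a second
--   statement; whether it succeeds depends only on the caller's permissions.
EXEC Sales.FindCustomer_Vulnerable @Name = N'x'' OR 1=1 --';   -- returns both rows
GO

-- HARDENED (slide 11): the value travels as a parameter, separate from the
-- statement text, so it can only ever be a value. sp_executesql is the
-- server-side counterpart of SqlCommand.Parameters in ADO.Net.
CREATE PROCEDURE Sales.FindCustomer @Name nvarchar(100), @SortColumn sysname = N'Name'
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        -- "Check for valid input": an identifier cannot be a parameter, so it is
        -- whitelisted against the catalog and bracket-quoted before use.
        IF NOT EXISTS (SELECT 1 FROM sys.columns
                       WHERE object_id = OBJECT_ID(N'Sales.Customer') AND name = @SortColumn)
            THROW 50001, N'Invalid sort column.', 1;

        DECLARE @sql nvarchar(max) =
            N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = @p_name ORDER BY '
            + QUOTENAME(@SortColumn) + N';';
        EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
    END TRY
    BEGIN CATCH
        -- "Customize error messages": keep the real text (which may name
        -- tables and columns) server-side and return a neutral message.
        INSERT INTO Sales.AuditLog (LoggedAt, LoginName, Detail)
        VALUES (SYSUTCDATETIME(), ORIGINAL_LOGIN(), ERROR_MESSAGE());
        THROW 50000, N'The request could not be completed.', 1;
    END CATCH
END;
GO
EXEC Sales.FindCustomer @Name = N'x'' OR 1=1 --';   -- 0 rows: the whole string is compared as one name
EXEC Sales.FindCustomer @Name = N'Alice', @SortColumn = N'Name; DROP TABLE Sales.Customer';
                                                     -- client sees error 50000; the detail is in AuditLog
GO

-- DDL trigger (slide 11): a DROP or ALTER TABLE that gets through anyway,
-- by injection or by accident, is rolled back and recorded. ROLLBACK comes
-- first so that the log row written afterwards is not undone with it.
CREATE TRIGGER trg_BlockSchemaChange ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    DECLARE @cmd nvarchar(4000) =
        EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(4000)');
    ROLLBACK;
    INSERT INTO Sales.AuditLog (LoggedAt, LoginName, Detail)
    VALUES (SYSUTCDATETIME(), ORIGINAL_LOGIN(), N'Blocked DDL: ' + @cmd);
    RAISERROR (N'Schema changes are blocked on this database.', 16, 1);
END;
GO
DROP TABLE Sales.Customer;   -- fails with the message above; the table survives
GO
```

Two points the slide text leaves implicit: the quote, -- and ; tokens are harmless in the hardened procedure because they arrive as data, not as syntax, so no blacklist of "dangerous characters" is needed; and the DDL trigger is a backstop, not the control. If the application's login only holds the role rights from slide 3 (no ALTER on the schema), the injected DROP TABLE fails on permissions before the trigger ever fires.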
  12. Change the default port (TCP 1433). This only hides the instance from the most casual scans: the SQL Browser service (UDP 1434) still answers with each instance's port, so stop it as well unless you depend on named-instance discovery, and treat the firewall, not the port number, as the control.
  13. Physical security: lock the server room or rack when not in use; restrict access to authorised individuals; if feasible, use security cameras.
  14. Patching: Microsoft releases security updates on the second Tuesday of every month. Test updates or hotfixes immediately on non-production servers and schedule production patching soon after they pass.
  15. Avoid network shares on servers; don't surf the Web on the server; enable only the protocols you need; keep servers behind a firewall.
  16. Encrypt your DB backups; test backups by actually restoring them; restrict system stored procedures and extended stored procedures (XPs).
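Checks and settings for slides 12, 14 and 16, plus the SQL Server Audit setup that the session description promises to demonstrate, as an added T-SQL example (not code from the deck or the presenter). The file paths, the TdeCert certificate, the SecurityAudit names, the SalesDb database and its logical file names are placeholders; the two sqlcmd variables stand in for passwords kept out of the script.

```sql
-- Added example, not from the deck: checks and settings for slides 12, 14
-- and 16, and the auditing the description mentions. Paths, certificate,
-- audit and database names are placeholders.
USE master;
GO

-- Slide 12: which ports is this instance really listening on?
-- (sys.dm_tcp_listener_states exists from SQL Server 2012.)
SELECT ip_address, port, type_desc, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';
GO

-- Slide 14: record the build before and after Patch Tuesday so you can
-- prove the update landed.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,    -- RTM or SPn
       SERVERPROPERTY('Edition')        AS edition;
GO

-- Slide 16, extended stored procedures: xp_cmdshell runs OS commands as the
-- service account and is the first thing an attacker who has reached
-- sysadmin through an injection turns on. Keep it and OLE Automation off.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;
EXEC sys.sp_configure N'Ole Automation Procedures', 0;
RECONFIGURE;
-- Check: config_value and run_value must both be 0.
EXEC sys.sp_configure N'xp_cmdshell';
EXEC sys.sp_configure N'Ole Automation Procedures';
GO

-- Slide 16, encrypted backups. Native BACKUP ... WITH ENCRYPTION arrived in
-- SQL Server 2014. On 2012 (Enterprise edition) Transparent Data Encryption
-- encrypts the data files, and therefore every backup taken of them.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'$(DmkPassword)';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE and backup certificate for SalesDb';
-- Back the certificate up and store it apart from the database backups;
-- without it no encrypted backup can ever be restored.
BACKUP CERTIFICATE TdeCert TO FILE = N'E:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = N'E:\Keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'$(PvkPassword)');
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- SQL Server 2014 and later: encrypt the backup file itself as well.
BACKUP DATABASE SalesDb TO DISK = N'E:\Backup\SalesDb.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TdeCert), CHECKSUM;
GO
-- Slide 16, "test backups by restoring": VERIFYONLY only proves the file is
-- readable; a real restore under another name proves the backup is usable.
-- (SalesDb / SalesDb_log are the assumed logical file names.)
RESTORE VERIFYONLY FROM DISK = N'E:\Backup\SalesDb.bak' WITH CHECKSUM;
RESTORE DATABASE SalesDb_RestoreTest FROM DISK = N'E:\Backup\SalesDb.bak'
    WITH MOVE N'SalesDb'     TO N'E:\RestoreTest\SalesDb.mdf',
         MOVE N'SalesDb_log' TO N'E:\RestoreTest\SalesDb.ldf';
GO

-- Auditing: SQL Server Audit at server level, available in every edition
-- from SQL Server 2012. Failed logins and changes to logins, server roles
-- and the audit itself are the minimum worth keeping.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = N'E:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- Read the audit back, for instance after a burst of failed logins.
SELECT event_time, action_id, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(N'E:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

The order matters in two places. Disabling xp_cmdshell protects against the post-injection step, not the injection itself: a sysadmin-level attacker can turn it back on with the same sp_configure call, which is why the application login must never be sysadmin. And BACKUP CERTIFICATE must run before the first encrypted backup is relied on; an encrypted .bak whose certificate was lost with the server is indistinguishable from no backup at all.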
  17. Further reading: Defensive Database Programming by Alex Kuznetsov; Protecting SQL Server Data by John Magnabosco; SQL Server Tacklebox by Rodney Landrum
  18. Slide deck at: Gabriel Villa. email: blog: www.extofer.com twitter: @extofer