08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Hardening a SQL Server 2008 Implementation
1.
2. Hardening a SQL Server 2008
Implementation
Ross Mistry, Principal Consultant,
Convergent Computing (CCO)
3. Ross Mistry – Bio Summary
Ross Mistry, Principal Consultant & Partner w/ Convergent Computing (CCO)
Convergent Computing, CCO is located in the San Francisco Bay Area / Silicon Valley.
Specialize in SQL Server Database Administration, High Availability, Active Directory,
Exchange, and Operations Manager
Lead Author on “SQL Server 2005 Management and Administration” Based on Service
Pack 2
Co-Author on “Windows Server 2008 Unleashed”
Contributing Writer on “Exchange Server 2007 Unleashed” and “SharePoint Server
2007 Unleashed”
Technical Editor on “SQL 2005 Unleashed” and “SQL 2005 Changing the Paradigm”
Upcoming Books “SQL Server 2008 Management and Administration”
Frequent Speaker for PASS, Connections and SQL User Groups
Blog Site: http://www.networkworld.com/community/mistry
3
4. Topics
Purpose & Challenges
General Hardening and Security Techniques
Security Configuration Tools
Encryption
4
5. Purpose of Securing Data and it’s
Challenges
Data Explosion
Hosts Mission Critical Information
Repository for Sensitive Data
Regulatory Compliance
Responsible DBA
Job Security
Where do I start?
5
7. Understanding Authentication
Windows Authentication
• Default Setting
• Leverages Active Directory Accounts / Groups
• User & Service Accounts are governed by Active Directory
Policies
• Active Directory Audit Policies are Applied
• Multiple Password Policies – W2K8 Enhancement
• Domain Level Must be Windows Server 2008
• Only one set of passwords can be applied
• Kerberos Available with ALL protocols – SQL2K8 Enhancement
7
8. Understanding Authentication Cont’d
SQL Server Authentication (Mixed Mode)
• Leverages AD or SQL Server Accounts
• SQL Server continues to offer Password and Lockout Policies
based on the following items:
Password Complexity
Password Expiration
Account Lockouts
Force Users to Change
Password on Next Logon
8
9. Which Authentication Mode Should I
Select?
Windows Authentication is Recommended
• Additional Level of Protection w Kerberos
• More Mature and Robust
• Best Practice – If possible use Windows Authentication
Mixed Mode may be Required
• Need to Support Legacy Applications / Clients
• Separation of Duties
9
11. Hardening the SA Account
Enforce a Strong Password:
Uppercase
& Length
Lowercase
Non
Contain
Alphanumeric
Numbers
Characters
Disable and Rename the SA Account
Best Practice – Do NOT use SA for Daily Admin or for
Application Authentication – BIG NO NO!!!!
11
12. Hardening SQL Server Service
Accounts
Security Context:
Domain
Local
Built-In
Understand the Limitations
Use the Principle of Least Privilege
Service Account Isolation
Best Practice – Use Configuration Tools to make Service
Account Changes
12
13. Ongoing Patch Management
Install Service Packs and Critical Fixes
Test in Isolated Lab
Patch Management Strategies:
• Microsoft Update
• Download and Install
• Automate with System Center Configuration Manager 2007 or
WSUS
Best Practice – Patch as soon as possible and Backup
System before Patching
13
14. Leverage SQL Server Security Logs
Understanding the Types of Logs Available:
• None
• Successful Logins Only
• Failed Logins Only
• Both Failed and Successful Logins
Best Practice – Capture both Failed and Successful Logins
and use a Solution such as ACS w System Center
Operations Manager 2007 to Centralize Logging
14
16. Enhanced Auditing Functionality
• Log Every SQL Server Action
• Two New Auditing Objects:
• Audit Object
• Audit Specification Object
• Save Actions to:
• Windows Application Log
• Windows Security Log
• File
• Consolidate to Satisfy Compliance
16
17. Enhanced Auditing Process
• Create Audit & Specify a Location
• Create One or More Audit Specifications
• Select a SQL Server Audit Action – 35 Groups
• Review Audit Logs
17
18. Use a Firewall to Filter Unwanted
Traffic
Enable Firewall
Place Server on Dedicated VLAN
Integrated Windows Server 2008 Firewall is Sufficient
New w Windows Server 2008
• Supports both Inbound & Outbound Rules
• Integrated with Server Manager
• Dynamic Control with Group Policies
If More Advanced is required then use ISA 2006
18
19. Network Connectivity Best Practices
Limit the Network Protocols Supported
Do not expose SQL Server to the Internet
Use Specific Port Assignments
Use SSL when using SQL Authentication
Use “Allow Only Encrypted Connections”
19
20. Built-in / Administrators Group
In the Past, this group had full control
Allows all Local Administrators Full Access
No longer Associated with the SysAdmin Role
Best Practice
Delete the Group
Have a Backdoor
20
21. SQL Server Browser Service
Listens to Incoming Requests
Provides Instance Name, Port and Version Number
Best Practice – Disable Service
Manually Pass SQL information when connecting
21
22. DEMONSTRATIONS
General Hardening and Security
Techniques
22
26. Reducing SQL Server Surface Area
SQL Server Tasks During and After Installation
• Install required components
• Configure and Lock Down Unnecessary Services
• Remove / Disable Unnecessary Features
SAC has been depreciated in SQL Server 2008
Replaced with Policy Based Management
Best Practice – ONLY INSTALL WHAT YOU NEED!!!!
26
27. Policy Based Management
Based on DMF Framework included in SQL Server 2008
Create Configuration Policies for the Database Engine
Replaces deprecated SAC Tool
Reasons for Policy Based Management:
• Centralized Administration is more common
• Data Center Consolidation
• Proliferation of SQL Server instances and remote databases
• Reduce complexity for managing many servers
27
29. Policy Based Management Process
• Select a Policy-Based Management facet
1
• Define a Condition
2
• Define a Policy that Contains the Condition
3
• Validate Compliance against Policy
4
29
30. Policy Based Management Execution
Modes
On Demand
On
On
Change -
Schedule
Prevent
On Change - Log
Only
30
31. Hardening with Security Configuration
Wizard
Included with Windows Server 2003 SP1 and / or
Windows Server 2008
Build Custom Role Templates
Integrate Templates with Active Directory
Best Practice – Convert XML Template to GPO and Link
to OU
Scwcmd.exe
31
32. Using Microsoft Baseline Security
Analyzer (MBSA)
Free download tool from MS
Identifies Security Vulnerabilities:
• User Accounts
• Missing Patches
• Weak Passwords
Caveat –SQL Server 2008 or Windows Server
2008 is not yet supported
32
33. SQL Server Best Practice Analyzer
Free download tool from Microsoft
Scans SQL Server Components
Identifies Common Configuration Anomalies
Best Practice – Schedule on a Periodic Basis such
as once a Month
Caveat – BPA for SQL Server 2008 has not been
released
33
34. IIS 7.0 & Lockdown Tool
IIS 7.0 on Windows Server 2008 is Slim and
Efficient
Modular Based Installation with Roles & Features
Templates Readily Available
Best Practice - Only Install Required Features for
SSRS
34
38. SQL Server 2008 Data Encryption
Supports Native Encryption out of the box
Encryption can be applied at the:
• Database Level
• Granular - Cell Level
• Data in Transit
• Authentication
• File Folder
• Hard disks
38
39. Types of SQL Server 2008 Encryption
Extensible Key Management (EKM) - SQL2K8 Enhancement
Transparent Data Encryption (TPE) – SQL2K8 Enhancement
39
40. Transparent Data Encryption Process
Create Master Key
Create Certificate
Create Database, Encryption Key
Alter Database…, Set Encryption On
40
41. Types of SQL Server 2008 Encryption
Con’t
Bitlocker Drive Encryption – W2K8 Enhancement
Use PKI to secure Data in Transit
Use SSL to secure SQL User Account Authentication
EFS can be used to protect data at the folder level
41
43. Resources
SQL Server 2005 Management & Administration
• Covers Administration, Monitoring, Management and Security
• 3 Chapters Dedicated to Security
• Available on amazon.com
Windows Server 2008 Unleashed
• Available on amazon.com
SQL Server 2008 Management & Administration
• Scheduled for September 2008 Release Date
43