Hardening a SQL Server 2008 Implementation
•
5 likes•2,823 views
Hardening a SQL Server 2008 Implementation by Ross Mistry. Presented at the European PASS Conference in April 2008.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Hardening a SQL Server 2008 Implementation
Similar to Hardening a SQL Server 2008 Implementation (20)
More from Mark Ginnebaugh
More from Mark Ginnebaugh (20)
Recently uploaded
Recently uploaded (20)
Hardening a SQL Server 2008 Implementation
- 2. Hardening a SQL Server 2008 Implementation Ross Mistry, Principal Consultant, Convergent Computing (CCO)
- 3. Ross Mistry – Bio Summary Ross Mistry, Principal Consultant & Partner w/ Convergent Computing (CCO) Convergent Computing, CCO is located in the San Francisco Bay Area / Silicon Valley. Specialize in SQL Server Database Administration, High Availability, Active Directory, Exchange, and Operations Manager Lead Author on “SQL Server 2005 Management and Administration” Based on Service Pack 2 Co-Author on “Windows Server 2008 Unleashed” Contributing Writer on “Exchange Server 2007 Unleashed” and “SharePoint Server 2007 Unleashed” Technical Editor on “SQL 2005 Unleashed” and “SQL 2005 Changing the Paradigm” Upcoming Books “SQL Server 2008 Management and Administration” Frequent Speaker for PASS, Connections and SQL User Groups Blog Site: http://www.networkworld.com/community/mistry 3
- 4. Topics Purpose & Challenges General Hardening and Security Techniques Security Configuration Tools Encryption 4
- 5. Purpose of Securing Data and it’s Challenges Data Explosion Hosts Mission Critical Information Repository for Sensitive Data Regulatory Compliance Responsible DBA Job Security Where do I start? 5
- 6. General Hardening and Security Techniques PART 1
- 7. Understanding Authentication Windows Authentication • Default Setting • Leverages Active Directory Accounts / Groups • User & Service Accounts are governed by Active Directory Policies • Active Directory Audit Policies are Applied • Multiple Password Policies – W2K8 Enhancement • Domain Level Must be Windows Server 2008 • Only one set of passwords can be applied • Kerberos Available with ALL protocols – SQL2K8 Enhancement 7
- 8. Understanding Authentication Cont’d SQL Server Authentication (Mixed Mode) • Leverages AD or SQL Server Accounts • SQL Server continues to offer Password and Lockout Policies based on the following items: Password Complexity Password Expiration Account Lockouts Force Users to Change Password on Next Logon 8
- 9. Which Authentication Mode Should I Select? Windows Authentication is Recommended • Additional Level of Protection w Kerberos • More Mature and Robust • Best Practice – If possible use Windows Authentication Mixed Mode may be Required • Need to Support Legacy Applications / Clients • Separation of Duties 9
- 10. SQL Server Account Policies Screenshots 10
- 11. Hardening the SA Account Enforce a Strong Password: Uppercase & Length Lowercase Non Contain Alphanumeric Numbers Characters Disable and Rename the SA Account Best Practice – Do NOT use SA for Daily Admin or for Application Authentication – BIG NO NO!!!! 11
- 12. Hardening SQL Server Service Accounts Security Context: Domain Local Built-In Understand the Limitations Use the Principle of Least Privilege Service Account Isolation Best Practice – Use Configuration Tools to make Service Account Changes 12
- 13. Ongoing Patch Management Install Service Packs and Critical Fixes Test in Isolated Lab Patch Management Strategies: • Microsoft Update • Download and Install • Automate with System Center Configuration Manager 2007 or WSUS Best Practice – Patch as soon as possible and Backup System before Patching 13
- 14. Leverage SQL Server Security Logs Understanding the Types of Logs Available: • None • Successful Logins Only • Failed Logins Only • Both Failed and Successful Logins Best Practice – Capture both Failed and Successful Logins and use a Solution such as ACS w System Center Operations Manager 2007 to Centralize Logging 14
- 15. SQL Server Security Logs Screen Shot 15
- 16. Enhanced Auditing Functionality • Log Every SQL Server Action • Two New Auditing Objects: • Audit Object • Audit Specification Object • Save Actions to: • Windows Application Log • Windows Security Log • File • Consolidate to Satisfy Compliance 16
- 17. Enhanced Auditing Process • Create Audit & Specify a Location • Create One or More Audit Specifications • Select a SQL Server Audit Action – 35 Groups • Review Audit Logs 17
- 18. Use a Firewall to Filter Unwanted Traffic Enable Firewall Place Server on Dedicated VLAN Integrated Windows Server 2008 Firewall is Sufficient New w Windows Server 2008 • Supports both Inbound & Outbound Rules • Integrated with Server Manager • Dynamic Control with Group Policies If More Advanced is required then use ISA 2006 18
- 19. Network Connectivity Best Practices Limit the Network Protocols Supported Do not expose SQL Server to the Internet Use Specific Port Assignments Use SSL when using SQL Authentication Use “Allow Only Encrypted Connections” 19
- 20. Built-in / Administrators Group In the Past, this group had full control Allows all Local Administrators Full Access No longer Associated with the SysAdmin Role Best Practice Delete the Group Have a Backdoor 20
- 21. SQL Server Browser Service Listens to Incoming Requests Provides Instance Name, Port and Version Number Best Practice – Disable Service Manually Pass SQL information when connecting 21
- 22. DEMONSTRATIONS General Hardening and Security Techniques 22
- 23. Security Configuration Tools PART 2
- 24. SQL Server Configuration Manager Tool Lock Down • Services • Network Configurations • Native Client Configurations • Client Protocols • Aliases • Hide Instances 24
- 25. Configuration Manager Tool Screen Shots 25
- 26. Reducing SQL Server Surface Area SQL Server Tasks During and After Installation • Install required components • Configure and Lock Down Unnecessary Services • Remove / Disable Unnecessary Features SAC has been depreciated in SQL Server 2008 Replaced with Policy Based Management Best Practice – ONLY INSTALL WHAT YOU NEED!!!! 26
- 27. Policy Based Management Based on DMF Framework included in SQL Server 2008 Create Configuration Policies for the Database Engine Replaces deprecated SAC Tool Reasons for Policy Based Management: • Centralized Administration is more common • Data Center Consolidation • Proliferation of SQL Server instances and remote databases • Reduce complexity for managing many servers 27
- 28. Policy Based Management Components Policy Management Explicit Execution Modes Administration 28
- 29. Policy Based Management Process • Select a Policy-Based Management facet 1 • Define a Condition 2 • Define a Policy that Contains the Condition 3 • Validate Compliance against Policy 4 29
- 30. Policy Based Management Execution Modes On Demand On On Change - Schedule Prevent On Change - Log Only 30
- 31. Hardening with Security Configuration Wizard Included with Windows Server 2003 SP1 and / or Windows Server 2008 Build Custom Role Templates Integrate Templates with Active Directory Best Practice – Convert XML Template to GPO and Link to OU Scwcmd.exe 31
- 32. Using Microsoft Baseline Security Analyzer (MBSA) Free download tool from MS Identifies Security Vulnerabilities: • User Accounts • Missing Patches • Weak Passwords Caveat –SQL Server 2008 or Windows Server 2008 is not yet supported 32
- 33. SQL Server Best Practice Analyzer Free download tool from Microsoft Scans SQL Server Components Identifies Common Configuration Anomalies Best Practice – Schedule on a Periodic Basis such as once a Month Caveat – BPA for SQL Server 2008 has not been released 33
- 34. IIS 7.0 & Lockdown Tool IIS 7.0 on Windows Server 2008 is Slim and Efficient Modular Based Installation with Roles & Features Templates Readily Available Best Practice - Only Install Required Features for SSRS 34
- 35. IIS 7.0 Features Installation Screenshot 35
- 36. Demonstrations Security Configuration Tools 36
- 37. Securing Physical Data including Data in Transit PART 3
- 38. SQL Server 2008 Data Encryption Supports Native Encryption out of the box Encryption can be applied at the: • Database Level • Granular - Cell Level • Data in Transit • Authentication • File Folder • Hard disks 38
- 39. Types of SQL Server 2008 Encryption Extensible Key Management (EKM) - SQL2K8 Enhancement Transparent Data Encryption (TPE) – SQL2K8 Enhancement 39
- 40. Transparent Data Encryption Process Create Master Key Create Certificate Create Database, Encryption Key Alter Database…, Set Encryption On 40
- 41. Types of SQL Server 2008 Encryption Con’t Bitlocker Drive Encryption – W2K8 Enhancement Use PKI to secure Data in Transit Use SSL to secure SQL User Account Authentication EFS can be used to protect data at the folder level 41
- 42. Demonstrations Data Encryption 42
- 43. Resources SQL Server 2005 Management & Administration • Covers Administration, Monitoring, Management and Security • 3 Chapters Dedicated to Security • Available on amazon.com Windows Server 2008 Unleashed • Available on amazon.com SQL Server 2008 Management & Administration • Scheduled for September 2008 Release Date 43
- 44. Questions?
- 45. Thank you!