The document outlines secure practices for SQL Server management, emphasizing the importance of a robust security model to mitigate threats such as social engineering and SQL injection. It recommends using secure coding techniques, proper user authentication, and regular auditing of server and database activities. Additionally, physical security measures and timely application of security patches are advised to enhance overall database protection.

2. Securing your SQL Server Gabriel Villa email: [email_address] blog: www.extofer. com twitter: @extofer

3. About Gabriel MCPD, ASP.NET Developer MCTS, SQL Server 2008 Database Development SQL Server 7, 2000, 2005 and 2008 .Net Developer VB.Net and C#

4. Outline to Securing SQL Server Security Model SQL Server Threats Write Secure Code Auditing Passwords Physical Security Security Patches Network Security Best Practices Resources

5. “ Yes, I am a criminal. My crime is that of curiosity... My crime is that of outsmarting you, something that you will never forgive me for.” - The Mentor Written January 8, 1986

6. SQL Server Security Model Principal Windows Users SQL Logins Roles Groups Securables Schemas Windows Users SQL Login Database Users DB Roles Schemas

7. Authentication Windows Authentications Active Directory Integration Supports Groups Use Whenever Possible

8. Authentication Mixed Authentication Legacy or Hard Coded Referenced Logins Non Windows Clients Connections over Internet

9. Authentication

10. Roles Group users roles based on usage Database Roles and Server Roles Server Level Roles Sysadmin, bulkadmin, securityadmin, dbcreator

11. Securables Using Schema to secure database objects Schema is a name space container Simplify Access Permissions Group objects into Schemas Grant permissions to schemas, not objects

12. SQL Server Threats Social Engineering Manipulating people to gather data Not using technical cracking tools or techniques SQL Injection Vulnerable to any RDBMS, not just MS SQL Server Attacker post SQL commands via front end applications Tools: ‘ , --, ;

13. SQL Injection

14. Write Secure Code Check for Valid Input DDL Triggers Use Stored Procedures Use Parameters Customize Error Messages Avoid errors returning securable names Source Control

15. Auditing Server and Database Level Events Server Operations Database Actions Audit Failed Login Attempts

16. Passwords DO NOT hardcode passwords ASP.Net encrypt web.config Encrypt password in your code Strong Passwords 6 to 8 minimum characters Leak speak or special characters (i.e s = 5 or 3 = E) SQLPing checks for default passwords Change passwords frequently

17. Physical Security Lock server room or rack when not in use Restrict access to unauthorized individuals If feasible, use security cameras

18. Security Patches Second Tuesday of every month Test updates or hotfixes immediately on non-production servers Schedule patches soon after tested

19. Network Security Avoid network shares on servers Don’t surf the Web on the server Only enable required protocols Keep servers behind a firewall

20. Best Practices Resources Encrypt your DB backups third party tools Restrict System Stored Proc’s and XP Download HP Scrawlr Discover Wizard http://www.sqlservercentral.com/Books/ Defensive Database Programming by Alex Kuznetsov Protecting SQL Server Data by John Magnabosco SQL Server Tacklebox by Rodney Landrum

21. Questions?? Please evaluate this sessions at http://speakerrate.com/extofer Slide Deck at http://www.extofer.com