SlideShare a Scribd company logo

SQL Server Security and Intrusion Prevention

Download as PPTX, PDF
Gabriel Villa
Gabriel Villa

Is your data secured? Are you a victim of a SQL injection hack? In this session, you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa will explain aspects on physical security, passwords, privileges and roles, and preventative best practices. He will also demonstrate auditing and look at some .Net code samples to use on your applications. He will also show the new security features in SQL Server 2012.

1 of 24
 Recently moved to Colorado Springs  SQL Server 7, 2000, 2005 and 2008  .Net Developer VB.Net and C#  www.extofer.com  twitter: @extofer
 Security Model  Authentication  Passwords  Threats  Physical Security and other best practices
 Principal Windows Users SQL Login  Windows Users  SQL Logins Database Users  Roles DB Roles  Groups  Securables Schemas  Schemas
 Windows Authentications  Domain or local Windows Account  Active Directory Integration  Supports Groups  Use Whenever Possible
 Mixed Authentication  Legacy or Hard Coded Referenced Logins  Non Windows Clients  Connections over Internet
 Strong Password  10 – 12 characters in length  Use Upper and Lower Case  Numbers  Special Characters (symbols)  l33t speak  E = 3 or A=4 or @, T= + or 7  l33t password generator
 DO NOT hardcode passwords  ASP.Net encrypt web.config  Encrypt password in your code  SQLPing checks for default passwords  Change passwords frequently  Do Not use the same passwords
 Social Engineering  SQL Injection  Beware of Port Sniffers
 Social Engineering  Manipulating people to gather data  Not using technical cracking tools or techniques
 SQL Injection  Vulnerable to any RDBMS, not just MS SQL Server  Attacker post SQL commands via front end applications  Tools: ‘ , --, ;
 Check for Valid Input  DDL Triggers  Use Stored Procedures  Use Parameters  Customize Error Messages  Avoid errors returning securable names
 Change default port
 Lock server room or rack when not in use  Restrict access to unauthorized individuals  If feasible, use security cameras
 Second Tuesday of every month  Test updates or hotfixes immediately on non-production servers  Schedule patches soon after tested
 Avoid network shares on servers  Don’t surf the Web on the server  Only enable required protocols  Keep servers behind a firewall
 Encrypt your DB backups  Test backups by restoring  Restrict System Stored Proc’s and XP
http://www.sqlservercentral.com/Books/  Defensive Database Programming by Alex Kuznetsov  Protecting SQL Server Data by John Magnabosco  SQL Server Tacklebox by Rodney Landrum
Slide Deck at http://www.extofer.com Gabriel Villa email: extofer@gmail.com blog: www.extofer. com twitter: @extofer

Recommended

Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
Gianluca Sartori
 
Denali Sql Server Security
Denali Sql Server SecurityDenali Sql Server Security
Denali Sql Server Security
Gabriel Villa
 
Securing you SQL Server - Denver, RMTT
Securing you SQL Server - Denver, RMTTSecuring you SQL Server - Denver, RMTT
Securing you SQL Server - Denver, RMTT
Gabriel Villa
 
SQL Server Security
SQL Server SecuritySQL Server Security
SQL Server Security
sunitkanyan
 
SQL Server: Security
SQL Server: SecuritySQL Server: Security
SQL Server: Security
LearnNowOnline
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
Vinod Kumar
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
SQL Server 2012 Security Task
SQL Server 2012 Security TaskSQL Server 2012 Security Task
SQL Server 2012 Security TaskYaakub Idris
 

Recommended

Sql server security in an insecure world
Sql server security in an insecure worldSql server security in an insecure world
Sql server security in an insecure world
Gianluca Sartori
 
Denali Sql Server Security
Denali Sql Server SecurityDenali Sql Server Security
Denali Sql Server Security
Gabriel Villa
 
Securing you SQL Server - Denver, RMTT
Securing you SQL Server - Denver, RMTTSecuring you SQL Server - Denver, RMTT
Securing you SQL Server - Denver, RMTT
Gabriel Villa
 
SQL Server Security
SQL Server SecuritySQL Server Security
SQL Server Security
sunitkanyan
 
SQL Server: Security
SQL Server: SecuritySQL Server: Security
SQL Server: Security
LearnNowOnline
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
Vinod Kumar
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
SQL Server 2012 Security Task
SQL Server 2012 Security TaskSQL Server 2012 Security Task
SQL Server 2012 Security TaskYaakub Idris
 
Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NET
Mikhail Shcherbakov
 
Top Keys to create a secure website
Top Keys to create a secure websiteTop Keys to create a secure website
Top Keys to create a secure website
Click Ripple Solutions
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host Security
Eng Teong Cheah
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
Iron Speed
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no input
Secure Code Warrior
 
Securing you SQL Server
Securing you SQL ServerSecuring you SQL Server
Securing you SQL Server
Gabriel Villa
 
SQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET EditionSQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET Edition
Bert Wagner
 
t r
t rt r
t relectronicmingle01
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
OWASP
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azure
saitoserge
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
Sql injection
Sql injectionSql injection
Sql injection
Tech Bikram
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
Md Syed Ahamad
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Raghav Bisht
 
Stroke mimics
Stroke mimicsStroke mimics
Stroke mimics
Dr Pradip Mate
 
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based ManagementEvaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
John Sterrett
 

More Related Content

What's hot

Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NET
Mikhail Shcherbakov
 
Top Keys to create a secure website
Top Keys to create a secure websiteTop Keys to create a secure website
Top Keys to create a secure website
Click Ripple Solutions
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host Security
Eng Teong Cheah
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
Lalit Kale
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
Iron Speed
 
Sql injection
Sql injectionSql injection
Sql injection
The Avi Sharma
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no input
Secure Code Warrior
 
Securing you SQL Server
Securing you SQL ServerSecuring you SQL Server
Securing you SQL Server
Gabriel Villa
 
SQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET EditionSQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET Edition
Bert Wagner
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
OWASP
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azure
saitoserge
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
Megha Sahu
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
Sql injection
Sql injectionSql injection
Sql injection
Tech Bikram
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
Md Syed Ahamad
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
Raghav Bisht
 

What's hot (20)

Practice of AppSec .NET
Practice of AppSec .NETPractice of AppSec .NET
Practice of AppSec .NET
 
Top Keys to create a secure website
Top Keys to create a secure websiteTop Keys to create a secure website
Top Keys to create a secure website
 
Compute Security - Host Security
Compute Security - Host SecurityCompute Security - Host Security
Compute Security - Host Security
 
Implementing application security using the .net framework
Implementing application security using the .net frameworkImplementing application security using the .net framework
Implementing application security using the .net framework
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
 
Sql injection
Sql injectionSql injection
Sql injection
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no input
 
Securing you SQL Server
Securing you SQL ServerSecuring you SQL Server
Securing you SQL Server
 
SQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET EditionSQL Injection Attacks: Is Your Data Secure? .NET Edition
SQL Injection Attacks: Is Your Data Secure? .NET Edition
 
t r
t rt r
t r
 
[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework[OWASP Poland Day] Security knowledge framework
[OWASP Poland Day] Security knowledge framework
 
Class Project: Security in Microsoft Azure
Class Project: Security in Microsoft AzureClass Project: Security in Microsoft Azure
Class Project: Security in Microsoft Azure
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web Application Security II - SQL Injection
Web Application Security II - SQL InjectionWeb Application Security II - SQL Injection
Web Application Security II - SQL Injection
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
 

Viewers also liked

Stroke mimics
Stroke mimicsStroke mimics
Stroke mimics
Dr Pradip Mate
 
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based ManagementEvaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
John Sterrett
 
Approach to a patient with stroke - Pathophysiology of stroke
Approach to a patient with stroke - Pathophysiology of strokeApproach to a patient with stroke - Pathophysiology of stroke
Approach to a patient with stroke - Pathophysiology of stroke
Ashwin Haridas
 
Basic reading computed tomography (ct) of brain
Basic reading computed tomography (ct) of brainBasic reading computed tomography (ct) of brain
Basic reading computed tomography (ct) of brainaViVian
 
Approach to a patient with stroke
Approach to a patient with stroke Approach to a patient with stroke
Approach to a patient with stroke
Ashwin Haridas
 
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
Arlyn Valencia, M.D.
 
BASICS of CT Head
BASICS of CT HeadBASICS of CT Head
BASICS of CT Head
Kunal Mahajan
 

Viewers also liked (11)

Stroke mimics
Stroke mimicsStroke mimics
Stroke mimics
 
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based ManagementEvaluating Daily Checklist Against 1000 Servers using Policy Based Management
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
 
BRAIN CT SCAN
BRAIN CT SCANBRAIN CT SCAN
BRAIN CT SCAN
 
Approach to a patient with stroke - Pathophysiology of stroke
Approach to a patient with stroke - Pathophysiology of strokeApproach to a patient with stroke - Pathophysiology of stroke
Approach to a patient with stroke - Pathophysiology of stroke
 
Basic reading computed tomography (ct) of brain
Basic reading computed tomography (ct) of brainBasic reading computed tomography (ct) of brain
Basic reading computed tomography (ct) of brain
 
Approach to a patient with stroke
Approach to a patient with stroke Approach to a patient with stroke
Approach to a patient with stroke
 
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
 
Stroke
StrokeStroke
Stroke
 
Approach to head ct
Approach to head ctApproach to head ct
Approach to head ct
 
Stroke syndromes
Stroke syndromesStroke syndromes
Stroke syndromes
 
BASICS of CT Head
BASICS of CT HeadBASICS of CT Head
BASICS of CT Head
 

Similar to SQL Server Security and Intrusion Prevention

SqlSa94
SqlSa94SqlSa94
SqlSa94
Gabriel Villa
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
amiable_indian
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
Michael Noel
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
Stacy Watts
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
Kaustav Sengupta
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
Tobias Koprowski
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hydewebhostingguy
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developerswebhostingguy
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
Aleksandar Bozinovski
 

Similar to SQL Server Security and Intrusion Prevention (20)

SqlSa94
SqlSa94SqlSa94
SqlSa94
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
 
Day2
Day2Day2
Day2
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Greensql2007
Greensql2007Greensql2007
Greensql2007
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
 
Dr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. HydeDr. Jekyll and Mr. Hyde
Dr. Jekyll and Mr. Hyde
 
SQLCLR For DBAs and Developers
SQLCLR For DBAs and DevelopersSQLCLR For DBAs and Developers
SQLCLR For DBAs and Developers
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Windows network
Windows networkWindows network
Windows network
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 

Recently uploaded

Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 

Recently uploaded (20)

Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 

SQL Server Security and Intrusion Prevention

  • 1.
  • 2.
  • 3. Recently moved to Colorado Springs  SQL Server 7, 2000, 2005 and 2008  .Net Developer VB.Net and C#  www.extofer.com  twitter: @extofer
  • 4.  Security Model  Authentication  Passwords  Threats  Physical Security and other best practices
  • 5. Principal Windows Users SQL Login  Windows Users  SQL Logins Database Users  Roles DB Roles  Groups  Securables Schemas  Schemas
  • 6. Windows Authentications  Domain or local Windows Account  Active Directory Integration  Supports Groups  Use Whenever Possible
  • 7. Mixed Authentication  Legacy or Hard Coded Referenced Logins  Non Windows Clients  Connections over Internet
  • 8.
  • 9. Strong Password  10 – 12 characters in length  Use Upper and Lower Case  Numbers  Special Characters (symbols)  l33t speak  E = 3 or A=4 or @, T= + or 7  l33t password generator
  • 10. DO NOT hardcode passwords  ASP.Net encrypt web.config  Encrypt password in your code  SQLPing checks for default passwords  Change passwords frequently  Do Not use the same passwords
  • 11.  Social Engineering  SQL Injection  Beware of Port Sniffers
  • 12. Social Engineering  Manipulating people to gather data  Not using technical cracking tools or techniques
  • 13.
  • 14. SQL Injection  Vulnerable to any RDBMS, not just MS SQL Server  Attacker post SQL commands via front end applications  Tools: ‘ , --, ;
  • 15. Check for Valid Input  DDL Triggers  Use Stored Procedures  Use Parameters  Customize Error Messages  Avoid errors returning securable names
  • 16. Change default port
  • 17.
  • 18.
  • 19.  Lock server room or rack when not in use  Restrict access to unauthorized individuals  If feasible, use security cameras
  • 20.  Second Tuesday of every month  Test updates or hotfixes immediately on non-production servers  Schedule patches soon after tested
  • 21.  Avoid network shares on servers  Don’t surf the Web on the server  Only enable required protocols  Keep servers behind a firewall
  • 22.  Encrypt your DB backups  Test backups by restoring  Restrict System Stored Proc’s and XP
  • 23. http://www.sqlservercentral.com/Books/  Defensive Database Programming by Alex Kuznetsov  Protecting SQL Server Data by John Magnabosco  SQL Server Tacklebox by Rodney Landrum
  • 24. Slide Deck at http://www.extofer.com Gabriel Villa email: extofer@gmail.com blog: www.extofer. com twitter: @extofer