Secure SQL Server configuration
Pat Larkin
Ward Solutions
Pat.larkin@ward.ie
Session Prerequisites
Understanding of network security essentials
Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
Experience with Windows management tools
Hands-on experience with SQL Server 2000 and its management tools
Level 300
Agenda
Introduction
Protecting the application layer
Protecting SQL Server
Defense in Depth
Using a layered approach:
 Increases an attacker’s risk of detection
 Reduces an attacker’s chance of success
Layer: countermeasures at that layer
Data: ACL, encryption
Application: Application hardening, antivirus
Host: OS hardening, update management, authentication, HIDS
Internal Network: Network segments, IPSec, NIDS
Perimeter: Firewalls, VPN quarantine
Physical Security: Guards, locks, tracking devices
Policies, Procedures, & Awareness: User education
Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer
Why Data Security Matters
Secure your data as the last line of defense
Configure file permissions
Configure data encryption
 Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Assign only those permissions needed to perform required tasks
Application accounts should be assigned minimal permissions
Apply defense-in-depth principles to increase protection
Defense in Depth
[Figure: defense in depth shown alongside the other SQL Server operations disciplines. Labels recoverable from the diagram: Efficiency, Continuity, Security, Performance Tuning, Capacity Management, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change Management, Group Policies, Security Policies, Firewall Issues, SQL Server Policies, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Backup]
Agenda
Introduction
Protecting the application layer
Protecting SQL Server
Basic Security Configuration
Apply service packs and patches
 Use MBSA to detect missing SQL updates
 Use SQL Critical Update Kit
Disable unused services
 MSSQLSERVER (required)
 SQLSERVERAGENT
 MSSQLServerADHelper
 Microsoft Search
 Microsoft DTC
What MBSA typically checks on SQL Server
 Too many members of the sysadmin fixed server role
 Granting of the right to create CmdExec jobs to roles other than sysadmin
 Blank or trivial passwords
 Weak authentication mode
 Excessive rights granted to the Administrators group
 Incorrect ACLs on SQL Server data directories
 Plain-text sa password in setup files
 Excessive rights granted to the guest account
 SQL Server running on a system that is also a domain controller
 Improper configuration of the Everyone group, providing access to certain registry keys
 Improper configuration of SQL Server service accounts
 Missing service packs and security updates
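Most of the items in that list can be re-checked from Query Analyzer or osql without the MBSA GUI. The script below is an added example, not part of the original deck or of MBSA: a read-only T-SQL audit for a SQL Server 2000 instance, run as a member of sysadmin. It reads the authentication mode, the login audit level, sysadmin membership, blank and trivial SQL login passwords, the BUILTIN\Administrators login, guest access in user databases, leftover sample databases, xp_cmdshell grants and the Agent CmdExec setting; it changes nothing. PWDCOMPARE exists in SQL Server 2000 but is undocumented there, and the database and login names are whatever the instance holds, not assumptions.

```sql
-- Added example, not from the original deck: read-only audit of several
-- MBSA items on SQL Server 2000. Run as sysadmin; every result set that
-- returns rows is a finding to review.
USE master
SET NOCOUNT ON

-- Authentication mode: 1 = Windows only, 0 = mixed mode (SQL logins allowed).
SELECT 'IsIntegratedSecurityOnly' AS [check],
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS [value]

-- Login auditing level as configured: none, success, failure or all.
EXEC xp_loginconfig 'audit level'

-- Members of the sysadmin fixed server role; the list should be short.
EXEC sp_helpsrvrolemember 'sysadmin'

-- SQL logins with a blank password (stored as a NULL hash), sa included.
SELECT name AS [blank_password_login]
FROM syslogins
WHERE isntname = 0 AND password IS NULL

-- SQL logins whose password equals the login name. PWDCOMPARE is present
-- in SQL Server 2000 but undocumented there; sysxlogins holds the hash.
SELECT l.name AS [password_equals_name]
FROM syslogins l
JOIN sysxlogins x ON x.sid = l.sid
WHERE l.isntname = 0 AND x.password IS NOT NULL
  AND PWDCOMPARE(l.name, x.password) = 1

-- Is the local Administrators group still a login?
SELECT name AS [builtin_admins_login]
FROM syslogins
WHERE name = 'BUILTIN\Administrators'

-- User databases in which guest still has access. master and tempdb keep
-- guest by design; msdb is skipped because SQL Server Agent tooling uses it.
DECLARE @db sysname, @sql nvarchar(400)
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sysdatabases
    WHERE name NOT IN ('master', 'tempdb', 'msdb')
      AND DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'
OPEN dbs
FETCH NEXT FROM dbs INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'IF EXISTS (SELECT 1 FROM ' + QUOTENAME(@db)
             + N'.dbo.sysusers WHERE name = ''guest'' AND hasdbaccess = 1) '
             + N'SELECT ' + QUOTENAME(@db, '''') + N' AS [guest_enabled_in]'
    EXEC sp_executesql @sql
    FETCH NEXT FROM dbs INTO @db
END
CLOSE dbs
DEALLOCATE dbs

-- Sample databases still installed?
SELECT name AS [sample_database]
FROM sysdatabases
WHERE name IN ('pubs', 'Northwind')

-- Explicit grants on xp_cmdshell (sysadmin needs none, so any row is extra).
EXEC sp_helprotect 'xp_cmdshell'

-- Agent properties: sysadmin_only = 1 means only sysadmin members can
-- create CmdExec and ActiveScripting job steps.
EXEC msdb.dbo.sp_get_sqlagent_properties
```

The script deliberately reads the catalog rather than the registry so it works over a plain SQL connection; the ACL, service-account and domain-controller checks in the MBSA list need local Windows access and are not covered here.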
Common Database Server Threats and Countermeasures
[Figure: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server, with the threats below drawn against the hop where they apply]
Threats: Password cracking, SQL injection, Unauthorized external access, Network eavesdropping
Web app vulnerabilities: Over-privileged accounts, Weak input validation
Network vulnerabilities: Failure to block SQL ports
Configuration vulnerabilities: Over-privileged service account, Weak permissions, No certificate
SQL Server Security
Logins, Users, and Roles
Database Objects
Shares
Auditing and Logging
Services
Files and Directories
Accounts
Registry
Protocols
Ports
Patches and Updates
Network Operating System
SQL Server
Database Server Security Categories
Network Security
Restrict SQL to TCP/IP
Harden the TCP/IP stack
Restrict ports
Operating System Security
Isolate SQL from all other server roles
Configure the SQL Server service account with the lowest possible permissions
Delete or disable unused accounts
Secure authentication traffic
Logins, Users, and Roles
Use a strong system administrator (sa) password
Remove the SQL guest user account
Remove the BUILTIN\Administrators server login
Do not grant permissions for the public role
Access & Permission Models
Alternate Model
Files, Directories, and Shares
Use NTFS (with EFS where required) on non-system volumes
Verify permissions on SQL Server installation directories
Verify that the Everyone group does not have permissions to SQL Server files
Secure setup log files
Secure or remove tools, utilities, and SDKs
Remove unnecessary shares
Restrict access to required shares
Secure registry keys with ACLs
SQL Security
Set authentication to Windows only
If you must use SQL Server authentication, ensure that authentication traffic is encrypted
Authentication Modes
SQL Auditing
Log all failed Windows login attempts
Log successful and failed actions across the file system
Enable SQL Server login auditing
Enable SQL Server general auditing
Securing Database Objects
Remove the sample databases
Secure stored procedures
Secure extended stored procedures
Restrict CmdExec access to the sysadmin role
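The Logins, Users, and Roles, SQL Security, SQL Auditing and Securing Database Objects slides above are one hardening pass, and most of it can be scripted. The following is an added example, not from the original deck: T-SQL that applies those steps to a SQL Server 2000 default instance, run as sysadmin from Query Analyzer. The DBA group CORP\SQLDBAs and the new sa password are placeholders (marked ASSUMPTION in the code) and must be replaced; the two registry writes take effect at the next SQL Server service restart.

```sql
-- Added example, not from the original deck: applies the Logins/Users/Roles,
-- authentication, auditing and database-object steps on SQL Server 2000.
USE master
GO
-- A strong sa password is still needed: sa exists even in Windows-only mode.
EXEC sp_password NULL, 'Xk9#vQ2m!pL7wR4t', 'sa'        -- ASSUMPTION: replace
GO
-- Give the DBA group its own sysadmin login before dropping
-- BUILTIN\Administrators, or nobody may be left with sysadmin rights.
EXEC sp_grantlogin 'CORP\SQLDBAs'                       -- ASSUMPTION: group name
EXEC sp_addsrvrolemember 'CORP\SQLDBAs', 'sysadmin'
EXEC sp_revokelogin 'BUILTIN\Administrators'
GO
-- Windows-only authentication: LoginMode 1 (2 = mixed mode).
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1
-- Audit successful and failed logins: AuditLevel 3 (2 = failures only).
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3
GO
-- Remove the guest user from every user database. master and tempdb cannot
-- lose guest; msdb keeps it because SQL Server Agent tooling relies on it.
DECLARE @db sysname, @sql nvarchar(300)
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sysdatabases
    WHERE name NOT IN ('master', 'tempdb', 'msdb')
      AND DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'
OPEN dbs
FETCH NEXT FROM dbs INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the change to that batch only.
    SET @sql = N'USE ' + QUOTENAME(@db)
             + N' IF EXISTS (SELECT 1 FROM sysusers'
             + N' WHERE name = ''guest'' AND hasdbaccess = 1)'
             + N' EXEC sp_revokedbaccess ''guest'''
    EXEC (@sql)
    FETCH NEXT FROM dbs INTO @db
END
CLOSE dbs
DEALLOCATE dbs
GO
-- Sample databases go; nothing in production should depend on them.
IF DB_ID('pubs') IS NOT NULL DROP DATABASE pubs
IF DB_ID('Northwind') IS NOT NULL DROP DATABASE Northwind
GO
-- Only sysadmin members may create CmdExec and ActiveScripting job steps.
EXEC msdb.dbo.sp_set_sqlagent_properties @sysadmin_only = 1
-- xp_cmdshell runs OS commands as the service account: keep it sysadmin-only.
REVOKE EXECUTE ON xp_cmdshell FROM public
GO
```

Run the read-only checks first on a test instance, keep a note of the old LoginMode value, and schedule the restart: switching to Windows-only authentication breaks every application that still connects with a SQL login, which is exactly the behaviour you want, but not as a surprise.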
Using Views and Stored Procedures
SQL queries may contain confidential information
 Use stored procedures whenever possible
 Use views instead of direct table access
Implement security best practices for Web-based applications
Restrict Remote Administration
Restrict number of Windows Administration accounts
Restrict the tools
 Internet services manager
 Terminal Services
 SQL Server Enterprise Manager – restrict to a single Windows user
Restrict the computers using IPSec
Securing Web Applications
Validate all data input
Secure authentication and authorization
Secure sensitive data
Use least-privileged process and service accounts
Close all unneeded DB connections
Configure auditing and logging
Use structured exception handling
Knocking Down The Side Door
//Three mistakes in this statement alone:
SqlConnection conn = new SqlConnection();
conn.ConnectionString =
    "data source=PYN-SQL;" +
    "initial catalog=pubs;" +
    "user id=sa;" +
    "password=password;" +
    "persist security info=True;" +
    "packet size=4096";
conn.Open();
 Oh, that's bad: a hard-coded connection string, not using DSNs
 Worse, a privileged user (sa)…
 …with a lame password

//Don't do this at home folks: SQL Query Composition
string strQuery;
strQuery = "select * from Users where UserName = '" +
    username.Text + "' and Password ='" +
    password.Text + "';";
 Completely unvalidated user input!
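What that concatenation actually sends to the server is easiest to see in SQL. The block below is an added example, not from the original deck: it writes out the statement the page's code produces for three attacker-chosen values of username.Text, then replaces the composition with a parameterized stored procedure, which is the "use stored procedures whenever possible" advice from earlier applied to this login check. The dbo.Users table with UserName and Password columns is inferred from the C# above; the Windows account CORP\WebAppSvc and the procedure name are assumptions. The page's schema compares the password in the clear, and the procedure keeps that interface so it is a drop-in; in practice the column should hold a salted hash.

```sql
-- Added example, not from the original deck: the injected statements the
-- concatenated query yields, then a parameterized replacement.

-- username.Text = admin'--     password.Text = anything
-- The comment marker drops the password test; any password logs in as admin:
select * from Users where UserName = 'admin'--' and Password ='anything';

-- username.Text = x' OR 1=1--  password.Text = anything
-- Every row returns, rowCount > 0, and the page treats the attacker as
-- logged in under whichever user the first row holds:
select * from Users where UserName = 'x' OR 1=1--' and Password ='anything';

-- username.Text = x'; EXEC master..xp_cmdshell 'dir'--
-- SQL Server executes the whole batch; because the page connects as sa, the
-- OS command runs under the SQL Server service account:
select * from Users where UserName = 'x'; EXEC master..xp_cmdshell 'dir'--' and Password ='anything';

-- Replacement: the credentials arrive as typed parameters and are never
-- parsed as SQL, so the quotes and comment markers above are just characters.
CREATE PROCEDURE dbo.usp_CheckLogin          -- ASSUMPTION: procedure name
    @UserName nvarchar(50),
    @Password nvarchar(50)
AS
    SET NOCOUNT ON
    SELECT COUNT(*) AS MatchCount
    FROM dbo.Users
    WHERE UserName = @UserName AND Password = @Password
GO
-- The web application's own Windows account, not sa, gets EXECUTE on the
-- procedure and no direct access to the table at all.
EXEC sp_grantlogin 'CORP\WebAppSvc'          -- ASSUMPTION: service account
EXEC sp_grantdbaccess 'CORP\WebAppSvc', 'WebAppSvc'
GRANT EXECUTE ON dbo.usp_CheckLogin TO WebAppSvc
GO
```

On the C# side the procedure is called with SqlCommand.CommandType set to CommandType.StoredProcedure and two SqlParameter values, over a connection string that uses Integrated Security=SSPI instead of the sa credentials; the login check then reads MatchCount rather than counting whatever rows an attacker managed to return.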
But Wait It Gets Better
int rowCount = ds.Tables["Users"].Rows.Count;
if(rowCount > 0) // If we get back something...
{
    //...we must be successfully logged in
    Session["LoggedIn"] = true;
    // Store the username in a session variable
    Session["username"] = username.Text;
    ...
 This is the user name from the form

<body>
<asp:Label id="Username" runat="server">Label</asp:Label>
...

private void Page_Load(object sender, System.EventArgs e)
{
    ...
    Username.Text = Session["username"].ToString();
}
 Which we cross-site script onto the page! (the value is written back without Server.HtmlEncode)
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Next Steps
1. Stay informed about security
 Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
 Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
 Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
 Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
For More Information
Microsoft Security Site (all audiences)
 http://www.microsoft.com/security
TechNet Security Site (IT professionals)
 http://www.microsoft.com/technet/security
MSDN Security Site (developers)
 http://msdn.microsoft.com/security
Questions and Answers