admin tech ed presentation hardening sql server
TRANSCRIPT
Key session takeaways
- Understand the many views of SQL Server
- Look at hardening SQL Server:
  - At the network level
  - At the access level
  - At the data level
  - At the application level
- Tools and features for hardening
- Best practices
Background: # of CVE – Software Flaws
Notes: Updated as of 4/21/2009. Vulnerabilities are included for SQL Server 2000, SQL Server 2005 and SQL Server 2008, and for Oracle (8i, 9i, 9iR2, 10g, 10gR2, 11g). The query for Oracle was run with vendor name 'Oracle' and product name 'any' (all database product name variations were queried). The query for Microsoft was run with vendor name 'Microsoft', product name 'Microsoft SQL Server' and version name 'Any'. We are counting NIST CVE – Software Flaws (each CVE might include more than one Oracle vulnerability).
Source: NIST National Vulnerability Database
[Bar chart: number of CVEs per year, 2002 to 2009, SQL Server vs. Oracle]
Brief look at history
- SQL Slammer worm (2003): exploit on UDP port 1434; buffer overflow in service resolution
- Spida worm (2002): exploit on TCP port 1433; collects system info and emails the password hash
The many views of SQL Server
I. Network service: SQL Server offers a network service. Attacks target the network and the port, e.g. port sniffing, DoS attack.
II. Access service: SQL Server requires a login/password to connect and execute queries. Attacks target blank passwords and improper roles/permissions.
III. Data service: SQL Server data lives in mdf, ldf and log files. Attempts to capture data either directly from the host or from backup disk.
IV. Application service: T-SQL queries that interact with the instance may be poorly written, e.g. SQL injection and elevation of privileges.
Let’s look at each view….
Highlight the Concepts
Understand the Tools used
Demo features in SQL Server 2008
Summarize the Best Practices
I. Network service: Concepts
Protocol stack (top to bottom):
- TDS: Tabular Data Stream
- SMUX: Session MUX protocol for MARS
- TLS/SSL: Network channel encryption
- TCP/IP stack, Named Pipes, VIA: Network transport
Network service: SQL Server Tools
- SQL Scan: scans an individual computer, a Windows domain, or a range of IP addresses for SQL Server 2000 and MSDE 2000
- SQL Check: scans the computer on which it is running for instances of SQL Server 2000 and MSDE 2000
- SQL Server Critical Update: detects and updates vulnerable files through a wizard
- Other 3rd party tools
Network service: Lock down
- Verify instance patch level
- Disable unused features (Database Mail, xp_cmdshell)
- Prefer Windows Authentication mode
- Revoke permissions the user does not need
- Remove sample databases
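An added T-SQL check-and-fix script (not from the deck) covering the lock-down items above on a SQL Server 2008 instance; the sample database names at the end are an assumed list.

```sql
-- Added example, not from the original deck. Run as a sysadmin.

-- 1. Verify the instance patch level before anything else.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,   -- RTM, SP1, ...
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Show the current state of the features the deck says to disable.
--    value_in_use = 1 means the feature is enabled (the weak setting).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Database Mail XPs');

-- 3. Disable them (hardened setting is 0), then hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Database Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm the authentication mode (1 = Windows only, 0 = mixed mode).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 5. List sample databases still present so they can be dropped.
--    The name list is an assumption; extend it for your environment.
SELECT name
FROM sys.databases
WHERE name IN ('AdventureWorks', 'AdventureWorks2008', 'Northwind', 'pubs');
```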
Network service: Best Practices
- Ensure the patch level is up to date
- Use TCP/IP as the preferred network protocol
- Do not expose TCP/IP ports over the Internet
- Use SSL-encrypted communication
- Disable protocols that are not required
- Lock down SQL Server
II. Access service: Concepts
- Windows vs. SQL Authentication
- Fixed vs. flexible roles
- Users and application role
- Statement vs. object permissions
Access service: SQL Server 2008 Tools
- XEvent: scalable and configurable asynchronous eventing infrastructure
- SQL Server 2008 Auditing: unified, box-wide solution to audit DDL for configuration and management purposes
XEvent session
[Diagram: packages PackageA, PackageB and PackageC expose events (Event1), actions (Action1) and targets (Target1, Target2). Session1 is composed of Event1, Action1, Target1 and Target2; Session2 is composed of Event1 and Target1.]
Demo: Capturing events using XEvent (Karthik Bharathy, Program Manager, Microsoft)
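An added example, not from the deck, of an XEvent session assembled from the pieces in the diagram above (one event, four actions, one target): it records every error of severity 16 or higher together with the statement and login that raised it, which is where the divide-by-zero conditional-error probe from the deck's SQL injection sample shows up. The session name is an assumption.

```sql
-- Added example, not from the deck. Session name is an assumption.
-- Event:   sqlserver.error_reported (every error raised on the instance)
-- Actions: sql_text, username, client_hostname, client_app_name
-- Target:  package0.ring_buffer (in memory; use asynchronous_file_target to persist)
-- Note: SQL Server 2008 names the error-number field "error"; 2012+ calls it
-- "error_number". The predicate below uses "severity", which is the same in both.
CREATE EVENT SESSION [HighSeverityErrors] ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.sql_text, sqlserver.username,
            sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE severity >= 16)
ADD TARGET package0.ring_buffer (SET max_memory = 4096)   -- KB
WITH (MAX_DISPATCH_LATENCY = 5 SECONDS, STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [HighSeverityErrors] ON SERVER STATE = START;
GO

-- Read the buffer back: one row per captured error, newest first. A burst of
-- error 8134 (divide by zero) or 245 (conversion failed) from one login and
-- host is the footprint of conditional-error injection probing.
;WITH xe AS (
    SELECT CAST(t.target_data AS xml) AS target_data
    FROM sys.dm_xe_session_targets AS t
    JOIN sys.dm_xe_sessions AS s ON s.address = t.event_session_address
    WHERE s.name = 'HighSeverityErrors' AND t.target_name = 'ring_buffer'
)
SELECT
    ev.value('@timestamp', 'datetime2')                               AS event_time,
    ev.value('(data[@name="severity"]/value)[1]', 'int')              AS severity,
    ev.value('(data[@name="message"]/value)[1]', 'nvarchar(2048)')    AS message,
    ev.value('(action[@name="username"]/value)[1]', 'sysname')        AS login_name,
    ev.value('(action[@name="client_hostname"]/value)[1]', 'sysname') AS client_host,
    ev.value('(action[@name="sql_text"]/value)[1]', 'nvarchar(max)')  AS sql_text
FROM xe
CROSS APPLY xe.target_data.nodes('RingBufferTarget/event') AS x(ev)
ORDER BY event_time DESC;
```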
SQL Server Auditing: Specifications
[Diagram: an Audit defines the target (File, Application Log or Security Log). A Server Audit Specification has server scope and uses group actions (Login failed, Database Change, Audit Change, Backup Restore). A Database Audit Specification exists per database (Db1, Db2), is scoped to Database, Schema or Object (stored procedure, table, view) and uses granular actions (select, insert, update, delete, execute, references).]
Demo: Access checks using SQL Server Auditing (Karthik Bharathy, Program Manager, Microsoft)
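An added example (not the deck's own code) that builds the three pieces in the diagram: a server audit writing to a file, a server audit specification with group actions, and a database audit specification with granular actions. Audit names, the path D:\SQLAudit\ and the database Db1 are assumptions.

```sql
-- Added example, not from the deck. Names, path and database are assumptions;
-- the folder must exist and be writable by the SQL Server service account.
USE master;
GO
CREATE SERVER AUDIT [HardeningAudit]
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);  -- SHUTDOWN is the strict choice
GO
ALTER SERVER AUDIT [HardeningAudit] WITH (STATE = ON);
GO

-- Group actions at server scope: the four groups named on the slide.
CREATE SERVER AUDIT SPECIFICATION [HardeningServerSpec]
    FOR SERVER AUDIT [HardeningAudit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (BACKUP_RESTORE_GROUP),
    ADD (DATABASE_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Granular actions at schema scope inside one database (Db1 is assumed).
USE Db1;
GO
CREATE DATABASE AUDIT SPECIFICATION [HardeningDbSpec]
    FOR SERVER AUDIT [HardeningAudit]
    ADD (SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo BY public)
    WITH (STATE = ON);
GO

-- Review: failed logins (LGIF) and the DML actions captured so far.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
   OR action_id IN ('SL', 'IN', 'UP', 'DL', 'EX')
ORDER BY event_time DESC;
```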
Access service: Best Practices
- Enable audits on SQL Server access and failed logins
- Strong sa passwords
- Prefer Windows Authentication over SQL Authentication
- Restrict the PUBLIC role
- Consider no guest access on production boxes
III. Data service: Concepts
- SQL Server data store: mdf, ndf, ldf files
- SQL Server logs from audit, Database Mail, maintenance plans
- SQL policy files
Data service: SQL Server 2008 Tools
- Transparent Data Encryption (TDE): encryption and decryption at the database level using a Database Encryption Key (DEK); transparent to the user application
- Extensible Key Management (EKM): the encryption key is stored and managed on an external device (Hardware Security Module, HSM); encryption and decryption are performed by the HSM
Demo: Data encryption using TDE (Karthik Bharathy, Program Manager, Microsoft)
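An added example, not from the deck, that turns TDE on for one database and backs up the certificate protecting the DEK, the step without which no backup of that database can ever be restored elsewhere. Database name Db1, certificate name, paths and passwords are placeholders.

```sql
-- Added example, not from the deck. Db1, TDECert, paths and passwords are
-- placeholders. Run as a sysadmin.
USE master;
GO
-- 1. Database master key in master, protected by the service master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for Db1';
GO
-- 3. Back up the certificate and its private key now and store them off the
--    server; losing them means losing every backup of the encrypted database.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\Keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- 4. Create the DEK inside the user database and turn encryption on.
USE Db1;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE Db1 SET ENCRYPTION ON;
GO
-- 5. Watch the background scan: encryption_state 3 = encrypted. tempdb is
--    encrypted as well once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```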
Data service: Best Practices
- Drop sample databases
- Built-in encryption functions
- T-SQL procedure encryption
- Database encryption
- Extensible Key Management
IV. Application service: Concepts
SQL Injection: injecting attacker-controlled SQL code into an application query
Types:
- Incorrectly escaped quotes
- Time delays during execution
- Conditional errors
SQL Injection sample code
    -- incorrectly escaped quote: tautology turns the WHERE clause true
    ' or 1=1 --
    -- incorrectly escaped quote: UNION appends attacker-chosen columns
    ' union select @@VERSION
    -- hex-encoded statement executed through EXEC (decodes to the commented line)
    declare @query varchar(8000)
    set @query = 0x73656C656374202A2066726F6D207379732E7365727665725F7072696E636970616C73207768657265207479706520696E20282753272C27552729
    exec(@query)
    -- select * from sys.server_principals where type in ('S','U')
    -- conditional error: divide by zero only fires when the condition holds
    select 1/0 from sys.server_principals where type in ('S','U') and name='admin'
Application service: Best Practices
- Validate data passed as query input: escape single quotes; use parameterization
- Check query strings composed on an ad-hoc basis: use stored procedures
- Use tools like Microsoft Source Code Analyzer for SQL Injection
- Configure error reporting
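An added example (not from the deck) contrasting the ad-hoc string concatenation the slide warns about with parameterization via sp_executesql and a static stored procedure, plus a CATCH block that returns a generic error; procedure names are assumptions and the lookup reuses sys.server_principals from the sample slide.

```sql
-- Added example, not from the deck. Procedure names are assumptions.
USE master;
GO
-- Weak: the caller's string becomes part of the batch text, so the first
-- sample on the previous slide (' or 1=1 --) rewrites the WHERE clause.
CREATE PROCEDURE dbo.FindUser_Adhoc @name nvarchar(128) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT name, type_desc FROM sys.server_principals WHERE name = '''
        + @name + N'''';
    EXEC (@sql);
END;
GO
-- Hardened: sp_executesql passes @name as a typed parameter. Quote characters
-- in the value never reach the parser as syntax, so nothing needs escaping.
CREATE PROCEDURE dbo.FindUser_Param @name nvarchar(128) AS
BEGIN
    EXEC sp_executesql
        N'SELECT name, type_desc FROM sys.server_principals WHERE name = @n',
        N'@n nvarchar(128)',
        @n = @name;
END;
GO
-- Simplest when no dynamic SQL is needed: a static query in a stored
-- procedure; the application login gets EXECUTE on the procedure only.
CREATE PROCEDURE dbo.FindUser_Static @name nvarchar(128) AS
    SELECT name, type_desc FROM sys.server_principals WHERE name = @name;
GO
-- Error reporting: keep the detail server-side, return a generic message so
-- conditional-error and UNION probes learn nothing from the response.
BEGIN TRY
    EXEC dbo.FindUser_Static @name = N'sa';
END TRY
BEGIN CATCH
    DECLARE @detail nvarchar(2048) =
        N'FindUser error ' + CAST(ERROR_NUMBER() AS nvarchar(10)) + N': ' + ERROR_MESSAGE();
    -- write @detail to your server-side log here, then raise only a generic error
    RAISERROR(N'Lookup failed.', 16, 1);
END CATCH;
```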
Summary
- Take advantage of SQL Server 2008 security features
- Understand the different levels of threat in your environment
- Not every tool and configuration may be necessary
- Finally, note that the chain is only as strong as its weakest link
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.