OPASS – MARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)


Page 1

K. Brian Kelley, MCSE, CISA, Security+, MVP-SQL Server

The Dirty Business of Auditing: Auditing SQL Server (2000 – 2008R2)

Page 2

MY BACKGROUND
- Database Administrator / Architect
- Infrastructure and security architect
- Incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Co-author of:
  - How to Cheat at Securing SQL Server 2005 (Syngress)
  - Professional SQL Server 2008 Administration (Wrox)
  - Introduction to SQL Server (Texas Publishing)

Page 3

CONTACT INFORMATION
- Mail: [email protected]
- Twitter: @kbriankelley
- Blogs: SQL Server Central, http://gkdba.wordpress.com/

Page 4

AGENDA FOR TONIGHT
- Why auditors can't audit SQL Server: "Tag, you're It"
- SQL Server Surface Area
- Server Level Auditing
- Database Level Auditing

Page 5

INFORMATION DISCLOSURE ISSUE
- SQL Server 2000: if you have access to the DB, you can audit it. But so can anyone else... Catch-22.
- SQL Server 2005+: you must have permissions on the object to see it.
- Recommendation: automate the auditing. Use a service account with the proper permissions.

Page 6

SURFACE AREA – FROM REMOTE
- Quest Discovery Wizard
- SQL Ping
- MS Assessment and Planning (MAP) tool
- nmap
- General scanners: Qualys, Nessus

Page 7

SURFACE AREA – ON THE SERVER
- SQL Server 2000: SQL Server Server Network Utility
- SQL Server 2005 only: SQL Server Surface Area Configuration
- SQL Server 2005 and above: SQL Server Configuration Manager

Page 8

WHAT TO LOOK FOR
- What network protocols are enabled
- What ports SQL Server is listening on
- Whether remote connections are allowed

Page 9

SERVER LEVEL CONCERNS
- SQL Server 2000 and above
- SQL Server 2005 and above

Page 10

ALL VERSIONS
- Logins: SQL Server logins, Windows users, Windows groups
- Server Roles

Page 11

WHAT TO LOOK FOR
- Windows users (not service accounts)
- A lot of SQL Server logins
- Members of: sysadmin, securityadmin, serveradmin, processadmin
- Use of sa or sysadmin-level accounts

Page 12

SQL SERVER 2005 AND ABOVE
- Server level securables
- DAC (remote)
- OLE automation
- SQL Mail
- xp_cmdshell
- Password policy enforcement
- Impersonation of logins

Page 13

VISUALIZING SECURABLES

Page 14

WHAT TO LOOK FOR (2005+)
- Everything in the all-versions list
- CONTROL permission at server level
- IMPERSONATE of sa or sysadmin logins
- SQL logins without full password policy enforcement: no enforcement at all, or password never expires

Page 15

DATABASE LEVEL CONCERNS
- SQL Server 2000 and above
- SQL Server 2005 and above

Page 16

ALL VERSIONS
- How database users map to server logins
- Use of the guest user (except system DBs)
- Database owner (maps as dbo)
- Members of database roles: db_owner, db_ddladmin, db_securityadmin
- Database level permissions (CREATE)

Page 17

SQL SERVER 2005+
- Permissions at database securable level
- Permissions at schema securable level
- Encryption key escrow

Page 18

WHAT TO LOOK FOR
- Use of the database owner by an application
- Use of db_owner by an application
- End users with too many rights
- Developers in the following roles in prod: db_owner, db_ddladmin, db_securityadmin
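The server-level checks from pages 11 and 14 and the database-role check from pages 16 and 18, written as one read-only T-SQL audit script. This is an added example, not part of the presentation; it assumes SQL Server 2005 or later (these catalog views do not exist in 2000) and a login holding VIEW ANY DEFINITION, such as the audit service account recommended on page 5.

```sql
-- Added example (not from the slides): read-only audit queries for SQL Server 2005+.
-- Assumes the caller has VIEW ANY DEFINITION; nothing here modifies the instance.

-- 1. Members of the high-privilege fixed server roles (page 11).
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- 2. SQL Server logins without full password policy enforcement (page 14):
--    policy not checked at all, or password never expires.
SELECT l.name, l.is_policy_checked, l.is_expiration_checked, l.is_disabled
FROM sys.sql_logins l
WHERE l.is_policy_checked = 0 OR l.is_expiration_checked = 0
ORDER BY l.name;

-- 3. CONTROL SERVER granted explicitly; effectively the same as sysadmin (page 14).
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'CONTROL SERVER' AND sp.state IN ('G', 'W');

-- 4. IMPERSONATE granted on sa or on any sysadmin member (page 14).
--    sa may have been renamed; the sysadmin membership test covers that case.
SELECT grantee.name AS grantee, target.name AS can_impersonate, sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = sp.major_id
WHERE sp.class_desc = 'SERVER_PRINCIPAL'
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W')
  AND (target.name = 'sa' OR IS_SRVROLEMEMBER('sysadmin', target.name) = 1);

-- 5. In the current database: members of db_owner / db_ddladmin / db_securityadmin
--    and the server login each user maps to (pages 16 and 18). Run once per database.
SELECT r.name AS db_role, u.name AS db_user,
       lg.name AS mapped_login   -- NULL: no matching login (orphaned user)
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals lg ON lg.sid = u.sid
WHERE r.name IN ('db_owner', 'db_ddladmin', 'db_securityadmin')
ORDER BY r.name, u.name;
```

Query 5 reports only the database it is run in, so repeat it against each user database rather than relying on an undocumented loop procedure.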

Page 19

QUESTIONS & ANSWERS