TRANSCRIPT
Secure SQL Server configuration
Pat Larkin
Ward Solutions
Session Prerequisites
Understanding of network security essentials
Hands-on experience with Windows® 2000 Server or Windows Server™ 2003
Experience with Windows management tools
Hands-on experience with SQL Server 2000 and management tools
Level 300
Agenda
Introduction
Protecting the application layer
Protecting SQL Server
Defense in Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers and the controls applied at each (diagram):
Policies, Procedures, & Awareness: user education
Physical Security: guards, locks, tracking devices
Perimeter: firewalls, VPN quarantine
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, update management, authentication, HIDS
Application: application hardening, antivirus
Data: ACL, encryption
Why Application Security Matters
Perimeter defenses provide limited protection
Many host-based defenses are not application specific
Most modern attacks occur at the application layer
Why Data Security Matters
Secure your data as the last line of defense
Configure file permissions
Configure data encryption
Protects the confidentiality of information when physical security is compromised
Application Server Best Practices
Configure security on the base operating system
Apply operating system and application service packs and patches
Install or enable only those services that are required
Application accounts should be assigned minimal permissions
Apply defense-in-depth principles to increase protection
Assign only those permissions needed to perform required tasks
Defense in Depth
(Diagram: SQL Server at the centre, surrounded by the operational areas that contribute to Efficiency, Continuity and Security.)
Areas shown: Performance Tuning, Policies, Capacity Management, Storage Management, Hardware Upgrades, Performance Monitoring, Disaster Recovery, Support, Antivirus, Event Monitoring, Change Management, Security Policies, Firewall Issues, SQL Server Policies, AD Group Membership, UPS, Recovery Testing, Availability Monitoring, Availability Management, Group Policies, Backup
Agenda
Introduction
Protecting the application layer
Protecting SQL Server
Basic Security Configuration
Apply service packs and patches
Use MBSA to detect missing SQL updates
Use SQL Critical Update Kit
Disable unused services
MSSQLSERVER (required)
SQLSERVERAGENT
MSSQLServerADHelper
Microsoft Search
Microsoft DTC
What MBSA typically checks on SQL Server
Too many members of the sysadmin fixed server role.
Granting of right to create CmdExec jobs to roles other than sysadmin.
Blank or trivial passwords.
Weak authentication mode.
Excessive rights granted to the Administrators group
Incorrect ACLs on SQL Server data directories.
Plain-text sa password in setup files
Excessive rights granted to the guest account.
SQL Server running on a system that is also a domain controller.
Improper configuration of the Everyone group, providing access to certain registry keys.
Improper configuration of SQL Server service accounts.
Missing service packs and security updates
Common Database Server Threats and Countermeasures
(Diagram: Browser -> Perimeter Firewall -> Web App -> Internal Firewall -> SQL Server)
Threats: Unauthorized External Access, SQL Injection, Password Cracking, Network Eavesdropping
Network Vulnerabilities: failure to block SQL ports
Configuration Vulnerabilities: over-privileged service account, weak permissions, no certificate
Web App Vulnerabilities: over-privileged accounts, weak input validation
Database Server Security Categories
Network: Protocols, Ports
Operating System: Patches and Updates, Shares, Services, Accounts, Auditing and Logging, Files and Directories, Registry
SQL Server: SQL Server Security, Database Objects, Logins, Users, and Roles
Network Security
Restrict SQL to TCP/IP
Harden the TCP/IP stack
Restrict ports
Operating System Security
Isolate SQL from all other server roles
Configure the SQL Server service account with the lowest possible permissions
Delete or disable unused accounts
Secure authentication traffic
Logins, Users, and Roles
Use a strong system administrator (sa) password
Remove the SQL guest user account
Remove the BUILTIN\Administrators server login
Do not grant permissions for the public role
Access & Permission Models
Alternate Model
Files, Directories, and Shares
Use NTFS (EFS) & non system volumes
Verify permissions on SQL Server installation directories
Verify that Everyone group does not have permissions to SQL Server files
Secure setup log files
Secure or remove tools, utilities, and SDKs
Remove unnecessary shares
Restrict access to required shares
Secure registry keys with ACLs
SQL Security
Set authentication to Windows only
If you must use SQL Server authentication, ensure that authentication traffic is encrypted
Authentication Modes
SQL Auditing
Log all failed Windows login attempts
Log successful and failed actions across the file system
Enable SQL Server login auditing
Enable SQL Server general auditing
Securing Database Objects
Remove the sample databases
Secure stored procedures
Secure extended stored procedures
Restrict cmdExec access to the sysadmin role
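As an added example (not from the session or from MBSA), a small read-only audit in C# that queries a SQL Server 2000 instance for several of the conditions the preceding slides tell you to fix: Windows-only authentication, the BUILTIN\Administrators login, sysadmin membership, the sample databases and xp_cmdshell. It assumes a Windows login able to read the master system tables, a placeholder server name, and the policy that sa should be the only member of sysadmin.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
// Added example, not from the session: a read-only audit of a SQL Server 2000 instance
// for several conditions the session (and MBSA) say to fix. Assumes a Windows login that
// can read the master system tables; the server name is a placeholder.
class SqlHardeningAudit
{
    const string ConnString =
        "data source=SQLSERVER-PLACEHOLDER;initial catalog=master;integrated security=SSPI";
    // { description, query returning one value, value expected on a hardened server }
    static readonly string[][] Checks =
    {
        new[] { "Authentication set to Windows only",
                "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)", "1" },
        new[] { "BUILTIN\\Administrators server login removed",
                "SELECT COUNT(*) FROM master..syslogins WHERE name = 'BUILTIN\\Administrators'", "0" },
        new[] { "sa is the only member of sysadmin (assumed policy)",
                "SELECT COUNT(*) FROM master..syslogins WHERE sysadmin = 1", "1" },
        new[] { "Sample databases removed",
                "SELECT COUNT(*) FROM master..sysdatabases WHERE name IN ('pubs', 'Northwind')", "0" },
        new[] { "xp_cmdshell extended stored procedure dropped",
                "SELECT COUNT(*) FROM master..sysobjects WHERE name = 'xp_cmdshell'", "0" },
    };
    // Runs every check; returns the descriptions of those that fail (empty list = all pass).
    public static List<string> FindFailures()
    {
        var failures = new List<string>();
        using (var conn = new SqlConnection(ConnString))
        {
            conn.Open();
            foreach (string[] check in Checks)
            {
                using (var cmd = new SqlCommand(check[1], conn))
                {
                    string actual = Convert.ToString(cmd.ExecuteScalar());
                    if (actual != check[2])
                        failures.Add(check[0] + " (found: " + actual + ")");
                }
            }
        }
        return failures;
    }
    static void Main()
    {
        foreach (string f in FindFailures()) Console.WriteLine("FAIL: " + f);
    }
}
```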
Using Views and Stored Procedures
SQL queries may contain confidential information
Use stored procedures whenever possible
Use views instead of direct table access
Implement security best practices for Web-based applications
Restrict Remote Administration
Restrict number of Windows Administration accounts
Restrict the tools
Internet services manager
Terminal Services
SQL Server Enterprise Manager – restrict to a single Windows user
Restrict the computers using IPSec
Securing Web Applications
Validate all data input
Secure authentication and authorization
Secure sensitive data
Use least-privileged process and service accounts
Close all unneeded DB connections
Configure auditing and logging
Use structured exception handling
Knocking Down The Side Door
    //Three mistakes in this statement alone:
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString =
        "data source=PYN-SQL;" +
        "initial catalog=pubs;" +
        "user id=sa;" +
        "password=password;" +
        "persist security info=True;" +
        "packet size=4096";
    conn.Open();
    //Don't do this at home folks: SQL Query Composition
    string strQuery;
    strQuery = "select * from Users where UserName = '" +
        username.Text + "' and Password ='" +
        password.Text + "';";
Slide callouts:
Completely un-validated user input!
Oh, that’s bad, not using DSNs
Worse, privileged user…
…with a lame password
But Wait It Gets Better
    int rowCount = ds.Tables["Users"].Rows.Count;
    if(rowCount > 0) // If we get back something...
    {
        //...we must be successfully logged in
        Session["LoggedIn"] = true;
        // Store the username in a session variable
        Session["username"] = username.Text;
    ...
    <body><asp:Label id="Username" runat="server">Label</asp:Label>
    ...
    private void Page_Load(object sender, System.EventArgs e)
    {
        ...
        Username.Text = Session["username"].ToString();
    }
Slide callouts:
This is the user name from the form
Which we cross-site script onto the page!
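The same login page rewritten so that each mistake called out on the two slides is corrected, as an added example (not the session's code): Windows authentication under a least-privilege application account instead of sa, input validation, a parameterised query instead of string composition, an explicit password check instead of "a row came back", and HTML encoding before the name is echoed. It assumes controls named UserNameBox, PasswordBox, Username and ErrorLabel, a Users table with UserName and PasswordHash columns, a placeholder server name, and hex SHA-256 as the stored hash format.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
// Added example, not from the session. Assumed names: controls UserNameBox, PasswordBox,
// Username and ErrorLabel; a Users table with UserName and PasswordHash columns.
public partial class Login : Page
{
    // Windows authentication under the application's least-privilege service account: no sa, no secret in source.
    const string ConnString =
        "data source=SQLSERVER-PLACEHOLDER;initial catalog=AppDb;integrated security=SSPI";
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Fixes "completely un-validated user input": reject anything outside the expected shape.
        string user = UserNameBox.Text.Trim();
        if (user.Length == 0 || user.Length > 64) { ErrorLabel.Text = "Invalid login."; return; }
        // Fixes query composition: the value travels as a parameter, so a quote or
        // comment sequence typed into the form is compared as data, not executed as SQL.
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand("SELECT PasswordHash FROM Users WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", user);
            conn.Open();
            object stored = cmd.ExecuteScalar();
            // Fixes "a row came back, so we must be logged in": check the password explicitly.
            if (stored != null && HashPassword(PasswordBox.Text) == (string)stored)
            {
                Session["LoggedIn"] = true;
                Session["username"] = user;
                return;
            }
        }
        ErrorLabel.Text = "Invalid login.";
    }
    protected void Page_Load(object sender, EventArgs e)
    {
        // Fixes the cross-site scripting: HTML-encode before echoing a user-supplied value.
        if (Session["username"] != null)
            Username.Text = HttpUtility.HtmlEncode((string)Session["username"]);
    }
    // Assumed stored format: hex SHA-256 of the password (a salted, slow hash is preferable).
    static string HashPassword(string pw)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(pw))).Replace("-", "");
    }
}
```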
Top Ten Things to Protect SQL Server
1. Install the most recent service pack
2. Run MBSA
3. Configure Windows authentication
4. Isolate the server and back it up
5. Check the sa password
6. Limit privileges of SQL services
7. Block ports at your firewall
8. Use NTFS
9. Remove setup files and sample databases
10. Audit connections
Next Steps
1. Stay informed about security
Sign up for security bulletins: http://www.microsoft.com/security/security_bulletins/alerts2.asp
Get the latest Microsoft security guidance: http://www.microsoft.com/security/guidance/
2. Get additional security training
Find online and in-person training seminars: http://www.microsoft.com/seminar/events/security.mspx
Find a local CTEC for hands-on training: http://www.microsoft.com/learning/
For More Information
Microsoft Security Site (all audiences)
http://www.microsoft.com/security
TechNet Security Site (IT professionals)
http://www.microsoft.com/technet/security
MSDN Security Site (developers)
http://msdn.microsoft.com/security
Questions and Answers