
Avanade: 10 tips for securing your SQL Server databases. Bernt Lervik, Infrastructure Architect, Avanade.




1 Avanade: 10 tips for securing your SQL Server databases. Bernt Lervik, Infrastructure Architect, Avanade

2 Avanade is the leading technology integrator specialising in the Microsoft platform. Our people help customers around the world maximise their IT investment and create comprehensive solutions that drive business results. Additional information can be found at www.avanade.com

3 Agenda
Unbreakable SQL Server?
Background
Baseline security
Server installation
Service Account Selection
Authentication
Patching
Surface area reduction
Demo: Security Configuration Wizard
Demo: SQL Server 2005 Best Practices Analyzer
Network connectivity
Demo: IPSec

4 Unbreakable SQL Server?
SQL Server 2005 has zero vulnerabilities disclosed or fixed since launch!
IIS 6.0 has had only two Important patches since launch:
MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
MS04-030 Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151)

5 Unbreakable SQL Server?
This does not mean we're safe! Remember: this session will cover the things you forget to do outside of SQL Server.
"There is no 'patch' for stupidity." (www.sqlsecurity.com)

6 Background
Why are we securing our systems? Risk management:
Identify the appropriate level of security for assets according to their data classification
Determine the most appropriate and cost-effective measures to mitigate security threats
Establish regular security risk reviews
In mixed classification, apply the protection requirements of the more sensitive class
Make the asset owner accountable

7 Background
Asset classification:
Define levels of security for assets based on confidentiality, integrity, and availability
Restrict access to High Business Impact (HBI) data to only the most trusted parties
Apply strict rules to the use and management of Medium Business Impact (MBI) data
Low Business Impact (LBI) data has no formal classification or protection requirements

8 Server installation
Install while not connected directly to the Internet (doh)
Always use the latest slipstreamed installation media (Windows Server 2003 with Service Pack 2)
If required, deploy antivirus software
Remember: antivirus software cannot always help you!

9 Service Account Selection
Use a specific user account or domain account rather than a shared account for SQL Server services.
Use a separate account for each service.
Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.
Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.
Always use SQL Server Configuration Manager to change service accounts.
Change the service account password at regular intervals.

10 Authentication
Always use Windows Authentication mode if possible.
Use Mixed Mode Authentication only for legacy applications and non-Windows users.
Change the sa account password to a known value if you might ever need to use it.
Always use a strong password for the sa account and change it periodically.
Do not manage SQL Server by using the sa login account; assign the sysadmin privilege to a known user or group.
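The checks behind this slide can be scripted. The T-SQL below is an added example, not part of the presentation, and assumes a SQL Server 2005 instance; the group CONTOSO\SQLAdmins and the password placeholder are assumed values you would replace.

```sql
-- Added example, not from the slides: audit the authentication settings this
-- slide lists on a SQL Server 2005 instance, then apply the recommended fixes.
-- CONTOSO\SQLAdmins and the password placeholder are assumed values.

-- 1. Authentication mode: 1 = Windows Authentication only, 0 = Mixed Mode.
--    (The mode itself is changed in the server's Security properties and
--    needs a service restart, so it is only reported here.)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Locate sa by its fixed SID (0x01), which still works if it was renamed,
--    and check whether it is disabled and subject to password policy.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  sid = 0x01;

-- 3. Who holds sysadmin? Expect named Windows users or groups, not sa.
SELECT m.name AS member_name, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- 4. Remediation: give sysadmin to a Windows group so nobody needs sa,
--    set a strong sa password (recorded in a vault), then disable sa.
CREATE LOGIN [CONTOSO\SQLAdmins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQLAdmins', @rolename = N'sysadmin';
ALTER LOGIN sa WITH PASSWORD = N'<strong password from your vault>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
```

Run steps 1 to 3 on a schedule as a drift check; step 4 is a one-time change that should go through your normal change control.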

11 Patching
Always stay as current as possible. Yes, that means installing patches over time, not only during the first install.
Enable automatic updates whenever feasible, but test them before applying them to production systems.
Microsoft Update provides patches for SQL Server; Windows Update does not!
Deploy WSUS / SMS for internal control over patch deployment.

12 Surface area reduction
Install only those components that you will immediately use; additional components can always be installed as needed.
Enable only the optional features that you will immediately use.
Develop a policy with respect to permitted network connectivity choices.
Use SQL Server Surface Area Configuration.
Turn off unneeded services by setting the service to either Manual startup or Disabled.
Use the Security Configuration Wizard.
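The feature switches that the Surface Area Configuration tool exposes are ordinary sp_configure options in SQL Server 2005, so the same reduction can be audited and applied in T-SQL. This is an added example, not part of the presentation; the set of features treated as "not needed" is an assumption about the instance.

```sql
-- Added example, not from the slides: audit and disable the optional
-- SQL Server 2005 features behind "Surface Area Configuration for Features".
-- Which features are unneeded is an assumption; adjust to your instance.

-- The feature switches are advanced options and must be made visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Audit: report the current state of each optional feature (1 = enabled).
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
                'Ad Hoc Distributed Queries', 'Database Mail XPs',
                'SQL Mail XPs', 'remote access', 'remote admin connections')
ORDER BY name;

-- Remediation: turn off everything nobody has asked for.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'Database Mail XPs', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
-- 'remote access' governs remote stored-procedure execution between servers,
-- not ordinary client logins, so it can be disabled on most instances.
EXEC sp_configure 'remote access', 0;
RECONFIGURE;

-- Hide the advanced options again; the audit query above still works because
-- sys.configurations lists every option regardless of this setting.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```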

13 Security Configuration Wizard

14 Microsoft Baseline Security Analyzer and SQL Server Best Practices Analyzer
Regularly run BPA against SQL Server 2005.
Regularly run MBSA 2.0 to ensure the latest SQL Server 2005 patch level.
Regularly run MBSA 2.0 for SQL Server 2000 instances.

15 SQL Server 2005 Best Practices Analyzer

16 Network connectivity
Limit the network protocols supported. Do not enable network protocols unless they are needed.
Do not expose a server that is running SQL Server to the public Internet.
Configure named instances of SQL Server to use specific port assignments for TCP/IP rather than dynamic ports.
Use the built-in Windows Firewall (or a third-party firewall).
Use IPSec for an additional layer of protection where needed.
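Protocols and ports are configured in SQL Server Configuration Manager, but the live connection DMV lets you verify the result from inside the instance. The T-SQL below is an added example, not part of the presentation; it assumes SQL Server 2005 and that 1433 is the fixed port you assigned (replace it with your own).

```sql
-- Added example, not from the slides: confirm that clients reach this
-- SQL Server 2005 instance only over the protocol and fixed TCP port you
-- intended. @expected_port is an assumed value; set it to your assignment.
DECLARE @expected_port int;
SET @expected_port = 1433;

-- Protocols actually in use by current sessions. Anything other than the
-- protocol you left enabled (e.g. Named pipes next to TCP) is a finding.
SELECT net_transport, COUNT(*) AS sessions
FROM   sys.dm_exec_connections
GROUP BY net_transport;

-- TCP ports with active connections other than the expected one. A named
-- instance still on dynamic ports, or a forgotten extra listener, shows here.
SELECT DISTINCT local_tcp_port
FROM   sys.dm_exec_connections
WHERE  net_transport = 'TCP'
  AND  local_tcp_port <> @expected_port;

-- Client addresses per port. Anything outside the subnets your firewall or
-- IPSec policy is supposed to allow means the rules are not what you think.
SELECT client_net_address, local_tcp_port, COUNT(*) AS sessions
FROM   sys.dm_exec_connections
WHERE  net_transport = 'TCP'
GROUP BY client_net_address, local_tcp_port
ORDER BY sessions DESC;
```

The DMV only reflects sessions open at the moment you run it, so repeat the check during peak hours or log it from a scheduled job.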

17 IPSec

18 References
SQL Server 2005 Security Best Practices - Operational and Administrative Tasks: http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx
Security Configuration Wizard Documentation: http://www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa00-3f2f20fd6171&DisplayLang=en
SQL Server 2005 Best Practices Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=da0531e4-e94c-4991-82fa-f0e3fbd05e63&DisplayLang=en
Server and Domain Isolation Using IPsec and Group Policy: http://www.microsoft.com/downloads/details.aspx?FamilyID=404fb62f-7cf7-48b5-a820-b881f63bc005&DisplayLang=en
