SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance

What are we going to cover
An outside-in approach to covering a few of your SQL Server security issues:
Network Level
Server Level
Database Level

Network Level Security

Network Level: Make friends with your Network Admins
I. Learn the security protocols for your data centers and find out where every one of your servers physically lives.
II. Verify that your SQL Server service accounts DO NOT have VPN access. A service account never needs to dial in, so a VPN-enabled one is useful only to an attacker who has stolen it.
III. Use Windows Authentication wherever possible.
IV. Create AD groups dedicated to SQL Server access, so that adding someone to a general-purpose group does not silently grant them database access.
V. DO NOT nest your AD groups: nesting hides who effectively holds database access.
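A quick way to see where a Windows login's access actually comes from, added here as an example and not part of the slides (DOMAIN\alice and DOMAIN\SQL-Prod-Readers are placeholder names): xp_logininfo reports the permission path for an account and expands a group's direct members, which is where general-purpose groups and nested groups show up.

```sql
-- Added example: trace how a Windows account reaches this instance.
-- DOMAIN\alice and DOMAIN\SQL-Prod-Readers are placeholder names.

-- 1. Which Windows groups (type G) have logins on this instance?
--    Every one of these is a door into the server.
SELECT name, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'
ORDER BY name;

-- 2. Permission path for one account. 'all' returns one row per group
--    login through which the account gets in. A path that runs through
--    a group you never intended as a SQL access group is point IV; a
--    path through a group inside a group is point V.
EXEC master..xp_logininfo @acctname = 'DOMAIN\alice', @option = 'all';

-- 3. Direct members of a dedicated SQL access group. Nested groups
--    appear here with type 'group'; those are the ones to flatten.
EXEC master..xp_logininfo @acctname = 'DOMAIN\SQL-Prod-Readers', @option = 'members';
```

xp_logininfo asks the domain controller on your behalf, so run it from the instance itself; a group it cannot resolve (for example a group from a trusted but unreachable domain) is itself a finding worth raising with the network admins.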

Server Level Security: Service Accounts
Three ways to assign them, from least to most secure:
I. One master account for all SQL Server instances
II. One account for each SQL Server instance
III. One account for each SQL Server service

What is a Service Account, you say?
It is the startup account used to start and run a SQL Server service. It can be a domain user account, a local user account, a managed service account, a virtual account, or a built-in system account. Each of the following services starts under its own login:
SQL Server Agent
SQL Server Database Engine
Analysis Services
Reporting Services
Integration Services
SQL Server Distributed Replay Client
SQL Server Distributed Replay Controller
SQL Server Full-text Filter Daemon Launcher
SQL Server Browser

Configuration Manager and Service Accounts

One Account for All SQL Servers
I. Least secure method: one stolen password is every instance.
II. Quickest for maintenance: one batch of service restarts after a password change covers all SQL Servers.
III. Easiest password maintenance, because there is only one password.

One Account for Each SQL Server Instance
I. More secure: a stolen account reaches one instance, not all of them.
II. Smaller batches of restarts after password changes.
III. Going to require real password maintenance, one password per instance.

One Account for Each SQL Server Service
I. Most secure: each service (Engine, Agent, Reporting Services and so on) runs as its own identity with its own blast radius.
II. Smaller batches of restarts after password changes, which will require a plan.
III. Password maintenance is a must at this point and calls for a secure password management tool (or managed service accounts, which rotate the password for you).
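To find out which of the three models an instance actually follows, as an added check that is not from the slides: sys.dm_server_services (SQL Server 2008 R2 SP1 and later) lists every service of the instance with the account it runs under. STRING_AGG needs SQL Server 2017 or later, and the built-in account names in the last query are the values assumed to appear in that column.

```sql
-- Added example: which service-account model is this instance using?
-- sys.dm_server_services: SQL Server 2008 R2 SP1 and later.

-- 1. Every service of the instance and the account it runs under.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2. Accounts shared by more than one service. Under the
--    "one account per service" model this returns nothing.
--    STRING_AGG needs SQL Server 2017 or later.
SELECT service_account,
       COUNT(*)                      AS services_using_it,
       STRING_AGG(servicename, ', ') AS services
FROM sys.dm_server_services
GROUP BY service_account
HAVING COUNT(*) > 1;

-- 3. Services running as a built-in high-privilege account.
--    The literal names are assumed values for this column.
SELECT servicename, service_account
FROM sys.dm_server_services
WHERE service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM')
   OR service_account LIKE N'%\Administrator';
```

The view only sees the instance you are connected to, so the "one account for all SQL Servers" model can only be detected by running query 1 on every instance and comparing the service_account values across them.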

Operating System Rights needed by SQL Server
I. The service account must hold the "Log on as a service" right.
II. "Adjust memory quotas for a process", so the engine can manage its own memory allocation.
III. Permissions on the data and log files: from SQL Server 2008 on, setup grants these to the service account automatically; earlier versions required setting them by hand.

Server Level Roles
I. Fixed server roles come preconfigured and their permissions cannot be changed; user-defined server roles could not be created before SQL Server 2012.
II. bulkadmin: can run the BULK INSERT statement in any database.
III. dbcreator: can create, alter, drop, and restore any database.
IV. diskadmin: can manage disk files.
V. processadmin: can end processes running in the instance.
VI. public: every login belongs to this role; anything granted to public is granted to every login. **
VII. securityadmin: manages logins and their properties, can GRANT, DENY and REVOKE server-level and database-level permissions, and can reset passwords. Because it can hand out server-level permissions, treat it as equivalent to sysadmin.
VIII. serveradmin: can shut down the server and make server-wide configuration changes.
IX. setupadmin: can add and remove linked servers using T-SQL.
X. sysadmin: can perform any activity on the server.
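An added query, not from the slides, that lists who holds each fixed server role and flags the ones that amount to sysadmin; the second query catches logins that were handed the equivalent permission directly, outside any role.

```sql
-- Added example: fixed server role membership, with risk flags.
-- Needs VIEW ANY DEFINITION or sysadmin to see every principal.

-- 1. Who is in which fixed server role?
SELECT r.name      AS server_role,
       m.name      AS member,
       m.type_desc AS member_type,
       m.is_disabled,
       CASE r.name
            WHEN 'sysadmin'      THEN 'full control'
            WHEN 'securityadmin' THEN 'treat as sysadmin: can grant server-level permissions'
            WHEN 'serveradmin'   THEN 'can reconfigure and shut down the instance'
            WHEN 'setupadmin'    THEN 'can add linked servers'
            ELSE 'review'
       END AS risk_note
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R' AND r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- 2. Principals holding the equivalent permission directly.
--    CONTROL SERVER is sysadmin in all but name; ALTER ANY LOGIN and
--    ALTER ANY SERVER ROLE are the securityadmin problem in disguise.
SELECT pr.name, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('CONTROL SERVER', 'ALTER ANY LOGIN', 'ALTER ANY SERVER ROLE')
  AND pe.state IN ('G', 'W');
ORDER BY pr.name;
```

A Windows group in the member column means everyone in that group, including anyone added to it later by the AD team, holds the role; that is why the dedicated, unnested groups from the network-level slide matter here too.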

Server Level Security tidbits
I. Do not grant permissions to the public role.
II. Encrypt your backups and secure the location of your backups. Why? Ask the State of South Carolina.
III. Harden the sa account: rename it, disable it, and give it a strong password in case it ever has to be re-enabled.
IV. Use passphrases as your passwords. Get super tricky and use extended ASCII characters to baffle a lot of the password-cracking scripts; these characters reportedly also do not show up in key loggers, though that is hearsay rather than a guarantee, and length matters more than the character set.
V. Use Windows authentication rather than SQL authentication.
VI. Do NOT browse the web from a SQL Server instance.
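The T-SQL behind points I to V, as an added example and not code from the slides. [ops_break_glass], BackupCert, [YourDb] and the file paths are placeholders, both passphrases must be replaced, and native backup encryption needs SQL Server 2014 or later.

```sql
-- Added example: server-level hardening for the points above.
-- Placeholders: [ops_break_glass], BackupCert, [YourDb], the file paths
-- and both passphrases.

-- V. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- III. Harden sa: disable it and rename it. principal_id 1 is always sa,
--      even if someone renamed it before. Keep a named sysadmin login
--      (or a Windows group) for emergencies instead.
DECLARE @sa sysname = (SELECT name FROM sys.server_principals WHERE principal_id = 1);
DECLARE @cmd nvarchar(max) =
    N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE; ' +
    N'ALTER LOGIN ' + QUOTENAME(@sa) + N' WITH NAME = [ops_break_glass];';
EXEC sys.sp_executesql @cmd;

-- IV. SQL logins that skip the Windows password policy or expiry.
--     Fix each with ALTER LOGIN [x] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- I. Server-level permissions held by public, i.e. by every login.
--    Out of the box this is VIEW ANY DATABASE plus CONNECT on the TSQL
--    endpoints; anything else was added by someone and needs a reason.
SELECT pe.class_desc, pe.permission_name, pe.state_desc, pe.major_id
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'public';
GO

-- II. Native backup encryption (SQL Server 2014 and later). Back the
--     certificate up and store it off the server: without it the backup
--     cannot be restored anywhere, which is exactly the point.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<replace: long passphrase 1>';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<replace: long passphrase 2>');
BACKUP DATABASE [YourDb]
    TO DISK = 'D:\backups\YourDb.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
```

Encrypting the backup file protects the copy that leaves the server; it does nothing for the .cer/.pvk pair, which must be stored somewhere the backup location cannot reach, or the encryption is decoration.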

Database Level Security

Database Level Roles
I. Fixed database roles come preconfigured; unlike fixed server roles, new user-defined database roles can be created.
II. db_accessadmin: can add or remove access to the database (create and drop users).
III. db_backupoperator: can back up the database.
IV. db_datareader: can read all data in the database.
V. db_datawriter: can add, delete, or change data in all user tables.
VI. db_ddladmin: can run any data definition language (DDL) command in the database.
VII. db_denydatareader: denies read access to all user tables.
VIII. db_denydatawriter: denies write access to all user tables.
IX. db_owner: can perform all configuration and maintenance on the database, including dropping it.
X. db_securityadmin: can modify role membership and manage permissions.
XI. public: every database user belongs to the public role. **
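The database-level counterpart of the server role audit, added here as an example and not from the slides: run inside each user database, it lists fixed-role members mapped back to their server login and shows what public has been granted on user objects.

```sql
-- Added example: database-level role audit. Run inside each user
-- database (USE [YourDb]; first).

-- 1. Members of every fixed database role, mapped to their server
--    login. No matching login means an orphaned user or a contained
--    database user; either way nobody in AD owns that access.
SELECT DB_NAME()   AS database_name,
       r.name      AS database_role,
       u.name      AS database_user,
       u.type_desc AS user_type,
       sp.name     AS server_login,
       CASE WHEN u.type = 'R'   THEN 'nested role: expand it'
            WHEN sp.sid IS NULL THEN 'no server login: orphaned or contained'
            ELSE '' END        AS note
FROM sys.database_role_members drm
JOIN sys.database_principals r  ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals u  ON u.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = u.sid
WHERE r.is_fixed_role = 1
  AND u.name <> 'guest'
ORDER BY r.name, u.name;

-- 2. Permissions granted to public on user objects in this database.
--    Every user, including ones created next year, inherits these.
--    Positive major_id keeps system objects out of the list.
SELECT p.permission_name,
       p.state_desc,
       OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = 'public'
  AND p.class = 1            -- OBJECT_OR_COLUMN
  AND p.major_id > 0
ORDER BY object_name;
```

Query 1 lists db_owner members with everyone else; read that role's rows first, because each of them can create users and change the rest of the list.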

Database Level Security
I. db_owner: know that this database role allows its members to grant access to the database it belongs to (create users and add them to roles). That takes the management of access to your databases out of your hands as a DBA and puts it into the hands of someone who may not know how to administer access to a SQL Server database.
II. At every possible avenue, use views and stored procedures instead of giving users query rights on the tables. The goal of security is to provide only the permissions required to perform the necessary duties.
III. If dynamic SQL is necessary, parameterize your queries as a security measure against SQL injection.
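An added example, not from the slides, showing points II and III together: a stored procedure that concatenates its input (vulnerable), the same lookup written without dynamic SQL, a version that genuinely needs dynamic SQL written with sp_executesql parameters and a whitelisted sort column, and the grant that gives the application EXECUTE on the procedures rather than SELECT on the table. dbo.Customers, the procedure names and app_reader are placeholders; the injection strings in the comments are constructed test inputs.

```sql
-- Added example: injection-prone dynamic SQL, the fixed versions, and
-- the least-privilege grant. dbo.Customers, the procedures and
-- app_reader are placeholder names.
CREATE TABLE dbo.Customers (
    CustomerId int           NOT NULL PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL,
    Ssn        char(11)      NOT NULL   -- the column the app must never read directly
);
GO
-- BAD: the caller's text becomes part of the statement. Constructed
-- test inputs:  N''' OR 1=1 --'                     returns every customer
--               N'''; DROP TABLE dbo.Customers; --' does worse.
-- Note that this only "works" for an app that was also given SELECT on
-- the table: dynamic SQL runs with the caller's permissions, so the
-- usual fix for the resulting error was the second mistake.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO
-- GOOD, first choice: no dynamic SQL at all. The value is a parameter
-- and cannot change the query's shape. Because procedure and table
-- share an owner (dbo), ownership chaining lets a caller with only
-- EXECUTE read the table through the procedure.
CREATE PROCEDURE dbo.FindCustomer @LastName nvarchar(100)
AS
BEGIN
    SELECT CustomerId, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO
-- GOOD, when something structural (here the sort column) must be chosen
-- at run time: the value still travels as an sp_executesql parameter and
-- the identifier is checked against a whitelist, then quoted. Dynamic
-- SQL breaks ownership chaining, so EXECUTE AS OWNER is what lets the
-- caller stay without SELECT on the table.
CREATE PROCEDURE dbo.FindCustomerSorted
    @LastName nvarchar(100),
    @OrderBy  sysname = N'LastName'
WITH EXECUTE AS OWNER
AS
BEGIN
    IF @OrderBy NOT IN (N'CustomerId', N'LastName')
        THROW 50000, N'Invalid sort column', 1;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers '
        + N'WHERE LastName = @p ORDER BY ' + QUOTENAME(@OrderBy);
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @LastName;
END;
GO
-- Least privilege: the application gets EXECUTE on the procedures and
-- nothing on the table, so Ssn is unreachable even from an ad hoc query.
CREATE ROLE app_reader;
GRANT EXECUTE ON dbo.FindCustomer       TO app_reader;
GRANT EXECUTE ON dbo.FindCustomerSorted TO app_reader;
-- Deliberately absent: GRANT SELECT ON dbo.Customers TO app_reader;
GO
```

Passing the constructed inputs above to dbo.FindCustomer or dbo.FindCustomerSorted simply searches for a customer whose last name is that string and returns nothing; the same strings against dbo.FindCustomer_Unsafe, from a caller that also holds SELECT on the table, return every row or drop the table.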

Questions? I'd like to open the floor to discuss some additional areas where you can harden your SQL Server against would-be attackers.

References:
Must read: Securing SQL Server: Protecting Your Databases From Attackers by Denny Cherry
Security checklist: checklist/#_Toc
Backup encryption: protecting-your-db-backups/