Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance

Published byMilton Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance"— Presentation transcript:

1 SQL Server Security The Low Hanging Fruit

2 Lindsay Clark Database Administrator at American Credit Acceptance Twitter: @LindsayOClark Email: sirwrenitey1@gmail.comsirwrenitey1@gmail.com

3 What are we going to cover An outside in approach to covering a few of your SQL Server security issues Network Level Server Level Database Level

4 Network Level Security

5 Network Level Make friends with your Network Admins I. Discover the security protocols for your data centers and find out the location of all of your servers. II. Verify that your SQL Server Service accounts DO NOT have VPN access. III. Use Windows Authentication where possible. IV. Create AD groups specifically for SQL Server access to prevent unauthorized inclusion into AD groups that provide database access. V. DO NOT nest your AD groups.

6 Server Level Security Service Accounts I. One Master Account for all SQL Server instances II. One Account for each SQL Server instance III. One Account for each SQL Server service

7 What is a Service Account you say? It is a start up account used to start and run SQL Server and can be domain user accounts, local user accounts, managed service accounts, virtual accounts, or build in system accounts. Each of the following uses a login to start up the service: SQL Server Agent SQL Server Database Engine Analysis Services Reporting Services Integration Services SQL Server Distributed Replay Client SQL Server Distributed Replay Controller SQL Server Full-text Filter Daemon Launcher SQL Server Browser

8 Configuration Manager and Service Accounts

9 One Account for All SQL Servers I. Least secure method II. Quickest for maintenance one batch rebooting for all SQL Servers III. Ease of maintaining passwords

10 One Account for Each SQL Server Instance I. More secure II. Smaller batches for reboots after password changes III. Going to require password maintenance

11 One Account for Each SQL Server Service I. Most secure II. Smaller batches for reboots after password changes will require a plan III. Password maintenance is a must at this point and should require a secure password management tool

12 Operating System Rights needed by SQL I. The service account will need to be able to log on to the server as a service II. Adjust memory for allocation to SQL Server III. Prior to 2008 permission to the data files necessary. Previously it had to be manually adjusted this is no longer the case.

13 Server Level Roles I. Fixed roles these come preconfigured and cannot be adjusted prior to 2012 II. bulkadmin: can run the BULK INSERT statement on any database III. dbcreator: can create, alter, drop, and restore any database IV. diskadmin: can manage disk files V. Processadmin: can end processes that are running in an instance VI. Public: Every login belongs to this role if permissions are granted to this role every login has permissions to the object. ** VII. Securityadmin: manage logins and properties and can provide server and database level permissions as well as reset passwords VIII. Serveradmin: can shut down the server and make server wide configuration changes. IX. Setupadmin: can add and remove linked server servers using TSQL X. Sysadmin: can perform any activity in the server

14 Server Level Security tidbits I. Do not grant permissions to the public role II. Encrypt your backups and secure the location of your backups. Why? Ask the State of South Carolina. III. Harden the sa account IV. Use passphrases as your passwords. Get super tricky and use Extended ASCII to baffle a lot of the password cracking scripts. These additional characters reportedly do not show up in key loggers. V. Use windows authentication versus sql authentication. VI. Do NOT browse web from a SQL Server instance

15 Database Level Security

16 I. Fixed database roles these come preconfigured but new ones can be created II. dbaccessadmin: can add or remove access database III. db_backupoperator: can backup the database IV. db_datareader: can read all data in the database V. db_datawriter: can add, delete, or change data in all user tables VI. db_ddladmin: can run any data definition language command in db VII. db_denydatareader : denies read access to the database VIII. db_denydatawriter: denies write access to the database IX. Db_owner: perform all config and maint on the database plus drop X. Db_securityadmin: modify role memembership and manage perms XI. Public: every database user belongs to the public role ** Database Level Roles

17 Database Level Security I. DB_OWNER role, know this database role allows members to give access to the database it is assigned to. This takes the management of access to your databases out of your hands as a DBA and puts it into the hands of potentially someone that doesn’t know how to administer access the SQL Server database. II. At every possible avenue use views and stored procedures instead giving users query rights to the database. The goal with security is to provide only the permissions required to perform the necessary duties. IV. If dynamic SQL is necessary parameterize your queries as a security measure against SQL Injections.

18 Questions? I’d like to open the floor to discuss some of additional areas where you can harden your SQL server against would be attackers.

19 References: Must read: Securing SQL Server: Protecting Your Databases From Attackers by Denny Cherry Security : https://www.simple-talk.com/sql/database-administration/brads-sure-dba- checklist/#_Toc209585591https://www.simple-talk.com/sql/database-administration/brads-sure-dba- checklist/#_Toc209585591 Backup encrypting: http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your- protecting-your-db-backups/http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your- protecting-your-db-backups/

Download ppt "SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance"

Similar presentations

Understand Database Security Concepts

Understand Database Security Concepts
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,

SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
1 Client/Server Database Tutorial. SQL Server Connection through MS Access FACBUSAD1 SQL server MS Access MGD B106 Computer or your own PC Remote SQL.

1 Client/Server Database Tutorial. SQL Server Connection through MS Access FACBUSAD1 SQL server MS Access MGD B106 Computer or your own PC Remote SQL.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Overview What is SQL Server? Creating databases Administration Security Backup.

Overview What is SQL Server? Creating databases Administration Security Backup.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.

[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Similar presentations

Ads by Google