Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limiting SQL Server Exposure

Published byBethany Gray Modified over 5 years ago

Similar presentations

Presentation on theme: "Limiting SQL Server Exposure"— Presentation transcript:

1 Limiting SQL Server Exposure
Presented by H. Ross Reed

2 About Me DBA for 20 Years SQL Server (since 6.5) DB2 Oracle
Developer prior to being a DBA Sr Database Administrator for The OCC. CO-President Chicago SQL Server Users Group

3 OPTIONS CLEARING CORPORATION
SIFMU Systemically Important Financial Market Utility Designation by the SEC CFTC FED We are audited to assure we meet standards for a secure environment

4 Exposure from Who ? External … Internet facing servers ..
Internal Exposure Dishonest Associate The individual that’s curious about the environment The one that doesn’t want to take the time to go through proper channels

5 Name this Account This account is known for administrating SQL Server and is the first account in Syslogins with an internal id of X’01’.

6 SA When using Windows Only Authentication this isn’t used
DBA’s use a Windows authentication ID Disable SA Rename SA to a different name Available since SQL 2005 Longer names are better Complex Password Change it Often

7 Lab Renaming and Disabling SA

8 OS Rights Needed by Instance Account
Does not need to be Local System Administrator and should not be. Installer will automatically grant the rights needed. SQL Server Configuration Manager will grant the same rights when used to change the Instance ID . Rights Needed Logon as a Service Replace process level token Adjust memory quotas for a process More information can be found here : us/sql/database-engine/configure-windows/configure-windows-service- accounts-and-permissions

9 Instance Account Additional
Use a Domain Id and use a different id for each Instance and Each SQL Server Service. Don’t do this !!!

10 SYSADMIN Fixed Server Role
When Installing Make sure DBA’s are installed in SYSADMIN Most powerful role on the Instance Most System Stored Procedures check if the id running is SYSADMIN and then bypasses security checks. Third Party Applications “We need to run as SYSADMIN” Probably don’t need that level of security to run just to install Probably run as DB Owner

11 What is Default TCP/IP Port for SQL Server

12 SQL Server Configuration Manager
Used for changing SQL Server Communication Protocol Defaults Changing SQL Server Services Changing Account ID for Running SQL Server Services Changing Start up Parameters Any change using this tool is not dynamic … Must Restart Instance

13 Change Default Port Number
Change to port number other than well known port for TCP protocol

14 Named Pipes Vs TCP/IP TCP/IP supports Kerberos authentication better security protocol than NTLM (NT Lan Manager) Named Pipes has to use NTLM Usually Named Pipes and TCP/IP aren’t needed So disable Named Pipes

15 Disable Named Pipes

16 Hide an Instance Hides instance from Network
Won’t display in the dropdown box

17 Before and After Hiding Instance

18 Disable SQL Server Browser
Has information on Instance Name and Port Number of Instances Allows to connect with ServerName \InstanceName

19 Connection To Instance
Server Name,Port HRREED,4050

20 Surface Area Configuration Settings Remain Disabled
OLE Automation – Sp_OA stored procedures can be used to access OS files. sp_OACreate, sp_OADestroy, sp_OAMethod, sp_OASetProperty, sp_OAGetProperty XP_CMDSHELL - Executes Dos Shell commands using service account rights Adhoc Remote Queries – Use Linked Server , SSIS, or PowerShell Database Mail XP’s SQL Mail XP’s – Allows user to send s

21 Guest Account Any User who can connect to the server has access to a database where Guest is enabled Master, MSDB, TempDB require the Guest user enabled Disable Guest in Model Database so that user Databases created will have Guest Disabled Revoke Connect from guest

22 Backups Encrypt Backups Use Virtual Tape instead of Physical Tape
Transparent Data Encryption Third Party Tools Quest Litespeed Redgate Backup Idera SQL Safe Backup Use Virtual Tape instead of Physical Tape Data Domain Guard access to Backups - Access to the File System should be restricted

23 Policy Based Management
Introduced with SQL Server 2008 Allows DBA to create conditions and Policies to block changes or report changes

24 Lab # 2 Policy Based Management

25 Auditing -Scan Error Log
Error Log look for Login Failures Make sure setting is set to capture failed Logins Restart is required for the change in Login Auditing to take effect

26 Server Side Auditing Available since SQL Server 2008
Allows Auditing Login’s and other items such as schema changes

27 Login Failures using Server Side Auditing
Defining The Audit Choices for Destination File, Application Log, Security Log

28 Login Audits More than Failures

29 Set up Audit for Logins Failures and Changes
Lab # 3 Set up Audit for Logins Failures and Changes

30 Schema Changes CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecification] FOR SERVER AUDIT [SchemaChangeTrack] ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (SCHEMA_OBJECT_CHANGE_GROUP), ADD (SERVER_OBJECT_CHANGE_GROUP), ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP) WITH (STATE = ON) GO

31 Separation of Duties Windows System Administrator
Installs SQL Server Patches SQL Server Security Administrator Creates Instance ID Creates SQL Authenticated ID Database Administrator Responsible for Backup and Recovery Schema Changes Instance Configuration

32 Some Things External to SQL Server
Segregation of Networks Separate Production / Test / Dev Separate Network for IoT Heating and Air Conditioning Target Stores Change Control Separate ID’s Every Day Id used to Change Dev, Test, Read Only in Production Production Change ID is Sysadmin in Production

33 Sources Securing SQL Server – Denny Cherry
Center for Internet Security Pinal Dave

Download ppt "Limiting SQL Server Exposure"

Similar presentations

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.

Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Administering Your.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Administering Your.
Week 2 - Installation SQL SERVER2000 ENTERPRISE EDITION INSTALLATION.

Week 2 - Installation SQL SERVER2000 ENTERPRISE EDITION INSTALLATION.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Similar presentations

Ads by Google