Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections."— Presentation transcript:

1 Security in SQL Jon Holmes CIS 407 Fall 2007

2 Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections

3 Reduce Surface Area Database Engine Analysis Service Engine Reporting Services Integration Services Notification Services Documentation and Samples

4 Reduce Surface Area SQL Server Active Directory Helper SQL Server Agent SQL Server FullText Search SQL Server Browser SQL Server VSS Writer

5 Blocking ports MSSQL Ports 1433 / 1434 MySQL Ports 3306 Oracle 1521 / 1526

6 Connection Strings Contains –Database Name –Server Address/Name May Reveal Network Schema –UserName –Password

7 Connection Strings (Where?) Options? –In Code –Place in Text file –In Application Configuration file Web.Config Application Settings

8 Authentication Windows accounts –Machine Specific –High Security SQL accounts –Portable –Less Secure

9 Permissions Microsoft says use Groups not User Specific rights. What happens when user leaves? Who is responsible?

10 Permissions One Database = One Owner Lowest possible Permissions Segregation of Duties –Read –Write

11 Storing Data Minimum Size Data Type –Sproc Data Types match

12 SQL Injections Source: http://xkcd.com/327/

13 PrincipleImplementation Never trust user input Validate all textbox entries using validation controls, regular expressions, code, and so on Never use dynamic SQLUse parameterized SQL or stored procedures Never connect to a database using an admin-level account Use a limited access account to connect to the database Don't store secrets in plain text Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings Exceptions should divulge minimal information Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false Basic Rules

14 Injections Inputs Example Critical Information Outputs Sanitization

15 Handling Inputs Never trust the user. –DropDown Lists –ListBoxes –Tables –Query Strings –Hidden Fields

16 Login Forms Login UserName Password LoginCancel X

17 Dynamic SQL //This code is susceptible to SQL injection attacks. Dim strQry As String strQry = "SELECT Count(*) FROM Users WHERE UserName='" & txtUser.Text & "' AND Password='" & txtPassword.Text & "'"

18 What will happen? Login ’ or 1=1 -- ********* UserName Password LoginCancel X

19 Critical Information Passwords –Strong –Hashing –Salts Other Information –Hashing –Salts

20 Handling Outputs Know what you are showing off –What data is shown? –Always validate authority –Do not display schema –Custom Tables –Careful object reuse –Errors –Exceptions

21 Validation - Can use ASP.Net validation tools –Pros Fast Easy –Cons Javascript False security –Know what is running where –Always best to handle in code Sanitization

22 References Stop SQL Injection Attacks Before They Stop You SQL Server 2005 Security Best Practices

Download ppt "Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections."

Similar presentations

PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.

Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.
Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist

Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist
Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.

Membership in ASP.Net...if only Presented by: Patrick Hynds President, CriticalSites Microsoft Regional Director.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Similar presentations

Ads by Google