SQL Server Security and Intrusion Prevention

Post on 08-Jul-2015


description

Is your data secured? Are you a victim of a SQL injection hack? In this session, you'll discover some commonly overlooked practices in securing your SQL Server databases. Presenter Gabriel Villa will explain aspects of physical security, passwords, privileges and roles, and preventative best practices. He will also demonstrate auditing and look at some .Net code samples to use in your applications. He will also show the new security features in SQL Server 2012.

Transcript of SQL Server Security and Intrusion Prevention

Recently moved to Colorado Springs

SQL Server 7, 2000, 2005 and 2008

.Net Developer VB.Net and C#

www.extofer.com

twitter: @extofer

Security Model

Authentication

Passwords

Threats

Physical Security and other best practices

Principals: Windows Users, SQL Logins, Roles/Groups

Securables: Schemas

Windows Users

SQL Login

Database Users

DB Roles

Schemas

Windows Authentication

Domain or local Windows Account

Active Directory Integration

Supports Groups

Use Whenever Possible

Mixed Authentication

Legacy or Hard Coded Referenced Logins

Non Windows Clients

Connections over Internet
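The security model above (principals mapped from a Windows group or SQL login to a database user, a role, and schema-level securables), written out in T-SQL as an added example that is not part of the original deck. The domain group CORP\AppReaders, the login app_svc, the database SalesDb, the Sales schema and the password are placeholders to replace.

```sql
-- Added example (not from the slide deck): principal -> securable chain in T-SQL.
-- CORP\AppReaders, app_svc, SalesDb, Sales and the password are placeholders.
USE master;
GO

-- 1. Server-level principals (logins).
--    Preferred: a Windows (Active Directory) group, so membership is managed in AD.
CREATE LOGIN [CORP\AppReaders] FROM WINDOWS;

--    Only when Windows authentication is not possible (non-Windows client, legacy
--    app): a SQL login that inherits the Windows password policy and expiration.
CREATE LOGIN app_svc
    WITH PASSWORD = 'R3pl@ce-Me-B3fore-Use!',   -- placeholder: 10-12+ chars, mixed case, digits, symbols
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

USE SalesDb;   -- placeholder database name
GO

-- 2. Database-level principals (users) mapped to the logins.
CREATE USER [CORP\AppReaders] FOR LOGIN [CORP\AppReaders];
CREATE USER app_svc            FOR LOGIN app_svc;

-- 3. Custom database roles hold the permissions; users are added to a role and
--    never granted permissions individually.
CREATE ROLE sales_reader;
CREATE ROLE sales_app;

-- 4. Securables: grant on the schema rather than on each table, so objects added
--    to the schema later inherit the same policy. The application role gets
--    EXECUTE only, so it can call stored procedures but not run ad hoc queries.
GRANT SELECT  ON SCHEMA::Sales TO sales_reader;
GRANT EXECUTE ON SCHEMA::Sales TO sales_app;

-- SQL Server 2012+ syntax; on 2005/2008 use EXEC sp_addrolemember 'sales_app', 'app_svc'.
ALTER ROLE sales_reader ADD MEMBER [CORP\AppReaders];
ALTER ROLE sales_app    ADD MEMBER app_svc;

-- Check: impersonate the application user and list its effective permissions
-- on the schema, then return to your own context.
EXECUTE AS USER = 'app_svc';
SELECT permission_name FROM fn_my_permissions('Sales', 'SCHEMA');
REVERT;
GO
```

The EXECUTE AS / fn_my_permissions check at the end is the quickest way to confirm that a least-privilege role really has only what you intended before the application goes live.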

Strong Password

10 – 12 characters in length

Use Upper and Lower Case

Numbers

Special Characters (symbols)

l33t speak

E = 3, A = 4 or @, T = + or 7

l33t password generator

DO NOT hardcode passwords

ASP.Net encrypt web.config

Encrypt password in your code

SQLPing checks for default passwords

Change passwords frequently

Do Not use the same passwords

Social Engineering

SQL Injection

Beware of Port Sniffers

Social Engineering

Manipulating people to gather data

Not using technical cracking tools or techniques

SQL Injection

Vulnerable to any RDBMS, not just MS SQL Server

Attacker posts SQL commands via front-end applications

Tools: ', --, ;

Check for Valid Input

DDL Triggers

Use Stored Procedures

Use Parameters

Customize Error Messages

Avoid errors returning securable names

Change default port
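The defensive items above (check for valid input, use stored procedures, use parameters, customize error messages) applied to one customer search, as an added T-SQL example that is not from the slides or the presenter's .Net samples. The vulnerable procedure is kept beside the hardened one. The Sales schema, Sales.Customer table and dbo.AppErrorLog table are constructed here so the script runs in an empty test database.

```sql
-- Added example (not from the slide deck): the same search written the
-- vulnerable way and the parameterized way. All objects below are constructed
-- for the demonstration.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Customer (CustomerId int IDENTITY PRIMARY KEY, Name nvarchar(100) NOT NULL);
CREATE TABLE dbo.AppErrorLog (LogId int IDENTITY PRIMARY KEY, ErrorNumber int,
    ErrorMessage nvarchar(4000), ProcName sysname NULL, LoggedAt datetime2 NOT NULL);
INSERT INTO Sales.Customer (Name) VALUES (N'Ada Lovelace'), (N'O''Brien');
GO

-- BEFORE: the caller's text is spliced into the statement, so the characters
-- listed above (' , -- , ;) alter the statement instead of being matched as data.
CREATE PROCEDURE Sales.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);   -- a single quote inside @Name ends the literal early
END;
GO

-- AFTER: values travel as typed parameters, identifiers are whitelisted and
-- quoted, and engine errors are logged rather than returned to the caller.
CREATE PROCEDURE Sales.FindCustomer
    @Name    nvarchar(100),
    @OrderBy sysname = N'Name'     -- an identifier cannot be passed as a parameter
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Check for valid input: anything that must become statement text is
    --    compared against a fixed list, not escaped.
    IF @OrderBy NOT IN (N'Name', N'CustomerId')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    -- 2. Use parameters: sp_executesql keeps @p_name as data; QUOTENAME brackets
    --    the already-validated column name.
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = @p_name ORDER BY '
        + QUOTENAME(@OrderBy);

    BEGIN TRY
        EXEC sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
    END TRY
    BEGIN CATCH
        -- 3. Customize error messages: the engine's text names tables and
        --    columns, so keep it server-side and return a generic message.
        INSERT INTO dbo.AppErrorLog (ErrorNumber, ErrorMessage, ProcName, LoggedAt)
        VALUES (ERROR_NUMBER(), ERROR_MESSAGE(), ERROR_PROCEDURE(), SYSUTCDATETIME());
        RAISERROR(N'The request could not be completed.', 16, 1);
    END CATCH;
END;
GO

-- Even a legitimate name breaks the unsafe version: the dynamic string becomes
-- ... WHERE Name = 'O'Brien' and fails with "Unclosed quotation mark".
EXEC Sales.FindCustomer_Unsafe @Name = N'O''Brien';

-- The parameterized version matches the quote literally and returns the O'Brien row;
-- with a comment marker appended the term simply matches nothing.
EXEC Sales.FindCustomer @Name = N'O''Brien';
EXEC Sales.FindCustomer @Name = N'O''Brien -- ;';
```

Doubling quotes with REPLACE in the unsafe procedure would fix this one input but not the next encoding trick; the parameter boundary is what makes the value data regardless of its content. Granting the application role EXECUTE on the schema only, and no SELECT, is what makes "use stored procedures" a security control rather than a coding convention.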

Lock server room or rack when not in use

Restrict access to unauthorized individuals

If feasible, use security cameras

Second Tuesday of every month

Test updates or hotfixes immediately on non-production servers

Schedule patches soon after tested

Avoid network shares on servers

Don’t surf the Web on the server

Only enable required protocols

Keep servers behind a firewall

Encrypt your DB backups

Test backups by restoring

Restrict System Stored Procs and XPs (extended stored procedures)
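An added T-SQL example, not part of the original deck, serving two items from the slides: the DDL Triggers item in the SQL injection list (a database-level trigger that records every schema change, the auditing the session describes) and the restriction of extended stored procedures above (turning off xp_cmdshell and OLE Automation through sp_configure). The dbo.DdlAuditLog table and trigger name are constructed for the example.

```sql
-- Added example (not from the slide deck): DDL audit trigger plus hardening
-- of extended stored procedures. dbo.DdlAuditLog and trg_AuditDdl are
-- constructed names.

-- Audit table: who changed what, when, and the exact statement text.
CREATE TABLE dbo.DdlAuditLog (
    LogId      int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime2      NOT NULL,
    LoginName  nvarchar(128)  NOT NULL,
    EventType  nvarchar(128)  NOT NULL,
    ObjectName nvarchar(128)  NULL,
    Tsql       nvarchar(max)  NULL,
    EventXml   xml            NOT NULL
);
GO

-- Fires for every CREATE/ALTER/DROP in this database. EVENTDATA() returns the
-- event as XML; the XQuery below pulls out the fields worth querying, and the
-- whole document is kept for anything else.
CREATE TRIGGER trg_AuditDdl
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    INSERT INTO dbo.DdlAuditLog (EventTime, LoginName, EventType, ObjectName, Tsql, EventXml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/PostTime)[1]',   'datetime2'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e
    );
END;
GO

-- Exercise the trigger: two DDL statements, then read the audit rows back.
CREATE TABLE dbo.Scratch (x int);
DROP TABLE dbo.Scratch;
SELECT EventTime, LoginName, EventType, ObjectName, Tsql FROM dbo.DdlAuditLog;
GO

-- Extended stored procedures: leave them off unless a specific job needs them.
-- 'show advanced options' must be on to see or change these settings.
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;  -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;  -- sp_OACreate and friends
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;
GO

-- Check: confirm the running values, not just the configured ones.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access', 'clr enabled');
```

Because a DDL trigger runs inside the transaction of the statement that fired it, a failing trigger rolls that statement back; keep the trigger body small and make sure the audit table is never dropped from the same database without disabling the trigger first. The sys.configurations query is the one to schedule as a periodic check, since anyone with ALTER SETTINGS can turn a feature back on.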

http://www.sqlservercentral.com/Books/

Defensive Database Programming by Alex Kuznetsov

Protecting SQL Server Data by John Magnabosco

SQL Server Tacklebox by Rodney Landrum

Slide Deck at http://www.extofer.com

Gabriel Villa

email: extofer@gmail.com

blog: www.extofer.com

twitter: @extofer