Basic Security Practices for the Well-Rounded DBA

Too often security issues can be the Achilles’ heel of an otherwise well-rounded DBA. Even simple practices can be detrimental when overlooked. This presentation covers six security staples to help prevent points of vulnerability and costly liabilities.

Transcript of Basic Security Practices for the Well-Rounded DBA

Page 1: Basic Security Practices for the Well-Rounded DBA

Basic Security Practices for the Well-Rounded DBA

SQL Server DBA Professionals

Page 2: Basic Security Practices for the Well-Rounded DBA

2 Global Marketing · Understanding Query Execution Plans

It was a day like any other…

Until a hacked system administrator password led to a system lockdown.

It’s not an uncommon story.

Since the server was online – six physical business locations were negatively affected while the IT team scrambled to right the ship.

Page 3: Basic Security Practices for the Well-Rounded DBA


It was a day like any other…

Too often security issues can be the Achilles’ heel of an otherwise well-rounded DBA.

Even simple practices can be detrimental when overlooked.

Page 4: Basic Security Practices for the Well-Rounded DBA


The basics

1. As illustrated by the above anecdote, don’t give out your system administrator password.

2. Another basic network security staple is choosing the right kind of authentication (Windows vs. SQL login).

• Windows authentication is the recommended choice for an internal network.

• A database running on a local Windows machine can use Windows authentication, which automatically enforces a baseline of good practice.

3. Smartly using your system’s role-based access capabilities is another common-sense safeguard that is too often overlooked.
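The following T-SQL is an added example, not part of the slide deck, showing items 2 and 3 together: a Windows-authenticated login mapped to a narrowly scoped database role, a SQL login kept under Windows password policy where one is unavoidable, and a query to review what has actually been granted. The domain group `CORP\SalesApp_Readers`, the database `SalesDb`, the schema `Sales` and the role names are hypothetical placeholders.

```sql
-- Added example (not from the slide deck). Domain, database, schema and
-- role names are hypothetical placeholders.
USE master;
GO
-- Prefer a Windows group over a SQL login: password policy, lockout and
-- account lifecycle are then enforced by Active Directory, not by SQL Server.
CREATE LOGIN [CORP\SalesApp_Readers] FROM WINDOWS;
GO
USE SalesDb;
GO
CREATE USER [CORP\SalesApp_Readers] FOR LOGIN [CORP\SalesApp_Readers];
GO
-- A custom role scoped to one schema, instead of the broad fixed roles
-- (db_datareader, db_owner) that grant far more than a reporting app needs.
CREATE ROLE SalesReporting;
GRANT SELECT ON SCHEMA::Sales TO SalesReporting;
ALTER ROLE SalesReporting ADD MEMBER [CORP\SalesApp_Readers];
GO
-- If a SQL login is unavoidable (for example a non-domain host), keep the
-- Windows password policy and expiration checks ON rather than disabling them.
CREATE LOGIN SalesApp_Svc
    WITH PASSWORD = '<strong, unique password>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- Periodic review: who can do what in this database? Lists every explicit
-- permission with the principal and the object or schema it applies to.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc,
       CASE pe.class
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- object or column
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- schema
            ELSE NULL
       END                AS securable_name
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.type IN ('R', 'U', 'G', 'S')   -- roles, Windows users/groups, SQL users
ORDER BY pr.name, pe.permission_name;
```

Run the review query on a schedule and diff its output; a new GRANT to a role or user that nobody can explain is the kind of drift that turns a leaked login into a full compromise.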

Page 5: Basic Security Practices for the Well-Rounded DBA


Points of vulnerability

4. SQL Injection Attack – When SQL syntax is transferred between a web or Windows app and a database, an attacker can inject code through the app’s text box, manipulating the application to drop or delete needed tables.

• This is one area where a bit of coding ability (and the willingness to proactively communicate with your developer) makes a more well-rounded DBA.

• At the DBA level, you can set DDL (data definition language) triggers in the database so that when an injection attempts to create, drop or delete a table, the trigger prevents it.

• Routing all database access through stored procedures—so that ad-hoc, non-stored-procedure SQL is eliminated—is another safeguard against SQL injection.
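The T-SQL below is an added example, not code from the slide deck, covering the three points in item 4: a procedure written with the concatenation pattern that makes injection possible, the same lookup written with a bound parameter, an EXECUTE-only grant so the application principal has no direct table access, and a database-level DDL trigger that rolls back table drops and records the attempt. The `Sales` schema, `Sales.Customer` table, `SalesAppRole` role and trigger name are hypothetical.

```sql
-- Added example (not from the slide deck). Schema, table, role and
-- trigger names are hypothetical placeholders.
USE SalesDb;
GO
-- VULNERABLE pattern (shown for contrast, do not deploy): the user's input is
-- spliced into the SQL text, so quote characters and statement separators
-- in the input become part of the statement instead of being treated as data.
CREATE PROCEDURE Sales.FindCustomer_Unsafe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO
-- HARDENED: the input is bound as a typed parameter and can never alter the
-- statement's structure. Plain static SQL inside a procedure is equally safe;
-- sp_executesql is shown for the cases that genuinely need dynamic SQL.
CREATE PROCEDURE Sales.FindCustomer @Name NVARCHAR(100)
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = @p',
        N'@p NVARCHAR(100)',
        @p = @Name;
END;
GO
-- The application principal gets EXECUTE on the procedures only, never SELECT,
-- INSERT or DDL rights on the tables, so ad-hoc statements sent by a
-- compromised app have nothing they are allowed to touch.
CREATE ROLE SalesAppRole;
GRANT EXECUTE ON SCHEMA::Sales TO SalesAppRole;
GO
-- DDL trigger: any DROP TABLE or ALTER TABLE in this database is rolled back
-- and the offending login and statement are reported. Schema migrations must
-- disable it deliberately (DISABLE TRIGGER ... ON DATABASE) and re-enable it.
CREATE TRIGGER trg_BlockTableDDL
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    DECLARE @login SYSNAME =
        EVENTDATA().value('(/EVENT_INSTANCE/LoginName)[1]', 'SYSNAME');
    DECLARE @cmd NVARCHAR(MAX) =
        EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]',
                          'NVARCHAR(MAX)');
    RAISERROR ('Table DDL blocked in SalesDb. Login: %s. Statement: %s',
               16, 1, @login, @cmd);
    ROLLBACK;
END;
GO
```

Keep the priorities straight: the DDL trigger is a backstop for the destructive case the slide describes, but it does nothing against injection that reads or modifies rows through ordinary DML. Parameterization and the EXECUTE-only grant are the controls that remove the vulnerability; the trigger limits the damage if they are bypassed, and its RAISERROR text gives the DBA a log entry to alert on.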

Page 6: Basic Security Practices for the Well-Rounded DBA


Points of vulnerability

5. Backups are another area of vulnerability – What kind of encryption are you using for database backups, and are they protected with a key or password so that wayward backup files would be harder for a bad actor to decrypt and open?

• Unforced errors are part of the database backup pitfall.

– Let’s say the database has been running great for the last few months, but an event dictates that you have to recover data.

– If you haven’t tested your backups to see if they were properly configured and now you have three months’ worth of broken or corrupted data, you have just “hacked” yourself.
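The T-SQL below is an added example, not part of the slide deck, for item 5 as a whole: it encrypts a backup with a server certificate (so a copied .bak file is unreadable without the key), backs up that certificate to a separate location, and then tests the backup the way the slide insists on, first with RESTORE VERIFYONLY and then with a real restore under a scratch name followed by DBCC CHECKDB. The file paths, passwords, certificate name, `SalesDb` database and its logical file names `SalesDb` and `SalesDb_log` are hypothetical placeholders; backup encryption requires SQL Server 2014 or later.

```sql
-- Added example (not from the slide deck). Paths, passwords, certificate and
-- database names are hypothetical placeholders.
USE master;
GO
-- One-time setup: a database master key and a certificate used to encrypt backups.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'SalesDb backup encryption';
GO
-- Back up the certificate and its private key to a location kept SEPARATE from
-- the backup files. Without the certificate an encrypted backup cannot be
-- restored on any server, including this one after a rebuild.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Encrypted, checksummed full backup. A wayward copy of this file is useless
-- to whoever picks it up unless they also hold the certificate.
BACKUP DATABASE SalesDb
    TO DISK = 'E:\backups\SalesDb_full.bak'
    WITH COMPRESSION, CHECKSUM,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
GO
-- Test 1 (cheap): the backup is readable and its page checksums are intact.
RESTORE VERIFYONLY FROM DISK = 'E:\backups\SalesDb_full.bak' WITH CHECKSUM;
GO
-- Test 2 (the only real proof): restore to a scratch name and run integrity
-- checks. Schedule this; discovering a broken backup chain on the day you
-- need it is the "hacked yourself" scenario from the slide.
RESTORE DATABASE SalesDb_RestoreTest
    FROM DISK = 'E:\backups\SalesDb_full.bak'
    WITH MOVE 'SalesDb'     TO 'E:\scratch\SalesDb_RestoreTest.mdf',
         MOVE 'SalesDb_log' TO 'E:\scratch\SalesDb_RestoreTest.ldf',
         CHECKSUM, RECOVERY;
DBCC CHECKDB ('SalesDb_RestoreTest') WITH NO_INFOMSGS;
DROP DATABASE SalesDb_RestoreTest;
GO
-- Audit: were recent backups actually encrypted, and with which certificate?
-- An unencrypted row here means a process is writing backups outside the policy.
SELECT TOP (10)
       database_name, backup_finish_date, key_algorithm,
       encryptor_type, encryptor_thumbprint
FROM msdb.dbo.backupset
WHERE database_name = 'SalesDb'
ORDER BY backup_finish_date DESC;
```

Two points worth stressing from the practitioner's side: RESTORE VERIFYONLY only proves the file is consistent, not that the database inside it is usable, so the scratch restore plus CHECKDB is the test that matters; and the certificate backup belongs in a key vault or another protected location, because an encrypted backup whose certificate lives only on the failed server is as lost as a corrupted one.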

Page 7: Basic Security Practices for the Well-Rounded DBA


Points of vulnerability

6. Not every threat is virtual – How many times have you seen a completely unlocked server room or unlocked server racks?

• If that room is in your workplace, you know what to do, today.

– We have seen one company where that room was right behind the reception desk.

• Absorbed by performance issues or the daily routine, some IT teams fail to imagine that somebody could walk right into one of their server rooms, unplug a box, and walk right out the front door.

Page 8: Basic Security Practices for the Well-Rounded DBA


Costly liabilities

A lot of costly security liabilities can be avoided by adding just a few common-sense, basic practices to your DBA routine.

So in the event that your database or equipment becomes a target, you don’t have to explain why you didn’t protect your company’s or client’s data from the most basic and obvious threats.