Chapter 8 Hardening Your SQL Server Instance. Hardening Hardening The process of making your SQL...
-
Upload
cleopatra-warner -
Category
Documents
-
view
253 -
download
0
Transcript of Chapter 8 Hardening Your SQL Server Instance. Hardening Hardening The process of making your SQL...
Chapter 8
Hardening Your SQL Server Instance
Hardening Hardening
• The process of making your SQL Server Instance more secure
New features • Policy based management (chapter 10)• Kerberos authentication for other communication protocols beside
TCP/IP, such as named pipes and shared memory• Tighter integration between SQL Server 2008 and Windows Server
2008 and Active Directory Domain Services• Can re-name the sa account• Others
Authentication Windows authentication
• Always because the users are Windows users first.• Generally the password is more secure
Mixed Mode• Can be as secure as Windows • Provides a secondary guard• Necessary to support public facing applications• Not supporting Kerberos – a more mature and robust protocol
Can change between the two Book recommendation – use Windows authentication only My recommendation – allow both, use Windows
authentication whenever make sense, use SQL Server authentication whenever necessary.
The SA account Everybody knows about it It has all the power
• When compromised, the hacker could cause a lot major damagers – such as collecting important information or destroy the master table.
We should not use it for daily operations in a production environment
Should replace it with another account in two steps• Make sure there is another account with administrator privilege• Use Alter login SA with name= [abc-xyz]
Document the new SA name Document the SA password Have process of changing SA password
SQL Server Configuration Manager All programs Microsoft SQL Server 2008
Configuration Tools SQL Server Configuration Manager
Reduce the “Surface Area” – what services are running
SQL Server Configuration Manager (2)
You can see • Services• Network
Configuration• Client
Configuration
Exercise #3 Finding out the meaning of the following types of
connections and compare the pros and cons • Shared Memory• Named Pipes• TCP/IP• VIA
When listed in Client Protocols, they appear in certain order, what does the order indicate?
Due 2/24/2011
Change TCP port
The default is 1433 Change it so hackers take longer to find it Document the new number
Hiding a SQL Server Instance from Broadcasting info
Before hiding, client can find the instance with Server Browser listening the traffic on the net
After hiding, only the parties know the instance can target the instance
Windows Server 2008 Tools
Using Security Configuration Wizard Verify Security Using the Microsoft Baseline
security Analyzer SQL Server 2008 Best Practice Analyzer
Tool
Hardening Service Account There are many build in service account
• Just about one for each service
You can set to have each service account manage the corresponding service or have a single account manages all services
In a large enterprise you may have a large team, different team members are responsible for different components, the services accounts are a fitting approach
In a small shop, use one account for everything
Hardening Service Account (2)
Basic principles • Principle of Least Privilege
Give as little rights as you can operate
• Principle of Isolation Make each account apply to each instance and
component – to control the damages if compromised
These principles generate more work
Others
Install Service Packs and hot fixes Monitoring using Security Logs Remove the BUILDIN\Administrators group Use of Firewall