Common SQL Server Security Mistakes

Post on 28-Nov-2014


Transcript of Common SQL Server Security Mistakes

COMMON SECURITY MISTAKES

SQL Server Webcast

Michael K. Campbell

Michael K. Campbell Independent Consultant

Former DBA and Database Developer

Author, Contributing Editor, and Presenter

Contact web: http://www.overachiever.net

email: mike@overachiever.net

twitter: AngryPets

Common Security Mistakes

In this Webcast

Focus

Core SQL Server Security Concepts

Horror Stories (and how to avoid them)

Road Map

Session Overview

Core SQL Server Security Concepts

File System / Data Files

Simultaneous Requests

SQL Server

SQL Server’s Job: PROXY REQUESTS to RESOURCES

Transactional Safety

Performance Optimizations

Security (Authentication, Authorization)

SQL Server Authentication

Windows (i.e. SQL Hosting Environment)

SQL Server

LOGINS

SQL Server Managed Logins (usernames/passwords)

Windows Logins

(Trusted from OS)

Windows Security Principals / Logins (Users and Groups)

SQL Server Authorization / Mapping

Windows (i.e. SQL Hosting Environment)

SQL Server

LOGINS

SQL Server Managed Logins (usernames/passwords)

Windows Logins

(Trusted from OS)

Windows Security Principals / Logins (Users and Groups)

Databases

DB Level: Users and Roles (Mapped to Logins)

DB Level: Users and Roles (Mapped to Logins)

Core Security Concepts

Synopsis

Authorization:

Handled By SQL Server

Managed with Users and Roles

Authentication

Users are Validated via:

The OS (Integrated Authentication)

The OS AND SQL Server (Mixed Mode-Authentication)

Attack Vectors

Threat Modeling / Threat Categories

STRIDE

Spoofing Identity

Tampering

Repudiation

Information Disclosure

Denial of Service

Elevation of Privilege

Common Mistakes / Areas of Focus

Repudiation

Escalation

Circumvention

http://failblog.org/2009/02/28/

Repudiation

http://www.flickr.com/photos/miskan/7240060/ (Creative Commons)

COMMON MISTAKE: Not Understanding Auditing

Examples

Bad Example: Overbearing Security Practices

Good Example: Banking

Negatives:

Waste of Security Attention/Effort

(Largely) Ignores Hackers

Makes Users Mistrust/Hate Security

Auditing Options

Built-In Options: SQL Server C2 Audit Mode (Deprecated)

SQL Server 2008 Auditing (Powerful/Versatile)

Triggers: Audit Changes (not access) to Data

Ensure users are denied access to Audits/Logs

3rd Party Solutions: Wide Variety of Solutions

Simple Auditing Solutions: Sometimes Simple Solutions are Enough

Simple Auditing Solutions

http://www.flickr.com/photos/lara604/2610313357/ (Creative Commons)

Escalation

SQL Injection

Comic by XKCD: http://xkcd.com/327/

COMMON MISTAKE: Confusing Sprocs with Unicorns

The Fix

Applies To:

Services, Applications, Users

Horror Story:

Hospital

Cluster

Domain Admin

NULL SID

Solution:

The Principle of Least Privilege

COMMON MISTAKE: Excessive / Elevated Permissions

Least Privilege: Service Accounts

Account Types

Local or Domain Accounts.

NEVER as LOCAL SYSTEM

Isolate Accounts (don’t re-use service accounts)

Locked Down:

Deny Rights to login, login via RDP, etc.

Never need to be Admins, Power Users, or even Users.

MINIMUM perms and rights only.

Don’t forget about Proxies and Credentials

Demoting Existing Installations

SQL Server 2000

Rights and Permissions (Binaries and Data)

SQL Server 2005/2008/2008 R2

Use SQL Server Configuration Manager

Troubleshooting / Execution

Troubleshooting:

Use Windows Event Logs.

SysInternals / Process Monitor.

Execution

Requires Reboot of SQL Server Service.

Plan Accordingly.

Monty Python: “Run Away! Run Away!”

The BADGER is an option.

Keep an Eye on Backups over next few days.

Least Privilege: Applications

Applications Are Easy

Restrict to db_datareader/db_datawriter.

Explicitly Restrict to just Sprocs

Or Use a ‘Sprocs’ Role:

Create a new role: db_executeproc.

Script that GRANTs EXECUTE on all sprocs to Role.

Schedule the Job to run regularly.
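
An added example (not from the webcast) of the 'Sprocs' role steps above, in T-SQL. The role name db_executeproc is from the slide; the application user app_user, the cursor name and the choice to skip procedures that already carry a GRANT or DENY for the role are assumptions of this example.

```sql
-- Added example, not from the webcast. Run inside the application database.
-- db_executeproc is the role name from the slide; app_user is a hypothetical user.

-- 1. Create the role once (idempotent, safe to re-run from a scheduled job).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'db_executeproc' AND type = 'R')
    CREATE ROLE db_executeproc;

-- 2. GRANT EXECUTE on every user stored procedure the role has no entry for yet.
--    Procedures with an existing GRANT or an explicit DENY for the role are
--    skipped, so a deliberate DENY is not silently replaced by this job.
DECLARE @stmt nvarchar(1000);

-- STATIC: snapshot the list first, because the loop changes the permissions
-- catalog that the query reads.
DECLARE grant_cur CURSOR LOCAL STATIC FOR
    SELECT N'GRANT EXECUTE ON '
         + QUOTENAME(SCHEMA_NAME(p.schema_id)) + N'.' + QUOTENAME(p.name)
         + N' TO db_executeproc;'
    FROM sys.procedures AS p
    WHERE p.is_ms_shipped = 0
      AND NOT EXISTS (
            SELECT 1
            FROM sys.database_permissions AS dp
            WHERE dp.class = 1                 -- object or column permission
              AND dp.major_id = p.object_id
              AND dp.minor_id = 0              -- the object itself
              AND dp.type = 'EX'               -- EXECUTE
              AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'db_executeproc'));

OPEN grant_cur;
FETCH NEXT FROM grant_cur INTO @stmt;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT @stmt;                       -- shows up in the job step output
    EXEC sys.sp_executesql @stmt;
    FETCH NEXT FROM grant_cur INTO @stmt;
END;
CLOSE grant_cur;
DEALLOCATE grant_cur;

-- 3. One-time setup: put the application's database user in the role.
-- EXEC sp_addrolemember N'db_executeproc', N'app_user';
```

Run on a schedule (for example as a SQL Server Agent job step, an assumption about how the job is hosted), this picks up procedures created since the last run without granting the application anything on tables.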

Least Privilege: Users

Users are Harder: Egos Are Involved.

Implementation: Roles are your friend.

Techniques: Social Engineering.

Circumvention

http://failblog.org/2008/03/13/

Properly Secured = Harder to Recover Logins and Credentials.

Mappings to Users and Roles.

Certificates.

Encrypted Backups.

Test Your Backups Regularly

Document

http://www.flickr.com/photos/jeremybrooks/3132893543/ (Creative Commons)

COMMON MISTAKE: Not Adjusting Disaster Recovery Plans

Conclusion

Links / Resources at: http://updates.sqlservervideos.com

email: mike@overachiever.net