Common SQL Server Security Mistakes
Transcript of Common SQL Server Security Mistakes
COMMON SECURITY MISTAKES
SQL Server Webcast
Michael K. Campbell
Michael K. Campbell Independent Consultant
Former DBA and Database Developer
Author, Contributing Editor, and Presenter
Contact web: http://www.overachiever.net
email: [email protected]
twitter: AngryPets
Common Security Mistakes
In this Webcast
Focus
Core SQL Server Security Concepts
Horror Stories (and how to avoid them)
Road Map
Session Overview
Core SQL Server Security Concepts
File System / Data Files
Simultaneous Requests
SQL Server
SQL Server’s Job: PROXY REQUESTS to RESOURCES
• Transactional Safety
• Performance Optimizations
• Security
  • Authentication
  • Authorization
SQL Server Authentication
Windows (i.e. SQL Hosting Environment)
SQL Server
LOGINS
SQL Server Managed Logins (usernames/passwords)
Windows Logins
(Trusted from OS)
Windows Security Principals / Logins (Users and Groups)
SQL Server Authorization / Mapping
Windows (i.e. SQL Hosting Environment)
SQL Server
LOGINS
SQL Server Managed Logins (usernames/passwords)
Windows Logins
(Trusted from OS)
Windows Security Principals / Logins (Users and Groups)
Databases
DB Level: Users and Roles (Mapped to Logins)
Core Security Concepts
Synopsis
Authorization:
Handled By SQL Server
Managed with Users and Roles
Authentication
Users are Validated via:
The OS (Integrated Authentication)
The OS AND SQL Server (Mixed Mode Authentication)
Attack Vectors
Threat Modeling / Threat Categories
STRIDE
Spoofing Identity
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Common Mistakes / Areas of Focus
Repudiation
Escalation
Circumvention
http://failblog.org/2009/02/28/
Repudiation
http://www.flickr.com/photos/miskan/7240060/ (Creative Commons)
COMMON MISTAKE: Not Understanding Auditing
Examples
Bad Example: Overbearing Security Practices
Good Example: Banking
Negatives:
Waste of Security Attention/Effort
(Largely) Ignores Hackers
Makes Users Mistrust/Hate Security
Auditing Options
Built-In Options
SQL Server C2 Audit Mode (Deprecated)
SQL Server 2008 Auditing (Powerful/Versatile)
Triggers Audit Changes (not access) to Data
Ensure users are denied access to Audits/Logs
3rd Party Solutions
Wide Variety of Solutions
Simple Auditing Solutions
Sometimes Simple Solutions are Enough
Simple Auditing Solutions
http://www.flickr.com/photos/lara604/2610313357/ (Creative Commons)
Escalation
SQL Injection
Comic by XKCD: http://xkcd.com/327/
COMMON MISTAKE: Confusing Sprocs with Unicorns
The Fix
Applies To:
Services, Applications, Users
Horror Story:
Hospital
Cluster
Domain Admin
NULL SID
Solution:
The Principle of Least Privilege
COMMON MISTAKE: Excessive / Elevated Permissions
Least Privilege: Service Accounts
Account Types
Local or Domain Accounts.
NEVER as LOCAL SYSTEM
Isolate Accounts (don’t re-use service accounts)
Locked Down:
Deny Rights to login, login via RDP, etc.
Never need to be Admins, Power Users, or even Users.
MINIMUM perms and rights only.
Don’t forget about Proxies and Credentials
Demoting Existing Installations
SQL Server 2000
Rights and Permissions (Binaries and Data)
SQL Server 2005/2008/2008 R2
Use SQL Server Configuration Manager
Troubleshooting / Execution
Troubleshooting:
Use Windows Event Logs.
SysInternals / Process Monitor.
Execution
Requires Reboot of SQL Server Service.
Plan Accordingly.
Monty Python: “Run Away! Run Away!”
The BADGER is an option.
Keep an Eye on Backups over next few days.
Least Privilege: Applications
Applications Are Easy
Restrict to db_datareader/db_datawriter.
Explicitly Restrict to just Sprocs
Or Use a ‘Sprocs’ Role:
Create a new role: db_executeproc.
Script that GRANTs EXECUTE on all sprocs to Role.
Schedule the Job to run regularly.
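The ‘sprocs’ role described above, written out in T-SQL as an added example (not the presenter’s own script); the database name AppDb and the application user AppSvc are assumed:

```sql
-- Added example: an EXECUTE-only role for an application user.
-- Assumptions: database AppDb, application user AppSvc (both hypothetical).
USE AppDb;
GO

-- 1. Create the role once (idempotent, so the job can re-run safely).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'db_executeproc' AND type = 'R')
    CREATE ROLE db_executeproc;
GO

-- 2. GRANT EXECUTE on every user stored procedure, one statement each.
--    Re-running this as a scheduled job picks up procedures added since.
--    (GRANT EXECUTE ON SCHEMA::dbo would also cover future procedures,
--     but it grants EXECUTE on scalar functions in that schema too.)
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'GRANT EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(p.name)
             + N' TO db_executeproc;' + CHAR(10)
FROM sys.procedures AS p
JOIN sys.schemas   AS s ON p.schema_id = s.schema_id
WHERE p.is_ms_shipped = 0;
EXEC sys.sp_executesql @sql;
GO

-- 3. Put the application user in this role only: no db_datareader,
--    no db_datawriter, so the app cannot touch tables directly.
--    (sp_addrolemember works on 2005/2008; ALTER ROLE ... ADD MEMBER on 2012+.)
EXEC sys.sp_addrolemember N'db_executeproc', N'AppSvc';
GO

-- 4. Check: the role should hold EXECUTE on procedures and nothing wider.
SELECT pr.name AS principal, dp.permission_name,
       OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id) AS [object]
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON dp.grantee_principal_id = pr.principal_id
WHERE pr.name = N'db_executeproc';
```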
Least Privilege: Users
Users are Harder: Egos Are Involved.
Implementation: Roles are your friend.
Techniques: Social Engineering.
Circumvention
http://failblog.org/2008/03/13/
Properly Secured = Harder to Recover
Logins and Credentials.
Mappings to Users and Roles.
Certificates.
Encrypted Backups.
Test Your Backups Regularly
Document
http://www.flickr.com/photos/jeremybrooks/3132893543/ (Creative Commons)
COMMON MISTAKE: Not Adjusting Disaster Recovery Plans