Denali SQL Server Security
101: Intro to Security
SQL Server 7, 2000, 2005 and 2008
.Net Developer VB.Net and C#
www.extofer.com
twitter: @extofer
“Please allow me to introduce myself” … Rolling Stones
Gabriel Villa
101 Session Outline
SQL Server Threats
Write Secure Code
Auditing
Roles
Best Practices
Passwords
Physical Security
Security Patches
Network Security
Best Practices Resources
SQL Server Threats
Social Engineering
Manipulating people into handing over data
No technical cracking tools or techniques needed
SQL Injection
Affects any RDBMS, not just MS SQL Server
Attacker submits SQL commands through the front-end application
Tools: ' (closes a string), -- (comments out the rest of the statement), ; (chains a second statement)
SQL Injection
Write Secure Code
Check for Valid Input
DDL Triggers
Use Stored Procedures
Use Parameters
Customize Error Messages: avoid errors that return securable names (tables, columns, logins)
Source Control
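The following T-SQL is an added example, not from the original slides or the author's code. It puts the "Write Secure Code" checklist into one script: the same lookup written as a vulnerable dynamic-SQL stored procedure and as a parameterized one, the three injection "tools" from the threat slide driven against the vulnerable version, an input check, a customized error, and a DDL trigger that rolls back schema changes made outside the deployment account. The table, procedure, trigger and login names (dbo.Customers, dbo.GetCustomer_Unsafe, dbo.GetCustomer_Safe, trg_BlockSchemaChanges, CORP\DeploySvc) and the sample rows are constructed placeholders.

```sql
-- Added example, not from the original slides. Names and data are constructed for illustration.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL,
    CreditCard NVARCHAR(20) NOT NULL   -- the column an attacker wants and the app never selects
);
INSERT INTO dbo.Customers (LastName, CreditCard)
VALUES (N'Villa', N'4111-xxxx-xxxx-1111'),
       (N'Smith', N'5500-xxxx-xxxx-0004');
GO

-- VULNERABLE: a stored procedure alone is no protection when it pastes the caller's
-- string into the query text.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Tool 1 and 2: the quote closes the string, OR '1'='1' widens the filter, -- drops the trailing quote.
-- Returns every customer instead of one.
EXEC dbo.GetCustomer_Unsafe @LastName = N'x'' OR ''1''=''1'' --';
-- Tool 3: the semicolon chains a second statement; the second result set is the card column.
EXEC dbo.GetCustomer_Unsafe @LastName = N'x''; SELECT LastName, CreditCard FROM dbo.Customers --';
GO

-- SAFE: the value travels as a parameter and is never part of the query text.
CREATE PROCEDURE dbo.GetCustomer_Safe @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Check for valid input: letters, spaces and apostrophes only (loosen for your data).
    IF @LastName IS NULL OR @LastName LIKE N'%[^a-zA-Z'' ]%'
    BEGIN
        -- Customized error: nothing about tables, columns or logins reaches the caller.
        THROW 50001, N'Invalid customer lookup.', 1;
    END;
    -- Even when dynamic SQL is unavoidable, sp_executesql keeps code and data apart.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
END
GO

EXEC dbo.GetCustomer_Safe @LastName = N'O''Brien';          -- apostrophe is data: no row, no error
EXEC dbo.GetCustomer_Safe @LastName = N'x'' OR ''1''=''1'' --';  -- rejected by the input check
GO

-- DDL trigger: schema changes come from source control via one deployment login,
-- so an injected DROP TABLE or an ad-hoc ALTER is rolled back.
CREATE TRIGGER trg_BlockSchemaChanges ON DATABASE
FOR DROP_TABLE, ALTER_TABLE, CREATE_PROCEDURE, ALTER_PROCEDURE
AS
BEGIN
    IF ORIGINAL_LOGIN() <> N'CORP\DeploySvc'   -- placeholder deployment account
    BEGIN
        RAISERROR (N'Schema changes are only allowed from the deployment account.', 16, 1);
        ROLLBACK;
    END
END;
GO
```

Note that the input check is defence in depth, not the fix: even if it were bypassed, the parameterized comparison treats `x' OR '1'='1' --` as a literal surname and matches nothing.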
New “Denali” Auditing Features
SQL Server Audit available in all editions
User Defined Audit – applications write custom events to the audit log
Filtering – filter out unwanted events
Resilience – audit data is recovered from a temporary file after network issues
Roles and “Denali” Roles
Group users into roles based on how they use the server
Database Roles and Server Roles
Server Level Roles
sysadmin, bulkadmin, securityadmin, dbcreator
“Denali” User Defined Server Roles
Allow creation of new Server Roles
Helps avoid granting sysadmin
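As an added example (not from the slides or the author's code), this script creates the kind of user-defined server role the "Denali" slide describes, gives it only the permissions an on-call operator needs, and fills it from an Active Directory group so that Windows authentication handles membership. It closes with two checks: what the role can do, and who still sits in the fixed roles listed above. The role and group names (OperatorRole, CORP\SqlOperators) are placeholders; the group must exist in your domain.

```sql
-- Added example, not from the original slides. Role and group names are placeholders.
USE master;
GO
-- Windows authentication with a group: membership is managed in Active Directory, not here.
CREATE LOGIN [CORP\SqlOperators] FROM WINDOWS;
GO
-- A user-defined server role ("Denali" / SQL Server 2012 and later) holding exactly the
-- server permissions an operator needs: watch activity and kill sessions, read no data.
CREATE SERVER ROLE OperatorRole;
GRANT VIEW SERVER STATE     TO OperatorRole;  -- DMVs, Activity Monitor
GRANT ALTER ANY CONNECTION  TO OperatorRole;  -- KILL a runaway session
GRANT VIEW ANY DEFINITION   TO OperatorRole;  -- metadata only
GO
-- The pre-Denali shortcut was "make them sysadmin"; now the group gets the narrow role.
ALTER SERVER ROLE OperatorRole ADD MEMBER [CORP\SqlOperators];
GO
-- Check 1: what the role can actually do.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'OperatorRole';
-- Check 2: who is in the fixed high-privilege roles from the slide. Every row needs a reason.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'bulkadmin', N'dbcreator')
ORDER BY r.name, m.name;
```

Run the second query periodically: a new sysadmin member that nobody can explain is one of the cheapest findings an audit can produce.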
Tip: Authentication
Windows Authentication
Active Directory Integration
Supports Groups
Use Whenever Possible
Authentication
Mixed Authentication
Legacy applications or hard-coded logins
Non Windows Clients
Connections over Internet
Authentication
Passwords
DO NOT hardcode passwords
ASP.Net: encrypt the connectionStrings section of web.config (aspnet_regiis -pe)
Encrypt any password your code has to store
Strong Passwords
Minimum of 8 to 10 characters
Leet speak or special characters (e.g. s = 5 or E = 3)
SQLPing checks for default passwords
Change passwords frequently
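The script below is an added example, not from the slides or the author's code. It creates a SQL login that inherits the Windows password policy and must rotate its password, then runs from the inside the check SQLPing makes from the outside: which SQL logins still have a blank password or a password equal to their own name, and when each password was last set. The login name AppReporting and its provisioning password are placeholders.

```sql
-- Added example, not from the original slides. AppReporting is a placeholder login.
USE master;
GO
-- CHECK_POLICY makes a SQL login obey the Windows password policy (length, complexity,
-- lockout); CHECK_EXPIRATION enforces the rotation the slide asks for; MUST_CHANGE forces
-- a new password at first login, so this provisioning value never stays in use.
CREATE LOGIN AppReporting
    WITH PASSWORD = N'Ch4ng3-Me-On-F1rst-Use!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;
GO
-- Default-password sweep. password_hash is shown only to holders of CONTROL SERVER;
-- PWDCOMPARE returns NULL for it otherwise, which the CASE treats as "not weak".
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1   THEN 'BLANK'
            WHEN PWDCOMPARE(name, password_hash) = 1  THEN 'SAME AS LOGIN NAME'
            WHEN is_policy_checked = 0                THEN 'policy not enforced'
            ELSE 'ok'
       END AS finding
FROM sys.sql_logins
ORDER BY finding, name;
```

A login that shows BLANK, SAME AS LOGIN NAME, or a password_last_set years in the past is what an attacker running SQLPing will find first.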
Physical Security
Lock server room or rack when not in use
Restrict access to authorized individuals only
If feasible, use security cameras
Security Patches
Patch Tuesday: second Tuesday of every month
Test updates and hotfixes immediately on non-production servers
Schedule production patching soon after testing
Network Security
Avoid network shares on servers
Don’t surf the Web on the server
Only enable required protocols
Keep servers behind a firewall
Questions??
Slide Deck at http://www.extofer.com
Gabriel Villa
blog: www.extofer.com
twitter: @extofer
Auditing
Server and Database Level Events
Server Operations
Database Actions
Audit Specifications
Server Audit Specification
Audit Failed Login Attempts
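As an added example (not from the slides or the author's code), the script below ties together the two auditing sections, the "Denali" feature list and the server/database audit specification slides above: one server audit with a filter predicate and an on-failure policy, a server audit specification that captures failed logins, security changes and user-defined events, a database audit specification for a sensitive table, an application-written event via sp_audit_write, and a query over the audit files. The audit name, file path, database and table names (SecurityAudit, D:\Audit\, SalesDb, dbo.Customers) and the excluded service account are placeholders.

```sql
-- Added example, not from the original slides. Names and paths are placeholders.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
WITH (QUEUE_DELAY = 1000,
      ON_FAILURE = FAIL_OPERATION)   -- Denali option: if the log cannot be written, the audited action fails rather than go unrecorded
WHERE server_principal_name <> N'CORP\BackupService';   -- Denali filtering: drop one noisy, trusted account
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- Server-level events: failed logins (the slide's "Audit Failed Login Attempts"),
-- changes to logins and server roles, and the user-defined event group.
CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO
-- Database-level events: anyone reading or changing the sensitive table, plus schema changes.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SecurityAudit_Sales
FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- User-defined audit: the application records its own security decision in the same log,
-- so a denied password reset sits next to the failed logins that preceded it.
EXEC sys.sp_audit_write
    @user_defined_event_id   = 27,      -- application-chosen event code
    @succeeded               = 0,
    @user_defined_information = N'Password reset denied for customer 1042';
GO
-- Read back: every failed or denied action and every application event, newest first.
SELECT event_time, action_id, succeeded, server_principal_name, database_name,
       object_name, statement, user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file(N'D:\Audit\SecurityAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 0 OR user_defined_event_id IS NOT NULL
ORDER BY event_time DESC;
```

The WHERE predicate and ON_FAILURE = FAIL_OPERATION, the USER_DEFINED_AUDIT_GROUP with sp_audit_write, and audit support outside Enterprise edition are the "Denali" additions; the specification syntax itself is unchanged from SQL Server 2008.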