How to Secure Your SQL Server Instances

How to Secure your SQL Server Instances. Artemakis Artemiou, Microsoft Data Platform MVP; Creator of DBA Security Advisor; Creator of In-Memory OLTP Simulator; Chief Author @ Artemiou SQL Books; CDNUG Lead, INETA-EU Country Lead (CY). https://www.aartemiou.com, https://aartemiou.blogspot.com. July 14, 2016

Transcript of How to Secure Your SQL Server Instances

Page 1: How to Secure Your SQL Server Instances

How to Secure your SQL Server Instances

Artemakis Artemiou, Microsoft Data Platform MVP
Creator of DBA Security Advisor
Creator of In-Memory OLTP Simulator
Chief Author @ Artemiou SQL Books
CDNUG Lead, INETA-EU Country Lead (CY)
https://www.aartemiou.com
https://aartemiou.blogspot.com

July 14, 2016

Page 2: How to Secure Your SQL Server Instances

Agenda

• Why is this Needed?

• Areas to Secure

• Introducing DBA Security Advisor

• Why use DBA Security Advisor?

• Resources

How to Secure your SQL Server Instances, by Artemakis Artemiou (Microsoft Data Platform MVP) 2

Page 3: How to Secure Your SQL Server Instances

Why do I Need to Secure my SQL Server Instance?

• If you want to take DB security seriously (tip: you need to!)

• If you store your data in SQL Server databases

• Data is the most valuable asset within the Organization

• Your SQL Server instance is the next most valuable asset


Page 4: How to Secure Your SQL Server Instances

Areas to Secure

• Not only SQL Server. There are subsystems and an entire ecosystem that supports SQL Server’s operation.

• You need to handle:

– Physical Security

– OS & Network Security: Service Packs, Upgrades/Patches

– Application Security

– SQL Server Instance and Database-Level Security


Page 5: How to Secure Your SQL Server Instances

Physical Security

• Limit physical access to the physical server and its hardware components.

• Establish a proper procedure with adequate controls so that only authorized personnel have physical access to the server.


Page 6: How to Secure Your SQL Server Instances

OS & Network Security (I)

• Keep the OS up to date with the latest patches and service packs (after you have tested them with the database applications).

• Follow the least-privilege approach for service accounts.

• Restrict access to the SQL Server files on the operating system (data, log and backup files, installation directories).


Page 7: How to Secure Your SQL Server Instances

OS & Network Security (II)

• Configure the firewalls

– Keep unauthorized users off the network.

– Open the firewall only for the SQL Server services that are actually enabled (e.g. the Database Engine port, Integration Services, Analysis Services), and only for the clients that need them.


Page 8: How to Secure Your SQL Server Instances

Application Security

• Secure your client applications

– Do not expose user passwords in code. Use encrypted connection strings.

– Prefer Windows Authentication mode over SQL Server and Windows Authentication (mixed mode) for connecting to SQL Server.

– Prefer, and make sure your application supports, an encrypted connection to the SQL Server instance.
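As an added example (not part of the original slides and not code from DBA Security Advisor), the following T-SQL checks from the server side how clients are actually connecting right now: which authentication scheme each session uses and whether its connection is encrypted. It reads only the standard dynamic management views, so no names or objects are assumed; it is a snapshot, so run it during normal business load or collect it periodically.

```sql
-- Added example: who is connected with SQL authentication, and which sessions
-- are unencrypted. Only standard DMVs are used (sys.dm_exec_sessions,
-- sys.dm_exec_connections); requires VIEW SERVER STATE.

-- 1. Detail per login / program / host, so each client can be tracked down.
SELECT s.login_name,
       s.program_name,
       s.host_name,
       c.client_net_address,
       c.net_transport,        -- TCP, Named pipe, Shared memory
       c.auth_scheme,          -- SQL, NTLM or KERBEROS
       c.encrypt_option,       -- TRUE when the TDS stream is TLS-encrypted
       COUNT(*) AS sessions
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1     -- skip the engine's own background sessions
GROUP BY s.login_name, s.program_name, s.host_name,
         c.client_net_address, c.net_transport, c.auth_scheme, c.encrypt_option
ORDER BY c.encrypt_option, c.auth_scheme, sessions DESC;

-- 2. Summary: every row with auth_scheme = 'SQL' or encrypt_option = 'FALSE'
--    is a client that should move to Windows Authentication and/or enable
--    encryption in its connection string, e.g. for ADO.NET / ODBC clients:
--      Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;
SELECT c.auth_scheme,
       c.encrypt_option,
       COUNT(*) AS connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY c.auth_scheme, c.encrypt_option
ORDER BY c.encrypt_option, c.auth_scheme;
```

Once every client reports auth_scheme KERBEROS or NTLM and encrypt_option TRUE, the server itself can be switched to Windows Authentication mode and, if the certificate is in place, to Force Encryption in SQL Server Configuration Manager; doing it in that order avoids locking out an application that still depends on a SQL login.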


Page 9: How to Secure Your SQL Server Instances

SQL Server Instance & DB-Level Security (I)

• Check the server-level permissions

– Example 1: Check which logins are members of the sysadmin fixed server role.

– Example 2: Check which logins are members of the securityadmin fixed server role (they can create logins and grant server-level permissions, so treat them like sysadmins).

• Check all access levels and permissions in general

– Example: In each database, check which users are members of db_owner, db_datawriter, etc.
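As an added example (not from the original slides and not DBA Security Advisor's own code), here is the permission inventory the slide describes as plain T-SQL: members of sysadmin and securityadmin at the server level, then the members of the high-privilege fixed database roles in every online database. It goes slightly beyond the slide by also including db_securityadmin and db_ddladmin, since both can escalate to db_owner. Only standard catalog views are used; run it as a login with VIEW ANY DEFINITION or sysadmin.

```sql
-- Added example: server-role and database-role membership inventory.

-- 1. Server level: who holds sysadmin or securityadmin?
SELECT r.name AS server_role,
       m.name AS member_login,
       m.type_desc,             -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;

-- 2. Database level, across every online database. The statement is built
--    explicitly per database instead of relying on the undocumented
--    sp_MSforeachdb; database names are quoted with QUOTENAME and the
--    embedded literal is escaped, so odd database names are handled safely.
DECLARE @sql NVARCHAR(MAX) = N'';

SELECT @sql += N'
SELECT N''' + REPLACE(d.name, N'''', N'''''') + N''' AS database_name,
       r.name AS database_role,
       m.name AS member_user,
       m.type_desc,
       sp.name AS mapped_login      -- NULL means the user maps to no login
FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members AS rm
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = m.sid
WHERE r.name IN (N''db_owner'', N''db_datawriter'', N''db_securityadmin'', N''db_ddladmin'')
  AND m.name <> N''dbo''
UNION ALL'
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE';

-- drop the trailing UNION ALL and run the combined statement
SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
EXEC sys.sp_executesql @sql;
```

Review the output against an approved list: every sysadmin or securityadmin member that is not a named administrator (service accounts, application logins, whole Windows groups) is a finding, and a db_owner member whose mapped_login is NULL is either an orphaned user or a user without login and deserves a second look.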


Page 10: How to Secure Your SQL Server Instances

SQL Server Instance & DB-Level Security (II)

• Check the surface area: which of these server configuration options are enabled, and whether each one is actually needed:

– Ad Hoc Distributed Queries

– CLR Enabled & CLR assembly permission sets

– Cross DB Ownership Chaining

– Database Mail XPs

– xp_cmdshell

– etc.
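As an added example (not from the original slides and not DBA Security Advisor's own code), the following T-SQL audits the surface-area options listed above from sys.configurations, shows the sp_configure remediation for the ones that are normally off, and lists CLR assemblies whose permission set is broader than SAFE. It adds a few options the slide covers under "etc." (Ole Automation Procedures, remote access, scan for startup procs); all names are the real sp_configure option names.

```sql
-- Added example: surface-area audit plus remediation.

-- 1. Which of the risky options are currently in effect (value_in_use = 1)?
SELECT c.name,
       c.value_in_use,
       CASE WHEN c.value_in_use = 1 THEN 'REVIEW: enabled' ELSE 'ok' END AS finding
FROM sys.configurations AS c
WHERE c.name IN (N'Ad Hoc Distributed Queries',
                 N'clr enabled',
                 N'cross db ownership chaining',
                 N'Database Mail XPs',
                 N'xp_cmdshell',
                 N'Ole Automation Procedures',
                 N'remote access',
                 N'scan for startup procs')
ORDER BY c.name;

-- 2. Remediation for options that should be off unless a documented business
--    need exists. They are advanced options, so 'show advanced options' has to
--    be switched on while changing them and back off afterwards.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;                  -- OS command execution
EXEC sys.sp_configure N'Ad Hoc Distributed Queries', 0;   -- OPENROWSET/OPENDATASOURCE
EXEC sys.sp_configure N'Ole Automation Procedures', 0;    -- sp_OACreate & co.
EXEC sys.sp_configure N'cross db ownership chaining', 0;  -- set per database if needed
-- Database Mail and CLR are often legitimately used; disable only after checking.
-- EXEC sys.sp_configure N'Database Mail XPs', 0;
-- EXEC sys.sp_configure N'clr enabled', 0;
RECONFIGURE;
EXEC sys.sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. CLR assembly permission sets, per online database: EXTERNAL_ACCESS and
--    UNSAFE assemblies can reach outside the engine (files, network, native
--    code) and must be reviewed individually.
DECLARE @sql NVARCHAR(MAX) = N'';

SELECT @sql += N'
SELECT N''' + REPLACE(d.name, N'''', N'''''') + N''' AS database_name,
       a.name AS assembly_name,
       a.permission_set_desc,         -- SAFE_ACCESS, EXTERNAL_ACCESS, UNSAFE_ACCESS
       a.create_date
FROM ' + QUOTENAME(d.name) + N'.sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> N''SAFE_ACCESS''
UNION ALL'
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE';

SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
EXEC sys.sp_executesql @sql;
```

Run section 1 first and keep the result as the baseline; section 2 changes server state and should be applied in a change window, since any job or application that depends on one of these features breaks the moment it is disabled.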


Page 11: How to Secure Your SQL Server Instances

SQL Server Instance & DB-Level Security (III)

• Check other authentication and authorization settings

– Server authentication mode

– Guest user permissions

– Orphaned users

– etc.

• Check auditing settings

– Login auditing: are both failed and successful logins recorded, or only failed ones?

– Is the default trace enabled?
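As an added example (not from the original slides and not DBA Security Advisor's own code), the checks on this slide expressed as T-SQL: server authentication mode, the login audit level, the default trace setting, and then, per online database, whether guest holds CONNECT and which SQL users are orphaned (their SID matches no server login). Only documented catalog views, SERVERPROPERTY and xp_loginconfig are used.

```sql
-- Added example: authentication, authorization and auditing checks.

-- 1. Server authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows Authentication mode'
           ELSE 'Mixed mode (SQL Server and Windows Authentication): REVIEW'
       END AS authentication_mode;

-- 2. Login audit level: config_value is none, failure, success or all.
--    'failure' is the installer default; 'all' is what an auditor usually asks for.
EXEC master.sys.xp_loginconfig 'audit level';

-- 3. Default trace: value_in_use should be 1 so that DDL, login and
--    configuration changes leave a trail in the .trc files in the LOG folder.
SELECT c.name, c.value_in_use
FROM sys.configurations AS c
WHERE c.name = N'default trace enabled';

-- 4. Per database: guest with CONNECT (skipped for master, msdb and tempdb,
--    where guest must keep it) and orphaned SQL users.
DECLARE @sql NVARCHAR(MAX) = N'';

SELECT @sql +=
    CASE WHEN d.name IN (N'master', N'msdb', N'tempdb') THEN N'' ELSE N'
SELECT N''' + REPLACE(d.name, N'''', N'''''') + N''' AS database_name,
       N''guest has CONNECT'' AS finding,
       p.name AS principal_name
FROM ' + QUOTENAME(d.name) + N'.sys.database_permissions AS dp
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE p.name = N''guest'' AND dp.class = 0
  AND dp.permission_name = N''CONNECT'' AND dp.state = N''G''
UNION ALL' END
    + N'
SELECT N''' + REPLACE(d.name, N'''', N'''''') + N''',
       N''orphaned user'',
       u.name
FROM ' + QUOTENAME(d.name) + N'.sys.database_principals AS u
LEFT JOIN sys.server_principals AS l ON l.sid = u.sid
WHERE u.type = N''S''            -- SQL user
  AND u.principal_id > 4         -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND l.sid IS NULL
UNION ALL'
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE';

SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
EXEC sys.sp_executesql @sql;

-- Remediation, run inside the affected database:
--   REVOKE CONNECT FROM guest;                          -- guest finding
--   ALTER USER [name] WITH LOGIN = [login];             -- orphan with a real login
--   DROP USER [name];                                   -- orphan nobody needs
```

Users created WITHOUT LOGIN, and contained database users on SQL Server 2012 and later, also have no matching login and appear in the orphan list; on 2012+ add `AND u.authentication_type = 1` to keep only users that are supposed to map to an instance login.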


Page 12: How to Secure Your SQL Server Instances

SQL Server Instance & DB-Level Security (IV)

• Check password policies for SQL logins

– Password expiration

– Password policy

• Other checks

– Is Transparent Data Encryption used?

– SQL Server version: test your database applications and, if OK, consider upgrading to the latest version.


Page 13: How to Secure Your SQL Server Instances

SQL Server Instance & DB-Level Security (V)

• Other checks

– Service packs: test your database applications and, if OK, consider upgrading to the latest service pack.

– Are your databases successfully being backed up?

– Does BUILTIN\Administrators have any permissions on the SQL Server instance? If yes, it should not: it turns every local Windows administrator into a database administrator.
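As an added example (not from the original slides and not DBA Security Advisor's own code), the remaining checks from these two slides as T-SQL: version and service-pack level, SQL logins that bypass the password policy or expiration, TDE status per database, backup freshness from msdb, and whether a BUILTIN\Administrators login still exists. The 24-hour backup threshold is an assumption; substitute your own RPO.

```sql
-- Added example: version, password policy, TDE, backups, BUILTIN\Administrators.

-- 1. Version and patch level; compare with the latest SP/CU for that version.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,   -- RTM, SP1, SP2, ...
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Enabled SQL logins whose password is not held to the Windows policy
--    (complexity, lockout) or never expires.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       CASE WHEN l.is_policy_checked = 0     THEN 'no policy check; ' ELSE '' END +
       CASE WHEN l.is_expiration_checked = 0 THEN 'no expiration'     ELSE '' END AS finding
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
  AND (l.is_policy_checked = 0 OR l.is_expiration_checked = 0)
ORDER BY l.name;
-- Remediation per login (application logins usually get CHECK_POLICY only):
--   ALTER LOGIN [name] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 3. Transparent Data Encryption: which user databases are encrypted at rest.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,      -- 3 = encrypted; NULL = no database encryption key
       k.encryptor_type,        -- CERTIFICATE or ASYMMETRIC KEY
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4          -- user databases only
ORDER BY d.is_encrypted, d.name;

-- 4. Backup freshness: last full and last log backup per database, from msdb.
--    Assumption: a full backup older than 24 hours is a finding.
SELECT d.name,
       d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup,
       CASE WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
              OR MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) < DATEADD(DAY, -1, GETDATE())
            THEN 'REVIEW: no full backup in the last 24h'
            ELSE 'ok' END AS finding
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.name <> N'tempdb'
GROUP BY d.name, d.recovery_model_desc
ORDER BY last_full_backup;

-- 5. BUILTIN\Administrators should not exist as a login at all.
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       p.create_date,
       IS_SRVROLEMEMBER(N'sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name = N'BUILTIN\Administrators';
-- Remediation, only after confirming another sysadmin login exists and works:
--   DROP LOGIN [BUILTIN\Administrators];
```

TDE protects data files and backups at rest; it does nothing against a login that already holds permissions, so it complements the role and permission checks earlier in the deck rather than replacing them.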


Page 14: How to Secure Your SQL Server Instances

Introducing: DBA Security Advisor


Page 15: How to Secure Your SQL Server Instances

What is DBA Security Advisor?

A software tool which assesses SQL Server instances for potential security risks, using a rich set of proven best-practice security checks.


Page 16: How to Secure Your SQL Server Instances

DBA Security Advisor: Main Features (I)

• Assesses single or multiple SQL Server instances

• Rich set of security checks (more than 30 checks)

• Provides recommendations

• Generates remediation scripts and suggests remediation methods

*Note: Only the Enterprise Edition of DBA Security Advisor has all features available. The Community Edition has limited features. For more info please visit: https://www.dbasecadvisor.com/features/

Page 17: How to Secure Your SQL Server Instances

DBA Security Advisor: Main Features (II)

• Maintains report history

• Rich set of export options

• Report with information on connected SQL Server instances


Page 18: How to Secure Your SQL Server Instances

DBA Security Advisor: Screenshots (slides 18 to 23; the screenshot images are not included in this transcript)


Page 24: How to Secure Your SQL Server Instances

DBA Security Advisor: Why Use It?

• An easy way to constantly assess your SQL Server instances for security risks.

• Can be part of your global systems’ hardening process.

• You get recommendations and remediation scripts/methods for detected security risks.

• You can monitor your SQL Server instances’ hardening progress via the History mechanism.


Page 25: How to Secure Your SQL Server Instances

DBA Security Advisor

Get it today at:

www.dbasecadvisor.com


Page 26: How to Secure Your SQL Server Instances

Resources

• DBA Security Advisor Official Website

– https://www.dbasecadvisor.com

• DBA Security Advisor Blog

– http://blog.dbasecadvisor.com

• MSDN Article: Securing SQL Server

– https://msdn.microsoft.com/en-us/library/bb283235.aspx

• The SQL Server and .NET Blog

– https://aartemiou.blogspot.com

• My Official Website

– https://www.aartemiou.com
