Defense In Depth: Minimizing the Risk of SQL Injection


Defense In Depth: Minimizing the Risk of SQL Injection
Rob Kraft

Rob Kraft
- I confess. I’m a developer, not a DBA
- Independent Consultant
- Primarily a Software Architect and Project Manager
- SQL Server DBA since Version 4.2
- Co-authored books on SQL Server 7
- Taught classes on SQL Server
- From Lee’s Summit, MO
Rob Kraft – SQL Saturday Kansas City in 2015

The Scenario
- Your first week on the job as junior DBA, and the senior DBA gets fired
- The company is concerned he did something malicious
- They want you to find out if the company is exposed to SQL Injection
- What is vulnerable? Document it, fix it, prevent it from happening again.

Learn about SQL Injection
- https://www.owasp.org/index.php/SQL_injection
- https://en.wikipedia.org/wiki/SQL_injection
- http://www.sqlinjection.net
- https://www.youtube.com/watch?t=170&v=PB7hWlqTSqs – A good ten minute video – all demo, no speaker
- https://www.youtube.com/watch?v=Fp47G4MQFvA – Troy Hunt teaches a three year old about SQL Injection
- https://www.youtube.com/watch?t=128&v=JqzWPLq7bJY – A good seven minute video
- http://www.pluralsight.com/courses/ethical-hacking-sql-injection – A very good five hour training course

What is SQL Injection?
- SQL Injection lets hackers run their own carefully crafted SQL against the database.

What Can Hackers Do?
- The application expects this:
- But the hacker enters this:
- To SQL, they look like this:

Can They Do More Than Query Data?
- They can Update data
- They can Insert data
- They can Delete data
- They can query to learn the database structure
- They can query to learn the data in any table

Isn’t This Hard for Hackers?
- Unfortunately the answer is usually NO!
- Automated tools make it easy

Could it get any worse?
- They can alter table structures
- They can drop tables
- They can drop databases
- They can stop SQL Server

Surely it Can’t Get Any Worse!
- But it can!
- Connect to other computers on the network
- Download Malware from the Internet
- Run the Malware
- Create user accounts in the Domain

Let’s look at some examples
- DEMO TIME

What Can We Do About It?
- Secure the Services
- Turn off xp_cmdshell
- Limit the permissions on the database connection strings
- Write code to prevent SQL Injection
- Use IIS, Firewalls and other appliances to filter SQL Injection
- Monitor our systems

Secure the Services
- Limit the OS permissions of the account running SQL Server Services

Secure the Services
- Avoid:
  - Local System
  - An AD Administrator account
  - Network Service
  - A non-MSA AD account for SQL Server
- Use a “Managed Service Account”:
  - Permissions tailored for SQL Server
  - Password of account managed by AD
  - Don’t share the account with other Services

Secure the Services
- Use SQL Server Configuration Manager to set Service Accounts

Disable Features in SQL Server
- Turn off xp_cmdshell
  - At least set up a proxy account for it
- Disable ‘CLR Enabled’
- Disable SSIS, SSRS, or any other applications that are installed but not used

Limit the Connection String
- Don’t use sa or an admin account for connection strings
- Don’t allow sa or admin connection strings in development or test either
- Limit what the connected users can do to what they need to do
- Use stored procs for all data modifications

Connection String Challenges
- Windows Authentication
  - Want to allow Select for reports, but only desire edits to be done through the app
- SQL Server Authentication
  - Protecting and encrypting connection strings
- The application must prevent users from doing what they are not allowed to

Write Code Carefully
- In .Net, use parameters to pass values to the database in the SQL
- Do not manually construct SQL in code
- Beware of dynamic SQL inside of stored procedures
- Validate Input to the app
  - Is the length longer than expected?
  - Is the value the correct Data Type?

C# .Net Code
- DEMO TIME
- Note: Not just web sites, REST APIs too
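The two points of the “Write Code Carefully” slide (pass values as parameters, validate length and type before the value reaches SQL) side by side, as an added example that is not part of the presentation. It is written in Python so it runs offline; the in-memory sqlite3 database, the `Users` table and the sample rows are constructed stand-ins for SQL Server, and the pattern is the same with `SqlCommand` parameters in .NET or `pyodbc`.

```python
"""Added example (not from the slides): the same lookup written the wrong way
and the right way, plus the input checks the slide lists.

sqlite3 (standard library) stands in for SQL Server so this runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny users table with one surname that
    # legitimately contains a quote character.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Users (Name, Email) VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str):
    # VULNERABLE: the value is spliced into the statement text, so any input
    # containing a quote changes the *structure* of the SQL, not just its data.
    sql = "SELECT Id, Name FROM Users WHERE Name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str):
    # SAFE: the value travels separately as a parameter and can never be
    # parsed as SQL. sqlite3 uses ?, SQL Server uses @Name.
    sql = "SELECT Id, Name FROM Users WHERE Name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_name(value, max_len: int = 50) -> bool:
    # Defense in depth: reject input that is the wrong type or longer than
    # the column is meant to hold, before it gets anywhere near the database.
    return isinstance(value, str) and 0 < len(value) <= max_len and value.isprintable()


def demo() -> dict:
    conn = make_db()
    results = {}
    results["param"] = find_user_param(conn, "O'Brien")      # [(2, "O'Brien")]
    try:
        results["concat"] = find_user_concat(conn, "O'Brien")
    except sqlite3.Error as exc:
        # The quote in the name broke the statement: the same mechanism an
        # attacker exploits with a crafted value instead of a surname.
        results["concat"] = f"SQL error: {exc}"
    results["valid"] = validate_name("O'Brien")     # True
    results["too_long"] = validate_name("x" * 51)   # False
    results["wrong_type"] = validate_name(12345)    # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised query returns the `O'Brien` row; the concatenated one fails on exactly the same input, because the quote is read as SQL syntax rather than data. In .NET the equivalent is `cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name`, which also fixes the type and length the way `validate_name` does here.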

Block Hacks Before They Get To The App
- In IIS, use URLScan or Request Filtering
- Block/Allow specific IP address ranges access to the Web Server
- Purchase an Intrusion Detection System (IDS)
- Purchase an Intrusion Prevention System (IPS)

Keep Software Up To Date
- Apply the latest SQL Server Service Packs
- Apply Security Fixes
- Apply OS Service Packs
- Upgrade to a new OS Version
- Upgrade to a new version of SQL Server
- Update Firmware

Review Configurations
- Remember that developer that you gave admin privileges to while you went on vacation?
  - You forgot to revoke those privileges
  - And he gave the credentials to all the other devs
- Remember that consultant that came in and fixed the backup problem six months ago? How did he do it?
  - He moved the backup to another server and made it work by running SQL Server as LocalSystem

Review Configurations
- Use SQL Server Policy Based Management
  - To notify you when something changes
    - xp_cmdshell is enabled
    - SQL Server Login Mode changes
  - To block those things from happening
- Manually review configurations
- Monitor SQL Logs, IIS Logs
- SQL Server Best Practices Analyzer
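A baseline check covering the settings named on the “Disable Features in SQL Server” and “Review Configurations” slides (xp_cmdshell, ‘CLR Enabled’, login mode), as an added example that is not part of the presentation. Policy Based Management does this inside SQL Server; the script below shows the same comparison as plain code so it can run offline, over a constructed snapshot. In practice the rows would come from `SELECT name, value_in_use FROM sys.configurations` and `SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')`; the `BASELINE` values and the sample snapshot are this example’s assumptions.

```python
"""Added example (not from the slides): compare a SQL Server configuration
snapshot against a baseline and report drift.

Real inputs would come from:
    SELECT name, value_in_use FROM sys.configurations;
    SELECT SERVERPROPERTY('IsIntegratedSecurityOnly');   -- 1 = Windows auth only
A constructed snapshot is embedded so the script runs offline.
"""

# Expected value_in_use for each sp_configure option (0 = disabled).
# Both option names are the real sp_configure names from the slides.
BASELINE = {
    "xp_cmdshell": 0,
    "clr enabled": 0,
}
# Login mode baseline (assumption for this example): Windows Authentication only.
BASELINE_WINDOWS_AUTH_ONLY = 1


def check_configuration(config_rows, windows_auth_only):
    """Return a list of (setting, expected, actual) findings; empty means compliant.

    config_rows: iterable of (name, value_in_use) as sys.configurations reports them.
    windows_auth_only: SERVERPROPERTY('IsIntegratedSecurityOnly') (1 or 0).
    """
    actual = {name: int(value) for name, value in config_rows}
    findings = []
    for name, expected in BASELINE.items():
        if name not in actual:
            findings.append((name, expected, None))          # not reported at all
        elif actual[name] != expected:
            findings.append((name, expected, actual[name]))  # drifted from baseline
    if int(windows_auth_only) != BASELINE_WINDOWS_AUTH_ONLY:
        findings.append(("login mode (Windows auth only)",
                         BASELINE_WINDOWS_AUTH_ONLY, int(windows_auth_only)))
    return findings


# Constructed snapshot: the kind of state the consultant anecdote on the
# previous slide could leave behind (xp_cmdshell on, mixed-mode logins).
SAMPLE_ROWS = [
    ("xp_cmdshell", 1),
    ("clr enabled", 0),
]
SAMPLE_WINDOWS_AUTH_ONLY = 0


def demo():
    return check_configuration(SAMPLE_ROWS, SAMPLE_WINDOWS_AUTH_ONLY)


if __name__ == "__main__":
    for setting, expected, actual in demo():
        print(f"DRIFT: {setting}: expected {expected}, found {actual}")
    # Remediation for the first finding, in T-SQL (real sp_configure syntax):
    #   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    #   EXEC sp_configure 'xp_cmdshell', 0;             RECONFIGURE;
```

Run on a schedule (or from the job that collects the snapshot) and alert on a non-empty result; that is the notification half of what the slide asks Policy Based Management to do, and the same findings list is the evidence to attach when documenting the fix.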

Security Who?
- Active Directory Admins
  - Set up account(s) used by services
- DBAs
  - Configure SQL Server, limit permissions
  - Encrypt data and backups
- Developers
  - Sanitize SQL
- Web Admins
  - Firewalls, IDS, and IPS
- Auditing
  - Review Configurations and Policies

Encrypt Data At Rest
- Hash Passwords
- Encrypt sensitive data
  - Requires application code
  - Makes reporting difficult
- Encrypt the entire database
  - Only prevents use of the database on other servers
- Encrypt the database backups
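The “Hash Passwords” item is the one on this slide that lives entirely in application code, so here is what that code looks like, as an added example that is not part of the presentation. It uses `hashlib.pbkdf2_hmac` from the Python standard library (a salted, iterated hash, not a plain SHA-256); the `pbkdf2_sha256$<iterations>$<salt>$<hash>` storage format and the iteration count are this example’s own choices.

```python
"""Added example (not from the slides): salted, iterated password hashing
with a constant-time check, using only the standard library.

Stored value format (an assumption of this example, not a standard):
    pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # raise over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    # A fresh random salt per user means two users with the same password get
    # different stored values, and precomputed tables are useless. The salt
    # parameter exists only so tests can be deterministic.
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so response timing does not leak how many bytes matched.
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed stored value (wrong field count, bad hex, bad int): reject.
        return False


if __name__ == "__main__":
    # Constructed sample: store once, verify a right and a wrong guess.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
```

Only the string returned by `hash_password` goes into the table; the plaintext is never stored, which is why the slide lists hashing separately from encryption: there is nothing to decrypt, and a stolen table yields only salted hashes that must be attacked one user at a time.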

Encrypt Data In Transit
- Connection strings are encrypted
- Encrypt data between the app and the database?
- Encrypt data to/from the web server (SSL/TLS)

Resources
- Managed Service Accounts: https://msdn.microsoft.com/en-us/library/ms143504.aspx
- Use SQL Server Configuration Manager, not “Local Services”, to manage service accounts. How to run SQL Server Configuration Manager: https://msdn.microsoft.com/en-us/library/ms174212(v=sql.120).aspx
- SQL Server Security Checklist: http://www.kraftsoftware.com/Publications/SQLServerSecurityChecklist.aspx
- SQL Server Authentication Options: http://www.kraftsoftware.com/Publications/SQLServerAuthenticationOptions.aspx
- SQL Server 2016 – Always Encrypted: https://channel9.msdn.com/Blogs/mwilmot/SQL-Server-2016-Encryption
- SQL Server Best Practices Analyzer: http://www.microsoft.com/en-us/download/details.aspx?id=29302
- SQL Server 2014 Backup Encryption: http://blogs.msdn.com/b/mvpawardprogram/archive/2014/06/02/sql-server-2014-backup-encryption.aspx