SQL Server Security & Intrusion Prevention


SQL Server Security & Intrusion Prevention
Gabriel Villa, www.extofer.com
SQL Saturday #94, Salt Lake City

“Please allow me to introduce myself” … Rolling Stones
Gabriel Villa
- SQL Server 7, 2000, 2005 and 2008
- .NET developer (VB.NET and C#)
- www.extofer.com
- Twitter: @extofer

Session Outline
- SQL Server threats
- Security model
- Auditing
- Writing secure code
- Best practices: physical security, security patches, network security
- Resources

SQL Server Threats
Social Engineering
- Manipulating people into giving up data
- Uses no technical cracking tools or techniques
SQL Injection
- Any RDBMS is vulnerable, not just MS SQL Server
- The attacker posts SQL commands through the front-end application
- Tools: ' , --, ;

SQL Injection

SQL Server Security Model
- Principals: Windows users, SQL logins, roles, groups
- Securables: schemas
- (Diagram) Windows users and SQL logins → database users → database roles → schemas

Authentication: Windows Authentication
- Active Directory integration
- Supports groups
- Use whenever possible

Authentication: Mixed Authentication
- Legacy applications or hard-coded login references
- Non-Windows clients
- Connections over the Internet

Authentication

Passwords
- DO NOT hard-code passwords
- In ASP.NET, encrypt web.config
- Encrypt passwords in your code
Strong Passwords
- 8 to 10 characters minimum
- L33t speak or special characters (e.g. s = 5 or 3 = E)
- SQLPing checks for default passwords
- Change passwords frequently

Roles
- Group users into roles based on usage
- Database roles and server roles
- Server-level roles: sysadmin, bulkadmin, securityadmin, dbcreator

Roles and “Denali”
- Group users into roles based on usage
- Database roles and server roles
- Server-level roles: sysadmin, bulkadmin, securityadmin, dbcreator
“Denali” user-defined server roles
- Allow creation of new server roles
- Help prevent the use of sysadmin

Securables
- Use schemas to secure database objects
- A schema is a namespace container
- Simplify access permissions: group objects into schemas and grant permissions on the schema, not on individual objects
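The Authentication, Passwords, Roles and Securables slides above, worked through as T-SQL. This is an added example, not code from the presentation; every name in it (SalesDb, Sales, SalesReader, app_sales, ServerMonitor, the CORP\ groups) is a placeholder.

```sql
-- Added example (not from the original slides): a login with the Windows
-- password policy enforced, a least-privilege database role, a user-defined
-- server role instead of sysadmin, and permissions granted per schema.
-- All names (SalesDb, Sales, SalesReader, app_sales, CORP\...) are placeholders.
USE master;
GO
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;  -- 1 = Windows only, 0 = mixed
CREATE DATABASE SalesDb;
GO
-- Mixed-mode login: CHECK_POLICY applies the Windows complexity and lockout
-- policy, CHECK_EXPIRATION forces periodic password changes.
CREATE LOGIN app_sales
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- Windows group logins: preferred wherever Active Directory is available.
CREATE LOGIN [CORP\SalesApp]   FROM WINDOWS;
CREATE LOGIN [CORP\DbaMonitor] FROM WINDOWS;
GO
-- SQL Server 2012 ("Denali") and later: a custom server role so monitoring
-- staff get exactly VIEW SERVER STATE rather than sysadmin.
CREATE SERVER ROLE ServerMonitor AUTHORIZATION sa;
GRANT VIEW SERVER STATE TO ServerMonitor;
ALTER SERVER ROLE ServerMonitor ADD MEMBER [CORP\DbaMonitor];
GO
USE SalesDb;
GO
CREATE USER app_sales       FOR LOGIN app_sales;
CREATE USER [CORP\SalesApp] FOR LOGIN [CORP\SalesApp];
GO
-- Put objects in a schema and grant at schema level: any table or view
-- created in Sales later is covered without a new GRANT.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100), City nvarchar(50));
CREATE ROLE SalesReader AUTHORIZATION dbo;
GRANT SELECT ON SCHEMA::Sales TO SalesReader;
EXEC sp_addrolemember N'SalesReader', N'app_sales';       -- ALTER ROLE ... ADD MEMBER on 2012+
EXEC sp_addrolemember N'SalesReader', N'CORP\SalesApp';
GO
-- Verify: what each principal holds at schema level.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name,
       SCHEMA_NAME(pe.major_id) AS [schema]
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = N'SCHEMA';
```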

Auditing
- Server- and database-level events
- Audit failed login attempts, server operations and database actions
- Audit specifications: a server audit specification, e.g. auditing failed login attempts

New “Denali” Auditing Features
- SQL Audit available in all editions
- User-defined audit: applications write custom events to the audit log
- Filtering: filter out unwanted events
- Resilience: recover audit data from a temporary file after network issues
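The auditing features on the two slides above, as an added T-SQL example (not from the presentation). It assumes SQL Server 2012 (“Denali”) or later for the WHERE filter and sp_audit_write, and assumes a database SalesDb with a Sales schema already exists; the audit name, file path and the CORP\MonitorSvc account are placeholders.

```sql
-- Added example (not from the original slides), SQL Server 2012+: a file-based
-- server audit with a filter, a server audit specification for failed logins
-- and principal/role changes, a database audit specification for the Sales
-- schema, and a user-defined audit event. Paths and names are placeholders.
USE master;
GO
CREATE SERVER AUDIT Audit_Security
    TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000,        -- ms an event may wait in memory before it is flushed
          ON_FAILURE = CONTINUE)     -- keep serving if the audit target is unreachable
    -- Filtering: drop noise from a known monitoring account (placeholder name)
    WHERE server_principal_name <> N'CORP\MonitorSvc';
GO
-- Server-level events: every failed login, plus login and server-role changes.
CREATE SERVER AUDIT SPECIFICATION Audit_Security_Server
    FOR SERVER AUDIT Audit_Security
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)   -- receives the sp_audit_write events below
    WITH (STATE = ON);
GO
USE SalesDb;
GO
-- Database-level events: reads/writes in the Sales schema and any DDL change.
CREATE DATABASE AUDIT SPECIFICATION Audit_Security_SalesDb
    FOR SERVER AUDIT Audit_Security
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Sales BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE master;
GO
ALTER SERVER AUDIT Audit_Security WITH (STATE = ON);
GO
-- User-defined audit: an application records its own security-relevant event.
EXEC sp_audit_write @user_defined_event_id = 1001, @succeeded = 1,
                    @user_defined_information = N'Nightly export started';
GO
-- Read the audit files back, newest events first.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```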

Write Secure Code
- Check for valid input
- DDL triggers
- Use stored procedures
- Use parameters
- Customize error messages; avoid errors that return securable names
- Source control
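The SQL injection threat from the Threats slide and the stored-procedure, parameter and error-message items above, side by side in one added T-SQL example (not code from the presentation). The schema, table, rows and the SalesApp role are constructed for the example.

```sql
-- Added example (not from the original slides): dynamic SQL that stays
-- parameterised, and an error handler that never leaks object names.
-- Sales, Sales.Customer, dbo.ErrorLog and SalesApp are constructed names.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100), City nvarchar(50));
INSERT INTO Sales.Customer VALUES (1, N'Alice', N'Salt Lake City'), (2, N'Bob', N'Provo');  -- constructed rows
CREATE TABLE dbo.ErrorLog (ErrorLogId int IDENTITY PRIMARY KEY, ErrorNumber int,
    ErrorMessage nvarchar(4000), ProcedureName sysname NULL, LoggedAt datetime2 DEFAULT SYSUTCDATETIME());
GO
-- Unsafe: the caller's text becomes part of the statement. A @City value of
--   ' OR 1 = 1 --
-- turns the WHERE clause into a tautology and comments out whatever follows.
CREATE PROCEDURE Sales.usp_FindCustomer_Unsafe @City nvarchar(50)
AS
    EXEC (N'SELECT CustomerId, Name FROM Sales.Customer WHERE City = ''' + @City + N'''');
GO
-- Safe: the same query with a real parameter. The value is bound as data, so
-- quotes, -- and ; inside @City are compared with the City column, never executed.
CREATE PROCEDURE Sales.usp_FindCustomer @City nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        EXEC sp_executesql
            N'SELECT CustomerId, Name FROM Sales.Customer WHERE City = @City',
            N'@City nvarchar(50)',
            @City = @City;
    END TRY
    BEGIN CATCH
        -- Keep the detailed message (which may name tables and columns) server-side ...
        DECLARE @ref int;
        INSERT INTO dbo.ErrorLog (ErrorNumber, ErrorMessage, ProcedureName)
        VALUES (ERROR_NUMBER(), ERROR_MESSAGE(), ERROR_PROCEDURE());
        SET @ref = SCOPE_IDENTITY();
        -- ... and hand the caller only a generic message plus a lookup reference.
        RAISERROR (N'The request could not be completed. Reference: %d', 16, 1, @ref);
    END CATCH;
END;
GO
-- Least privilege: the application role may run the procedure but cannot
-- touch the table directly (ownership chaining covers the SELECT inside).
CREATE ROLE SalesApp;
GRANT EXECUTE ON Sales.usp_FindCustomer TO SalesApp;
GO
EXEC Sales.usp_FindCustomer @City = N'Provo';            -- one row: Bob
EXEC Sales.usp_FindCustomer @City = N''' OR 1 = 1 --';   -- no rows: treated as a literal city name
```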

Best Practices
- Physical security
- Windows updates
- Network security

Physical Security
- Lock the server room or rack when not in use
- Restrict access to authorized individuals only
- If feasible, use security cameras

Security Patches
- Released on the second Tuesday of every month
- Test updates and hotfixes immediately on non-production servers
- Schedule patching soon after testing

Network Security
- Avoid network shares on servers
- Don’t surf the Web on the server
- Only enable required protocols
- Keep servers behind a firewall

Other Tips
- Encrypt your database backups
- Test backups by restoring them
- Restrict system stored procedures and extended stored procedures (xp_*)
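The three tips above as an added T-SQL script (not from the presentation): switching off the extended procedures most often abused, confirming the setting, and proving a backup by restoring it under another name. SalesDb, the backup and data paths, and BackupCert are placeholders.

```sql
-- Added example (not from the original slides): disable the risky extended
-- procedures, confirm the setting, and prove a backup by restoring it to a
-- scratch database and checking it. SalesDb and the paths are placeholders.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;  -- no OS shell from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;  -- no sp_OACreate and friends
GO
-- Confirm, and re-run this query periodically: a sysadmin can turn them back on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');
GO
-- Back up with checksums so page corruption is caught at backup time ...
BACKUP DATABASE SalesDb
    TO DISK = N'D:\Backup\SalesDb.bak'
    WITH INIT, CHECKSUM, STATS = 10;
    -- SQL Server 2014+: add  ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert)
-- ... verify the media ...
RESTORE VERIFYONLY FROM DISK = N'D:\Backup\SalesDb.bak' WITH CHECKSUM;
-- ... then restore it under another name and run CHECKDB on the copy.
-- Logical file names come from: RESTORE FILELISTONLY FROM DISK = N'D:\Backup\SalesDb.bak';
RESTORE DATABASE SalesDb_RestoreTest
    FROM DISK = N'D:\Backup\SalesDb.bak'
    WITH MOVE N'SalesDb'     TO N'D:\Data\SalesDb_RestoreTest.mdf',
         MOVE N'SalesDb_log' TO N'D:\Data\SalesDb_RestoreTest_log.ldf',
         CHECKSUM, STATS = 10;
DBCC CHECKDB (SalesDb_RestoreTest) WITH NO_INFOMSGS, ALL_ERRORMSGS;
DROP DATABASE SalesDb_RestoreTest;
```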

Best Practices Resources
- http://www.sqlservercentral.com/Books/
- Defensive Database Programming by Alex Kuznetsov
- Protecting SQL Server Data by John Magnabosco
- SQL Server Tacklebox by Rodney Landrum

Questions??
Slide deck at http://www.extofer.com
Gabriel Villa
- email: extofer@gmail.com
- blog: www.extofer.com
- twitter: @extofer

Thank you to our sponsors (Gold, Blog Prize, Bronze)