Code-Less Securing of SQL Server


Code-Less Securing of SQL Server Argenis Fernandez SurveyMonkey

About Me
- Member of the Database Engineering team at SurveyMonkey (We're hiring!)
- Former Senior Consultant: SQL Server Core, Microsoft Consulting Services
- Microsoft Certified Master: SQL Server 2008 and Microsoft Certified Solutions Master: Data Platform (Charter) 2012-2013
- Idera SQL Server ACE
- DBA/Dev & SysAdmin for 15 years
- Love OS, SQL internals/Security
- Frequent Speaker (PASS Summit, SQLRally, 24HOP, SQLBits, TechEd)
- Twitter enthusiast, rather infrequent blogger
- Founder, PASS Security Virtual Chapter

Why Bother?
- Security is hard
- It's hardly convenient
- This is why…

Please visit Troy Hunt’s web site for more information on SQL injection: http://www.troyhunt.com/

Agenda
- The sa account
- Database Firewalls
- Active Directory
- IPSec
- Transparent Data Encryption (TDE)
- Auditing
- Contained Databases
- Server Core
- Things to do
- Things to avoid

The sa account
- Omnipotent account
- Rename it
- Disable it
- Don't ever use it
- Forget that it even exists
- What sa account are you talking about?
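The rename-and-disable steps above as a T-SQL script, added here as an example (not code from the deck). The login is located by its fixed SID (0x01) so the script works even if it was renamed earlier; `srv_builtin_admin` is a placeholder name.

```sql
USE master;
GO

-- 1. Find the built-in administrator login by its fixed SID; the name may already differ from 'sa'
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
GO

-- 2. Ownership is tracked by SID, so databases and Agent jobs owned by sa keep working
--    after the rename, but this is the list of places still relying on the account.
--    Reassign these owners before disabling.
SELECT name AS database_owned_by_sa
FROM sys.databases
WHERE owner_sid = 0x01;

SELECT name AS agent_job_owned_by_sa
FROM msdb.dbo.sysjobs
WHERE owner_sid = 0x01;
GO

-- 3. Rename it (placeholder name; pick your own)
ALTER LOGIN sa WITH NAME = [srv_builtin_admin];
GO

-- 4. Disable it so it cannot authenticate even with a valid password
ALTER LOGIN [srv_builtin_admin] DISABLE;
GO

-- 5. Verify: the SID 0x01 principal is no longer called 'sa' and is_disabled = 1
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
GO
```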

Demo – sa honeypot

Database/Application Firewalls
- Can prevent SQL injection attacks at the app level
- Can also inspect every TDS packet sent to the server
- Can work alongside agents to further secure access to the database

Active Directory security
- Use AD Groups whenever possible
- Use GPOs to enforce password strength/expiration policies (careful with expiration for service accounts!)
- Isolate Dev/Test/QA/Prod under individual OUs, or better yet: isolate on different domains/forests

IPSec
- Provides network-level encryption
- Can be restricted to a set of hosts
- Easier to set up than app/web-level encryption
- Any host affected by the policy is automatically protected
- "We need to encrypt data on the fly!"

Transparent Data Encryption (TDE)
- Provides storage-level encryption
- It's managed on a per-instance basis
- Can have a significant performance impact
- "We need to encrypt data at rest!"
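Enabling TDE end to end, as an added example that is not part of the deck. It assumes a user database named `SalesDB`, a certificate name `TDE_Cert`, a backup folder `C:\secure\` and placeholder passwords; the certificate backup in step 3 is the step people skip and then regret.

```sql
USE master;
GO
-- 1. Database master key in master (protected by the service master key and this password)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Certificate that will protect the database encryption key
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate AND its private key now and store the pair off the box:
--    without these files the database and every backup taken after step 5 cannot be restored elsewhere
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\secure\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<another-strong-password-placeholder>');
GO
-- 4. Per-database encryption key, protected by the server certificate
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Switch it on; a background scan rewrites every page, which is where the I/O cost lands
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Watch progress: encryption_state 2 = in progress, 3 = encrypted.
--    tempdb appears here too: once any user database is encrypted, tempdb is encrypted as well,
--    which is the instance-wide side effect behind "managed on a per-instance basis"
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```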

Auditing
- You should (at the very least) audit DDL
- You might be forced to audit for compliance
- Forensic trail
- The transaction log is a gold mine
- Default trace (in deprecation path now)
- Audit successful logins?
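A SQL Server Audit that captures DDL plus failed logins, added here as an example (not from the deck). Failed logins are also what you would watch for attempts against the renamed sa login from the honeypot demo. It assumes a database `SalesDB`, an audit folder `C:\audit\` and the object names shown.

```sql
USE master;
GO
-- 1. The audit target: rolling files, keep serving queries if the audit log cannot be written
CREATE SERVER AUDIT Audit_DDL_Logins
    TO FILE (FILEPATH = 'C:\audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Server-level events: failed logins, server-scoped DDL, login/role membership changes
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
    FOR SERVER AUDIT Audit_DDL_Logins
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 3. Database-level DDL: schema objects, users, role membership
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_SalesDB_DDL
    FOR SERVER AUDIT Audit_DDL_Logins
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 4. Start the audit itself (specifications do nothing until the audit is ON)
USE master;
GO
ALTER SERVER AUDIT Audit_DDL_Logins WITH (STATE = ON);
GO
-- 5. Read the forensic trail back, newest first
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file('C:\audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Add `SUCCESSFUL_LOGIN_GROUP` to the server specification only after sizing the log: on a busy instance it dominates the volume, which is the trade-off behind the "Audit successful logins?" bullet.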

Contained Databases
- Logins contained in the database, not kept in master
- Standard logins/users can be made contained
- You want to use this feature if you're using AlwaysOn Availability Groups and/or Database Mirroring
- Careful! There are gotchas
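Turning on partial containment and creating a contained user, as an added example (not the demo from the deck). It assumes a database `SalesDB`, an existing login-backed user `legacy_user` and placeholder passwords; the last query surfaces the kind of gotcha the slide warns about.

```sql
-- 1. Instance-level switch; on an Availability Group this must be set on every replica,
--    otherwise contained users cannot authenticate after a failover
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
-- 2. Make the database partially contained
ALTER DATABASE SalesDB SET CONTAINMENT = PARTIAL;
GO
USE SalesDB;
GO
-- 3. A contained user authenticates against the database itself; nothing is stored in master,
--    so it travels with the database to the secondary replica or mirror partner
CREATE USER app_user WITH PASSWORD = '<strong-password-placeholder>';
ALTER ROLE db_datareader ADD MEMBER app_user;
GO
-- 4. Convert an existing user in place. The matching login stays in master (disabled here);
--    drop it once nothing else depends on it, or the two principals drift apart
EXEC sp_migrate_user_to_contained
    @username     = N'legacy_user',
    @rename       = N'keep_name',
    @disablelogin = N'disable_login';
GO
-- 5. Gotcha check: anything listed here (modules that reference other databases, users still
--    tied to logins, linked-server use in procedures) breaks the "everything is in the database" promise
SELECT class_desc,
       feature_type_name,
       major_id,
       statement_type
FROM sys.dm_db_uncontained_entities;
GO
```

Contained users connect only when the connection string names the database as its initial catalog; a connection that lands in master first is authenticated against server logins, not contained users.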

Demo – Contained Databases

Windows Server Core
- Reduced surface area
- Less patching!
- Less "let me log in to the server and do stuff!"

Things to Do
- SANITIZE all of your inputs. TWICE if you must (app layer/SQL layer)
- LOCK YOUR WORKSTATION
- SCAN your network periodically for new SQL instances
- HIRE A PROFESSIONAL to do a penetration test that includes social engineering attacks
- EDUCATE your Developers/Vendors!

More Things to Do
- ENFORCE Principle of Least Privilege
- REDUCE your exposure (surface area)
- LOCKDOWN Production!

Things to Avoid
- SQL Servers sitting on boxes with routable IP addresses
- xp_cmdshell
- TRUSTWORTHY
- Using the same service accounts/passwords across Dev/Test/QA/Prod
- Using non-standard port numbers (it only makes things worse)
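A check-and-fix script for the two instance settings on this list, xp_cmdshell and TRUSTWORTHY, added here as an example (not from the deck). `SalesDB` is a placeholder; the owner column matters because TRUSTWORTHY on a database owned by a sysadmin lets code in that database act with sysadmin rights elsewhere on the instance.

```sql
USE master;
GO
-- 1. Which user databases have TRUSTWORTHY on, and who owns them.
--    msdb is TRUSTWORTHY by design and is excluded; do not turn it off there.
SELECT d.name,
       d.is_trustworthy_on,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';
GO
-- 2. Remediate per database (repeat for each row returned above)
ALTER DATABASE SalesDB SET TRUSTWORTHY OFF;
GO
-- 3. Is xp_cmdshell enabled? value_in_use = 1 means any sysadmin (or anyone who becomes one
--    through an injection path) gets an OS shell as the service account
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO
-- 4. Switch it off ('show advanced options' is required to see and change it)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Both settings are worth a line in the DDL audit from the Auditing slide, since a sysadmin can re-enable either of them with one statement.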

Get This Book!
- Denny Cherry: "Securing SQL Server", 2nd Edition

How To Get In Touch With Me
- Twitter: @DBArgenis
- Blog: http://sqlblog.com/blogs/argenis_fernandez (tag: Security)
- E-Mail: Argenis@SurveyMonkey.com
- PASS Security Virtual Chapter: http://security.sqlpass.org
- For access to many other SQL Server professionals, use the #SQLHelp hashtag on Twitter