The Dirty Business of Auditing

Slides:



Advertisements
Similar presentations
Managing User, Computer and Group Accounts
Advertisements

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security Managing Users and Security Models.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Using Security Best Practices to Lockdown Your Databases and Applications K. Brian Kelley Charlotte SQL Server User Group 17 February 2009.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Chapter 7: WORKING WITH GROUPS
[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
SQL Server Security By Mattias Lind For PASS Security VC.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.
O PASS – M ARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)
Securing SQL Server 2005 Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
Database Role Activity. DB Role and Privileges Worksheet.
Managing Local Users & Groups. OVERVIEW Configure and manage user accounts Manage user account properties Manage user and group rights Configure user.
Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.
Security fundamentals Topic 2 Establishing and maintaining baseline security.
INTRO TO SQL SERVER SECURITY By Robert Biddle
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
1 Chapter Overview Granting Database-Specific Permissions Using Application Roles Designing an Access and Permissions Strategy.
SQL Server Security Basics Starting with a good foundation Kenneth Fisher
Secure Data Access with SQL Server 2005 Doug Rees Associate Technologist, CM Group
SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations
Performing a SQL Server Security Risk Assessment K. Brian Kelley, Microsoft Data Platform (SQL Server) MVP.
Defense In Depth: Minimizing the Risk of SQL Injection
SQL Implementation & Administration
Building a Home Grown Auditing Infrastructure for SQL Server
Administrating a Database
Secure Connected Infrastructure
Stop Those Prying Eyes Getting to Your Data
Microsoft SQL Server 2014 for Oracle DBAs Module 8
Performing a SQL Server Security Risk Assessment
Chapter 5 : Designing Windows Server-Level Security Processes
SQL Server Security For Everyone
Introduction to SQL Server 2000 Security
Common Security Mistakes
Designing Database Solutions for SQL Server
SQL Server Security Mistakes Everyone Makes
Code-Less Securing of SQL Server
Limiting SQL Server Exposure
SQL Server Security from the ground up
SQL Server Security 101 How did you get in here, and
Limiting SQL Server Exposure
Implementing Database Roles in the Enterprise Geodatababse
Back-End Data Security
Copyright © 2013 – 2018 by Curt Hill
PT2520 Unit 8: Database Security I
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
BACHELOR’S THESIS DEFENSE
SQL Server Security 101 How did you get in here, and
Designing IIS Security (IIS – Internet Information Service)
Administrating a Database
SQL Server Security from the ground up
We Need To Talk Security
Presentation transcript:

The Dirty Business of Auditing Auditing SQL Server K. Brian Kelley PASS Security Virtual Chapter

Short Bio Database Administrator / Architect Infrastructure and security architect Incident response team lead Certified Information Systems Auditor (CISA) SQL Server security columnist / blogger

Contact Information Mail: kbriankelley@acm.org Twitter: @kbriankelley Blogs: https://truthsolutions.wordpress.com/ https://gkdba.wordpress.com/

Agenda for Today SQL Server (and OS) Surface Area Server Level Auditing Database Level Auditing

Surface area concerns “Outside” of SQL Server

What to look for (OS) Who are the members of local Administrators? What shares are exposed? What other applications are installed? Is the server being properly patched and maintained?

What to Look For (specific to SQL Server) What network protocols are you using? What ports is SQL Server is listening on? Are remote connections allowed? Are you configured for Kerberos authentication? Are you using encrypted connections?

Questions to ask What needs to connect to SQL Server? How does it need to connect? What risk is there for the personnel in Administrators? What risk do the other apps pose?

Things to consider Can I restrict network access to just the SQL Server port? Can I reduce the # of admins on the server? Can I remove any of the additional applications? If the server isn’t patched properly, how do you get it so?

Server Level Concerns “Inside” SQL Server

Server level security Logins Roles Permissions

What to Look For in logins Windows users (not service accounts) A lot of SQL Server logins Windows logins that no longer exist (requires lookup against Active Directory) Non-hardened sa account (active & not re-named)

Logins a little deeper Password policy enforcement (SQL Logins) Server role membership Server-level permissions

More on Server Roles Look for User-Defined Server Roles Check for Permissions Determine if any “replace” the built-in roles

Visualizing Permissions

Diving into Permissions CONTROL permission at Server level IMPERSONATE of sa or sysadmin logins Remember inheritance of permissions because of scopes

Questions to Ask Who needs to connect? What permissions are actually needed? Do the cascading permissions cause issues at the DB level?

Things to consider Goal is the Principle of Least Privilege Legitimate user accounts are targets Undocumented permissions / roles could be a sign of malicious activity, but not necessarily.

Database Level Concerns User Databases

Database First Steps How database users map to server logins Use of guest user (except system DBs) Database Owner (according to sys.database_principals) Database Owner (according to sys.databases)

Database roles Fixed roles User-defined roles db_owner db_securityadmin db_ddladmin db_datareader db_datawriter User-defined roles Check permissions Check nesting

Carry those to permissions Permissions at database securable level Permissions at schema securable level

If Encryption is involved Key Escrow Who has permissions? VARBINARY and NVARCHAR columns

Questions to ask If an application uses a login that’s the database owner, does it need to? Corollary: 3rd party product – Will the 3rd party support? Do end users have too many permissions? Do service accounts have too many permissions?

Things to consider If db_datareader and db_datawriter are in use, can user- defined roles with explicit permissions be used? Who has access to sensitive data? If permissions are identified as too much, how can the model be simplified and permissions tightened?

Agenda for Today SQL Server (and OS) Surface Area Server Level Auditing Database Level Auditing

Questions? Mail: kbriankelley@acm.org Twitter: @kbriankelley Blogs: https://truthsolutions.wordpress.com/ https://gkdba.wordpress.com/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.