Limiting SQL Server Exposure
Presented by H. Ross Reed
Email: hrreed_2000@yahoo.com
Twitter: @SQLSERVGUY

About Me
- DBA for 20 years
- SQL Server (since 6.5)
- DB2
- Oracle
- Developer prior to being a DBA
- Sr. Database Administrator for The OCC
- Co-President, Chicago SQL Server Users Group

OPTIONS CLEARING CORPORATION
- SIFMU: Systemically Important Financial Market Utility
- Designation by the SEC, CFTC, FED
- We are audited to assure we meet standards for a secure environment

Exposure from Who?
- External: Internet-facing servers
- Internal exposure
  - Dishonest associate
  - The individual who is curious about the environment
  - The one who doesn't want to take the time to go through proper channels

Name this Account
This account is known for administering SQL Server and is the first account in syslogins, with an internal ID of X'01'.

SA
- With Windows Only Authentication this isn't an issue
- DBAs use a Windows authentication ID
- Disable SA
- Rename SA to a different name
  - Available since SQL 2005
  - Longer names are better
- Complex password
- Change it often

Lab Renaming and Disabling SA
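
One way to script the rename and disable steps from the SA slide, as an added example that is not part of the original deck. The replacement login name is a placeholder assumption, and the script is meant to be run by a Windows-authenticated sysadmin.

```sql
-- Added example (T-SQL). Run as a Windows-authenticated sysadmin, not as sa itself.
-- @new_name is a placeholder (assumption); pick your own long, non-obvious name.
SET NOCOUNT ON;
DECLARE @current  sysname,
        @new_name sysname = N'placeholder_long_login_name_0001',
        @pwd      nvarchar(128),
        @sql      nvarchar(max);

-- Refuse to run when connected as the login we are about to disable.
IF SUSER_SID() = 0x01
BEGIN
    RAISERROR(N'Connected as the built-in sa login; reconnect with a Windows login.', 16, 1);
    RETURN;
END;

-- Find the built-in login by SID (0x01), so this also works if it was renamed before.
SELECT @current = name FROM sys.server_principals WHERE sid = 0x01;

-- 1 = Windows Only Authentication, 0 = mixed mode (SQL logins such as sa can connect).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only_authentication;

-- Complex throwaway password: nobody needs to know it once the login is disabled.
SET @pwd = CONVERT(nvarchar(36), NEWID()) + N'#aZ' + CONVERT(nvarchar(36), NEWID());

-- ALTER LOGIN takes no variables, so build the statements with quoted identifiers.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@current) + N' WITH PASSWORD = '
         + QUOTENAME(@pwd, N'''') + N'; '
         + N'ALTER LOGIN ' + QUOTENAME(@current) + N' DISABLE; ';
IF @current <> @new_name
    SET @sql += N'ALTER LOGIN ' + QUOTENAME(@current) + N' WITH NAME = '
              + QUOTENAME(@new_name) + N';';
EXEC sys.sp_executesql @sql;

-- Verify by SID, not by name: expect the new name and is_disabled = 1.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;
```

Database and job ownership is recorded by SID, so it follows the rename; scripts that hard-code the name sa need to be updated.
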
OS Rights Needed by Instance Account
- Does not need to be Local System Administrator and should not be.
- Installer will automatically grant the rights needed.
- SQL Server Configuration Manager will grant the same rights when used to change the Instance ID.
- Rights needed
  - Logon as a Service
  - Replace process level token
  - Adjust memory quotas for a process
- More information can be found here: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions

Instance Account Additional
- Use a domain ID, and use a different ID for each instance and each SQL Server service.
Don't do this!!!

SYSADMIN Fixed Server Role
- When installing, make sure DBAs are installed in SYSADMIN
- Most powerful role on the instance
- Most system stored procedures check whether the ID running is SYSADMIN and then bypass security checks
- Third-party applications: "We need to run as SYSADMIN"
  - Probably don't need that level of security to run, just to install
  - Probably run as DB owner

What is Default TCP/IP Port for SQL Server
Change Default Port Number
- Change to a port number other than the well-known port for the TCP protocol

Named Pipes Vs TCP/IP
- TCP/IP supports Kerberos authentication, a better security protocol than NTLM
- Named Pipes has to use NTLM
- Usually Named Pipes and TCP/IP aren't both needed, so disable Named Pipes

Disable Named Pipes
Hide an Instance
- Hides the instance from the network
- Won't display in the dropdown box

Before and After Hiding Instance
Disable SQL Server Browser
- Has information on the instance name and port number of instances
- Allows connecting with ServerName\InstanceName

Connection To Instance
- Server Name,Port
- HRREED,4050

Surface Area Configuration Settings Remain Disabled
- OLE Automation: the sp_OA stored procedures can be used to access OS files (sp_OACreate, sp_OADestroy, sp_OAMethod, sp_OASetProperty, sp_OAGetProperty)
- xp_cmdshell: executes DOS shell commands using the service account's rights
- Ad hoc remote queries: use a linked server, SSIS, or PowerShell instead
- Database Mail XPs, SQL Mail XPs: allow a user to send emails

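
A check for the settings on this slide, as an added example that is not part of the original deck: it reports the current state of each option and switches off any that are enabled. Only the option names come from sp_configure; everything else is illustrative.

```sql
-- Added example (T-SQL): report the surface-area options and disable any that are on.
SET NOCOUNT ON;
IF OBJECT_ID('tempdb..#surface') IS NOT NULL DROP TABLE #surface;

-- value = configured setting, value_in_use = what the instance is running with.
SELECT name,
       CONVERT(int, value)        AS configured,
       CONVERT(int, value_in_use) AS running
INTO #surface
FROM sys.configurations
WHERE name IN (N'Ole Automation Procedures', N'xp_cmdshell',
               N'Ad Hoc Distributed Queries', N'Database Mail XPs',
               N'SQL Mail XPs');   -- SQL Mail exists only on older versions

SELECT name, configured, running FROM #surface ORDER BY name;

-- These are advanced options, so expose them first and remember the old setting.
DECLARE @show_adv int, @name nvarchar(35);
SELECT @show_adv = CONVERT(int, value)
FROM sys.configurations WHERE name = N'show advanced options';
EXEC sys.sp_configure @configname = 'show advanced options', @configvalue = 1;
RECONFIGURE;

DECLARE enabled_opts CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM #surface WHERE configured <> 0 OR running <> 0;
OPEN enabled_opts;
FETCH NEXT FROM enabled_opts INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sys.sp_configure @configname = @name, @configvalue = 0;
    FETCH NEXT FROM enabled_opts INTO @name;
END;
CLOSE enabled_opts;
DEALLOCATE enabled_opts;
RECONFIGURE;

-- Put 'show advanced options' back the way it was found.
EXEC sys.sp_configure @configname = 'show advanced options', @configvalue = @show_adv;
RECONFIGURE;

-- After the change every row should show 0 / 0.
SELECT name, CONVERT(int, value) AS configured, CONVERT(int, value_in_use) AS running
FROM sys.configurations
WHERE name IN (SELECT name FROM #surface);
```
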
Guest Account
- Any user who can connect to the server has access to a database where Guest is enabled
- Master, MSDB, TempDB require the Guest user enabled
- Disable Guest in the Model database so that user databases created will have Guest disabled
- Revoke Connect from guest

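
The guest check from this slide, as an added example that is not part of the original deck: it revokes CONNECT from guest in model, then lists every online database and whether guest can still connect. The temp table and column names are illustrative.

```sql
-- Added example (T-SQL): disable guest in model, then audit guest in every database.
USE model;
GO
REVOKE CONNECT FROM guest;   -- new user databases are copied from model
GO
SET NOCOUNT ON;
IF OBJECT_ID('tempdb..#guest') IS NOT NULL DROP TABLE #guest;
CREATE TABLE #guest (database_name sysname NOT NULL, guest_can_connect bit NOT NULL);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Guest is "enabled" when it holds a granted CONNECT permission in the database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT #guest (database_name, guest_can_connect)
        SELECT DB_NAME(),
               CASE WHEN EXISTS (
                    SELECT 1
                    FROM sys.database_permissions AS p
                    JOIN sys.database_principals  AS u
                      ON u.principal_id = p.grantee_principal_id
                    WHERE u.name = N''guest''
                      AND p.permission_name = N''CONNECT''
                      AND p.state IN (''G'', ''W''))
               THEN 1 ELSE 0 END;';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- master, msdb and tempdb keep guest; anything else with guest enabled needs a revoke.
SELECT database_name, guest_can_connect,
       CASE WHEN database_name IN (N'master', N'msdb', N'tempdb') THEN N'guest required'
            WHEN guest_can_connect = 1 THEN N'run: REVOKE CONNECT FROM guest'
            ELSE N'ok' END AS action
FROM #guest
ORDER BY guest_can_connect DESC, database_name;
```
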
Backups
- Encrypt backups
  - Transparent Data Encryption
  - Third-party tools
    - Quest Litespeed
    - Redgate Backup
    - Idera SQL Safe Backup
- Use virtual tape instead of physical tape
  - Data Domain
- Guard access to backups: access to the file system should be restricted

Policy Based Management
- Introduced with SQL Server 2008
- Allows the DBA to create conditions and policies to block changes or report changes

Lab # 2 Policy Based Management
Auditing - Scan Error Log
- Look in the error log for login failures
- Make sure the setting is set to capture failed logins
- A restart is required for the change in login auditing to take effect

Server Side Auditing
- Available since SQL Server 2008
- Allows auditing logins and other items such as schema changes

Login Failures using Server Side Auditing
- Defining the audit
- Choices for destination: File, Application Log, Security Log

Login Audits More than Failures
Lab # 3 Set up Audit for Login Failures and Changes
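
A server-side audit for login failures and login changes, with queries to read it back, as an added example that is not the lab script from the original deck. The audit name, specification name and the D:\SQLAudit\ folder are placeholder assumptions.

```sql
-- Added example (T-SQL). [LoginAudit], [LoginAuditSpec] and D:\SQLAudit\ are placeholders.
USE master;
GO
-- Destination is a file here; TO APPLICATION_LOG and TO SECURITY_LOG are the other choices.
CREATE SERVER AUDIT [LoginAudit]
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]
FOR SERVER AUDIT [LoginAudit]
    ADD (FAILED_LOGIN_GROUP),               -- login failures
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created, altered or dropped
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),      -- password changes and resets
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- for example, additions to sysadmin
    ADD (AUDIT_CHANGE_GROUP)                -- someone altering or stopping an audit
WITH (STATE = ON);
GO
-- Nothing is written until the audit itself is switched on.
ALTER SERVER AUDIT [LoginAudit] WITH (STATE = ON);
GO
-- Failed logins in the last 24 hours, noisiest login names first (event_time is UTC).
SELECT server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen_utc,
       MAX(event_time) AS last_seen_utc
FROM sys.fn_get_audit_file(N'D:\SQLAudit\LoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name
ORDER BY failures DESC;
GO
-- Everything else the specification captured: who changed which login or role, and how.
SELECT event_time, action_id,
       server_principal_name        AS changed_by,
       target_server_principal_name AS changed_login,
       statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\LoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id <> 'LGIF'
ORDER BY event_time DESC;
```
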
Schema Changes

    -- The server audit [SchemaChangeTrack] must already exist (CREATE SERVER AUDIT)
    -- before this specification can be created.
    CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecification]
    FOR SERVER AUDIT [SchemaChangeTrack]
        ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
        ADD (DATABASE_PERMISSION_CHANGE_GROUP),
        ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
        ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
        ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
        ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP),
        ADD (DATABASE_CHANGE_GROUP),
        ADD (DATABASE_OBJECT_CHANGE_GROUP),
        ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
        ADD (SCHEMA_OBJECT_CHANGE_GROUP),
        ADD (SERVER_OBJECT_CHANGE_GROUP),
        ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
        ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
        ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
        ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP)
    WITH (STATE = ON)
    GO

Separation of Duties
- Windows System Administrator
  - Installs SQL Server
  - Patches SQL Server
- Security Administrator
  - Creates instance ID
  - Creates SQL-authenticated ID
- Database Administrator
  - Responsible for backup and recovery
  - Schema changes

Some Things External to SQL Server
- Segregation of networks
  - Separate Production / Test / Dev
  - Separate network for IoT
    - Heating and air conditioning
    - Target Stores

Sources
- Securing SQL Server, Denny Cherry
- Center for Internet Security: https://www.cisecurity.org/cis-benchmarks/
- Pinal Dave: https://blog.sqlauthority.com