Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Chapter 7 HARDENING SERVERS.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Understanding Networks I. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Access Control in IIS 6.0 Windows 2003 Server Prepared by- Shamima Rahman School of Science and Computer Engineering University of Houston - Clear Lake.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Administering Your.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Week 2 - Installation SQL SERVER2000 ENTERPRISE EDITION INSTALLATION.
Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Chapter 7: Using Windows Servers to Share Information.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
DONE-10: Adminserver Survival Tips Brian Bowman Product Manager, Data Management Group.
Module 4: Add Client Computers and Devices to the Network.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Troubleshooting Windows Vista Security Chapter 4.
Learningcomputer.com SQL Server 2008 Configuration Manager.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
Module 11: Remote Access Fundamentals
1 SQL Server 2000 Administration Kashef Mughal MSB.
Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.
Securing ColdFusion and IIS David T Watts, CTO, Fig Leaf Software 28 July 2001.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
Module 4 : Installation Jong S. Bok
Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.
Using Encryption with Microsoft SQL Server 2000 Kevin McDonnell Technical Lead SQL Server Support Microsoft Corporation.
Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.
Computer Networking From LANs to WANs: Hardware, Software, and Security Chapter 13 FTP and Telnet.
Module 11: Securing a Microsoft ASP.NET Web Application.
Slide 1 ASP Authentication There are basically three authentication modes Windows Passport Forms There are others through WCF You choose an authentication.
REALLY HACKING SQL SERVER 2000 Less Theory – More Action Jasper Smith.
Database as a networked server DB at the centre of the network Network Access Map for DB environment Tracking of tools and apps Remove unnecessary network.
2. SQL Security Objectives –Learn SQL Server 2000 components Contents –Understanding the Authentication Process –Understanding the Authorization Process.
TCOM Information Assurance Management System Hacking.
1 Chapter Overview Planning to Install SQL Server 2000 Deciding SQL Server 2000 Setup Configuration Options Running the SQL Server 2000 Setup Program Using.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Esri UC 2014 | Technical Workshop | Administering Your Microsoft SQL Server Geodatabase Shannon Shields Chet Dobbins.
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Endpoints Lesson 17. Skills Matrix Endpoints Endpoints provide a reliable, securable, scalable messaging system that enables SQL Server to communicate.
Free Powerpoint Templates Page 1 Free Powerpoint Templates Chapter 4- Server Configuration.
IS 4506 Windows NTFS and IIS Security Features.  Overview Windows NTFS Server security Internet Information Server security features Securing communication.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter 7: Using Windows Servers
Working at a Small-to-Medium Business or ISP – Chapter 8
Securing Data with SQL Server 2016
Module Overview Installing and Configuring a Network Policy Server
Chapter 5 : Designing Windows Server-Level Security Processes
Securing the Network Perimeter with ISA 2004
Configuring and Troubleshooting Routing and Remote Access
Introduction to SQL Server 2000 Security
Implementing TMG Server Publishing
Limiting SQL Server Exposure
Limiting SQL Server Exposure
Designing IIS Security (IIS – Internet Information Service)
We Need To Talk Security
Presentation transcript:

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

What’s this presentation about?  What kinds of security problems may occur with SQL Server?  How can you configure your SQL Server to be secure?  What do you have to do within your applications to keep SQL Server secure?

About SQL Server  Lots of functionality  Easy to use and manage, compared to other products  Originally popular as a workgroup product, but aimed at enterprise use  Not “secure by default”  Not just used on “database servers”, but often bundled with other products

Security problems  Buffer overflows – typically do not require authorization for success.  SQL injection – attacker can run arbitrary SQL commands through client application with rights of that application.

Security  Installation and initial configuration  Network connectivity  Trusted and untrusted connections  Database logins, roles, and rights  Application security  Data validation

Installation and initial configuration  Service user accounts  Filesystem ACLs  Default roles and permissions within SQL Server  Control access to system and extended stored procedures  Drop sample databases

User accounts  SQL Server and SQL Server Agent may run as SYSTEM, or as specific users.  SQL Server should run as a low-privilege local user account.  SQL Server Agent may need to be a domain account, if replication or other network functionality is being used.

User account configuration  During install, specific user accounts can be chosen.  The installer will grant those accounts the necessary rights to run SQL Server and related processes.  It will also grant filesystem and registry ACLs needed to run SQL Server.  You will need to create the accounts before installation.

SQL Server 2000 on Windows Server 2003  Requires SQL Server 2000 SP2 or higher.  During installation, you can’t choose a lower-privilege user account!  You will need to manually set ACLs and account rights yourself!  Documentation available on MS site, SQL Security site.

Network topology  SQL Server should not be exposed on the public Internet.  If possible, it should only be available to the web server(s) using it and to internal administrative workstations.  If it needs to be exposed, exposure should be limited to specific IP addresses or through VPN.

User authentication  SQL Server supports two types of connections:  Windows Authentication (“trusted”)  SQL Server logins (“untrusted”)

Trusted connections  Generally recommended best practice.  Windows Authentication uses existing Windows accounts.  Takes advantage of built-in Windows security functionality:  Account management  Password management  Auditing

Trusted connections, cont’d  Windows Authentication uses the security context of the client process.  With CF, this means the CF service account would be used for authentication.  The Windows password is not transferred between the client and server.

Untrusted connections  Native SQL Server logins do not rely on Windows security.  Most CF applications use native SQL Server logins.  Usernames and passwords are passed as slightly obfuscated text.

Untrusted connections, cont’d  SSL can be used between web server and database server to protect credentials from being sniffed.

CF and SQL Server authentication  CFMX doesn’t support trusted connections with the included JDBC driver.  The latest version of DataDirect Connect for JDBC does support trusted connections.  Using trusted connections would require that the CF Server account have rights to all databases used by a web server.  Impractical unless hosting a single application, or using multiple instances.

Network connectivity  Supported protocols  TCP/IP  IPX/SPX  Named Pipes  TCP/IP is MS recommended choice.  By default, connections between clients and servers use plaintext!

Demonstration  Viewing database connection information for untrusted connections

Encryption options for database connections  By default, connections between clients and servers use plaintext.  TCP/IP and SSL  Multiprotocol  CF 5 vs CFMX  CF 5 uses ODBC functionality  CFMX uses DataDirect JDBC drivers

TCP/IP default listening ports  TCP/1433 – client connections  UDP/1434 – discovery  TCP/2433 – client connections if “hide server” option enabled.  If named instances of SQL Server are installed, each will listen on a different, user-defined port instead of TCP/1433.

Ports, cont’d  UDP/1434 can and should be blocked for production servers.  The server can be manually configured to listen on a port other than TCP/1433.  This will limit the effectiveness of worms attacking exposed servers.

Users and roles within SQL Server  PUBLIC should be denied access to database objects.  Create new logins for your applications, and grant them rights to specific tables and other database objects.

Roles  Server roles  sysadmin  backup  security admin  Database roles  db owner  db_datareader  db_datawriter

SQL injection  Attacker sends arbitrary SQL commands through your application.  Attacker uses error messages (or simply times results) to determine success.

Demonstration  SQL injection attack

Input filtering  CFQUERYPARAM  Stored procedures

Resources  SQL Security:  MS Technet Security:  DataDirect Connect for JDBC:

Conclusion  If you have any questions, contact me:  Thank you!