OPASS – March 8, 2012
K. Brian Kelley, MCSE, CISA, Security+, MVP-SQL Server
The Dirty Business of Auditing: Auditing SQL Server (2000 – 2008R2)


My Background
- Database Administrator / Architect
- Infrastructure and security architect
- Incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Co-author of:
  - How to Cheat at Securing SQL Server 2005 (Syngress)
  - Professional SQL Server 2008 Administration (Wrox)
  - Introduction to SQL Server (Texas Publishing)

Contact Information
- Mail:
- Blogs: SQL Server Central

Agenda for Tonight
- Why auditors can't audit SQL Server: "Tag, you're it"
- SQL Server surface area
- Server-level auditing
- Database-level auditing

Information Disclosure Issue
- SQL Server 2000: with access to the database, you can audit. But so can anyone… Catch-22.
- SQL Server 2005+: you must have permissions on an object to see it.
- Recommendation: automate the auditing. Use a service account with the proper permissions.

Surface Area – From Remote
- Quest Discovery Wizard
- SQL Ping
- Microsoft Assessment and Planning (MAP) tool
- nmap
- General scanners: Qualys, Nessus

Surface Area – On the Server
- SQL Server 2000: SQL Server Server Network Utility
- SQL Server 2005 only: SQL Server Surface Area Configuration
- SQL Server 2005 and above: SQL Server Configuration Manager

What to Look For
- What network protocols are enabled
- What ports SQL Server is listening on
- Whether remote connections are allowed
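The Configuration Manager and Surface Area Configuration tools answer the three questions above by clicking through the GUI. The following T-SQL is an added example (not from the deck) that answers them from inside a SQL Server 2005 or later instance, which is what you want when the audit is automated under a service account as the deck recommends. It assumes that account holds VIEW SERVER STATE (for sys.dm_exec_connections) and VIEW ANY DEFINITION (for the endpoint and configuration views); SQL Server 2000 lacks these catalog views, so there the Server Network Utility remains the source.

```sql
-- Added example (not part of the presentation): enumerate the network surface
-- area of a SQL Server 2005+ instance from inside the instance.

-- 1. TCP endpoints: whether the port is static or dynamic, which IP it binds,
--    and whether the DAC endpoint (is_admin_endpoint = 1) is listening.
SELECT name,
       state_desc,
       is_admin_endpoint,
       port,
       is_dynamic_port,
       ip_address
FROM sys.tcp_endpoints;

-- 2. Every endpoint regardless of protocol (TCP, named pipes, shared memory,
--    VIA, HTTP/SOAP), so a protocol nobody expected does not go unnoticed.
SELECT name,
       protocol_desc,
       type_desc,
       state_desc
FROM sys.endpoints
ORDER BY protocol_desc, name;

-- 3. What is actually in use right now: transport, local address and port per
--    connection. A dynamic port shows its real value here even though
--    sys.tcp_endpoints reports is_dynamic_port = 1 with port = 0.
SELECT net_transport,
       protocol_type,
       local_net_address,
       local_tcp_port,
       COUNT(*) AS connections
FROM sys.dm_exec_connections
GROUP BY net_transport, protocol_type, local_net_address, local_tcp_port
ORDER BY net_transport, local_tcp_port;

-- 4. "remote admin connections" controls whether the DAC accepts connections
--    from other machines; value_in_use = 1 means remote DAC is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'remote admin connections';
```

Query 3 only reflects connections open at the moment it runs, so treat it as confirmation of what queries 1 and 2 report rather than as the inventory itself; the remote scanners listed on the previous slide give the outside-in view that closes the loop.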

Server Level Concerns
- SQL Server 2000 and above
- SQL Server 2005 and above

All Versions
- Logins: SQL Server logins, Windows users, Windows groups
- Server roles

What to Look For
- Windows users (not service accounts)
- A lot of SQL Server logins
- Members of: sysadmin, securityadmin, serveradmin, processadmin
- Use of sa or sysadmin-level accounts
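The login and server-role checks on the two slides above can be pulled straight from the security catalog. This is an added example (not from the deck): part 1 uses the SQL Server 2005+ catalog views, part 2 the SQL Server 2000 master..syslogins view, whose integer flag columns carry fixed-role membership. Whether a Windows user login is a service account is not something the catalog records, so query 1b produces the candidate list for you to reconcile against the known service accounts by hand.

```sql
-- Added example (not part of the presentation): login inventory and fixed
-- server role membership.

-- Part 1: SQL Server 2005 and later ------------------------------------------

-- 1a. Logins by type: S = SQL login, U = Windows user, G = Windows group.
--     A large SQL-login count, or many individual Windows users instead of
--     groups, are the review items from the slide.
SELECT type_desc, COUNT(*) AS logins
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND name NOT LIKE '##%'          -- exclude internal ##MS_...## logins
GROUP BY type_desc;

-- 1b. Individual Windows user logins. Reconcile this list against the known
--     service accounts; anything left over should normally come in via a group.
SELECT name, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'U'
ORDER BY name;

-- 1c. Members of the high-privilege fixed server roles named on the slide.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- Part 2: SQL Server 2000 ----------------------------------------------------
-- master..syslogins exposes fixed-role membership as integer flag columns and
-- the login type through isntuser / isntgroup.
SELECT name,
       CASE WHEN isntgroup = 1 THEN 'Windows group'
            WHEN isntuser  = 1 THEN 'Windows user'
            ELSE 'SQL login' END AS login_type,
       sysadmin, securityadmin, serveradmin, processadmin
FROM master..syslogins
WHERE sysadmin = 1 OR securityadmin = 1
   OR serveradmin = 1 OR processadmin = 1
ORDER BY name;
```

For the "use of sa or sysadmin-level accounts" item, the role list tells you who could be using such an account; pairing it with a login audit (login auditing set to failed and successful in the server properties, or a trace on the Audit Login event) shows who actually does.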

SQL Server 2005 and Above
- Server-level securables
- DAC (remote)
- OLE Automation
- SQL Mail
- xp_cmdshell
- Password policy enforcement
- Impersonation of logins

Visualizing Securables

What to Look For (2005+)
- Everything in the all-versions list
- CONTROL permission at the server level
- IMPERSONATE on sa or sysadmin logins
- SQL logins without full password policy enforcement: no enforcement at all, or password never expires
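The 2005+ findings on the two slides above (surface-area options, CONTROL SERVER, IMPERSONATE on privileged logins, password policy) all live in catalog views. This added example (not from the deck) queries them; it assumes the auditing account can read the server security catalog (VIEW ANY DEFINITION or better). It checks IMPERSONATE against principal_id 1 rather than the name 'sa', because sa keeps principal_id 1 even when it has been renamed.

```sql
-- Added example (not part of the presentation): SQL Server 2005+ server-level
-- checks for the "What to look for (2005+)" and "2005 and above" slides.

-- 1. Who holds CONTROL SERVER? It is sysadmin-equivalent without showing up in
--    the role membership list, so it is easy to miss.
SELECT p.name AS grantee, p.type_desc, sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100                         -- 100 = SERVER scope
  AND sp.permission_name = 'CONTROL SERVER'
  AND sp.state IN ('G', 'W');                -- GRANT / GRANT WITH GRANT OPTION

-- 2. IMPERSONATE on sa or on any sysadmin member: the grantee can EXECUTE AS
--    that login and run with its rights.
WITH sysadmins AS (
    SELECT m.principal_id
    FROM sys.server_role_members rm
    JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = 'sysadmin'
)
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = sp.major_id
WHERE sp.class = 101                         -- 101 = SERVER_PRINCIPAL scope
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W')
  AND (target.principal_id = 1               -- sa, whatever it is named now
       OR target.principal_id IN (SELECT principal_id FROM sysadmins));

-- 3. SQL logins without full password policy enforcement. is_policy_checked
--    covers complexity and lockout, is_expiration_checked covers expiry;
--    either being 0 is a finding from the slide.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE name NOT LIKE '##%'
  AND (is_policy_checked = 0 OR is_expiration_checked = 0)
ORDER BY name;

-- 4. Surface-area options from the "2005 and above" slide.
--    value_in_use = 1 means the feature is currently enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'SQL Mail XPs',
               'Database Mail XPs',
               'remote admin connections')
ORDER BY name;
```

Query 3 deliberately lists both flags: a login created with CHECK_POLICY = ON but CHECK_EXPIRATION = OFF is the common half-enforced case the slide calls out as "password never expires".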

Database Level Concerns
- SQL Server 2000 and above
- SQL Server 2005 and above

All Versions
- How database users map to server logins
- Use of the guest user (except in system DBs)
- Database owner (maps as dbo)
- Members of database roles: db_owner, db_ddladmin, db_securityadmin
- Database-level permissions (CREATE)

SQL Server
- Permissions at the database securable level
- Permissions at the schema securable level
- Encryption key escrow

What to Look For
- Use of the database owner by an application
- Use of db_owner by an application
- End users with too many rights
- Developers in the following roles in production: db_owner, db_ddladmin, db_securityadmin
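The database-level items on the three slides above (user-to-login mapping, guest, database owner, role membership, database- and schema-scope permissions, and what encryption keys exist to escrow) can be collected per database with one script. This is an added example (not from the deck), written against the SQL Server 2005+ catalog views; it assumes it is run in the context of the database being audited (USE the database first) by an account that can read that database's security catalog.

```sql
-- Added example (not part of the presentation): database-level audit queries
-- for SQL Server 2005+. Run once in each user database.

-- 1. Database owner. The owner's login connects as dbo with full rights, so an
--    application using that login effectively owns the database.
SELECT DB_NAME() AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases d
WHERE d.database_id = DB_ID();

-- 2. How database users map to server logins. A NULL login_name means the
--    user's SID matches no login (an orphaned user).
SELECT dp.name AS user_name,
       dp.type_desc,
       sp.name AS login_name
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
  AND dp.name NOT IN ('INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name;

-- 3. Is guest usable? It is whenever guest holds CONNECT. Expected only in
--    master, tempdb and msdb.
SELECT DB_NAME() AS database_name,
       CASE WHEN EXISTS (
            SELECT 1 FROM sys.database_permissions
            WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
              AND permission_name = 'CONNECT'
              AND state IN ('G', 'W'))
            THEN 'ENABLED' ELSE 'disabled' END AS guest_status;

-- 4. Members of the high-privilege fixed database roles. Compare the list
--    against developer and application accounts for the production finding.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_ddladmin', 'db_securityadmin')
ORDER BY r.name, m.name;

-- 5. Permissions granted directly at database scope (class 0, e.g. CREATE
--    TABLE) and schema scope (class 3, e.g. ALTER or CONTROL on a schema).
SELECT p.name AS grantee,
       dpm.class_desc,
       CASE dpm.class WHEN 3 THEN SCHEMA_NAME(dpm.major_id)
                      ELSE DB_NAME() END AS securable,
       dpm.permission_name,
       dpm.state_desc
FROM sys.database_permissions dpm
JOIN sys.database_principals p ON p.principal_id = dpm.grantee_principal_id
WHERE dpm.class IN (0, 3)
  AND dpm.permission_name <> 'CONNECT'
ORDER BY p.name, dpm.class_desc, dpm.permission_name;

-- 6. Encryption keys present in the database. Each one is something the key
--    escrow process must have backed up (the DMK appears in sys.symmetric_keys
--    as ##MS_DatabaseMasterKey##).
SELECT name, key_length, algorithm_desc, create_date
FROM sys.symmetric_keys;

SELECT name, subject, expiry_date, pvt_key_encryption_type_desc
FROM sys.certificates;
```

Query 2 is the one that bridges the server-level and database-level halves of the audit: joining its login_name column to the sysadmin and CONTROL SERVER findings shows which database users are privileged at the server anyway, which is usually how an "end user with too many rights" turns out to have them.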

Questions & Answers