Slide 1: Defense In Depth: Minimizing the Risk of SQL Injection
Rob Kraft
Slide 2: Rob Kraft
I confess. I’m a developer, not a DBA.
- Independent Consultant
- Primarily a Software Architect and Project Manager
- SQL Server DBA since Version 4.2
- Co-authored books on SQL Server 7
- Taught classes on SQL Server
- From Lee’s Summit, MO
Rob Kraft – SQL Saturday Kansas City in 2015
Slide 3: The Scenario
- Your first week on the job as junior DBA and the senior DBA gets fired
- The company is concerned he did something malicious
- They want you to find out if the company is exposed to SQL Injection
- What is vulnerable? Document it, fix it, prevent it from happening again.
Slide 4: Learn about SQL Injection
- A good ten minute video, all demo, no speaker
- Troy Hunt teaches a three year old about SQL Injection; a good seven minute video
- A very good five hour training course
Slide 5: What is SQL Injection?
SQL Injection lets hackers run their own carefully crafted SQL against the database.
Slide 6: What Can Hackers Do?
The application expects this:
But the hacker enters this:
To SQL, they look like this:
Slide 7: Can They Do More Than Query Data?
- They can Update data
- They can Insert data
- They can Delete data
- They can query to learn the database structure
- They can query to learn the data in any table
Slide 8: Isn’t This Hard for Hackers?
- Unfortunately the answer is usually NO!
- Automated tools make it easy
Slide 9: Could it get any worse?
- They can alter table structures
- They can drop tables
- They can drop databases
- They can stop SQL Server
Slide 10: Surely it Can’t Get Any Worse!
But it can!
- Connect to other computers on the network
- Download Malware from the Internet
- Run the Malware
- Create user accounts in the Domain
Slide 11: Let’s look at some examples
DEMO TIME
Slide 12: What Can We Do About It?
- Secure the Services
- Turn off xp_cmdshell
- Limit the permissions on the database connection strings
- Write code to prevent SQL Injection
- Use IIS, Firewalls and other appliances to filter SQL Injection
- Monitor our systems
Slide 13: Secure the Services
Limit the OS permissions of the account running SQL Server Services
Slide 14: Secure the Services
Avoid:
- Local System
- An AD Administrator account
- Network Service
- A non-MSA AD account for SQL Server
Use a “Managed Service Account”:
- Permissions tailored for SQL Server
- Password of account managed by AD
- Don’t share Account with other Services
Slide 15: Secure the Services
Use SQL Server Configuration Manager to set Services Accounts
Slide 16: Disable Features in SQL Server
- Turn off xp_cmdshell
  - At least set up a proxy account for it
- Disable ‘CLR Enabled’
- Disable SSIS, SSRS, or any other applications that are installed but not used
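The T-SQL below is an added example, not code from Rob Kraft’s deck: it shows the current state of the surface-area options the slide names, turns xp_cmdshell and CLR off, and, for the case where xp_cmdshell must stay on, configures the proxy account the slide mentions. The proxy Windows account and password are placeholders. Disabling SSIS or SSRS is done at the Windows service level (Configuration Manager or Services), not in T-SQL, so it is not shown here.

```sql
-- Added example (not from the presentation). Requires ALTER SETTINGS
-- (sysadmin or serveradmin). xp_cmdshell and clr enabled are "advanced"
-- options, so they are only visible to sp_configure after this switch.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Current state. value_in_use is what the running instance actually honors;
-- value is what the next RECONFIGURE would apply.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures');

-- Turn off the two features the slide calls out
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'clr enabled', 0;
RECONFIGURE;

-- Fallback when xp_cmdshell cannot be disabled: make non-sysadmin callers
-- run shell commands under a low-privilege proxy account rather than the
-- SQL Server service account. Account and password below are placeholders.
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\svc_cmdshell_proxy', 'placeholder-password';
-- EXEC sp_xp_cmdshell_proxy_account NULL;   -- removes the proxy again

-- Hide the advanced options again when finished
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Members of sysadmin still run xp_cmdshell as the service account even when a proxy is set, which is why the slides pair this with a non-admin connection string and a restricted service account.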
Slide 17: Limit the Connection String
- Don’t use sa or an admin account for connection strings
- Don’t allow sa or admin conn strings in development or test either
- Limit what the connected users can do to what they need to do
- Use stored procs for all data modifications
Slide 18: Connection String Challenges
- Windows Authentication
  - Want to allow Select for reports, but only desire edits to be done through the app
- SQL Server Authentication
  - Protecting and encrypting connection strings
- The application must prevent users from doing what they are not allowed to
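As an added example for slides 17 and 18 (not part of the presentation), this T-SQL builds the two principals those slides describe: an application account that can only execute stored procedures, and a reporting account that can only read. Database, login, table and procedure names are placeholders, and the table and procedure are created here only so the permission checks at the end have something to test.

```sql
-- Added example (not from the presentation). Placeholder names throughout.
USE AppDb;
GO
-- Constructed sample objects so the checks below can run
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, LastName nvarchar(50));
GO
CREATE PROCEDURE dbo.GetCustomer @CustomerId int
AS
    SELECT CustomerId, LastName FROM dbo.Customers WHERE CustomerId = @CustomerId;
GO

-- 1. Application account: EXECUTE on procedures in dbo, nothing on tables.
--    Ownership chaining lets dbo-owned procedures read dbo-owned tables, so
--    the app works, but a statement that reaches the server outside a
--    procedure has no table permissions to use.
--    For Windows auth use: CREATE LOGIN [DOMAIN\svc_app] FROM WINDOWS;
CREATE LOGIN app_login WITH PASSWORD = 'placeholder-strong-password';
CREATE USER app_user FOR LOGIN app_login;
CREATE ROLE app_execute_only;
GRANT EXECUTE ON SCHEMA::dbo TO app_execute_only;
ALTER ROLE app_execute_only ADD MEMBER app_user;

-- 2. Reporting account: the "Select for reports" case. db_datareader is the
--    built-in role that grants SELECT on every table and view, nothing else.
CREATE LOGIN report_login WITH PASSWORD = 'placeholder-strong-password-2';
CREATE USER report_user FOR LOGIN report_login;
ALTER ROLE db_datareader ADD MEMBER report_user;

-- 3. Verify the boundary by impersonating each user.
--    HAS_PERMS_BY_NAME returns 1 when the permission is held, 0 when not.
EXECUTE AS USER = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Customers',   'OBJECT', 'SELECT')  AS app_select_on_table,
       HAS_PERMS_BY_NAME('dbo.GetCustomer', 'OBJECT', 'EXECUTE') AS app_execute_proc;
REVERT;

EXECUTE AS USER = 'report_user';
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') AS report_select_on_table,
       HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'UPDATE') AS report_update_on_table;
REVERT;
```

One caveat worth knowing when you rely on this: dynamic SQL run inside a procedure (EXEC or sp_executesql) breaks the ownership chain and is checked against the caller’s own permissions, so the execute-only account is also a second line of defense behind the "beware of dynamic SQL in stored procedures" advice later in the deck.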
Slide 19: Write Code Carefully
- In .Net, use parameters to pass values to the database in the SQL
- Do not manually construct SQL in code
- Beware of dynamic SQL inside of stored procedures
- Validate Input to the app
  - Is the length longer than expected?
  - Is the value the correct Data Type?
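The following is an added example (not from the deck) of the "dynamic SQL inside of stored procedures" point: a procedure that builds its statement by string concatenation next to the same procedure written with sp_executesql parameters. Table, procedure and sample rows are constructed placeholders.

```sql
-- Added example (not from the presentation). Placeholder objects.
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, LastName nvarchar(50));
INSERT INTO dbo.Customers VALUES (1, N'Smith'), (2, N'O''Brien');   -- constructed rows
GO

-- VULNERABLE: the caller's value is pasted into the statement text, so
-- whatever it contains is parsed as SQL. Even the legitimate name O'Brien
-- breaks it, because its apostrophe ends the string literal early; a value
-- crafted for that purpose can change the statement entirely.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: the statement text is a constant. The value travels to
-- sp_executesql as a typed parameter and is only ever compared, never parsed.
-- The declared type and length also act as the slide's data-type and
-- length checks at the database boundary (a longer value is cut to 50).
CREATE PROCEDURE dbo.FindCustomer @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END;
GO

-- Same input to both procedures
EXEC dbo.FindCustomer_Unsafe N'O''Brien';
EXEC dbo.FindCustomer        N'O''Brien';
```

The unsafe procedure fails on the O’Brien row with a syntax error, which is the same mechanism an injected value exploits; the parameterized one returns the row. Where the procedure does not need dynamic SQL at all, a parameter used directly in a WHERE clause needs none of this, since it is already data rather than statement text, and that is the same property .Net parameters give the application side.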
Slide 20: C# .Net Code
DEMO TIME
Note: Not just web sites, REST APIs too
Slide 21: Block Hacks Before They Get To The App
- In IIS, use URLScan or Request Filtering
- Block/Allow specific IP address ranges access to Web Server
- Purchase an Intrusion Detection System (IDS)
- Purchase an Intrusion Prevention System (IPS)
Slide 22: Keep Software Up To Date
- Apply the latest SQL Server Service Packs
- Apply Security Fixes
- Apply OS Service Packs
- Upgrade to a new OS Version
- Upgrade to a new version of SQL Server
- Update Firmware
Slide 23: Review Configurations
- Remember that developer that you gave admin privileges to while you went on vacation?
  - You forgot to revoke those privileges
  - And he gave the credentials to all the other devs
- Remember that consultant that came in and fixed the backup problem six months ago? How did he do it?
  - He moved the backup to another server and made it work by running SQL Server as LocalSystem
Slide 24: Review Configurations
- Use SQL Server Policy Based Management
  - To notify you when something changes
    - Xp_cmdshell is enabled
    - SQL Server Login Mode changes
  - To block those things from happening
- Manually review configurations
- Monitor SQL Logs, IIS Logs
- SQL Server Best Practices Analyzer
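The queries below are an added example, not part of the presentation: one review script that checks the items slides 13, 14, 23, 24 and 27 ask you to watch (surface-area options, login mode, service accounts, who holds sysadmin, and unencrypted connections). They are the checks you would put behind a Policy Based Management condition or a scheduled Agent job; the DMVs used exist in SQL Server 2008 R2 and later.

```sql
-- Added example (not from the presentation). Run per instance; any row
-- from a "findings" query is something to explain or fix.

-- 1. Surface-area options that should be off (findings)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures')
  AND value_in_use = 1;

-- 2. Login mode: 1 = Windows authentication only, 0 = mixed mode.
--    A change from 1 to 0 is the "SQL Server Login Mode changes" event.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Which Windows account each service runs as. Flag LocalSystem,
--    NT AUTHORITY\SYSTEM, domain admins, and any account shared by
--    more than one service (the consultant's LocalSystem "fix").
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 4. Every login that is a member of sysadmin
--    (the developer you gave admin to before vacation).
SELECT sp.name, sp.type_desc, sp.create_date, sp.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Sessions whose connection to SQL Server is not encrypted (findings)
SELECT session_id, client_net_address, auth_scheme, encrypt_option
FROM sys.dm_exec_connections
WHERE encrypt_option = 'FALSE';
```

Keep a dated copy of the output from each run; the difference between two runs is the change list the slide wants you to be notified about, and it is also the evidence you need when the scenario on slide 3 turns into an investigation.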
Slide 25: Security Who?
- Active Directory Admins: Set up account(s) used by services
- DBAs: Configure SQL Server, limit permissions; Encrypt data and backups
- Developers: Sanitize SQL
- Web Admins: Firewalls, IDS, and IPS
- Auditing: Review Configurations and Policies
Slide 26: Encrypt Data At Rest
- Hash Passwords
- Encrypt sensitive data
  - Requires application code
  - Makes reporting difficult
- Encrypt the entire database
  - Only prevents use of the database on other servers
- Encrypt the database backups
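As an added example (not from the deck) of the last two bullets, this T-SQL sets up an encrypted backup (SQL Server 2014 and later, the "SQL Server 2014 Backup Encryption" resource the deck lists) and Transparent Data Encryption for the whole database. Database name, certificate name, file paths and passwords are placeholders. Hashing passwords and encrypting individual columns need application code, as the slide says, and are not shown.

```sql
-- Added example (not from the presentation). Placeholder names and paths.
USE master;
GO
-- One master key and one certificate protect both backups and TDE
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'placeholder-master-key-password';
CREATE CERTIFICATE AppDbCert WITH SUBJECT = 'AppDb backup and TDE certificate';
GO

-- Back the certificate up immediately, to a location that is NOT the
-- backup share: without it an encrypted backup can never be restored,
-- and with it a stolen backup can be.
BACKUP CERTIFICATE AppDbCert
    TO FILE = 'D:\keys\AppDbCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\AppDbCert.pvk',
                      ENCRYPTION BY PASSWORD = 'placeholder-pvk-password');
GO

-- Encrypted backup: the .bak file is unreadable on any server that does not
-- hold the certificate.
BACKUP DATABASE AppDb
    TO DISK = 'D:\backups\AppDb.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = AppDbCert);
GO

-- Transparent Data Encryption: encrypts the data and log files on disk, so
-- a copied .mdf cannot be attached elsewhere. This is the slide's "only
-- prevents use of the database on other servers" point: anyone who can
-- query through the application or a valid login sees plain data.
-- (Enterprise edition feature in the versions current in 2015.)
USE AppDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE AppDbCert;
GO
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO

-- Verify: encryption_state 3 means encrypted, 2 means still in progress
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Once TDE is on, every backup of that database is encrypted with the same certificate whether or not the BACKUP statement says ENCRYPTION, so the certificate backup above is the single artifact the restore procedure has to protect.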
Slide 27: Encrypt Data In Transit
- Connection strings are encrypted
- Encrypt data between the app and the database?
- Encrypt data to/from the web server (SSL/TLS)
Slide 28: Resources
- Managed Service Accounts
- Use SQL Server, not “Local Services” to manage service accounts:
- How to run SQL Server Configuration Manager
- SQL Server Security Checklist
- SQL Server Authentication Options
- SQL Server 2016 – Always Encrypted
- SQL Server Best Practices Analyzer
- SQL Server 2014 Backup Encryption