SQL Server Security & Intrusion Prevention

Presentation on theme: "SQL Server Security & Intrusion Prevention"— Presentation transcript:

2 SQL Server Security & Intrusion Prevention
Gabriel Villa, SQL Saturday #94, Salt Lake City

3 “Please allow me to introduce myself” … Rolling Stones
Gabriel Villa
- SQL Server 7, 2000, 2005 and 2008
- .Net Developer: VB.Net and C#

4 Session Outline
- SQL Server Threats
- Security Model
- Auditing
- Write Secure Code
- Best Practices: Physical Security, Security Patches, Network Security
- Resources

5 SQL Server Threats
- Social Engineering
  - Manipulating people to gather data
  - Does not rely on technical cracking tools or techniques
- SQL Injection
  - Any RDBMS is vulnerable, not just MS SQL Server
  - Attackers post SQL commands through front-end applications
  - Tools: ‘ , --, ;

6 SQL Injection

7 SQL Server Security Model
- Principals: Windows Users, SQL Logins, Roles, Groups
- Securables: Schemas
- (diagram) Server level: Windows Users, SQL Login; Database level: Database Users, DB Roles, Schemas

8 Authentication: Windows Authentication
- Active Directory integration
- Supports groups
- Use whenever possible

9 Authentication: Mixed Authentication
- Legacy or hard-coded referenced logins
- Non-Windows clients
- Connections over the Internet

10 Authentication

11 Passwords
- DO NOT hardcode passwords
  - ASP.Net: encrypt web.config
  - Encrypt the password in your code
- Strong passwords
  - 8 to 10 characters minimum
  - L33t speak or special characters (e.g. s = 5 or 3 = E)
  - SQLPing checks for default passwords
  - Change passwords frequently

12 Roles
- Group users into roles based on usage
- Database Roles and Server Roles
- Server-level roles: sysadmin, bulkadmin, securityadmin, dbcreator

13 Roles and “Denali” Roles
- Group users into roles based on usage
- Database Roles and Server Roles
- Server-level roles: sysadmin, bulkadmin, securityadmin, dbcreator
- “Denali” User-Defined Server Roles
  - Allow creation of new server roles
  - Help prevent the use of sysadmin

14 Securables: Using Schemas to secure database objects
- A schema is a namespace container
- Simplifies access permissions
- Group objects into schemas
- Grant permissions to schemas, not objects

15 Auditing
- Server- and database-level events: server operations, database actions
- Audit specifications: Server Audit Specification
- Audit failed login attempts

16 New “Denali” Auditing Features
- SQL Auditing for all editions
- User-Defined Audit – applications write custom events to the audit logs
- Filtering – filter out unwanted events
- Resilience – recover auditing data from a temporary file in case of network issues

17 Write Secure Code
- Check for valid input
- DDL Triggers
- Use stored procedures
- Use parameters
- Customize error messages: avoid errors that return securable names
- Source control
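The two T-SQL practices from slides 14 and 17, schema-scoped grants and parameterized procedures, as an added example that is not part of the original deck. The Sales schema, app_reader role and CORP\AppService login are assumed names for illustration.

```sql
-- Added example (not from the slide deck). Names below are illustrative.

-- Slide 14: group objects into a schema and grant on the schema, not per object
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Email      NVARCHAR(256) NOT NULL
);
GO
CREATE ROLE app_reader;
-- One grant covers every current and future object in the schema
GRANT SELECT, EXECUTE ON SCHEMA::Sales TO app_reader;
-- Windows login mapped to a database user, then placed in the role
CREATE USER [CORP\AppService] FOR LOGIN [CORP\AppService];
-- ALTER ROLE ... ADD MEMBER is SQL Server 2012 ("Denali") syntax;
-- on 2008 use: EXEC sp_addrolemember 'app_reader', 'CORP\AppService';
ALTER ROLE app_reader ADD MEMBER [CORP\AppService];
GO

-- Slide 17: vulnerable dynamic SQL vs. parameterized procedures
-- VULNERABLE: the caller's text is pasted into the statement, so a quote,
-- -- or ; inside @Name changes the structure of the query
CREATE PROCEDURE Sales.FindCustomer_Unsafe @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END
GO
-- SAFE: @Name is bound as a value and can never alter the query text
CREATE PROCEDURE Sales.FindCustomer @Name NVARCHAR(100)
AS
BEGIN
    SELECT CustomerId, Name FROM Sales.Customer WHERE Name = @Name;
END
GO
-- When dynamic SQL is unavoidable, keep values out of the string with sp_executesql
CREATE PROCEDURE Sales.FindCustomer_Dynamic @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM Sales.Customer WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @Name;
END
GO
```

Because app_reader holds only SELECT and EXECUTE on the Sales schema, an application connecting as CORP\AppService cannot reach objects in other schemas even if a query is manipulated.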

18 Best Practices
- Physical Security
- Windows Updates
- Network Security

19 Physical Security
- Lock the server room or rack when not in use
- Deny access to unauthorized individuals
- If feasible, use security cameras

20 Security Patches
- Released on the second Tuesday of every month
- Test updates or hotfixes immediately on non-production servers
- Schedule patches for production soon after they have been tested

21 Network Security
- Avoid network shares on servers
- Don’t surf the Web on the server
- Only enable required protocols
- Keep servers behind a firewall

22 Other Tips
- Encrypt your DB backups
- Test backups by restoring them
- Restrict system stored procedures and extended stored procedures (xp_*)

23 Best Practices: Resources
- Defensive Database Programming by Alex Kuznetsov
- Protecting SQL Server Data by John Magnabosco
- SQL Server Tacklebox by Rodney Landrum

24 Questions??
Slide Deck at http://www.extofer.com
Gabriel Villa blog: com

25 Thank you to our sponsors
Gold Blog Prize Bronze
