Code-Less Securing of SQL Server


1 Code-Less Securing of SQL Server
Argenis Fernandez, SurveyMonkey

2 About Me
Member of the Database Engineering team at SurveyMonkey (We’re hiring!)
Former Senior Consultant: SQL Server Core, Microsoft Consulting Services
Microsoft Certified Master: SQL Server 2008 and Microsoft Certified Solutions Master: Data Platform (Charter)
Idera SQL Server ACE
DBA/Dev & SysAdmin for 15 years
Love OS, SQL internals/Security
Frequent Speaker (PASS Summit, SQLRally, 24HOP, SQLBits, TechEd)
Twitter enthusiast, rather infrequent blogger
Founder, PASS Security Virtual Chapter
2 | 9/18/2018 The Secret Life of an INSERT Statement

3 Why Bother?
Security is hard
It’s hardly convenient
This is why…

4 Please visit Troy Hunt’s web site for more information on SQL injection: http://www.troyhunt.com/

5 Agenda
The sa account
Database Firewalls
Active Directory
IPSec
Transparent Data Encryption (TDE)
Auditing
Contained Databases
Server Core
Things to do
Things to avoid

6 The sa account
Omnipotent account
Rename it
Disable it
Don’t ever use it
Forget that it even exists
What sa account are you talking about?
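The rename/disable steps on this slide, as an added T-SQL example (not the speaker's demo code). The new name sa_retired and the assumption that you are connected as some other sysadmin login are mine; the built-in administrator keeps SID 0x01 whatever it is called, which is what the verification queries key on.

```sql
-- Added example: retire the sa login. Run as a sysadmin login other than sa.
-- The name sa_retired is an assumption; pick your own.
USE master;
GO

-- Before touching it, see what the built-in admin still owns (sid 0x01 never changes).
SELECT name AS database_name
FROM sys.databases
WHERE owner_sid = 0x01;

SELECT j.name AS job_name, sp.name AS owner_name
FROM msdb.dbo.sysjobs AS j
JOIN sys.server_principals AS sp ON sp.sid = j.owner_sid
WHERE sp.sid = 0x01;
GO

-- 1. Rename: only the name changes, the SID stays 0x01.
ALTER LOGIN sa WITH NAME = [sa_retired];
GO

-- 2. Disable: a disabled login cannot connect even with the correct password.
ALTER LOGIN [sa_retired] DISABLE;
GO

-- 3. Verify: the row with sid = 0x01 should now show the new name and is_disabled = 1.
SELECT name, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE sid = 0x01;
GO
```

Because the SID is fixed, the first two queries are also the ones to rerun on any instance where you suspect the account has been renamed back or re-enabled.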

7 Demo – sa honeypot

8 Database/Application Firewalls
Can prevent SQL injection attacks at the app level
Can also inspect every TDS packet sent to the server
Can work alongside agents to further secure access to the database

9 Active Directory security
Use AD Groups whenever possible
Use GPOs to enforce strength/password expiration (careful!) policies for service accounts
Isolate Dev/Test/QA/Prod under individual OUs, or better yet: isolate on different domains/forests

10 IPSec
Provides network-level encryption
Can be restricted to a set of hosts
Easier to set up than app/web level
Any host affected by the policy is automatically protected
“We need to encrypt data on the fly!”

11 Transparent Data Encryption (TDE)
Provides storage-level encryption
It’s managed on a per-instance basis
Can have a significant performance impact
“We need to encrypt data at rest!”
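What "storage-level" and "per-instance" mean in practice, as an added example rather than anything from the deck: the certificate lives in master and protects every database encryption key on the instance, and tempdb is encrypted as soon as any user database is. Certificate name, database name, file paths and passwords are assumptions or placeholders.

```sql
-- Added example: enable TDE on one database. Names and paths are assumptions.
USE master;
GO
-- Database master key for master, protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-dmk-password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for this instance';
GO
-- Back the certificate up at once and store it away from the server:
-- without it, backups of the encrypted database cannot be restored anywhere else.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\Keys\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-pvk-password>');
GO

USE AppDb;   -- assumed database name
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO

-- Watch the background encryption scan (this is where the performance impact shows).
-- encryption_state 2 = in progress, 3 = encrypted. tempdb appears here too.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects the files on disk and the backup files; it does nothing for data in flight (that is the IPSec slide) or for someone who can already log in and run SELECT.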

12 Auditing
You should (at the very least) audit DDL
You might be forced to audit for compliance
Forensic trail
The transaction log is a gold mine
Default trace (in deprecation path now)
Audit successful logins?
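A minimal DDL audit using SQL Server Audit (the supported replacement for the default trace), as an added example that is not from the presentation. The audit name, file path and the choice of action groups are assumptions; the successful-login group is left commented out because, as the slide asks, it is a volume decision you make per instance.

```sql
-- Added example: server-level audit of DDL and failed logins. Names/paths are assumptions.
USE master;
GO
CREATE SERVER AUDIT DdlAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT DdlAudit WITH (STATE = ON);
GO

-- Server-scoped events: instance-level and database-level DDL plus login failures.
CREATE SERVER AUDIT SPECIFICATION DdlAuditSpec
    FOR SERVER AUDIT DdlAudit
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    -- , ADD (SUCCESSFUL_LOGIN_GROUP)   -- high volume; enable if compliance requires it
    WITH (STATE = ON);
GO

-- Reading the trail: who changed what, when, and the statement they ran.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file('D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Write the audit files to a location the SQL Server service account can append to but not delete, so the forensic trail survives a compromised instance.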

13 Contained Databases
Logins contained in the database, not kept in master
Standard logins/users can be made contained
You want to use this feature if you’re using AlwaysOn Availability Groups and/or Database Mirroring
Careful! There are gotchas
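The setup the slide describes, plus two checks for the gotchas it warns about, as an added example (not the speaker's demo). Database and user names are assumptions. The checks cover the two documented pitfalls: objects that still depend on instance-level state, and a contained user whose name collides with a server login.

```sql
-- Added example: partially contained database with a database-authenticated user.
-- AppDb, app_user and legacy_user are assumed names.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

CREATE DATABASE AppDb CONTAINMENT = PARTIAL;
GO
USE AppDb;
GO
-- This user has no login in master; it authenticates against the database itself,
-- so it fails over with an Availability Group or mirror with no login-sync step.
CREATE USER app_user WITH PASSWORD = '<placeholder-strong-password>';
GO

-- Convert an existing login-backed user into a contained one, then disable the old login.
EXEC sp_migrate_user_to_contained
    @username     = N'legacy_user',
    @rename       = N'keep_name',
    @disablelogin = N'disable_login';
GO

-- Gotcha 1: anything that still reaches outside the database (three-part names,
-- linked servers, server-level permissions) breaks the containment promise.
SELECT class_desc, object_name(major_id) AS object_name, statement_type, feature_name
FROM sys.dm_db_uncontained_entities;

-- Gotcha 2: a contained user with the same name as a server login. When the
-- connection names this database as its initial catalog, the database user wins,
-- so a database-level password can shadow a server-level identity. Flag duplicates.
SELECT dp.name AS contained_user, sp.name AS matching_login, sp.type_desc
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.name = dp.name
WHERE dp.authentication_type = 2;   -- 2 = DATABASE (contained) authentication
GO
```

Keep TRUSTWORTHY off on a contained database; combining the two hands the database's own administrators a path to server-level rights.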

14 Demo – Contained Databases

15 Windows Server Core
Reduced surface area
Less Patching!
Less “let me login to the server and do stuff!”

16 Things to Do
SANITIZE all of your inputs. TWICE if you must (app layer/SQL layer)
LOCK YOUR WORKSTATION
SCAN your network periodically for new SQL instances
HIRE A PROFESSIONAL to do a penetration test that includes social engineering attacks
EDUCATE your Developers/Vendors!

17 More Things to Do
ENFORCE Principle of Least Privilege
REDUCE your exposure (surface area)
LOCK DOWN Production!
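The SQL-layer half of "sanitize twice" and the least-privilege item from these two slides, as one added example that is not from the deck. The table, procedure, role and user names are assumptions. The first procedure is the pattern to remove; the second is its replacement, and the role grants show what "least privilege" looks like for the account that calls it.

```sql
-- Added example: parameterized dynamic SQL plus a least-privilege role.
-- dbo.Customers, app_user and the procedure names are assumed.
USE AppDb;   -- assumed database
GO

-- BEFORE: input is concatenated into the statement. Whatever @Name contains is
-- parsed as SQL, so the caller, not the developer, decides what runs.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- AFTER: the text of the statement is fixed; @Name travels as a typed parameter
-- and is never parsed as SQL, however it is shaped.
CREATE PROCEDURE dbo.FindCustomer @Name nvarchar(100)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name',
        N'@Name nvarchar(100)',
        @Name = @Name;
END;
GO

-- Least privilege: the application account may execute the procedure and nothing else.
-- No table access, no ad-hoc SELECT, nothing it could use if the app layer is bypassed.
CREATE ROLE app_caller;
GRANT EXECUTE ON OBJECT::dbo.FindCustomer TO app_caller;
ALTER ROLE app_caller ADD MEMBER app_user;
GO

-- Review what the role can actually reach; this should list only the EXECUTE grant.
SELECT pr.name, pe.permission_name, pe.state_desc, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'app_caller';
GO

DROP PROCEDURE dbo.FindCustomer_Unsafe;   -- keep only the parameterized version
GO
```

Ownership chaining is what lets app_caller run the procedure without SELECT on the table, so keep the procedure and the table under the same owner (here dbo).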

18 Things to Avoid
SQL Servers sitting on boxes with routable IP addresses
xp_cmdshell
TRUSTWORTHY
Using the same service accounts/passwords across Dev/Test/QA/Prod
Use non-standard port numbers – makes things worse
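A check-and-fix script for the instance-side items on this slide (xp_cmdshell and TRUSTWORTHY), as an added example that is not part of the presentation. The database name in the ALTER is an assumption; the msdb exclusion is there because msdb ships with TRUSTWORTHY on.

```sql
-- Added example: find and turn off the two instance-level settings this slide lists.
USE master;
GO

-- 1. Surface-area switches that should read 0. 'show advanced options' is needed
--    only so sp_configure will display and change xp_cmdshell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access', 'Ad Hoc Distributed Queries')
ORDER BY name;

EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 2. Databases with TRUSTWORTHY on. Any database here whose owner is a sysadmin
--    lets db_owner members impersonate their way to server-level rights.
SELECT d.name,
       d.is_trustworthy_on,
       SUSER_SNAME(d.owner_sid) AS owner_name,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';

ALTER DATABASE AppDb SET TRUSTWORTHY OFF;   -- assumed database name; repeat per row above
GO

-- 3. While you are here: who is sysadmin? Every member is a second sa.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
GO
```

Run the SELECTs on a schedule and diff the output; a setting that flips back on is a finding in itself.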

19 Get This Book! Denny Cherry: “Securing SQL Server”, 2nd Edition

20 How To Get In Touch With Me
Blog: (tag: Security)
PASS Security Virtual Chapter:
For access to many other SQL Server professionals, use the #SQLHelp hashtag on Twitter
