Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limiting SQL Server Exposure

Similar presentations


Presentation on theme: "Limiting SQL Server Exposure"— Presentation transcript:

1 Limiting SQL Server Exposure
Presented by H. Ross Reed

2 About Me DBA for 20 Years SQL Server (since 6.5) DB2 Oracle
Developer prior to being a DBA Sr Database Administrator for The OCC. CO-President Chicago SQL Server Users Group

3 OPTIONS CLEARING CORPORATION
SIFMU Systemically Important Financial Market Utility Designation by the SEC CFTC FED We are audited to assure we meet standards for a secure environment

4 Exposure from Who ? External … Internet facing servers ..
Internal Exposure Dishonest Associate The individual that’s curious about the environment The one that doesn’t want to take the time to go through proper channels

5 Name this Account This account is known for administrating SQL Server and is the first account in Syslogins with an internal id of X’01’.

6 SA Windows Only Authentication this isn’t an issue
DBA’s use a Windows authentication ID Disable SA Rename SA to a different name Available since SQL 2005 Longer names are better Complex Password Change it Often

7 Lab Renaming and Disabling SA

8 OS Rights Needed by Instance Account
Does not need to be Local System Administrator and should not be. Installer will automatically grant the rights needed. SQL Server Configuration Manager will grant the same rights when used to change the Instance ID . Rights Needed Logon as a Service Replace process level token Adjust memory quotas for a process More information can be found here : us/sql/database-engine/configure-windows/configure-windows-service- accounts-and-permissions

9 Instance Account Additional
Use a Domain Id and use a different id for each Instance and Each SQL Server Service. Don’t do this !!!

10 SYSADMIN Fixed Server Role
When Installing Make sure DBA’s are installed in SYSADMIN Most powerful role on the Instance Most System Stored Procedures check if the id running is SYSADMIN and then bypasses security checks. Third Party Applications “We need to run as SYSADMIN” Probably don’t need that level of security to run just to install Probably run as DB Owner

11 What is Default TCP/IP Port for SQL Server

12 Change Default Port Number
Change to port number other than well known port for TCP protocol

13 Named Pipes Vs TCP/IP TCP/IP supports Kerberos authentication better security protocol than NTLM Named Pipes has to use NTLM Usually Named Pipes and TCP/IP aren’t needed So disable Named Pipes

14 Disable Named Pipes

15 Hide an Instance Hides instance from Network
Won’t display in the dropdown box

16 Before and After Hiding Instance

17 Disable SQL Server Browser
Has information on Instance Name and Port Number of Instances Allows to connect with ServerName \InstanceName

18 Connection To Instance
Server Name,Port HRREED,4050

19 Surface Area Configuration Settings Remain Disabled
OLE Automation – Sp_OA stored procedures can be used to access OS files. sp_OACreate, sp_OADestroy, sp_OAMethod, sp_OASetProperty, sp_OAGetProperty XP_CMDSHELL - Executes Dos Shell commands using service account rights Adhoc Remote Queries – Use Linked Server , SSIS, or PowerShell Database Mail XP’s SQL Mail XP’s – Allows user to send s

20 Guest Account Any User who can connect to the server has access to a database where Guest is enabled Master, MSDB, TempDB require the Guest user enabled Disable Guest in Model Database so that user Databases created will have Guest Disabled Revoke Connect from guest

21 Backups Encrypt Backups Use Virtual Tape instead of Physical Tape
Transparent Data Encryption Third Party Tools Quest Litespeed Redgate Backup Idera SQL Safe Backup Use Virtual Tape instead of Physical Tape Data Domain Guard access to Backups - Access to the File System should be restricted

22 Policy Based Management
Introduced with SQL Server 2008 Allows DBA to create conditions and Policies to block changes or report changes

23 Lab # 2 Policy Based Management

24 Auditing -Scan Error Log
Error Log look for Login Failures Make sure setting is set to capture failed Logins Restart is required for the change in Login Auditing to take effect

25 Server Side Auditing Available since SQL Server 2008
Allows Auditing Login’s and other items such as schema changes

26 Login Failures using Server Side Auditing
Defining The Audit Choices for Destination File, Application Log, Security Log

27 Login Audits More than Failures

28 Set up Audit for Logins Failures and Changes
Lab # 3 Set up Audit for Logins Failures and Changes

29 Schema Changes CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecification] FOR SERVER AUDIT [SchemaChangeTrack] ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), ADD (DATABASE_PERMISSION_CHANGE_GROUP), ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP), ADD (DATABASE_CHANGE_GROUP), ADD (DATABASE_OBJECT_CHANGE_GROUP), ADD (DATABASE_PRINCIPAL_CHANGE_GROUP), ADD (SCHEMA_OBJECT_CHANGE_GROUP), ADD (SERVER_OBJECT_CHANGE_GROUP), ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP), ADD (DATABASE_OWNERSHIP_CHANGE_GROUP), ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP), ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP) WITH (STATE = ON) GO

30 Separation of Duties Windows System Administrator
Installs SQL Server Patches SQL Server Security Administrator Creates Instance ID Creates SQL Authenticated ID Database Administrator Responsible for Backup and Recovery Schema Changes

31 Some Things External to SQL Server
Segregation of Networks Separate Production / Test / Dev Separate Network for IoT Heating and Air Conditioning Target Stores

32 Sources Securing SQL Server – Denny Cherry
Center for Internet Security Pinal Dave


Download ppt "Limiting SQL Server Exposure"

Similar presentations


Ads by Google