1
Limiting SQL Server Exposure
Presented by H. Ross Reed –
2
About Me
DBA for 20 Years
  SQL Server (since 6.5)
  DB2
  Oracle
Developer prior to being a DBA
Sr Database Administrator for The OCC
Co-President, Chicago SQL Server Users Group
3
OPTIONS CLEARING CORPORATION
SIFMU: Systemically Important Financial Market Utility
Designation by the SEC, CFTC, FED
We are audited to assure we meet standards for a secure environment
4
Exposure from Who?
External
  Internet facing servers
Internal Exposure
  Dishonest associate
  The individual that's curious about the environment
  The one that doesn't want to take the time to go through proper channels
5
Name this Account
This account is known for administering SQL Server and is the first account in Syslogins, with an internal id of X'01'.
6
SA
With Windows Only Authentication this isn't an issue
  DBAs use a Windows authentication ID
Disable SA
Rename SA to a different name
  Available since SQL 2005
  Longer names are better
Complex Password
  Change it often
7
Lab Renaming and Disabling SA
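The rename-and-disable steps from the SA slide, written as T-SQL. This is an added example, not the presenter's lab script; the new login name and the password are placeholders, and it assumes you are connected as a different sysadmin (a Windows-authenticated DBA login).

```sql
-- Added example: harden the built-in administrator login (SID 0x01).
-- The login is looked up by SID, not by name, so the script still finds it
-- if it has already been renamed.
DECLARE @current sysname, @sql nvarchar(max);
DECLARE @new sysname = N'PLACEHOLDER_long_nonobvious_name';  -- assumption: choose your own

SELECT @current = name
FROM sys.server_principals
WHERE sid = 0x01;

-- 1. Set a long, complex password (placeholder value shown).
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@current)
         + N' WITH PASSWORD = N''<PLACEHOLDER-long-random-password>'';';
EXEC sys.sp_executesql @sql;

-- 2. Rename (ALTER LOGIN ... WITH NAME is available since SQL Server 2005).
IF @current <> @new
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@current)
             + N' WITH NAME = ' + QUOTENAME(@new) + N';';
    EXEC sys.sp_executesql @sql;
END

-- 3. Disable the renamed login.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@new) + N' DISABLE;';
EXEC sys.sp_executesql @sql;

-- 4. Verify: expect the new name and is_disabled = 1.
SELECT name, is_disabled, modify_date
FROM sys.server_principals
WHERE sid = 0x01;
```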
8
OS Rights Needed by Instance Account
Does not need to be Local System Administrator and should not be.
Installer will automatically grant the rights needed.
SQL Server Configuration Manager will grant the same rights when used to change the Instance ID.
Rights Needed
  Logon as a Service
  Replace process level token
  Adjust memory quotas for a process
More information can be found here: us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions
9
Instance Account Additional
Use a Domain Id, and use a different id for each Instance and each SQL Server Service.
Don't do this!!!
10
SYSADMIN Fixed Server Role
When installing, make sure DBAs are installed in SYSADMIN
Most powerful role on the Instance
Most System Stored Procedures check if the id running is SYSADMIN and then bypass security checks
Third Party Applications: "We need to run as SYSADMIN"
  Probably don't need that level of security to run, just to install
  Probably run as DB Owner
11
What is the Default TCP/IP Port for SQL Server?
12
Change Default Port Number
Change to a port number other than the well-known port for the TCP protocol
13
Named Pipes Vs TCP/IP
TCP/IP supports Kerberos authentication
  Better security protocol than NTLM
Named Pipes has to use NTLM
Usually both Named Pipes and TCP/IP aren't needed
  So disable Named Pipes
14
Disable Named Pipes
15
Hide an Instance
Hides instance from Network
Won't display in the dropdown box
16
Before and After Hiding Instance
17
Disable SQL Server Browser
Has information on the Instance Name and Port Number of Instances
Allows clients to connect with ServerName\InstanceName
18
Connection To Instance
Server Name,Port
HRREED,4050
19
Surface Area Configuration Settings Remain Disabled
OLE Automation - sp_OA stored procedures can be used to access OS files.
  sp_OACreate, sp_OADestroy, sp_OAMethod, sp_OASetProperty, sp_OAGetProperty
XP_CMDSHELL - Executes DOS shell commands using service account rights
Ad hoc Remote Queries - use Linked Server, SSIS, or PowerShell instead
Database Mail XPs
SQL Mail XPs - Allows user to send s
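A check for the options listed on this slide, as an added example (not from the presentation). It reads sys.configurations, so an option that does not exist on a given SQL Server version simply returns no row.

```sql
-- Added example: report the state of the surface-area options named above.
-- value        = configured value (takes effect after RECONFIGURE)
-- value_in_use = value the instance is running with right now
SELECT c.name,
       CAST(c.value AS int)        AS configured_value,
       CAST(c.value_in_use AS int) AS running_value,
       CASE
           WHEN CAST(c.value AS int) = 0 AND CAST(c.value_in_use AS int) = 0
               THEN 'OK (disabled)'
           ELSE 'REVIEW (enabled or change pending)'
       END AS status
FROM sys.configurations AS c
WHERE c.name IN (N'Ole Automation Procedures',
                 N'xp_cmdshell',
                 N'Ad Hoc Distributed Queries',
                 N'Database Mail XPs',
                 N'SQL Mail XPs')
ORDER BY c.name;

-- Turning one of them off (xp_cmdshell shown). These are advanced options,
-- so they must be made visible to sp_configure first.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sys.sp_configure N'show advanced options', 0;
RECONFIGURE;
```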
20
Guest Account
Any User who can connect to the server has access to a database where Guest is enabled
Master, MSDB, TempDB require the Guest user enabled
Disable Guest in Model Database so that user Databases created will have Guest Disabled
Revoke Connect from guest
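The guest lockdown described on this slide, as an added example rather than the presenter's script. It covers model and every online, writable user database, and skips master, msdb and tempdb, where the slide says guest must stay enabled.

```sql
-- Added example: revoke CONNECT from guest wherever it is currently granted,
-- except in master, msdb and tempdb.
DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name NOT IN (N'master', N'msdb', N'tempdb')
      AND state_desc = N'ONLINE'
      AND is_read_only = 0;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Run the check and the REVOKE inside each database's own context.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF EXISTS (SELECT 1
                   FROM sys.database_permissions AS p
                   JOIN sys.database_principals  AS u
                     ON u.principal_id = p.grantee_principal_id
                   WHERE u.name = N''guest''
                     AND p.permission_name = N''CONNECT''
                     AND p.state IN (''G'', ''W''))   -- GRANT or GRANT WITH GRANT OPTION
        BEGIN
            REVOKE CONNECT FROM guest;
            PRINT N''guest CONNECT revoked in '' + DB_NAME();
        END';
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cur INTO @db;
END

CLOSE db_cur;
DEALLOCATE db_cur;
```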
21
Backups
Encrypt Backups
  Transparent Data Encryption
  Third Party Tools
    Quest Litespeed
    Redgate Backup
    Idera SQL Safe Backup
Use Virtual Tape instead of Physical Tape
  Data Domain
Guard access to Backups - Access to the File System should be restricted
22
Policy Based Management
Introduced with SQL Server 2008
Allows DBA to create Conditions and Policies to block changes or report changes
23
Lab # 2 Policy Based Management
24
Auditing - Scan Error Log
Look in the Error Log for Login Failures
Make sure the setting is set to capture failed Logins
Restart is required for the change in Login Auditing to take effect
25
Server Side Auditing
Available since SQL Server 2008
Allows auditing Logins and other items such as schema changes
26
Login Failures using Server Side Auditing
Defining The Audit
Choices for Destination: File, Application Log, Security Log
27
Login Audits More than Failures
28
Lab # 3: Set up Audit for Login Failures and Changes
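A server audit for login failures and login changes, with a query to read it back. This is an added example, not the presenter's lab script; the audit and specification names, the file path and the size limits are assumptions.

```sql
-- Added example: server-side audit of failed logins and login/role changes.
USE master;
GO
-- Destination: File (the other choices are APPLICATION_LOG and SECURITY_LOG).
CREATE SERVER AUDIT [LoginAudit]                       -- hypothetical name
    TO FILE (FILEPATH = N'D:\PLACEHOLDER\Audit\',      -- placeholder path
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT [LoginAudit] WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]     -- hypothetical name
    FOR SERVER AUDIT [LoginAudit]
    ADD (FAILED_LOGIN_GROUP),               -- login failures
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created, altered, dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- e.g. additions to sysadmin
    ADD (LOGIN_CHANGE_PASSWORD_GROUP)       -- password changes
    WITH (STATE = ON);
GO
-- Failed logins in the last 24 hours, grouped by the login name attempted.
-- event_time in the audit file is recorded in UTC.
SELECT server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen_utc,
       MAX(event_time) AS last_seen_utc
FROM sys.fn_get_audit_file(N'D:\PLACEHOLDER\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                    -- LOGIN FAILED
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name
ORDER BY failures DESC;
```

Restrict file-system access to the audit folder in the same way as the backup folder, since the audit files are only useful if the accounts being audited cannot alter them.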
29
Schema Changes

CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpecification]
FOR SERVER AUDIT [SchemaChangeTrack]
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (DATABASE_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),
    ADD (DATABASE_OWNERSHIP_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP)
WITH (STATE = ON)
GO
30
Separation of Duties
Windows System Administrator
  Installs SQL Server
  Patches SQL Server
Security Administrator
  Creates Instance ID
  Creates SQL Authenticated ID
Database Administrator
  Responsible for Backup and Recovery
  Schema Changes
31
Some Things External to SQL Server
Segregation of Networks
  Separate Production / Test / Dev
  Separate Network for IoT
    Heating and Air Conditioning
    Target Stores
32
Sources
Securing SQL Server - Denny Cherry
Center for Internet Security
Pinal Dave