
Howard Pincham, MCITP, CISSP Database and Compliance Engineer Hyland Software, Inc.




1 Howard Pincham, MCITP, CISSP Database and Compliance Engineer Hyland Software, Inc. howard.pincham@hyland.com

2
 Discuss the importance of good security practices.
 Provide guidance on how to secure SQL Server.
 Demonstrate repeatable techniques that you can use today!

3
 Hottest-selling ’70s/’80s vehicle
 Most likely to be stolen… why?
 It was easy to steal
 Big market for stolen parts
 Worth the effort to strip

“...’cuz that’s where the money is” (Willie Sutton, famed bank robber)

4
 Asset: Cutlass
 Vulnerability: Quarter window and ignition lock
 Threat: Anybody with a screwdriver
 Risk: Likelihood Cutlass is stolen
 Safeguard: Alarm or kill switch

5
 You want to access tables in a certain database instance on a laptop.
 The instance has been hardened by granting access to a single user.
 The user will not cooperate with you.
 What actions would you take to access the data?

6 Vulnerability → Safeguard
 Credentials stored in plaintext → Store credentials in a secure store or network
 Unsecured backup files; unsecured database services and files → Apply least privilege; secure backup folders; encrypt backup files and/or backup volumes
 Poor physical security → Store critical data on systems located in secure rooms or datacenters.

7
 You are concerned about the security of data and metadata as it traverses various networks.
 You suspect that some systems and applications are vulnerable to network-based attacks.
 What actions will you take to test these systems?

8 Vulnerability → Safeguard
 Untrusted clients can identify and interrogate SQL Server instances → “Hide” instances, isolate servers
 Transaction data and SQL logins are transmitted in plaintext → Isolate network traffic and/or use encrypted connections
 SQL login credentials can be configured to allow blank passwords → Apply password policies, use Windows Authentication
 SQL Injection and other hacks can compromise the server → Apply single-use servers, least privilege and secure coding.
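A read-only T-SQL audit for two of the slide 8 items (SQL logins with blank or policy-exempt passwords, and sessions that send credentials and data in plaintext), added here as an example and not part of the presentation. It assumes a login holding VIEW SERVER STATE and CONTROL SERVER, which PWDCOMPARE needs in order to read password hashes.

```sql
-- Added example (not from the presentation): audit checks for slide 8 items.
-- Requires VIEW SERVER STATE and CONTROL SERVER (PWDCOMPARE reads password hashes).

-- 1. SQL logins that are exempt from the Windows password policy, never expire,
--    or whose stored hash matches the empty password.
--    PWDCOMPARE('', password_hash) = 1 means the login currently has a blank password.
SELECT  name,
        is_disabled,
        is_policy_checked,        -- 0: Windows password policy not enforced
        is_expiration_checked,    -- 0: password never expires
        CASE WHEN PWDCOMPARE('', password_hash) = 1
             THEN 'BLANK' ELSE 'set' END AS password_state
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
     OR is_expiration_checked = 0
     OR PWDCOMPARE('', password_hash) = 1
ORDER BY name;

-- 2. Current sessions whose connection is not encrypted (encrypt_option = 'FALSE'),
--    with the authentication scheme, so SQL logins sent over the wire in the
--    clear stand out. Local shared-memory sessions never leave the host and are skipped.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.net_transport,
        c.auth_scheme,            -- 'SQL' = SQL login; 'KERBEROS'/'NTLM' = Windows Authentication
        c.encrypt_option,
        c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.encrypt_option = 'FALSE'
  AND   c.net_transport <> 'Shared memory'
ORDER BY s.login_name, s.session_id;
```

Rows from the first query are candidates for enabling CHECK_POLICY and CHECK_EXPIRATION or migrating to Windows Authentication; rows from the second show where forcing encryption on the instance or in the client connection string would close the plaintext exposure.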

9 [Network diagram: a Local Area Network containing SQLSERVERA and WEBSERVERA]

10 [Network diagram: Trusted and Untrusted (External/Client) zones, with SQLSERVERA and WEBSERVERA]

11
 Access Management
 Network Access Protection
 Business Continuity
 Configuration Management
 Change Management
 Content Management
 Data Protection
 Data Lifecycle Management
 Disaster Recovery
 Encryption Key Management
 Identity Management
 Intrusion Detection
 Retention Management
 Issue Management
 Surface Area Configuration
 Patch Management
 Security Updates
 Separation of Duties

12
 http://csrc.nist.gov/
 http://microsoft.com/security
 www.sans.org/top20/2002/mssql_checklist.pdf
 technet.microsoft.com/en-us/library/cc646023.aspx#BKMK_basic
 technet.microsoft.com/en-us/security/cc184924.aspx
 www.darkreading.com/database_security
 http://blogs.msdn.com/b/sqlsecurity/archive/2010/07/26/security-checklists-on-technet-wiki.aspx
 http://www.cisecurity.org/tools2/sqlserver/CIS_SQL2005_Benchmark_v1.1.1.pdf

13
 Portqry: http://support.microsoft.com/kb/310099
 Network Monitor: http://blogs.technet.com/b/netmon/
 Nessus: http://www.nessus.org/nessus/
 Metasploit: http://www.metasploit.com/
 EPM: http://epmframework.codeplex.com/
 Windows Firewall: http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx





