Presentation is loading. Please wait.

Presentation is loading. Please wait.

O PASS – M ARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)

Published byKelly Rodgers Modified over 9 years ago

Similar presentations

Presentation on theme: "O PASS – M ARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)"— Presentation transcript:

1 O PASS – M ARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)

2 M Y B ACKGROUND Database Administrator / Architect Infrastructure and security architect Incident response team lead Certified Information Systems Auditor (CISA) SQL Server security columnist / blogger Co-Author of: How to Cheat at Securing SQL Server 2005 (Syngress) Professional SQL Server 2008 Administration (Wrox) Introduction to SQL Server (Texas Publishing)

3 C ONTACT I NFORMATION Mail: kbriankelley@acm.org Twitter: @kbriankelley Blogs: SQL Server Central http://gkdba.wordpress.com/

4 A GENDA FOR T ONIGHT Why auditors can’t audit SQL Server: “Tag, you’re It” SQL Server Surface Area Server Level Auditing Database Level Auditing

5 I NFORMATION D ISCLOSURE I SSUE SQL Server 2000 – Access to DB, you can audit But so can anyone… Catch-22 SQL Server 2005+, you must have permissions to object. Recommendation: Automate the auditing. Use service account with proper permissions.

6 S URFACE A REA – F ROM R EMOTE Quest Discovery Wizard SQL Ping MS Assessment and Planning (MAP) tool nmap General scanner – Qualys, Nessus

7 S URFACE A REA – O N THE S ERVER SQL Server 2000: SQL Server Server Network Utility SQL Server 2005 only: SQL Server Surface Area Configuration SQL Server 2005 and above: SQL Server Configuration Manager

8 W HAT TO L OOK F OR What network protocols What ports SQL Server is listening on Whether remote connections are allowed

9 S ERVER L EVEL C ONCERNS SQL Server 2000 and above SQL Server 2005 and above

10 A LL V ERSIONS Logins SQL Server logins Windows users Windows groups Server Roles

11 W HAT TO L OOK F OR Windows users (not service accounts) A lot of SQL Server logins Members of: sysadmin securityadmin serveradmin Processadmin Use of sa or sysadmin level accounts

12 SQL S ERVER 2005 AND ABOVE Server level securables DAC (remote) OLE automation SQL Mail xp_cmdshell Password policy enforcement Impersonation of Logins

13 V ISUALIZING S ECURABLES

14 W HAT TO L OOK F OR (2005+) Everything in all versions list CONTROL permission at Server level IMPERSONATE of sa or sysadmin logins SQL logins without full password policy enforcement: No enforcement at all Password never expires

15 D ATABASE L EVEL C ONCERNS SQL Server 2000 and above SQL Server 2005 and above

16 A LL V ERSIONS How database users map to server logins Use of guest user (except system DBs) Database Owner (maps as dbo) Members of database roles: db_owner db_ddladmin db_securityadmin Database level permissions (CREATE)

17 SQL S ERVER 2005+ Permissions at database securable level Permissions at schema securable level Encryption key escrow

18 W HAT TO L OOK F OR Use of database owner by application Use of db_owner by application End users with too many rights Developers in the following roles in prod: db_owner db_ddladmin db_securityadmin

19 Q UESTIONS & A NSWERS

Download ppt "O PASS – M ARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business of Auditing Auditing SQL Server (2000 – 2008R2)"

Similar presentations

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Copyright ®xSpring Pte Ltd, All rights reserved Versions AuthorDateDescription 1.0NBL2012/05First version. Modified from Enterprise edition.

Copyright ®xSpring Pte Ltd, All rights reserved Versions AuthorDateDescription 1.0NBL2012/05First version. Modified from Enterprise edition.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Using Security Best Practices to Lockdown Your Databases and Applications K. Brian Kelley Charlotte SQL Server User Group 17 February 2009.

Using Security Best Practices to Lockdown Your Databases and Applications K. Brian Kelley Charlotte SQL Server User Group 17 February 2009.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.

[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Similar presentations

Ads by Google