Published by Kelly Rodgers. Modified over 9 years ago.
Slide 1: OPASS, March 8, 2012
K. Brian Kelley, MCSE, CISA, Security+, MVP-SQL Server
The Dirty Business of Auditing: Auditing SQL Server (2000 – 2008R2)
Slide 2: My Background
- Database Administrator / Architect
- Infrastructure and security architect
- Incident response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Co-Author of:
  - How to Cheat at Securing SQL Server 2005 (Syngress)
  - Professional SQL Server 2008 Administration (Wrox)
  - Introduction to SQL Server (Texas Publishing)
Slide 3: Contact Information
- Mail: kbriankelley@acm.org
- Twitter: @kbriankelley
- Blogs: SQL Server Central, http://gkdba.wordpress.com/
Slide 4: Agenda for Tonight
- Why auditors can't audit SQL Server: "Tag, you're It"
- SQL Server Surface Area
- Server Level Auditing
- Database Level Auditing
Slide 5: Information Disclosure Issue
- SQL Server 2000: with access to the DB, you can audit. But so can anyone... Catch-22.
- SQL Server 2005+: you must have permissions to the object.
- Recommendation: automate the auditing. Use a service account with proper permissions.
Slide 6: Surface Area – From Remote
- Quest Discovery Wizard
- SQL Ping
- MS Assessment and Planning (MAP) tool
- nmap
- General scanner: Qualys, Nessus
Slide 7: Surface Area – On the Server
- SQL Server 2000: Server Network Utility
- SQL Server 2005 only: SQL Server Surface Area Configuration
- SQL Server 2005 and above: SQL Server Configuration Manager
Slide 8: What to Look For
- What network protocols are enabled
- What ports SQL Server is listening on
- Whether remote connections are allowed
Slide 9: Server Level Concerns
- SQL Server 2000 and above
- SQL Server 2005 and above
Slide 10: All Versions
- Logins: SQL Server logins, Windows users, Windows groups
- Server Roles
Slide 11: What to Look For
- Windows users (not service accounts)
- A lot of SQL Server logins
- Members of: sysadmin, securityadmin, serveradmin, processadmin
- Use of sa or sysadmin level accounts
Slide 12: SQL Server 2005 and Above
- Server level securables
- DAC (remote)
- OLE automation
- SQL Mail
- xp_cmdshell
- Password policy enforcement
- Impersonation of Logins
Slide 13: Visualizing Securables
Slide 14: What to Look For (2005+)
- Everything in the all-versions list
- CONTROL permission at Server level
- IMPERSONATE of sa or sysadmin logins
- SQL logins without full password policy enforcement: no enforcement at all, or password never expires
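As an added example (not from the slides), the server-level checks from slides 11 and 14 expressed as T-SQL over the catalog views that exist from SQL Server 2005 on. It assumes the auditing service account recommended on slide 5 holds VIEW ANY DEFINITION, so that every principal and permission row is visible.

```sql
-- Added example, not from the slides: the server-level checks from slides 11 and 14
-- as T-SQL over the catalog views that exist from SQL Server 2005 on.
-- Assumes the auditing service account holds VIEW ANY DEFINITION so every row is visible.

-- Slide 11: members of the privileged fixed server roles. Windows groups appear as a
-- single row; their nested members are not visible here and must be expanded in AD.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- Slide 11: individual Windows user logins, as opposed to groups or SQL logins.
SELECT name, create_date, is_disabled
FROM sys.server_principals
WHERE type_desc = 'WINDOWS_LOGIN'
ORDER BY name;

-- Slide 14: CONTROL granted at server scope. It is effectively sysadmin but does not
-- show up in role membership, so a roles-only report misses it.
SELECT p.name AS grantee, p.type_desc, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class_desc = 'SERVER' AND sp.permission_name = 'CONTROL SERVER';

-- Slide 14: IMPERSONATE on sa or on any current sysadmin member. sa is matched by its
-- fixed SID (0x01) so a renamed sa is still caught.
SELECT g.name AS grantee, t.name AS can_impersonate, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS g ON g.principal_id = sp.grantee_principal_id
JOIN sys.server_principals AS t ON t.principal_id = sp.major_id
WHERE sp.class_desc = 'SERVER_PRINCIPAL'
  AND sp.permission_name = 'IMPERSONATE'
  AND (t.sid = 0x01 OR IS_SRVROLEMEMBER('sysadmin', t.name) = 1);

-- Slide 14: SQL logins without full password policy enforcement. CHECK_POLICY only
-- has teeth when the Windows host itself enforces a password policy.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
ORDER BY name;
```

Any row returned by the CONTROL SERVER or IMPERSONATE queries deserves the same scrutiny as a sysadmin member, since the grantee can reach the same privilege without appearing in the role.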
Slide 15: Database Level Concerns
- SQL Server 2000 and above
- SQL Server 2005 and above
Slide 16: All Versions
- How database users map to server logins
- Use of the guest user (except system DBs)
- Database Owner (maps as dbo)
- Members of database roles: db_owner, db_ddladmin, db_securityadmin
- Database level permissions (CREATE)
Slide 17: SQL Server 2005+
- Permissions at database securable level
- Permissions at schema securable level
- Encryption key escrow
Slide 18: What to Look For
- Use of database owner by application
- Use of db_owner by application
- End users with too many rights
- Developers in the following roles in prod: db_owner, db_ddladmin, db_securityadmin
Slide 19: Questions & Answers