IT Security, SQL Server and You!
Howard Pincham, MCITP, CISSP
Database and Compliance Engineer
Hyland Software, Inc.
[email protected]
Discuss the importance of good security practices.
Provide guidance on how to secure SQL Server.
Demonstrate repeatable techniques that you can use today!
Hottest-selling ’70s/’80s vehicle
Most likely to be stolen... why?
It was easy to steal
Big market for stolen parts
Worth the effort to strip
“...’cuz that’s where the money is” (Willie Sutton, famed bank robber)
Asset: Cutlass
Vulnerability: Quarter window and ignition lock
Threat: Anybody with a screwdriver
Risk: Likelihood Cutlass is stolen
Safeguard: Alarm or kill switch
You want to access tables in a certain database instance on a laptop.
The instance has been hardened by granting access to a single user.
The user will not cooperate with you.
What actions would you take to access the data?
Vulnerability
Credentials stored in plaintext
Unsecured backup files
Unsecured database services and files
Poor physical security
Safeguard
Store credentials in a secure store or network
Apply Least Privilege
Secure backup folders
Encrypt backup files and/or backup volumes
Store critical data on systems located in secure rooms or datacenters.
You are concerned about the security of data and metadata as it traverses various networks.
You suspect that some systems and applications are vulnerable to network-based attacks.
What actions will you take to test these systems?
Vulnerability
Untrusted clients can identify and interrogate SQL Server instances
Transaction data and SQL logins are transmitted in plaintext
SQL login credentials can be configured to allow blank passwords
SQL Injection and other hacks can compromise the server
Safeguard
“Hide” instances, isolate servers
Isolate network traffic and/or use encrypted connections
Apply password policies, use Windows Authentication
Apply single-use servers, least privilege and use secure coding.
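As an added example (not from the talk), a read-only T-SQL audit script that checks an instance for the login weaknesses just listed: mixed-mode authentication, SQL logins with blank passwords or with password policy enforcement switched off, and surface-area features left enabled. It assumes you run it as a login with server-level rights to read these catalog views; the remediation statements are left commented out.

```sql
-- Added example, not from the presentation. Read-only audit of the login
-- and surface-area weaknesses discussed above. Assumes server-level rights
-- (e.g. sysadmin or CONTROL SERVER) so that all logins are visible.

-- 1. Authentication mode: 1 = Windows Authentication only, 0 = Mixed mode.
--    Mixed mode is what makes SQL logins (and blank passwords) possible.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. SQL logins with a blank password (PWDCOMPARE returns 1 on a match),
--    or with the Windows password policy / expiration checks turned off.
SELECT  l.name,
        l.is_disabled,
        CASE WHEN PWDCOMPARE('', l.password_hash) = 1 THEN 1 ELSE 0 END
            AS has_blank_password,
        l.is_policy_checked,
        l.is_expiration_checked
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE('', l.password_hash) = 1
     OR l.is_policy_checked = 0
     OR l.is_expiration_checked = 0
ORDER BY l.name;

-- Remediation for a flagged login (replace <login_name>; disable sa if unused):
-- ALTER LOGIN [<login_name>] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- ALTER LOGIN [<login_name>] WITH PASSWORD = '<strong password>';
-- ALTER LOGIN [sa] DISABLE;

-- 3. Surface area: features that should stay off unless there is a
--    documented need; any row returned here deserves a review.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell',
                'Ole Automation Procedures',
                'remote access',
                'Ad Hoc Distributed Queries')
  AND  value_in_use = 1;

-- Remediation, e.g. for xp_cmdshell:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
```

Run it in SQL Server Management Studio or sqlcmd against each instance under review; an empty result set from queries 2 and 3 means no findings for those checks.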
[Network diagram: WEBSERVERA and SQLSERVERA on the Local Area Network; WEBSERVERA faces the External/Client (Untrusted) side, SQLSERVERA sits on the Trusted side]
Access Management
Network Access Protection
Business Continuity
Configuration Management
Change Management
Content Management
Data Protection
Data Lifecycle Management
Disaster Recovery
Encryption Key Management
Identity Management
Intrusion Detection
Retention Management
Issue Management
Surface Area Configuration
Patch Management
Security Updates
Separation of Duties
http://csrc.nist.gov/
http://microsoft.com/security
www.sans.org/top20/2002/mssql_checklist.pdf
technet.microsoft.com/en-us/library/cc646023.aspx#BKMK_basic
technet.microsoft.com/en-us/security/cc184924.aspx
www.darkreading.com/database_security
http://blogs.msdn.com/b/sqlsecurity/archive/2010/07/26/securitychecklists-on-technet-wiki.aspx
http://www.cisecurity.org/tools2/sqlserver/CIS_SQL2005_Benchmark_v1.1.1.pdf
Portqry http://support.microsoft.com/kb/310099
Network Monitor http://blogs.technet.com/b/netmon/
Nessus http://www.nessus.org/nessus/
Metasploit http://www.metasploit.com/
EPM http://epmframework.codeplex.com/
Windows Firewall http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx