Securing SQL Server, Syngress

Securing SQL Server

Protecting Your Database From Attackers


DENNY CHERRY
THOMAS LAROCK, Technical Editor

Author Bio
Denny Cherry has over a decade of experience managing SQL Server, including some of the
largest installations in the world. Denny's areas of technical expertise include system architecture,
performance tuning, replication and troubleshooting. Denny currently holds all the
Microsoft certifications related to SQL Server for versions 2000 through 2008 and is
a Microsoft MVP. Denny is a longtime member of PASS and Quest Software's Association of
SQL Server Experts and has written numerous technical articles on SQL Server management
and how SQL Server integrates with enterprise storage, in addition to working on several
books, including this, his first solo book project.


INTRODUCTION

As you move through this book you may notice that it doesn't gently flow from one
topic to another like a lot of technical books. This is intentional, as many of the subjects covered in
this book are related but separate fields of study. As you move through the various
chapters you'll be able to secure a portion of your infrastructure. If you think of
each chapter of the book as an independent project that you can take to your management, the
way the book is structured may make a little more sense. My goal for this book is that after
reading it you'll have the most secure database that you can have within your environment.
Our book starts from the outside looking in, with the outermost thing that can be
controlled being your network design and firewalls. In larger shops this will be outside the
realm of the database professional, but in smaller shops there may be a single person who is
the developer, DBA and systems administrator.
There are a lot of database encryption options available to the DBA, usually many
more than most people realize. In Chapter 2 we'll start by looking at how
to encrypt the data within the database itself, then move on to having the SQL Server automatically
encrypt all the data, having the MPIO driver encrypt all the data, and having the HBA
encrypt all the data. Not only will we look at how to do each one, but also at the upsides and
downsides of each of these techniques.
One of the most common problems at smaller database shops is password policies, and
using weak passwords in production. In Chapter 3 we'll go over some ways to ensure you
are using strong passwords, and some best practices to give yourself some extra layers of
protection.
In Chapter 4 we'll look at securing the instance itself, including minimizing the attack surface
and securing the parts of the database which we have to leave open for client connections.
Chapter 5 is really geared towards the smaller companies who have to have their databases
accessible from the public Internet (if this is you, hopefully you'll be going through Chapter 1
as well). In this chapter we are going to look at some extra precautions that you can take to
make it as hard as possible for someone to break into your database.
In Chapter 6 we are going to look at one of the most common techniques for breaking into
a Microsoft SQL Server, the SQL Injection attack. We’ll look at why this attack vector is so
successful, how to protect yourself, and how to clean up after an attack.
Chapter 7 covers what is probably the least
favorite subject of everyone in an Information Technology role, backups. No matter how
secure your database is, if your backups aren't secure then nothing is secure.
Probably the next least popular topic is Chapter 8, auditing. You need to know when
something is happening within your database, and who is doing it.
In Chapter 9 we look at the various operating system level rights that people within the
organization should have.
The appendix at the end of this book is a set of checklists which you can use to help pass
your various audits. While they aren't a surefire way to ensure that you pass your audits, they
are a set of bullet points that you can use to work with your auditors to ensure that you can get
to passing quickly and easily.

CONTENTS
Dedication.........v
Acknowledgments...........xi
Author Bio ..........xiii
Introduction ...........xv
Chapter 1 Securing the Network
Securing the Network ............1
Public IP Addresses versus Private IP Addresses..........12
Accessing SQL Server from Home..........15
Physical Security.............17
Social Engineering.................21
Finding the Instances .............22
Testing the Network Security..........24
Summary...................26
Chapter 2 Database Encryption
Database Encryption ............27
Encrypting Data within Tables .............31
Encrypting Data at Rest .............41
Encrypting Data on the Wire ............44
Encrypting Data with MPIO Drivers.........56
Encrypting Data via HBAs.............69
Summary...................70
Chapter 3 SQL Password Security
SQL Server Password Security..........73
Strong Passwords ................80
Encrypting Client Connection Strings .......83
Application Roles...............85
Using Windows Domain Policies to Enforce Password Length.......89
Summary...............96
Chapter 4 Securing the Instance
What to Install, and When? .........97
SQL Authentication and Windows Authentication....... 100
Password Change Policies........ 106
Auditing Failed Logins ......... 108
Renaming the SA Account...... 109
Disabling the SA Account......... 110
Securing Endpoints .......... 112
Stored Procedures as a Security Measure ....... 113
Minimum Permissions Possible ...... 115
Linked Servers ................ 116
Using Policies to Secure Your Instance .... 118
SQL Azure Specific Settings......... 123
Instances That Leave the Office......... 125
Summary.............. 126
Chapter 5 Additional Security for an Internet Facing SQL Server and Application
SQL CLR........... 127
Extended Stored Procedures........... 132
Protecting Your Connection Strings......... 134
Database Firewalls ............ 135
Clear Virtual Memory Pagefile ......... 135
User Access Control (UAC) ......... 139
Other Domain Policies to Adjust........ 142
Reporting Services .......... 143
Summary.......... 148
Chapter 6 SQL Injection Attacks........149
What Is an SQL Injection Attack?....... 149
Why Are SQL Injection Attacks So Successful?..... 154
How to Protect Yourself from an SQL Injection Attack.... 155
Cleaning Up the Database After an SQL Injection Attack... 165
Summary......... 168
Chapter 7 Database Backup Security
Overwriting Backups .... 172
Media Set and Backup Set Passwords...... 177
Backup Encryption........ 178
Transparent Data Encryption ....... 182
Compression and Encryption...... 183
Offsite Backups .......... 184
Summary......... 186
Chapter 8 Auditing for Security
Login Auditing .......... 190
Data Modification Auditing....... 197
Data Querying Auditing ........ 202
Schema Change Auditing....... 204
Using Policy-Based Management to Ensure Policy Compliance.... 204
C2 Auditing....... 208
Common Criteria Compliance....... 210
Summary..... 212
Chapter 9 Server Rights
OS Rights Needed by the SQL Server Service ... 213
OS Rights Needed by the DBA ..... 216
OS Rights Needed to Install Service Packs ...... 217
OS Rights Needed to Access SSIS Remotely .... 218
Console Apps Must Die ...... 220
Default Sysadmin Rights ...... 222
Vendor’s and the Sysadmin Fixed-Server Role ..... 223
Summary......... 224
Appendix A: External Audit Checklists ..... 225
Index......... 239


Product details
File Size: 4,256 KB
Pages: 273 p
File Type: PDF format
ISBN: 978-1-59749-625-4
Copyright: 2011 Elsevier Inc