Avanade: 10 tips for securing your SQL Server databases
Bernt Lervik, Infrastructure Architect, Avanade
Avanade is the leading technology integrator specialising in the Microsoft platform.
Our people help customers around the world maximise their IT investment and create comprehensive solutions that drive business results.
Additional information can be found at www.avanade.com
Agenda
Unbreakable SQL Server?
Background
Baseline security
  Server installation
  Service Account Selection
  Authentication
  Patching
  Surface area reduction
    Demo: Security Configuration Wizard
    Demo: SQL Server 2005 Best Practices Analyzer
  Network connectivity
    Demo: IPSec
Unbreakable SQL Server?
SQL Server 2005 has zero vulnerabilities disclosed or fixed since launch!
IIS 6.0 has only two Important patches since launch:
  MS06-034 Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
  MS04-030 Vulnerability in WebDav XML Message Handler Could Lead to a Denial of Service (824151)
Unbreakable SQL Server?
This does not mean we're safe!
... remember
This session will cover the stuff you forget to do outside of SQL
"There is no 'patch' for stupidity." (www.sqlsecurity.com)
Background
Why are we securing our systems?
Risk management
  Identify the appropriate level of security for assets according to their data classification
  Determine the most appropriate and cost-effective measures to mitigate security threats
  Establish regular security risk reviews
  In mixed classification, apply the protection requirements of the more sensitive class
  Make the asset owner accountable
Background
Asset Classification
Define levels of security for assets based on confidentiality, integrity, and availability
  Restrict access to High Business Impact (HBI) data to only the most trusted parties
  Apply strict rules to the use and management of Medium Business Impact (MBI) data
  Low Business Impact (LBI) data has no formal classification or protection requirements
Server installation
Install while not connected directly to the internet (doh)
Always use the latest slipstreamed installation media
  Windows Server 2003 with Service Pack 2
If required, deploy antivirus software
  Remember: antivirus software cannot always help you!
Service Account Selection
Use a specific user account or domain account rather than a shared account for SQL Server services.
Use a separate account for each service.
Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.
Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.
Always use SQL Server Configuration Manager to change service accounts. It puts the new account into the per-service Windows group and fixes up the file and registry ACLs the service needs; changing the account in Services.msc does neither.
Change the service account password at regular intervals.
Authentication
Always use Windows Authentication mode if possible.
Use Mixed Mode Authentication only for legacy applications and non-Windows users.
Change the sa account password to a known value if you might ever need to use it. Always use a strong password for the sa account and change the sa account password periodically.
Do not manage SQL Server by using the sa login account; assign the sysadmin privilege to a known user or group.
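The T-SQL below is an added example, not part of the deck, that applies the authentication slide on a SQL Server 2005 instance: it checks the authentication mode, hands sysadmin to a named Windows group, sets a policy-checked sa password and then goes one step further than the slide by disabling sa, and finally lists who actually holds sysadmin. The group name CONTOSO\SQL-Admins and the password value are placeholders; sp_addsrvrolemember is used instead of ALTER SERVER ROLE because the latter does not exist on 2005.

```sql
-- Added example (not from the original deck). Run as a member of sysadmin.
-- CONTOSO\SQL-Admins is a hypothetical Windows group; replace it with your own.

-- 1. Confirm the authentication mode: 1 = Windows Authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Give sysadmin to a known Windows group so nobody needs to administer as sa.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-Admins')
    CREATE LOGIN [CONTOSO\SQL-Admins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-Admins', @rolename = N'sysadmin';

-- 3. Set a strong sa password that the Windows password policy checks and expires
--    (forcing the periodic change the slide asks for), then disable the login.
--    Re-enable it only for the rare case where it is genuinely needed.
ALTER LOGIN [sa] WITH PASSWORD = N'ReplaceMe-With-A-Long-Random-Passphrase-2007!',  -- placeholder
                      CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN [sa] DISABLE;

-- 4. Review: every member of sysadmin, with type and disabled flag.
--    Expect the Windows group and a disabled sa (sid 0x01); anything else needs a reason.
SELECT m.name AS member, m.type_desc, m.is_disabled, m.sid
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

If the first query returns 0 and no legacy application or non-Windows client needs SQL logins, switch the instance to Windows Authentication mode; that setting lives in the server properties, not in T-SQL, and takes effect after a service restart.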
Patching
Always stay as current as possible.
Yes, that means installing patches over time, not only during the first install.
Enable automatic updates whenever feasible, but test them before applying to production systems.
Microsoft Update provides patches for SQL Server; Windows Update does not!
Deploy WSUS / SMS for internal control over patch deployment.
Surface area reduction
Install only those components that you will immediately use.
  Additional components can always be installed as needed.
Enable only the optional features that you will immediately use.
Develop a policy with respect to permitted network connectivity choices.
Use SQL Server Surface Area Configuration.
Turn off unneeded services by setting the service to either Manual startup or Disabled.
Use the Security Configuration Wizard.
Microsoft Baseline Security Analyzer and SQL Server Best Practices Analyzer
  Regularly run BPA against SQL Server 2005.
  Regularly run MBSA 2.0 to ensure the latest SQL Server 2005 patch level.
  Regularly run MBSA 2.0 for SQL Server 2000 instances.
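This added example (not from the deck) does from T-SQL what the Surface Area Configuration tool and the BPA/MBSA checks above do interactively: it reports the patch level from the Patching slide, audits the optional features that are off by default on SQL Server 2005, and switches off the ones commonly left on by accident. All option names are real sp_configure options on 2005; the feature list is my choice, not the deck's.

```sql
-- Added example (not from the original deck). Run as a member of sysadmin.

-- Patch level: ProductLevel reads RTM / SP1 / SP2, ProductVersion is the build number.
SELECT SERVERPROPERTY('ProductVersion') AS build,
       SERVERPROPERTY('ProductLevel')   AS service_pack,
       SERVERPROPERTY('Edition')        AS edition;

-- The feature switches are advanced options; make them visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Audit: which of the risky features are on right now (value_in_use = 1).
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries', N'clr enabled',
               N'Database Mail XPs', N'remote access',
               N'remote admin connections')
ORDER BY name;

-- Harden: turn them off. Re-enable one feature at a time, only when an application
-- being deployed actually needs it, and record why.
EXEC sp_configure 'xp_cmdshell', 0;                -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;  -- sp_OACreate and friends
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; -- OPENROWSET / OPENDATASOURCE
EXEC sp_configure 'clr enabled', 0;                -- .NET assemblies inside the engine
EXEC sp_configure 'Database Mail XPs', 0;          -- outbound mail from the engine
-- 'remote access' only governs remote stored-procedure calls between servers,
-- not client logins; it is not dynamic, so the change applies after a restart.
EXEC sp_configure 'remote access', 0;
RECONFIGURE;

-- Hide the advanced options again so routine sp_configure output stays short.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

'remote admin connections' is listed in the audit but left alone: it controls whether the Dedicated Administrator Connection accepts remote clients, and the default of 0 is already the safe value. 'SMO and DMO XPs' is deliberately not in the list because Management Studio depends on it.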
Network connectivity
Limit the network protocols supported.
Do not enable network protocols unless they are needed.
Do not expose a server that is running SQL Server to the public Internet.
Configure named instances of SQL Server to use specific port assignments for TCP/IP rather than dynamic ports. A static port lets you write a firewall rule for exactly one port and means clients no longer depend on reaching the SQL Browser service on UDP 1434.
Use the built-in Windows Firewall (or a third-party firewall).
Use IPSec for an additional layer of protection where needed.
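The port and protocol settings themselves are made in SQL Server Configuration Manager, but you can verify from inside the instance that they took effect. The query below is an added example, not from the deck, that groups the current connections by transport and local port and flags anything outside what you intended. The expected port 1433 is an example value; set it to the static port you chose.

```sql
-- Added example (not from the original deck). Run as a member of sysadmin.
-- @expected_port is an assumption; use the static port you configured for the instance.
DECLARE @expected_port INT;
SET @expected_port = 1433;

SELECT c.net_transport,        -- TCP, Shared memory, Named pipe, VIA, ...
       c.protocol_type,        -- TSQL for client connections
       c.local_tcp_port,       -- NULL for non-TCP transports
       c.encrypt_option,       -- TRUE when the session is SSL-encrypted
       COUNT(*) AS sessions,
       CASE WHEN c.net_transport = N'TCP' AND c.local_tcp_port <> @expected_port
                 THEN N'UNEXPECTED PORT - instance may still be on a dynamic port'
            WHEN c.net_transport NOT IN (N'TCP', N'Shared memory')
                 THEN N'UNEXPECTED PROTOCOL - disable it if nothing needs it'
            ELSE N'ok'
       END AS finding
FROM sys.dm_exec_connections c
GROUP BY c.net_transport, c.protocol_type, c.local_tcp_port, c.encrypt_option
ORDER BY c.net_transport, c.local_tcp_port;
```

sys.dm_exec_connections is a snapshot of sessions that are open at that moment (including your own), so run it during normal load, or repeat it, to see every transport that clients actually use before you disable any of them.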
References
SQL Server 2005 Security Best Practices - Operational and Administrative Tasks
http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx
Security Configuration Wizard Documentation
http://www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa00-3f2f20fd6171&DisplayLang=en
SQL Server 2005 Best Practices Analyzer
http://www.microsoft.com/downloads/details.aspx?FamilyID=da0531e4-e94c-4991-82fa-f0e3fbd05e63&DisplayLang=en
Server and Domain Isolation Using IPsec and Group Policy
http://www.microsoft.com/downloads/details.aspx?FamilyID=404fb62f-7cf7-48b5-a820-b881f63bc005&DisplayLang=en