Slide 1

Security in SQL Jon Holmes CIS 407 Fall 2007

Slide 2

Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections

Slide 3

Reduce Surface Area Database Engine Analysis Service Engine Reporting Services Integration Services Notification Services Documentation and Samples

Slide 4

Reduce Surface Area SQL Server Active Directory Helper SQL Server Agent SQL Server FullText Search SQL Server Browser SQL Server VSS Writer

Slide 5

Blocking ports MSSQL Ports 1433 / 1434 MySQL Ports 3306 Oracle 1521 / 1526

Slide 6

Connection Strings Contains Database Name Server Address/Name May Reveal Network Schema UserName Password

Slide 7

Connection Strings (Where?) Options? In Code Place in Text file In Application Configuration file Web.Config Application Settings

Slide 8

Authentication Windows accounts Machine Specific High Security SQL accounts Portable Less Secure

Slide 9

Permissions Microsoft says use Groups not User Specific rights. What happens when user leaves? Who is responsible?

Slide 10

Permissions One Database = One Owner Lowest possible Permissions Segregation of Duties Read Write

Slide 11

Storing Data Minimum Size Data Type Sproc Data Types match

Slide 12

SQL Injections Source: http://xkcd.com/327/

Slide 13

PrincipleImplementation Never trust user input Validate all textbox entries using validation controls, regular expressions, code, and so on Never use dynamic SQLUse parameterized SQL or stored procedures Never connect to a database using an admin-level account Use a limited access account to connect to the database Don't store secrets in plain text Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings Exceptions should divulge minimal information Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false Basic Rules

Slide 14

Injections Inputs Example Critical Information Outputs Sanitization

Slide 15

Handling Inputs Never trust the user. DropDown Lists ListBoxes Tables Query Strings Hidden Fields

Slide 16

Login Forms Login UserName Password LoginCancel X

Slide 17

Dynamic SQL //This code is susceptible to SQL injection attacks. Dim strQry As String strQry = "SELECT Count(*) FROM Users WHERE UserName='" & txtUser.Text & "' AND Password='" & txtPassword.Text & "'"

Slide 18

What will happen? Login or 1=1 -- ********* UserName Password LoginCancel X

Slide 19

Critical Information Passwords Strong Hashing Salts Other Information Hashing Salts

Slide 20

Handling Outputs Know what you are showing off What data is shown? Always validate authority Do not display schema Custom Tables Careful object reuse Errors Exceptions

Slide 21

Validation - Can use ASP.Net validation tools Pros Fast Easy Cons Javascript False security Know what is running where Always best to handle in code Sanitization

Slide 22

References Stop SQL Injection Attacks Before They Stop You SQL Server 2005 Security Best Practices