How to Secure Your SQL Server Instances
Artemakis Artemiou
Microsoft Data Platform MVP
Creator of DBA Security Advisor
Creator of In-Memory OLTP Simulator
Chief Author @ Artemiou SQL Books
CDNUG Lead, INETA-EU Country Lead (CY)
https://www.aartemiou.com
https://aartemiou.blogspot.com
July 14, 2016
Agenda
• Why is this Needed?
• Areas to Secure
• Introducing DBA Security Advisor
• Why use DBA Security Advisor?
• Resources
How to Secure your SQL Server Instances, by Artemakis Artemiou (Microsoft Data Platform MVP) 2
Why do I Need to Secure my SQL Server Instance?
• If you want to take DB security seriously (tip: you need to!)
• If you store your data in SQL Server databases
• Data is the most valuable asset within the Organization
• Your SQL Server instance is the next most valuable asset
Areas to Secure
• Not only SQL Server. There are subsystems and an entire ecosystem that supports SQL Server’s operation.
• You need to handle:
– Physical Security
– OS & Network Security: Service Packs, Upgrades/Patches
– Application Security
– SQL Server Instance and Database-Level Security
Physical Security
• Limit physical access to the physical server and hardware components.
• Establish a proper procedure with adequate controls in order to allow only authorized personnel to have physical access to the server.
OS & Network Security (I)
• Keep the OS up to date with the latest patches and service packs (after you have tested them with the database applications)
• Follow the least-privilege approach for service accounts
• Restrict access to SQL Server operating system files
OS & Network Security (II)
• Configure the firewalls
– Keep unauthorized users off the network
– Properly configure the firewall for the enabled SQL Server services (i.e. Database Engine/port, Integration Services, Analysis Services, etc.)
Application Security
• Secure your client applications
– Do not expose user passwords in code. Use encrypted connection strings.
– Prefer Windows Authentication instead of SQL Server and Windows Authentication (mixed mode) for connecting to SQL Server.
– Prefer and support an encrypted connection to the SQL Server instance.
SQL Server Instance & DB-Level Security (I)
• Check the server-level permissions
– Example 1: Check which logins have SysAdmin access
– Example 2: Check which logins have SecurityAdmin access
• Check generally all access levels and permissions
– Example: Check which logins have db_owner, db_datawriter, etc. access
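The permission checks on this slide as T-SQL, added here as an example (this is not code from the deck or from DBA Security Advisor). It assumes a SQL Server 2012 or later instance and a login that can read the server-level catalog views (VIEW ANY DEFINITION or sysadmin). Beyond the two examples on the slide it also lists logins with an explicit CONTROL SERVER grant, which are sysadmin-equivalent without being role members, and it collects db_owner / db_datawriter membership from every online database into one result set instead of only the current one.

```sql
-- Added example (not from the deck or from DBA Security Advisor): list the logins
-- behind the checks on this slide. Assumes SQL Server 2012+ and a login that can
-- read the server-level catalog views (VIEW ANY DEFINITION or sysadmin).

-- Examples 1 and 2: members of the sysadmin and securityadmin fixed server roles.
SELECT r.name       AS server_role,
       m.name       AS member_login,
       m.type_desc  AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;

-- A login granted CONTROL SERVER directly is sysadmin-equivalent but does not
-- appear in the role membership above, so check the explicit grants as well.
SELECT p.name AS login_name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER'
  AND sp.state IN ('G', 'W');          -- GRANT / GRANT WITH GRANT OPTION

-- Database level: db_owner and db_datawriter members in every online database,
-- collected into one result set. Each user is mapped back to its login via the SID
-- so the report shows who can actually connect with that right.
CREATE TABLE #DbRoleMembers
(
    database_name sysname,
    database_role sysname,
    database_user sysname,
    mapped_login  sysname NULL           -- NULL = orphaned or contained user
);

-- Build one INSERT per database; three-part names avoid a USE per database.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'
INSERT INTO #DbRoleMembers
SELECT ' + QUOTENAME(d.name, '''') + N', r.name, u.name, sp.name
FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members AS drm
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals  AS r  ON r.principal_id = drm.role_principal_id
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals  AS u  ON u.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = u.sid
WHERE r.name IN (N''db_owner'', N''db_datawriter'');'
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE';

EXEC sys.sp_executesql @sql;

SELECT * FROM #DbRoleMembers
ORDER BY database_name, database_role, database_user;

DROP TABLE #DbRoleMembers;
```

A row with a NULL mapped_login in the last result set is itself a finding: either an orphaned user that still holds db_owner, or a contained database user, both of which deserve a closer look.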
SQL Server Instance & DB-Level Security (II)
• Check the surface area – whether the following server configuration options are enabled or not:
– Ad Hoc Distributed Queries
– CLR Enabled & CLR assembly permission sets
– Cross DB Ownership Chaining
– Database Mail XPs
– xp_cmdshell
– etc.
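An added example (not from the deck or from DBA Security Advisor) that reports the surface-area options listed on this slide, flags the ones that are on, and shows the sp_configure pattern used to turn an unneeded option off. It assumes SQL Server 2012 or later and a sysadmin login (reading sys.configurations needs less, but the remediation needs ALTER SETTINGS). 'Ole Automation Procedures' is added to the slide's list under its "etc."; the per-database chaining/TRUSTWORTHY query and the CLR assembly query cover the parts of the check that sys.configurations alone does not show.

```sql
-- Added example (not from the deck or DBA Security Advisor): surface-area review.
-- Assumes SQL Server 2012+ and sysadmin (ALTER SETTINGS is needed for sp_configure).

-- Server-level options. value_in_use is the running value; value is the configured
-- value that takes effect at the next RECONFIGURE.
SELECT c.name,
       c.value_in_use,
       CASE WHEN c.value_in_use = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS assessment
FROM sys.configurations AS c
WHERE c.name IN (N'Ad Hoc Distributed Queries',
                 N'clr enabled',
                 N'cross db ownership chaining',
                 N'Database Mail XPs',
                 N'xp_cmdshell',
                 N'Ole Automation Procedures')   -- added under the slide's "etc."
ORDER BY c.name;

-- Per-database view of the chaining risk: chaining or TRUSTWORTHY switched on for a
-- single database does not show up in sys.configurations.
SELECT d.name, d.is_db_chaining_on, d.is_trustworthy_on, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.database_id > 4                           -- skip master, tempdb, model, msdb
  AND (d.is_db_chaining_on = 1 OR d.is_trustworthy_on = 1);

-- CLR assembly permission sets in the current database: anything beyond SAFE_ACCESS
-- can reach outside the database engine and needs a documented justification.
SELECT DB_NAME() AS database_name, a.name AS assembly_name, a.permission_set_desc, a.create_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> N'SAFE_ACCESS';

-- Remediation pattern for an option that is not needed, xp_cmdshell used as the
-- example. Left commented out: confirm nothing depends on the option before running.
/*
EXEC sys.sp_configure N'show advanced options', 1;   -- xp_cmdshell is an advanced option
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;             -- 0 = disabled
RECONFIGURE;
EXEC sys.sp_configure N'show advanced options', 0;
RECONFIGURE;
*/
```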
SQL Server Instance & DB-Level Security (III)
• Check other authentication and authorization settings
– Server authentication mode
– Guest user permissions
– Orphaned users
– etc.
• Check auditing settings
– Both failed and successful logins?
– Default trace enabled?
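The authentication, authorization and auditing checks on this slide as T-SQL, added here as an example (not code from the deck or from DBA Security Advisor). It assumes SQL Server 2012 or later and a sysadmin login, and it assumes the login-auditing setting is the instance's AuditLevel registry value, read through xp_instance_regread; that procedure is undocumented, so treat it as the assumption it is. The guest and orphaned-user queries run against the current database.

```sql
-- Added example (not from the deck or DBA Security Advisor). Assumes SQL Server 2012+,
-- sysadmin, and that login auditing is stored in the instance's AuditLevel registry
-- value (read via the undocumented xp_instance_regread).

-- Server authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Login auditing: 0 = none, 1 = successful only, 2 = failed only, 3 = both.
DECLARE @audit_level int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT @audit_level AS audit_level,
       CASE @audit_level
            WHEN 0 THEN 'none'
            WHEN 1 THEN 'successful logins only'
            WHEN 2 THEN 'failed logins only'
            WHEN 3 THEN 'failed and successful logins'
       END AS meaning;

-- Default trace: the option must be on and the trace must actually be running.
SELECT c.value_in_use AS default_trace_enabled
FROM sys.configurations AS c
WHERE c.name = N'default trace enabled';
SELECT t.id, t.path, t.status                    -- status 1 = running, 0 = stopped
FROM sys.traces AS t
WHERE t.is_default = 1;

-- Guest user: CONNECT granted to guest lets any login enter this database.
-- Expected (and not revocable) in master, tempdb and msdb; suspicious elsewhere.
SELECT DB_NAME() AS database_name, dp.name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'guest'
  AND pe.permission_name = N'CONNECT'
  AND pe.state_desc = N'GRANT';

-- Orphaned users in the current database: SQL or Windows users whose SID no longer
-- matches any server login. Users created WITHOUT LOGIN and contained users are skipped.
SELECT dp.name AS orphaned_user, dp.type_desc, dp.authentication_type_desc, dp.create_date
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.type IN ('S', 'U', 'G')                 -- SQL user, Windows user, Windows group
  AND dp.authentication_type_desc IN (N'INSTANCE', N'WINDOWS')
  AND dp.name NOT IN (N'dbo', N'guest', N'INFORMATION_SCHEMA', N'sys');
```

An orphaned user is not only an administrative leftover: if a new login is later created with the same SID (for example by restoring the database on another instance where a login with that SID exists), it silently inherits every permission the old user held.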
SQL Server Instance & DB-Level Security (IV)
• Check password policies for SQL logins
– Password expiration
– Password policy
• Other checks
– Is Transparent Data Encryption used?
– SQL Server Version
• Test your database applications and, if OK, consider upgrading to the latest version
SQL Server Instance & DB-Level Security (V)
• Other checks
– Service Packs
• Test your database applications and, if OK, consider upgrading to the latest service pack.
– Are your databases successfully being backed up?
– Do BUILTIN\Administrators have any permissions on the SQL Server instance? If yes, they should not.
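The remaining checks from slides IV and V (password policy, TDE, version and service pack, backups, BUILTIN\Administrators) in one added T-SQL example; this is not code from the deck or from DBA Security Advisor. It assumes SQL Server 2012 or later and a sysadmin login (msdb backup history and sys.dm_database_encryption_keys need elevated rights). The 24-hour threshold in the backup assessment is an assumed value chosen for the example, not something the slides specify.

```sql
-- Added example (not from the deck or DBA Security Advisor): "other checks" from
-- slides IV and V. Assumes SQL Server 2012+ and sysadmin.

-- Password policy / expiration for SQL logins. Both flags should be 1 for interactive
-- logins; service logins often have expiration off by design, so each row needs a
-- human decision rather than an automatic fix.
SELECT l.name,
       l.is_policy_checked,
       l.is_expiration_checked,
       l.is_disabled,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0 OR l.is_expiration_checked = 0
ORDER BY l.name;

-- Transparent Data Encryption per user database.
-- encryption_state 3 = encrypted; NULL = no encryption key; 2 = encryption in progress.
SELECT d.name, d.is_encrypted, k.encryption_state, k.encryptor_type, k.key_algorithm, k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4
ORDER BY d.name;

-- Version and service-pack level, to compare against the vendor's supported builds
-- before planning an upgrade (test the applications first, as the slides say).
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,      -- RTM, SP1, SP2, ...
       SERVERPROPERTY('Edition')        AS edition;

-- Backups: last full and log backup per database from msdb history. The 24h threshold
-- is an assumed value for this example; set it to your own backup schedule.
SELECT d.name,
       d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full_backup,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log_backup,
       CASE WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) IS NULL
                 THEN 'NEVER BACKED UP'
            WHEN MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) < DATEADD(day, -1, GETDATE())
                 THEN 'full backup older than 24h'
            ELSE 'ok'
       END AS assessment
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.name <> N'tempdb'
GROUP BY d.name, d.recovery_model_desc
ORDER BY d.name;

-- BUILTIN\Administrators: per the slide, the local Administrators group should hold
-- no permissions on the instance. An empty result set here is the good case.
SELECT sp.name, sp.is_disabled, r.name AS server_role, pe.permission_name, pe.state_desc
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_permissions  AS pe ON pe.grantee_principal_id = sp.principal_id
WHERE sp.name = N'BUILTIN\Administrators';
-- Remediation, once you have confirmed nobody relies on the group for access:
-- DROP LOGIN [BUILTIN\Administrators];
```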
Introducing: DBA Security Advisor
What is DBA Security Advisor?
A software tool which assesses SQL Server instances for potential security risks, using a rich set of proven best-practice security checks.
DBA Security Advisor: Main Features (I)
• Assesses single or multiple SQL Server instances
• Rich set of security checks (more than 30 checks)
• Provides recommendations
• Generates remediation scripts and suggests remediation methods
*Note: Only the Enterprise Edition of DBA Security Advisor has all features available. The Community Edition has limited features. For more info please visit: https://www.dbasecadvisor.com/features/
DBA Security Advisor: Main Features (II)
• Maintains report history
• Rich set of export options
• Report with information on connected SQL instances
DBA Security Advisor: Screenshots
[Six slides of screenshots of the tool; the images are not included in the transcript.]
DBA Security Advisor: Why Use It?
• An easy way to constantly assess your SQL Server instances for security risks.
• Can be part of your global systems’ hardening process.
• You get recommendations and remediation scripts/methods for detected security risks.
• You can monitor your SQL Server instances’ hardening progress via the History mechanism.
DBA Security Advisor
Get it today at:
www.dbasecadvisor.com
Resources
• DBA Security Advisor Official Website
– https://www.dbasecadvisor.com
• DBA Security Advisor Blog
– http://blog.dbasecadvisor.com
• MSDN Article: Securing SQL Server
– https://msdn.microsoft.com/en-us/library/bb283235.aspx
• The SQL Server and .NET Blog
– https://aartemiou.blogspot.com
• My Official Website
– https://www.aartemiou.com