OPASS – MARCH 8, 2012 K. Brian Kelley MCSE, CISA, Security+, MVP-SQL Server The Dirty Business...

Post on 04-Jan-2016


OPASS – MARCH 8, 2012

K. Brian Kelley

MCSE, CISA, Security+, MVP-SQL Server

The Dirty Business of Auditing
Auditing SQL Server (2000 – 2008R2)

MY BACKGROUND

Database Administrator / Architect
Infrastructure and security architect
Incident response team lead

Certified Information Systems Auditor (CISA)

SQL Server security columnist / blogger

Co-Author of:
  How to Cheat at Securing SQL Server 2005 (Syngress)
  Professional SQL Server 2008 Administration (Wrox)
  Introduction to SQL Server (Texas Publishing)

CONTACT INFORMATION

Mail: kbriankelley@acm.org
Twitter: @kbriankelley
Blogs:
  SQL Server Central
  http://gkdba.wordpress.com/

AGENDA FOR TONIGHT

Why auditors can’t audit SQL Server: “Tag, you’re It”
SQL Server Surface Area
Server Level Auditing
Database Level Auditing

INFORMATION DISCLOSURE ISSUE

SQL Server 2000 – If you have access to the DB, you can audit it
  But so can anyone… Catch-22

SQL Server 2005+, you must have permissions to object.

Recommendation: Automate the auditing. Use service account with proper permissions.

SURFACE AREA – FROM REMOTE

Quest Discovery Wizard
SQL Ping
MS Assessment and Planning (MAP) tool
nmap
General scanner – Qualys, Nessus

SURFACE AREA – ON THE SERVER

SQL Server 2000: SQL Server Server Network Utility

SQL Server 2005 only: SQL Server Surface Area Configuration

SQL Server 2005 and above: SQL Server Configuration Manager

WHAT TO LOOK FOR

What network protocols
What ports SQL Server is listening on
Whether remote connections are allowed

SERVER LEVEL CONCERNS

SQL Server 2000 and above
SQL Server 2005 and above

ALL VERSIONS

Logins
  SQL Server logins
  Windows users
  Windows groups
Server Roles

WHAT TO LOOK FOR

Windows users (not service accounts)
A lot of SQL Server logins
Members of:
  sysadmin
  securityadmin
  serveradmin
  processadmin

Use of sa or sysadmin level accounts

SQL SERVER 2005 AND ABOVE

Server level securables
DAC (remote)
OLE automation
SQL Mail
xp_cmdshell
Password policy enforcement
Impersonation of Logins

VISUALIZING SECURABLES

WHAT TO LOOK FOR (2005+)

Everything in the all-versions list
CONTROL permission at Server level
IMPERSONATE of sa or sysadmin logins
SQL logins without full password policy enforcement:
  No enforcement at all
  Password never expires
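The server-level checks from the two "What to look for" slides above, written out as T-SQL catalog queries. This is an added example, not part of the deck; it assumes SQL Server 2005 or later (the catalog views it uses do not exist in 2000) and a login that can read server metadata, such as the auditing service account the deck recommends.

```sql
-- Added example (not from the slides): server-level audit queries for
-- SQL Server 2005+. Run from the automated auditing service account.

-- 1. Members of the high-privilege fixed server roles.
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- 2. Windows user logins (not groups) and SQL Server logins, so the
--    reviewer can spot non-service Windows users and "a lot of" SQL logins.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'S')        -- U = Windows user, S = SQL login
  AND name NOT LIKE '##%'       -- skip certificate-based system logins
ORDER BY type_desc, name;

-- 3. SQL logins without full password policy enforcement.
SELECT name,
       CASE WHEN is_policy_checked = 0     THEN 'No enforcement at all'
            WHEN is_expiration_checked = 0 THEN 'Password never expires'
       END AS finding
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 4. CONTROL SERVER grants, and IMPERSONATE on sa (matched by its fixed
--    SID 0x01, so a renamed sa is still caught) or on any sysadmin login.
SELECT p.permission_name, p.state_desc, g.name AS grantee,
       COALESCE(t.name, '(server)') AS on_principal
FROM sys.server_permissions AS p
JOIN sys.server_principals AS g ON g.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals AS t
       ON p.class_desc = 'SERVER_PRINCIPAL' AND t.principal_id = p.major_id
WHERE (p.class_desc = 'SERVER' AND p.permission_name = 'CONTROL SERVER')
   OR (p.permission_name = 'IMPERSONATE'
       AND (t.sid = 0x01 OR IS_SRVROLEMEMBER('sysadmin', t.name) = 1));
```

Any row from queries 3 and 4, and any unexpected member in query 1, is a finding to raise with the DBA; query 2 is an inventory to review against the list of known service accounts.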

DATABASE LEVEL CONCERNS

SQL Server 2000 and above
SQL Server 2005 and above

ALL VERSIONS

How database users map to server logins
Use of guest user (except system DBs)
Database Owner (maps as dbo)
Members of database roles:
  db_owner
  db_ddladmin
  db_securityadmin

Database level permissions (CREATE)

SQL SERVER 2005+

Permissions at database securable level
Permissions at schema securable level
Encryption key escrow

WHAT TO LOOK FOR

Use of database owner by application
Use of db_owner by application
End users with too many rights
Developers in the following roles in prod:
  db_owner
  db_ddladmin
  db_securityadmin

QUESTIONS & ANSWERS