Intrusion Detection And Prevention System: SQL-Injection ...
SQL Server Security and Intrusion Prevention
Transcript of SQL Server Security and Intrusion Prevention
Recently moved to Colorado Springs
SQL Server 7, 2000, 2005 and 2008
.Net Developer VB.Net and C#
www.extofer.com
twitter: @extofer
Security Model
Authentication
Passwords
Threats
Physical Security and other best practices
Principals: Windows Users, SQL Logins, Roles, Groups
Securables: Schemas
Windows Users
SQL Login
Database Users
DB Roles
Schemas
Windows Authentication
Domain or local Windows Account
Active Directory Integration
Supports Groups
Use Whenever Possible
Mixed Authentication
Legacy or Hard Coded Referenced Logins
Non Windows Clients
Connections over Internet
Strong Password
10 – 12 characters in length
Use Upper and Lower Case
Numbers
Special Characters (symbols)
l33t speak
E = 3, A = 4 or @, T = + or 7
l33t password generator
DO NOT hardcode passwords
ASP.Net encrypt web.config
Encrypt password in your code
SQLPing checks for default passwords
Change passwords frequently
Do Not use the same passwords
Social Engineering
SQL Injection
Beware of Port Sniffers
Social Engineering
Manipulating people to gather data
Not using technical cracking tools or techniques
SQL Injection
Any RDBMS is vulnerable, not just MS SQL Server
Attackers post SQL commands via front-end applications
Tools: ' , --, ;
Check for Valid Input
DDL Triggers
Use Stored Procedures
Use Parameters
Customize Error Messages
Avoid errors returning securable names
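The three mitigations above (valid input, stored procedures, parameters) and the error-message point, as an added C# example that is not part of the slide deck; the connection string, the Customers table, the LastName column and the dbo.GetCustomerByLastName procedure are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the slides: vulnerable concatenation next to the parameterized and
// stored-procedure forms. Connection string, table, column and procedure names are assumed.
static class CustomerLookup
{
    // Vulnerable: user input becomes part of the SQL text, so ' -- ; alter
    // the statement instead of being treated as a value.
    public static string BuildUnsafeQuery(string lastName) =>
        "SELECT CustomerId, LastName FROM Customers WHERE LastName = '" + lastName + "'";

    // Safe: input travels as a typed parameter, never as SQL text.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string lastName)
    {
        // Check for valid input before it reaches the database.
        if (string.IsNullOrWhiteSpace(lastName) || lastName.Length > 50)
            throw new ArgumentException("Last name must be 1-50 characters.", nameof(lastName));
        var cmd = new SqlCommand("SELECT CustomerId, LastName FROM Customers WHERE LastName = @LastName", conn);
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    // Same lookup through a stored procedure, also parameterized.
    public static SqlCommand BuildProcCommand(SqlConnection conn, string lastName)
    {
        var cmd = new SqlCommand("dbo.GetCustomerByLastName", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    public static void Main()
    {
        string input = "Smith' OR 1=1 --"; // constructed hostile input built from the slide's ' and --
        Console.WriteLine(BuildUnsafeQuery(input)); // the WHERE clause is now always true
        using var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true;");
        try
        {
            conn.Open();
            using var reader = BuildSafeCommand(conn, input).ExecuteReader();
            while (reader.Read()) Console.WriteLine(reader["LastName"]); // matches no row
        }
        catch (SqlException ex)
        {
            // Customized error message: keep the detail in the log, return nothing about schema to the user.
            Console.Error.WriteLine("Lookup failed, SQL error " + ex.Number);
            Console.WriteLine("Unable to complete your request.");
        }
    }
}
```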
Change default port
Lock server room or rack when not in use
Restrict access to unauthorized individuals
If feasible, use security cameras
Patch Tuesday: second Tuesday of every month
Test updates or hotfixes immediately on non-production servers
Schedule patches soon after tested
Avoid network shares on servers
Don’t surf the Web on the server
Only enable required protocols
Keep servers behind a firewall
Encrypt your DB backups
Test backups by restoring
Restrict system stored procedures and extended stored procedures (XPs)
http://www.sqlservercentral.com/Books/
Defensive Database Programming by Alex Kuznetsov
Protecting SQL Server Data by John Magnabosco
SQL Server Tacklebox by Rodney Landrum
Slide Deck at http://www.extofer.com
Gabriel Villa
email: [email protected]
blog: www.extofer.com
twitter: @extofer