8/3/2019 Securing Your SQL Server Database - Phua Chiu Kiang
http://slidepdf.com/reader/full/securing-your-sql-server-database-phua-chiu-kiang 1/16
Securing Your SQL Server Database
Phua Chiu Kiang
MVP – SQL Server
Agenda
• Top Database Server Threats
• Secure the Server
• Deprive your Development Account
• Prevent SQL Injection
• Encrypt Sensitive Information
• Protect the Connection Strings
Top Database Server Threats
Secure the Server
• Physical security
– Protect the file system and backups
– Consider database encryption
• Use a firewall – Default port 1433
• Reduce attack surface
• Disable unused network protocols
Secure the Server
• Use Windows Authentication Mode
• Enforce password policy for SQL logins
– SSL Network Encryption prevents sniffing
• Enable auditing (and monitor it!)
Deprive your Development Account
• Employ principle of least privilege
• Do not use sa/sysadmin/dbo account, even during development
– "we will fix it before production" (yeah, right)
• Create accounts and grant privileges as required
SQL Injection
• An attack in which malicious code is passed into strings for SQL Server to execute
• The most common form of injection comes from web forms
• Affects almost all web and database applications, not just SQL Server
SQL Injection Example 1
strQuery = "SELECT * FROM users WHERE name = '" + userName + "'"

userName = Bill
strQuery = "SELECT * FROM users WHERE name = 'Bill'"

userName = ' OR '1'='1
strQuery = "SELECT * FROM users WHERE name = '' OR '1'='1'"

userName = x'; SELECT * FROM users; DROP TABLE users;--
strQuery = "SELECT * FROM users WHERE name = 'x'; SELECT * FROM users; DROP TABLE users;--'"
Demo #1
SQL Injection
SQL Injection Example 2
• QueryString Injection
http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT TABLE_NAME, NULL, NULL FROM INFORMATION_SCHEMA.TABLES;--
• To determine number of columns
http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 4 -- (Error)
http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 3 -- (OK)
• To retrieve column names
http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT COLUMN_NAME, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS; --
SQL Injection Mitigation
• Follow the Golden Rule - All Input is Evil!
• Use parameterized queries
• Filter input strings
• Use parameters with dynamic SQL
• Avoid disclosing error information
• Use a scanning tool

// Doubles single quotes so the value can sit inside a string literal.
// Defence in depth only: parameterized queries remain the primary control.
private string SafeSqlLiteral(string inputSQL)
{
    return inputSQL.Replace("'", "''");
}
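The "Use parameters with dynamic SQL" point in T-SQL form, as an added example that is not part of the original slides: the concatenation pattern of Example 1 built with EXEC, beside the parameterized sp_executesql version. The dbo.users table, its rows and the @userName value are constructed for the demo.

```sql
-- Added example (not from the slides): dynamic SQL with and without parameters.
-- Table and rows are constructed for the demo.
CREATE TABLE dbo.users (id INT PRIMARY KEY, name NVARCHAR(50));
INSERT INTO dbo.users (id, name) VALUES (1, N'Bill'), (2, N'Alice');

-- The second payload from Example 1: a quote that closes the literal,
-- followed by an always-true condition.
DECLARE @userName NVARCHAR(100) = N''' OR ''1''=''1';

-- Vulnerable: the value is spliced into the statement text, so the payload
-- rewrites the WHERE clause and every row matches.
DECLARE @sqlBad NVARCHAR(MAX) =
    N'SELECT name FROM dbo.users WHERE name = ''' + @userName + N'''';
EXEC (@sqlBad);

-- Safe: the statement text is fixed and the value travels as a typed
-- parameter, so it is compared literally as a name and nothing matches.
DECLARE @sqlGood NVARCHAR(MAX) =
    N'SELECT name FROM dbo.users WHERE name = @name';
EXEC sys.sp_executesql @sqlGood, N'@name NVARCHAR(100)', @name = @userName;

-- Clean up the demo table.
DROP TABLE dbo.users;
```

Run both halves in one batch and compare the two result sets; the same @userName value reaches each statement, only the way it is bound differs.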
Parameterized Query Sample
using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Stored procedure call: the user-supplied values are bound as typed parameters.
    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}
Parameterized Query Sample
using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Inline SQL text with parameter placeholders; the values never become part of the statement text.
    SqlDataAdapter myCommand = new SqlDataAdapter("SELECT * FROM users WHERE id=@id AND password=@pwd", connection);
    myCommand.SelectCommand.CommandType = CommandType.Text;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}
Encrypt Sensitive Information
• Avoid creating your own encryption code
• SQL Server encryption mechanisms
– T-SQL functions (PWDENCRYPT, HASHBYTES)
– Asymmetric keys
– Symmetric keys
– Certificates
• Protect your connection strings!
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "C:\Microsoft .NET Pet Shop\Web"
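The symmetric-key path from the slide above, as an added example that is not part of the original deck: SQL Server's encryption hierarchy (database master key, then certificate, then symmetric key) protecting a column, plus HASHBYTES with a per-user salt for password storage. The key and table names, the master-key password and the card value are constructed; HASHBYTES with SHA2_256 needs SQL Server 2012 or later and CRYPT_GEN_RANDOM needs 2008 or later.

```sql
-- Added example (not from the slides): column encryption with the built-in
-- key hierarchy. Names, password and data values are constructed for the demo.

-- 1. Database master key, protected by a password (back it up and keep the
--    password out of source control).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dem0-MasterKey-Passw0rd!';

-- 2. Certificate, protected by the master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card data protection';

-- 3. Symmetric key, protected by the certificate.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

CREATE TABLE dbo.orders (id INT IDENTITY PRIMARY KEY, card VARBINARY(256));

-- Encrypt: the key must be opened in the session before EncryptByKey works.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.orders (card)
    VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111-0000-0000-0000'));  -- constructed value
CLOSE SYMMETRIC KEY CardKey;

-- Decrypt: only a principal allowed to open the key gets plaintext back;
-- everyone else sees the VARBINARY ciphertext.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT id, CONVERT(NVARCHAR(50), DecryptByKey(card)) AS card_plain
FROM dbo.orders;
CLOSE SYMMETRIC KEY CardKey;

-- Passwords are not encrypted but hashed, with a random per-user salt,
-- using the HASHBYTES function named on the slide.
DECLARE @salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
SELECT @salt AS salt,
       HASHBYTES('SHA2_256', @salt + CONVERT(VARBINARY(200), N'secret1')) AS pwd_hash;
```

Grant CONTROL or VIEW DEFINITION on the certificate and symmetric key only to the principals that must read the column; the table itself can stay readable without exposing the plaintext.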
Demo #2
SQL Server Encryption
Thank You
Q&A