Denali Sql Server Security

Post on 07-Jul-2015


description

Get up to speed on the new security features in "Denali", the next version of SQL Server. Disclose the new permissions, roles and encryption added to Denali. You'll discover some commonly overlooked practices in securing your SQL Server databases. Learn about physical security, passwords, privileges and roles, and preventative best practices. I'll demonstrate auditing and .Net code samples to use on your applications to prevent vulnerabilities.

transcript

101: Intro to Security

SQL Server 7, 2000, 2005 and 2008

.Net Developer VB.Net and C#

www.extofer.com

twitter: @extofer

“Please allow me to introduce myself” … Rolling Stones

Gabriel Villa

101 Session Outline

SQL Server Threats

Write Secure Code

Auditing

Roles

Best Practices

Passwords

Physical Security

Security Patches

Network Security

Best Practices Resources

SQL Server Threats

Social Engineering

Manipulating people to gather data

Not using technical cracking tools or techniques

SQL Injection

Vulnerable to any RDBMS, not just MS SQL Server

Attackers post SQL commands via front-end applications

Tools: ' , --, ;

SQL Injection

Write Secure Code

Check for Valid Input

DDL Triggers

Use Stored Procedures

Use Parameters

Customize Error Messages

Avoid errors returning securable names

Source Control

New “Denali” Auditing Features

SQL Auditing for all editions

User Defined Audit – applications write custom events to audit logs

Filtering – filter unwanted events

Resilience – recover auditing data from a temporary file on network issues

Roles and “Denali” Roles

Group users into roles based on usage

Database Roles and Server Roles

Server Level Roles

sysadmin, bulkadmin, securityadmin, dbcreator

“Denali” User Defined Server Roles

Allow creation of new Server Roles

Help prevent the use of sysadmin

Tip: Authentication

Windows Authentication

Active Directory Integration

Supports Groups

Use Whenever Possible

Authentication

Mixed Authentication

Legacy or Hard Coded Referenced Logins

Non Windows Clients

Connections over Internet

Authentication

Passwords

DO NOT hardcode passwords

ASP.Net encrypt web.config

Encrypt password in your code

Strong Passwords

8 to 10 characters minimum

Leet speak or special characters (i.e. s = 5 or 3 = E)

SQLPing checks for default passwords

Change passwords frequently

Physical Security

Lock server room or rack when not in use

Restrict access by unauthorized individuals

If feasible, use security cameras

Security Patches

Second Tuesday of every month

Test updates or hotfixes immediately on non-production servers

Schedule patches soon after tested

Network Security

Avoid network shares on servers

Don’t surf the Web on the server

Only enable required protocols

Keep servers behind a firewall

Questions??

Slide Deck at http://www.extofer.com

Gabriel Villa

email: extofer@gmail.com

blog: www.extofer.com

twitter: @extofer

Auditing

Server and Database Level Events

Server Operations

Database Actions

Audit Specifications

Server Audit Specification

Audit Failed Login Attempts
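The following T-SQL is an added example, not code from the slide deck: it sets up the Denali auditing features listed above (a server audit with a filter predicate and resilience options, a server audit specification for failed logins, a user-defined audit event) together with a user-defined server role in place of sysadmin. The audit name, file path, role name and login name are placeholders.

```sql
USE master;
GO

-- 1. Server audit with a file target. The WHERE predicate is the Denali filter
--    (drop noise from a placeholder monitoring login); ON_FAILURE = CONTINUE and
--    QUEUE_DELAY keep the instance running and buffer events if the target is
--    briefly unreachable.
CREATE SERVER AUDIT Audit_Logins
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
WHERE server_principal_name <> 'monitoring_svc';
GO

-- 2. Server audit specification: record failed login attempts, and enable the
--    user-defined group so applications can write their own events.
CREATE SERVER AUDIT SPECIFICATION Audit_Logins_Spec
FOR SERVER AUDIT Audit_Logins
    ADD (FAILED_LOGIN_GROUP),
    ADD (USER_DEFINED_AUDIT_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT Audit_Logins WITH (STATE = ON);
GO

-- 3. User-defined audit: an application writes a custom event into the same trail.
EXEC sp_audit_write @user_defined_event_id = 27,
                    @succeeded = 1,
                    @user_defined_information = N'Price list export by app user 42';
GO

-- 4. User-defined server role: grant a deployment login only what it needs
--    instead of making it sysadmin.
CREATE SERVER ROLE deployers;
GRANT ALTER ANY DATABASE TO deployers;   -- create and alter databases
GRANT VIEW SERVER STATE TO deployers;    -- read DMVs for troubleshooting
ALTER SERVER ROLE deployers ADD MEMBER app_deployer;
GO

-- 5. Read the audit trail back: failed logins and custom events, newest first.
SELECT event_time, action_id, succeeded, server_principal_name, client_ip,
       user_defined_event_id, user_defined_information
FROM sys.fn_get_audit_file('D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Repeated rows with action_id LGIF from one client_ip are the failed-login pattern to alert on; the user-defined rows show where the application itself flagged an action.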