11/22/21, 7:38 PM DBA: SQL Server Security Best Practices

HOME DECODED BEER ABOUT CONTACT RSS

May 14, 2013 IT Security | SQL | Technology

DBA: SQL Server Security Best

Practices
LATEST BLOG POSTS

C:RETRO ROO>
Keywords:
By David K. Sutton ATARI XEGS
audit backup best REBOOT, PART
practices business
continuity database DBA 1: 8-BIT
disaster recovery security NOSTALGIA
SQL sysadmin October 7th,
0 Comments 2016
Decades in the
Tweet this Post making, now the
moment of truth.
Plugs seated, power
anchor dropped,
and after a not- [...]

Secure Passwords:
What You’ve Been
Taught Is Wrong
SHARE THIS POST
START HERE
Raving Roo is a tech
blog covering IT
topics including
Windows, Mac, Active
Directory, and
information security.
And we also feature
craft beer reviews!
To get started, check
out today's most
popular posts, browse
our categories, or
perform a search:
POPULAR TODAY
Car Won't Start? Is It
Parked On A Hill?
How To: Transparent
Terminal Window In
FIX: GOOGLE
CHROME SLOW
SCROLLING ON
MACBOOK
As part of an internal security review, I put together the October 5th,
2016
following best practices guideline to secure SQL servers.
This fix may work
This is just an example, and is not meant to be a on other platforms,
but I can only verify
comprehensive list of SQL server security parameters. that it works on
my 2013 MacBook
Air run [...]
DATABASE CREATION AND CHANGES
WINDOWS 2012
New databases must be requested using a SQL database R2 REMOTE
request form with proper documentation including DESKTOP IS A
BLACK SCREEN
application owner, purpose, etc. Refer to my blog post WITH COMMAND
(“DBA: Create A SQL Server Database Request Form For PROMPT ONLY
August 31st,
Auditing, Change Tracking And Security“) for a
2016
database request form example.
If you ever find
yourself in a
Database changes (example: moving a database to a situation where
different SQL server) should also be requested via the Windows Server
2012 R2 decides to
SQL database request form. This will also serve to spontaneously
switc [...]
document existing databases and their purpose.
If given the option, name new databases descriptively.
(Some applications may not allow for custom names) MERGE MP3
FILES USING

https://ravingroo.com/249/dba-sql-server-database-security-best-practices-business-continuity/ 1/5
11/22/21, 7:38 PM DBA: SQL Server Security Best Practices
Mac OS X NEVER use the SQL SA account (or any account with SA CAT COMMAND
ON MAC OS X
Mac: How To Display equivalence) as a service account for application access to February 24th,
Photo Slideshow
Using OS X Finder
a database. 2016
Are you looking for
Create a unique SQL login account (“service account”) for a super quick way
CATEGORIES each application with a descriptive name and a secure to merge multiple
MP3 files into one

Active Directory password (example: no dictionary words, at least 10 big MP3 file? This
can be [...]
Citrix XenApp characters in length with a combination of lower case,
CSS upper case, numbers and symbols). FIX: CORRUPT
WINDOWS 2012
Exchange
If you do not enforce a password change policy on SQL RDS BASIC
Featured Beer COLOR SCHEME
accounts used by applications (“service accounts”) then
Gaming January 18th,
devise a manual process of regular password changes for 2016
Google Chrome
each account. This is a bizarre
How To
issue that has
iOS Most service accounts have full database access, but if this happened on
multiple occasions
IT How To is not necessary, limit access to the level required. with Windows 2012
IT Security servers in a
Remot [...]
Linux
Mac SECURITY AUDITING IPHONE / MAC
Movies TEXT
REPLACEMENT:
Office Each SQL server should have an internal audit conducted
SHORTCUTS
Office 365 quarterly using an internal audit procedure. Refer to my FOR PHRASES
Photography blog post (“DBA: SQL Audit Checklist For Internal January 10th,
2016
Privacy Security Review“) for an example of a checklist you can
Retro Roo use to audit your SQL servers. In both iOS and
Mac OS X, Apple
Sports offers a feature
Maintain unique copies of the checklist for each SQL called Text
SQL Replacement that
server and each quarterly audit for reference. allows you to
Technology
configur [...]
Television Checklist items must be re-produced for each audit. (Do
VMware not copy and paste) HOW TO EDIT
Windows GOOGLE

Windows Server 2012

Compare new results against old results and document CHROME
CUSTOM SPELL
WordPress reasons for changes. CHECK
DICTIONARY
January 6th,
SEARCH
2016
SECURING PHYSICAL SERVER
Type your query, hit e So, you've
accidentally added
Limit the number of employees who have physical access a misspelled word

Oh, and about those

to the SQL server. If your SQL server is in a computer to Google Chrome's
custom dictionary,
craft beer reviews... room with code access, limit the number of employees how do you
rem [...]
who have access to this code, and change the code on a
Our methodology of
craft beer reviews is regular basis. OFFICE:
refined to this QUICKLY
exacting standard: No Configure alerts (example: email via HP iLO or Dell REMOVE TEXT
point in wasting our DRAC) for hardware warnings and failures. FORMATTING
time or yours on a FROM COPY-
nasty grog...
PASTE

January 6th,
The Roo Only Raves
SECURING VIRTUAL SERVER / SERVER OS 2016
What It Craves. Here are two

lynda.com online Limit the number of employees who have administrative quicker methods to
copy-paste
training tutorials access via VMware console (or other virtual console) and formatted text as
unformatted text in
Remote Desktop Services.
Microsoft Office
Ou [...]
Consider limiting OS administrator access to only SQL
admins (via AD group and Group Policy Object).
FOLLOW US

https://ravingroo.com/249/dba-sql-server-database-security-best-practices-business-continuity/ 2/5
11/22/21, 7:38 PM DBA: SQL Server Security Best Practices

SECURING SQL Follow

All SQL and Windows AD accounts that have access to Like 9

SQL databases should be documented. Consider an access
request form for user access with supervisor/manager
Raving Roo
approval. 9 likes

SQL login auditing should be configured to audit “Failed

logins” and a procedure should be created to review failed
logins and other security data regularly. Like Page

Remove any unneeded databases (sample databases like

AdventureWorks). Raving Roo
about 5 years ago

Change the default SA account password to a secure Decades in the making, now
password (example: no dictionary words, at least 10 the moment of truth. Plugs
characters in length with a combination of lower case, seated, power anchor
upper case, numbers and symbols). dropped, and after a not-so-
confident yielding press of a
Consider renaming or disabling the SA account. bloated candy-like teal button
and subsequent moment of
Only use named user accounts for SQL administrative silence, one thought remains:
purposes. (No shared accounts) I need proof of life. But,
suddenly the room is quiet no
Limit SQL SA equivalent access to SQL admins only. (Use
more. Ah yes, I remember tha
AD group mentioned in Section 4) sound! An unsophisticated bu
satisfying reminiscent rumble
Only use SQL login accounts (“service accounts”) for
emanates out the speaker of
applications. an old cathode ray tube. [
Only assign permissions necessary for SQL accounts to 1 342 more word ]

perform their required function.

All accounts for named user access should be controlled
by AD. (Don’t create SQL logins for named users)
Do not share any folders (especially database folders) on
the network.
Do not assign elevated security permissions to SQL
installation locations or database directories.

BUSINESS CONTINUITY / DISASTER

RECOVERY

Confirm a maintenance plan and automated schedule is

in place for all databases that require backups. A typical
backup plan creates a new full database copy each night
and keeps a specified number of old backups (depending
on disk space limitations).
Confirm a secondary off-site backup method is configured
to archive the above database copies (either tape, or copy
to volume that syncs to disaster recovery location).
Confirm backup jobs (both local SQL and off-site)
complete successfully and configure some form of email
alert when backup jobs fail.

Monitor CPU/memory/disk utilization and plan upgrades

accordingly.
https://ravingroo.com/249/dba-sql-server-database-security-best-practices-business-continuity/ 3/5
11/22/21, 7:38 PM DBA: SQL Server Security Best Practices

/ photo by jimgris

PLEASE SHARE YOUR TH…

0 Comments

Add a comment...

Facebook Comments Plugin

ALSO ON RAVING ROO

iPhone / Mac Text Captain Obvious Log: Batch File:

Replacement: … Hide Remote … Ping Failur
6 years ago • 1 comment 7 years ago • 1 comment 8 years ago • 13

In both iOS and Mac OS X, In this installment of Create a simpl

Apple offers a feature called Captain Obvious Log, we that outputs to
Text Replacement that … focus our attention on the … ONLY when a

https://ravingroo.com/249/dba-sql-server-database-security-best-practices-business-continuity/ 4/5
11/22/21, 7:38 PM DBA: SQL Server Security Best Practices

0 Comments Raving Roo 🔒 Privacy Policy 

1 Login

 Favorite t Tweet f Share Sort by Best

Start the discussion…

LOG IN WITH
OR SIGN UP WITH DISQUS ?

Name

Be the first to comment.

✉ Subscribe d Add Disqus to your siteAdd ⚠ Do Not Sell My Data

DisqusAdd

Get The Roo In Your Inbox HOME DECODED BEER CONTACT ABOUT

PRIVACY POLICY RSS SITEMAP PHOTOGRAPHY

Receive The Roo Report only when new content is
posted. We promise the Roo will be on his best behavior!

Email Address

Subscribe

Raving Roo   |   © 2013 - 2021

https://ravingroo.com/249/dba-sql-server-database-security-best-practices-business-continuity/ 5/5