Scribd
Upload
158 views26 pages

Common SQL Server Security Mistakes

This document summarizes a webcast about common security mistakes in SQL Server. It covers core SQL Server security concepts like authentication and authorization. It then discusses common mistakes like not understanding auditing, confusing stored procedures with high privileges, and not adjusting disaster recovery plans for a more secure environment. The webcast focuses on how to avoid these pitfalls and implement the principle of least privilege.

Uploaded by

grsmprem
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
158 views26 pages

Common SQL Server Security Mistakes

This document summarizes a webcast about common security mistakes in SQL Server. It covers core SQL Server security concepts like authentication and authorization. It then discusses common mistakes like not understanding auditing, confusing stored procedures with high privileges, and not adjusting disaster recovery plans for a more secure environment. The webcast focuses on how to avoid these pitfalls and implement the principle of least privilege.

Uploaded by

grsmprem
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 26

SQL Server Webcast

COMMON SECURITY MISTAKES

Michael K. Campbell
Common Security Mistakes

Michael K. Campbell
 Independent Consultant
 Former DBA and Database Developer
 Author, Contributing Editor, and Presenter

 Contact
 web: http://www.overachiever.net
 email: [email protected]
 twitter: AngryPets
In this Webcast

 Focus
 Core SQL Server Security Concepts
 Horror Stories (and how to avoid them)

 Road Map
 Session Overview
Core SQL Server Security Concepts

Simultaneous Requests

SQL Server’s Job: PROXY REQUESTS to RESOURCES


• Transactional Safety
• Performance Optimizations
• Security
• Authentication SQL Server
• Authorization

File System / Data Files


SQL Server Authentication

Windows (i.e. SQL Hosting Environment)


SQL Server
Principals / Logins
Windows Security

LOGINS
(Users and Groups)

SQL Server
Managed Logins
(usernames/passwords)

Windows
Logins
(Trusted from OS)
SQL Server Authorization / Mapping

Windows (i.e. SQL Hosting Environment)


SQL Server
Databases
Principals / Logins
Windows Security

LOGINS
(Users and Groups)

SQL Server DB Level: Users and Roles


Managed Logins (Mapped to Logins)
(usernames/passwords)

Windows
Logins DB Level: Users and Roles
(Trusted from OS) (Mapped to Logins)
Core Security Concepts

Synopsis
 Authorization:
 Handled By SQL Server
 Managed with Users and Roles
 Authentication
 User are Validated via:
 The OS (Integrated Authentication)
 The OS AND SQL Server (Mixed Mode-Authentication)
Attack Vectors
 Threat Modeling / Threat Categories
 STRIDE
 Spoofing Identity
 Tampering
 Repudiation
 Information Disclosure
 Denial of Service
 Elevation of Privilege
Common Mistakes / Areas of Focus

 Repudiation
 Escalation
 Circumvention

http://failblog.org/2009/02/28/
Repudiation

http://www.flickr.com/photos/miskan/7240060/ (Creative Commons)


COMMON MISTAKE:
Not Understanding Auditing

 Examples
 Bad Example: Overbearing Security Practices
 Good Example: Banking
 Negatives:
 Waste of Security Attention/Effort
 (Largely) Ignores Hackers
 Makes Users Mistrust/Hate Security
Auditing Options
 Built-In Options
 SQL Server C2 Audit Mode (Deprecated)
 SQL Server 2008 Auditing (Powerful/Versatile)
 Triggers
 Audit Changes (not access) to Data
 Ensure users are denied access to Audits/Logs
 3rd Party Solutions
 Wide Variety of Solutions
 Simple Auditing Solutions
 Sometimes Simple Solutions are Enough
Simple Auditing Solutions

http://www.flickr.com/photos/lara604/2610313357/ (Creative Commons)


Escalation
SQL Injection

Comic by XKCD: http://xkcd.com/327/


COMMON MISTAKE:
Confusing Sprocs with Unicorns
The Fix
COMMON MISTAKE:
Excessive / Elevated Permissions
 Applies To:
 Services, Applications, Users
 Horror Story:
 Hospital
 Cluster
 Domain Admin
 NULL SID
 Solution:
 The Principle of Least Privilege
Least Privilege:
Service Accounts
 Account Types
 Local or Domain Accounts.
 NEVER as LOCAL SYSTEM
 Isolate Accounts (don’t re-use service accounts)
 Locked Down:
 Deny Rights to login, login via RDP, etc.
 Never need to be Admins, Power Users, or even Users.
 MIMIMUM perms and rights only.
 Don’t forget about Proxies and Credentials
Demoting Existing Installations
 SQL Server 2000
 Rights and Permissions (Binaries and Data)
 SQL Server 2005/2008/2008 R2
 Use SQL Server Configuration Manager
Troubleshooting / Execution

 Troubleshooting:
 Use Windows Event Logs.
 SysInternals / Process Monitor.
 Execution
 Requires Reboot of SQL Server Service.
 Plan Accordingly.
 Monty Python: “Run Away! Run Away!”
 The BADGER is an option.
 Keep an Eye on Backups over next few days.
Least Privilege: Applications

 Application Are Easy


 Restrict to db_datareader/db_datawriter.
 Explicitly Restrict to just Sprocs
 Or Use a ‘Sprocs’ Role:
 Create a new role: db_executeproc.
 Script that GRANTs EXECUTE on all sprocs to Role.
 Schedule the Job to run regularly.
Least Privilege: Users
 Users are Harder
 Egos Are Involved.
 Implementation
 Roles are your friend.
 Techniques
 Social Engineering.
Circumvention

http://failblog.org/2008/03/13/
COMMON MISTAKE:
Not Adjusting Disaster Recovery Plans
 Properly Secured = Harder to Recover
 Logins and Credentials.
 Mappings to Users and Roles.
 Certificates.
 Encrypted Backups.
 Test Your Backups
 Regularly
 Document

http://www.flickr.com/photos/jeremybrooks/3132893543/ (Creative Commons)


Conclusion

 Links / Resources at:


 http://updates.sqlservervideos.com
 email: [email protected]

You might also like