{"id":23,"date":"2013-08-24T14:36:01","date_gmt":"2013-08-24T14:36:01","guid":{"rendered":"http:\/\/www.sqlkitten.com\/?p=23"},"modified":"2013-08-24T14:36:01","modified_gmt":"2013-08-24T14:36:01","slug":"sql-saturday-223-sql-security-best-practices-and-shrinking-your-attack-surface-with-matthew-brimer","status":"publish","type":"post","link":"http:\/\/www.sqlkitten.com\/?p=23","title":{"rendered":"SQL Saturday #223 &#8211; SQL Security Best Practices and Shrinking Your Attack Surface with Matthew Brimer"},"content":{"rendered":"<p>How to break into SQL Server in 15 min &#8211; he can do it in 3 min<\/p>\n<p>Windows authentication &#8211; make it the default; rename and disable sa<\/p>\n<p>Use GPO (logon hours) or PBM (Policy-Based Management) to restrict access times for logins that should not be doing things after hours<\/p>\n<p>Testing permissions &#8211; everyone should (impersonate the login and see what it can actually reach), but not everyone does<\/p>\n<p>Permissions on backup and data files &#8211; anyone who can read your backups or data files can restore or attach them on an instance they control, bypassing every permission on yours<\/p>\n<p>Separate user accounts &#8211; one login per person or service, nothing shared<\/p>\n<p>Data integrity &#8211; data is accurate and reliable; it has not been changed or tampered with by an unauthorized person<\/p>\n<p>Common forms of data integrity controls:<\/p>\n<ul>\n<li>hashing\/checksums<\/li>\n<li>source control locking<\/li>\n<li>isolation levels<\/li>\n<li>data modeling\/type constraints<\/li>\n<\/ul>\n<p>C2 audit mode &#8211; just say NO! Only if there is a business reason: it logs everything and shuts the instance down if it cannot write the audit file<\/p>\n<p>Build your own auditing with sp_trace_create (a server-side SQL Trace)<\/p>\n<p>fn_trace_gettable &#8211; reads the trace files back for auditing reports<\/p>\n<p>Geo clustering &#8211; seamless site-to-site failover; one connection string; apps unaware of the failover; $$$$ to implement; needs SAN-level replication or a third-party tool to handle bit-level replication.<\/p>\n<p>AlwaysOn (SQL Server 2012) &#8211; requires availability groups; one or multiple connection strings; readable secondaries can take reads while writes still go to the primary; backup overhead can be offloaded to a secondary on another site; user databases only, so logins and permissions must be managed on each instance.<\/p>\n<p>Database Mirroring &#8211; user databases with one mirror max; synchronous or asynchronous; automatic failover needs a witness, and depending on where the witness sits it can report a false positive and fail over when nothing was wrong; logins and permissions must exist on both servers; automatic page repair replaces a torn page on either partner with the copy from the other.<\/p>\n<p>Log Shipping &#8211; only as good as your last log backup; requires file shares, so lock down the share and NTFS permissions (those log backups are your data).<\/p>\n<p>Replication &#8211; a &#8220;picture&#8221; of the database from a point in time; can be applied to multiple servers; snapshot, merge or transactional; no mention of initializing a subscriber from a backup.<\/p>\n<p>Security Best Practices<\/p>\n<ul>\n<li>Change the default port (1433) &#8211; slows down network enumeration and fingerprinting, but a port scan still finds it<\/li>\n<li>Revoke CONNECT from guest in user databases &#8211; otherwise any login on the instance can enter the database as guest (leave guest alone in master, tempdb and msdb, where it is needed)<\/li>\n<li>Disable xp_cmdshell<\/li>\n<li>Disable unneeded protocols (VIA, TCP\/IP, shared memory, named pipes)<\/li>\n<li>Enable Common Criteria Compliance (standard in 2008)<\/li>\n<li>Disable SQL Browser &#8211; not practical with named instances or a cluster unless every client hard-codes the port<\/li>\n<li>Hide instance &#8211; it will not answer Browser enumeration requests, but the listening port still answers a direct connection (telnet to it and it replies)<\/li>\n<li>Minimal service install &#8211; no BIDS in production; separate dev from prod<\/li>\n<li>Baselines &#8211; Microsoft Baseline Security Analyzer; know your sysadmins; SQL permissions and users; databases<\/li>\n<li>No DMZ, IIS or domain controllers &#8211; do not put SQL Server in the DMZ or on a box that also runs IIS or is a domain controller<\/li>\n<li>Dev\/Test data &#8211; mask sensitive data; MSSQL.DataMask<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>How to break into SQL Server in 15 min &#8211; he can do it in 3 min Windows authentication &#8211; rename\/disable sa Use GPO or PBM to restrict access times to logins that should not be doing things after hours Testing permissions &hellip; <a href=\"http:\/\/www.sqlkitten.com\/?p=23\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/posts\/23"}],"collection":[{"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23"}],"version-history":[{"count":1,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions"}],"predecessor-version":[{"id":24,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions\/24"}],"wp:attachment":[{"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sqlkitten.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
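The session notes above recommend GPO logon hours or Policy-Based Management to keep certain logins out after hours. A server-level logon trigger is a third way to do the same thing and also covers SQL logins, which GPO cannot reach. The script below is an added example, not code from the session or from the post; the login names and hour windows are hypothetical, and the policy is inlined in the trigger so it needs no table permissions.

```sql
-- Added example (not from the session or the post): refuse connections for
-- named logins outside an allowed hour window, using a server logon trigger.
-- Login names and hours are hypothetical. Hours are the server's local time.
USE master;
GO
IF EXISTS (SELECT 1 FROM sys.server_triggers WHERE name = N'trg_EnforceLoginHours')
    DROP TRIGGER trg_EnforceLoginHours ON ALL SERVER;
GO
CREATE TRIGGER trg_EnforceLoginHours
ON ALL SERVER
FOR LOGON
AS
BEGIN
    DECLARE @login sysname = ORIGINAL_LOGIN();
    DECLARE @hour  int     = DATEPART(HOUR, SYSDATETIME());

    -- Policy: (login, first allowed hour inclusive, last allowed hour exclusive).
    -- A window whose start is >= its end wraps past midnight (22 -> 6).
    -- Inlined as a VALUES table so the trigger runs under the connecting
    -- login's own context without needing SELECT on any table.
    IF EXISTS (
        SELECT 1
        FROM (VALUES (N'CONTOSO\reportuser', 7, 19),   -- hypothetical Windows login, 07:00-18:59
                     (N'app_batch',          22, 6))   -- hypothetical SQL login, 22:00-05:59
             AS p(LoginName, StartHour, EndHour)
        WHERE p.LoginName = @login
          AND NOT (   (p.StartHour <  p.EndHour AND @hour >= p.StartHour AND @hour <  p.EndHour)
                   OR (p.StartHour >= p.EndHour AND (@hour >= p.StartHour OR @hour < p.EndHour)) )
    )
    BEGIN
        -- Messages raised inside a logon trigger never reach the client; they
        -- go to the SQL Server error log, which is exactly where after-hours
        -- attempts should leave a trace. ROLLBACK refuses the connection.
        RAISERROR(N'Login %s refused outside its allowed hours (hour %d).', 16, 1, @login, @hour);
        ROLLBACK;
    END
END;
GO
```

Two cautions before using this for real: a logon trigger that errors refuses every login, sysadmins included, so test it under `EXECUTE AS LOGIN` first and know that the dedicated administrator connection (DAC) is the way back in to drop it; and the trigger only governs new connections, so a session opened at 18:55 stays open, which is why the talk pairs this kind of control with auditing.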
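For the "build your own auditing with sp_trace_create" and "fn_trace_gettable for auditing reports" notes, here is what that looks like end to end: a server-side trace that records logins, failed logins and changes to logins and server roles, rolling over files, and the query that reads those files back. This is an added example, not the presenter's or the blog's code; the file path is hypothetical, and the caller needs ALTER TRACE (or sysadmin).

```sql
-- Added example (not from the session or the post): a server-side audit trace.
-- Trace-procedure parameters are type-strict, hence the typed variables.
DECLARE @traceid   int,
        @rc        int,
        @on        bit    = 1,
        @maxsize   bigint = 50,                           -- MB per file before rollover
        @tracefile nvarchar(245) = N'D:\SQLAudit\audit';  -- hypothetical; SQL Server appends .trc

-- Option 2 = TRACE_FILE_ROLLOVER; keep at most 5 rolled-over files.
EXEC @rc = sp_trace_create @traceid OUTPUT, 2, @tracefile, @maxsize, NULL, 5;
IF @rc <> 0
BEGIN
    RAISERROR(N'sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END

-- Event IDs: 14 Audit Login, 20 Audit Login Failed, 104 Audit Addlogin,
-- 105 Audit Login GDR (grant/revoke/deny), 108 Audit Add Login to Server Role,
-- 109 Audit Add DB User, 110 Audit Add Member to DB Role.
-- Column IDs: 1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
-- 11 LoginName, 12 SPID, 14 StartTime, 21 EventSubClass, 23 Success,
-- 35 DatabaseName, 42 TargetLoginName (only meaningful for login-management events).
DECLARE @pairs TABLE (EventId int, ColumnId int);
INSERT INTO @pairs (EventId, ColumnId)
SELECT e.id, c.id
FROM (VALUES (14),(20),(104),(105),(108),(109),(110)) AS e(id)
CROSS JOIN (VALUES (1),(6),(8),(10),(11),(12),(14),(21),(23),(35)) AS c(id)
UNION ALL
SELECT e.id, 42 FROM (VALUES (104),(105),(108)) AS e(id);

-- sp_trace_setevent returns a non-zero code (no exception) for a column the
-- event does not carry, so the loop just moves on.
DECLARE @e int, @c int;
DECLARE ev CURSOR LOCAL FAST_FORWARD FOR SELECT EventId, ColumnId FROM @pairs;
OPEN ev;
FETCH NEXT FROM ev INTO @e, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC @rc = sp_trace_setevent @traceid, @e, @c, @on;
    FETCH NEXT FROM ev INTO @e, @c;
END
CLOSE ev; DEALLOCATE ev;

-- Filter: column 10 (ApplicationName), AND (0), NOT LIKE (7): drop Profiler's own chatter.
EXEC sp_trace_setfilter @traceid, 10, 0, 7, N'SQL Server Profiler%';

EXEC sp_trace_setstatus @traceid, 1;   -- 1 = start (0 = stop, 2 = close and delete)
SELECT @traceid AS TraceId;            -- record this; you need it to stop the trace later
GO

-- Auditing report: failed logins and login/role changes in the last 24 hours.
-- DEFAULT as the second argument reads this file and every rollover after it.
SELECT t.StartTime, t.EventClass, t.EventSubClass, t.LoginName, t.NTUserName,
       t.HostName, t.ApplicationName, t.DatabaseName, t.TargetLoginName,
       t.Success, t.TextData
FROM sys.fn_trace_gettable(N'D:\SQLAudit\audit.trc', DEFAULT) AS t
WHERE t.StartTime >= DATEADD(DAY, -1, SYSDATETIME())
  AND t.EventClass IN (20, 104, 105, 108, 109, 110)
ORDER BY t.StartTime;
```

The trace files hold login names, host names and the text of every captured statement, so the directory they land in needs the same NTFS lockdown the talk asks for on backup and data files. SQL Trace has been marked deprecated since SQL Server 2012 in favour of Extended Events and SQL Server Audit; the reporting pattern (write to rolling files, read back with a table-valued function) carries over to both.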
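The "Security Best Practices" list and the "Testing permissions" and "Baselines" notes above are all things you can do, and verify, from T-SQL. The script below applies the instance-level items (sa, xp_cmdshell, Common Criteria, guest) and then runs the baseline queries that show whether they hold, including where the data and backup files an attacker would copy actually live. It is an added example, not the presenter's script; the new sa name and the test login are hypothetical, and it must be run as sysadmin.

```sql
-- Added example (not from the session or the post): apply the instance-level
-- hardening items, then baseline the result. Names marked hypothetical are mine.
USE master;
GO
-- 1. sa: disable it, then rename it so the name every scanner tries first is gone.
--    Its SID stays 0x01, so anyone already inside can still find it in sys.server_principals.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_breakglass_dba];   -- hypothetical new name
GO
-- 2. xp_cmdshell off, Common Criteria compliance on (both are advanced options).
--    Common Criteria needs a service restart to take effect and is not in every edition.
EXEC sp_configure 'show advanced options', 1;              RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                        RECONFIGURE;
EXEC sp_configure 'common criteria compliance enabled', 1; RECONFIGURE;
GO
-- 3. Revoke CONNECT from guest in every online, writable user database.
--    database_id 1-4 (master, tempdb, model, msdb) are skipped on purpose.
DECLARE @fix nvarchar(max) = N'';
SELECT @fix += N'USE ' + QUOTENAME(name) + N'; REVOKE CONNECT FROM guest;' + NCHAR(10)
FROM sys.databases
WHERE database_id > 4 AND state_desc = N'ONLINE' AND is_read_only = 0;
EXEC sys.sp_executesql @fix;
GO
-- 4. Baseline. Keep the output, re-run on a schedule, diff.
-- 4a. Who holds the powerful server roles ("know your sysadmins").
SELECT r.name AS ServerRole, m.name AS MemberLogin, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'serveradmin')
ORDER BY r.name, m.name;
-- 4b. Databases that still let guest in (guest is principal_id 2 in every database).
DECLARE @chk nvarchar(max) = N'';
SELECT @chk += N' UNION ALL SELECT N''' + REPLACE(name, N'''', N'''''') + N''' AS DatabaseName FROM '
             + QUOTENAME(name) + N'.sys.database_permissions'
             + N' WHERE grantee_principal_id = 2 AND permission_name = N''CONNECT'' AND state IN (''G'',''W'')'
FROM sys.databases
WHERE database_id > 4 AND state_desc = N'ONLINE';
IF @chk <> N''
BEGIN
    SET @chk = STUFF(@chk, 1, 11, N'');   -- strip the leading ' UNION ALL '
    EXEC sys.sp_executesql @chk;
END
-- 4c. Dangerous features and their live values.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'common criteria compliance enabled',
               N'remote access', N'clr enabled');
-- 4d. The files someone could attach or restore elsewhere: data/log files, and the
--     last backup of each database with the path it was written to.
SELECT DB_NAME(mf.database_id) AS DatabaseName, mf.type_desc, mf.physical_name
FROM sys.master_files AS mf
ORDER BY DatabaseName, mf.type_desc;
SELECT bs.database_name, bmf.physical_device_name, MAX(bs.backup_finish_date) AS LastBackup
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
GROUP BY bs.database_name, bmf.physical_device_name
ORDER BY bs.database_name;
GO
-- 5. Test permissions the way the talk recommends: become the login and look.
EXECUTE AS LOGIN = N'CONTOSO\reportuser';   -- hypothetical login
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER');        -- its effective server rights
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS HasControlServer; -- should be 0
REVERT;
GO
```

Step 4d is the T-SQL half of the "permissions to backup and data files" point: once you know the paths, check the share and NTFS ACLs on each of them, because a readable .bak or .mdf is the whole database regardless of anything in steps 1 to 3.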
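The notes list hashing/checksums first among the data-integrity controls without saying how they are used. Below is an added example, not from the session or the post, showing the two levels that matter in SQL Server: page checksums, which catch corruption of the files on disk, and a per-row SHA-256 baseline, which catches rows changed outside the application (by someone with direct table access, or through an attached copy of the data file). The database, table and data are constructed for the example.

```sql
-- Added example (not from the session or the post). Database and table are hypothetical.
USE [Payroll];
GO
-- Level 1: storage integrity. Each page carries a checksum verified on every read,
-- by DBCC CHECKDB, and by BACKUP ... WITH CHECKSUM.
ALTER DATABASE CURRENT SET PAGE_VERIFY CHECKSUM;
GO
-- Constructed sample table.
CREATE TABLE dbo.Salary
(
    EmployeeId int           NOT NULL PRIMARY KEY,
    Amount     decimal(12,2) NOT NULL,
    ApprovedBy sysname       NOT NULL
);
INSERT INTO dbo.Salary (EmployeeId, Amount, ApprovedBy)
VALUES (1, 52000.00, N'CONTOSO\hrmanager'),
       (2, 61000.00, N'CONTOSO\hrmanager'),
       (3, 48500.00, N'CONTOSO\hrmanager');
GO
-- Level 2: a SHA-256 per row over the columns that must not drift, stored where
-- the application account cannot write. A second table keeps the demo
-- self-contained; in production put it in another database or on another server.
CREATE TABLE dbo.SalaryBaseline
(
    EmployeeId int        NOT NULL PRIMARY KEY,
    RowHash    binary(32) NOT NULL,
    TakenAt    datetime2  NOT NULL DEFAULT SYSDATETIME()
);
INSERT INTO dbo.SalaryBaseline (EmployeeId, RowHash)
SELECT EmployeeId,
       HASHBYTES('SHA2_256', CONCAT(EmployeeId, N'|', Amount, N'|', ApprovedBy))
FROM dbo.Salary;
GO
-- Cheap tripwire for the whole table. BINARY_CHECKSUM is not cryptographic
-- (collisions are easy to manufacture), so a changed value means "go compare
-- rows"; an unchanged value does not mean the data is trustworthy.
SELECT CHECKSUM_AGG(BINARY_CHECKSUM(EmployeeId, Amount, ApprovedBy)) AS TableFingerprint
FROM dbo.Salary;
GO
-- Simulated tampering by someone with direct table access.
UPDATE dbo.Salary SET Amount = 161000.00 WHERE EmployeeId = 2;
DELETE FROM dbo.Salary WHERE EmployeeId = 3;
INSERT INTO dbo.Salary (EmployeeId, Amount, ApprovedBy) VALUES (4, 99000.00, N'CONTOSO\hrmanager');
GO
-- Verification: recompute and compare. The FULL OUTER JOIN names the rows that
-- were modified, deleted or inserted instead of giving a bare yes/no.
WITH Recomputed AS
(
    SELECT EmployeeId,
           HASHBYTES('SHA2_256', CONCAT(EmployeeId, N'|', Amount, N'|', ApprovedBy)) AS RowHash
    FROM dbo.Salary
)
SELECT COALESCE(b.EmployeeId, c.EmployeeId) AS EmployeeId,
       CASE WHEN b.EmployeeId IS NULL THEN 'INSERTED'
            WHEN c.EmployeeId IS NULL THEN 'DELETED'
            ELSE 'MODIFIED'
       END AS Finding
FROM dbo.SalaryBaseline AS b
FULL OUTER JOIN Recomputed AS c ON c.EmployeeId = b.EmployeeId
WHERE b.EmployeeId IS NULL OR c.EmployeeId IS NULL OR b.RowHash <> c.RowHash
ORDER BY EmployeeId;
```

The hash input is a delimited concatenation of the columns, so adding a column later changes every hash; treat a schema change as a reason to take a new baseline, not as a finding. The baseline table is only worth as much as the separation between who can write it and who can write the data, which is the same point the talk makes about backup and data file permissions.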