Slide1
IT Security and your SQL Server
Howard Pincham, MCITP, CISSP
Database and Compliance Engineer
Hyland Software, Inc.
howard.pincham@hyland.com
Slide2
What is the purpose of this talk?
Discuss the importance of good security practices.
Provide guidance on how to secure SQL Server.
Demonstrate repeatable techniques that you can use today!
Slide3
Want a 1981 Cutlass?
Hottest-selling ’70s/’80s vehicle
Most likely to be stolen… why?
It was easy to steal
Big market for stolen parts
Worth the effort to strip
“...’cuz that’s where the money is”
--- Willie Sutton, famed bank robber
Slide4
Cutlass’ security is not that good.
Asset: Cutlass
Vulnerability: Quarter window and ignition lock
Threat: Anybody with a screwdriver
Risk: Likelihood the Cutlass is stolen
Safeguard: Alarm or kill switch
Slide5
Demo: Break into this database!
You want to access tables in a certain database instance on a laptop.
The instance has been hardened by granting access to a single user.
The user will not cooperate with you.
What actions would you take to access the data?
Slide6
Vulnerability | Safeguard
Credentials stored in plaintext | Store credentials in a secure store or network
Unsecured backup files | Secure backup folders; encrypt backup files and/or backup volumes
Unsecured database services and files | Apply least privilege
Poor physical security | Store critical data on systems located in secure rooms or datacenters
Harden your database.
Slide7
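The backup row in the table above asks for encrypted backup files or backup volumes. The following T-SQL is an added example, not part of the slides: it creates a certificate, writes an encrypted full backup with it, and then queries msdb for recent backups that were taken without encryption. Native backup encryption exists in SQL Server 2014 and later; on older versions the slide's "backup volumes" option (volume encryption such as BitLocker on the backup drive) is the way to get encryption at rest. The certificate name, database name, file paths and passphrases are assumptions.

```sql
-- Added example (not from the slides): encrypt native SQL Server backups with a
-- server certificate, then find backups that were written without encryption.
-- Requires SQL Server 2014 or later. All names, paths and passphrases are assumed.
USE master;
GO
-- 1. The database master key protects the certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-a-long-random-passphrase-here!';
GO
-- 2. Certificate that will encrypt the backups (assumed name).
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'BackupEncryptCert')
    CREATE CERTIFICATE BackupEncryptCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- 3. Escrow the certificate and private key somewhere that is NOT the backup
--    folder. Without this export an encrypted backup cannot be restored on
--    another server, and losing the key means losing every backup made with it.
BACKUP CERTIFICATE BackupEncryptCert
    TO FILE = 'E:\KeyEscrow\BackupEncryptCert.cer'
    WITH PRIVATE KEY (
        FILE = 'E:\KeyEscrow\BackupEncryptCert.pvk',
        ENCRYPTION BY PASSWORD = 'Another-long-random-passphrase!');
GO
-- 4. Encrypted, compressed, checksummed full backup (assumed database and path).
BACKUP DATABASE AppDB
    TO DISK = 'E:\Backups\AppDB_full.bak'
    WITH COMPRESSION, CHECKSUM,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupEncryptCert);
GO
-- 5. Audit: backups from the last 30 days that were not encrypted.
--    msdb records the algorithm used; NULL means the backup is plaintext.
SELECT bs.database_name, bs.backup_finish_date, bs.type, bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
  AND bs.key_algorithm IS NULL
ORDER BY bs.backup_finish_date DESC;
GO
-- 6. Verify a file on disk: the KeyAlgorithm and EncryptorThumbprint columns
--    of the header are populated only for encrypted backups.
RESTORE HEADERONLY FROM DISK = 'E:\Backups\AppDB_full.bak';
GO
```

The audit query in step 5 is the repeatable part: run it on a schedule and treat any row it returns as a backup that an attacker who copies the file (the demo scenario above) can restore and read without credentials.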
Demo: Hack SQL Server remotely.
You are concerned about the security of data and metadata as it traverses various networks.
You suspect that some systems and applications are vulnerable to network based attacks.
What actions will you take to test these systems?
Slide8
Vulnerability | Safeguard
Untrusted clients can identify and interrogate SQL Server instances | “Hide” instances, isolate servers
Transaction data and SQL logins are transmitted in plaintext | Isolate network traffic and/or use encrypted connections
SQL login credentials can be configured to allow blank passwords | Apply password policies, use Windows Authentication
SQL Injection and other hacks can compromise the server | Apply single-use servers, least privilege and secure coding
Harden your database server.
Slide9
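The table above lists four network-facing weaknesses. The following T-SQL is an added example, not part of the slides: it checks an instance for each of them (instance hiding and forced encryption, whether the current connection is actually encrypted, authentication mode, SQL logins with blank passwords or no password policy) and closes with the injection pattern the last row warns about next to its parameterised form. It must run with sysadmin or CONTROL SERVER rights; the login name WebAppLogin, the table dbo.Customers and the hostile input string are assumptions.

```sql
-- Added example (not from the slides): audit an instance for the weaknesses in
-- the table above and show safe dynamic SQL. WebAppLogin, dbo.Customers and the
-- sample input are assumed; run as sysadmin / CONTROL SERVER.

-- 1. Is the instance hidden from SQL Browser enumeration, and is TLS forced?
--    Both live under SuperSocketNetLib; xp_instance_regread maps the path for
--    named instances. 1 = enabled, 0 or NULL = not set.
DECLARE @hide INT, @force INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance', @hide OUTPUT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'ForceEncryption', @force OUTPUT;
SELECT @hide AS hide_instance, @force AS force_encryption;

-- 2. Is THIS session's traffic encrypted? encrypt_option is TRUE only when TLS
--    was negotiated (client Encrypt=Yes or server Force Encryption).
SELECT session_id, net_transport, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 3. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 4. Enabled SQL logins with a blank password, or with the Windows password
--    policy switched off. PWDCOMPARE returns 1 when the clear-text value
--    matches the stored hash, so comparing against '' finds blank passwords.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       PWDCOMPARE(N'', password_hash) AS has_blank_password
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (PWDCOMPARE(N'', password_hash) = 1 OR is_policy_checked = 0);

-- 5. Remediation for one such login. Turning CHECK_POLICY on does not
--    re-validate the existing password, so a new one is set at the same time.
ALTER LOGIN WebAppLogin
    WITH PASSWORD = N'Replace-with-a-generated-secret!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 6. SQL injection: concatenation versus a parameter.
DECLARE @name NVARCHAR(100) = N''' OR 1=1 --';   -- constructed hostile input
DECLARE @sql  NVARCHAR(MAX);

-- Vulnerable: the input becomes part of the statement text.
SET @sql = N'SELECT id, name FROM dbo.Customers WHERE name = ''' + @name + N'''';
PRINT @sql;   -- ... WHERE name = '' OR 1=1 --'  : the filter is gone, every row returns
-- EXEC (@sql);   -- deliberately not executed

-- Safe: the value is bound as a typed parameter and can never become syntax.
SET @sql = N'SELECT id, name FROM dbo.Customers WHERE name = @p_name';
EXEC sys.sp_executesql @sql, N'@p_name NVARCHAR(100)', @p_name = @name;
```

Step 2 is the check worth repeating from a client on another network segment: if encrypt_option comes back FALSE there, the login and every query result cross the wire in the clear, which is exactly what the Network Monitor capture in the demo relies on. Step 4 should return no rows on a hardened instance; any login it does return is reachable with no password at all from any host that can find the instance.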
Problem: Not everyone can be trusted.
(Diagram: SQLSERVERA and WEBSERVERA sharing one Local Area Network with no segmentation between them)
Slide10
Firewalls, Network segments... Priceless.
(Diagram: the network divided into Trusted, Untrusted and External/Client segments, with SQLSERVERA and WEBSERVERA on separate segments behind firewalls)
Slide11
This topic requires much more discussion.
Slide12
Where to find more information
http://csrc.nist.gov/
http://microsoft.com/security
www.sans.org/top20/2002/mssql_checklist.pdf
technet.microsoft.com/en-us/library/cc646023.aspx#BKMK_basic
technet.microsoft.com/en-us/security/cc184924.aspx
www.darkreading.com/database_security
http://blogs.msdn.com/b/sqlsecurity/archive/2010/07/26/security-checklists-on-technet-wiki.aspx
http://www.cisecurity.org/tools2/sqlserver/CIS_SQL2005_Benchmark_v1.1.1.pdf
Slide13
Tools and Exploit Materials Mentioned
Portqry: http://support.microsoft.com/kb/310099
Network Monitor: http://blogs.technet.com/b/netmon/
Nessus: http://www.nessus.org/nessus/
Metasploit: http://www.metasploit.com/
EPM (Enterprise Policy Management Framework): http://epmframework.codeplex.com/
Windows Firewall: http://technet.microsoft.com/en-us/library/cc732283(WS.10).aspx
Slide14
Remember… Security is always excessive until it's not enough.