SQL Server Webcast

COMMON SECURITY MISTAKES

Michael K. Campbell
Common Security Mistakes

Michael K. Campbell
• Independent Consultant
• Former DBA and Database Developer
• Author, Contributing Editor, and Presenter

• Contact
  • web: http://www.overachiever.net
  • email: mike@overachiever.net
  • twitter: AngryPets
In this Webcast

• Focus
  • Core SQL Server Security Concepts
  • Horror Stories (and how to avoid them)

• Road Map
  • Session Overview
Core SQL Server Security Concepts

SQL Server’s Job: PROXY REQUESTS to RESOURCES

• Transactional Safety
• Performance Optimizations
• Security
• Authentication
• Authorization

[Diagram labels: Simultaneous Requests, SQL Server, File System / Data Files]


SQL Server Authentication

[Diagram: Windows (i.e. SQL Hosting Environment) contains Windows Security logins (Users and Groups) and SQL Server. SQL Server Principals / Logins: SQL Server Managed Logins (usernames/passwords) and Windows Logins (Trusted from OS).]

SQL Server Authorization / Mapping

[Diagram: Windows (i.e. SQL Hosting Environment) contains Windows Security logins (Users and Groups) and SQL Server. SQL Server Principals / Logins: SQL Server Managed Logins (usernames/passwords) and Windows Logins (Trusted from OS). Databases: DB Level Users and Roles (Mapped to Logins) for each kind of login.]

Core Security Concepts

Synopsis
• Authorization:
  • Handled By SQL Server
  • Managed with Users and Roles
• Authentication:
  • Users are Validated via:
    • The OS (Integrated Authentication)
    • The OS AND SQL Server (Mixed-Mode Authentication)
Attack Vectors
• Threat Modeling / Threat Categories
  • STRIDE
    • Spoofing Identity
    • Tampering
    • Repudiation
    • Information Disclosure
    • Denial of Service
    • Elevation of Privilege
Common Mistakes / Areas of Focus

• Repudiation
• Escalation
• Circumvention

http://failblog.org/2009/02/28/
Repudiation

http://www.flickr.com/photos/miskan/7240060/ (Creative Commons)


COMMON MISTAKE:
Not Understanding Auditing

• Examples
  • Bad Example: Overbearing Security Practices
  • Good Example: Banking
• Negatives:
  • Waste of Security Attention/Effort
  • (Largely) Ignores Hackers
  • Makes Users Mistrust/Hate Security
Auditing Options
• Built-In Options
  • SQL Server C2 Audit Mode (Deprecated)
  • SQL Server 2008 Auditing (Powerful/Versatile)
• Triggers
  • Audit Changes (not access) to Data
  • Ensure users are denied access to Audits/Logs
• 3rd Party Solutions
  • Wide Variety of Solutions
• Simple Auditing Solutions
  • Sometimes Simple Solutions are Enough
Simple Auditing Solutions

http://www.flickr.com/photos/lara604/2610313357/ (Creative Commons)


Escalation
SQL Injection

Comic by XKCD: http://xkcd.com/327/


COMMON MISTAKE:
Confusing Sprocs with Unicorns
The Fix
COMMON MISTAKE:
Excessive / Elevated Permissions
• Applies To:
  • Services, Applications, Users
• Horror Story:
  • Hospital
  • Cluster
  • Domain Admin
  • NULL SID
• Solution:
  • The Principle of Least Privilege
Least Privilege:
Service Accounts
• Account Types
  • Local or Domain Accounts.
  • NEVER as LOCAL SYSTEM
  • Isolate Accounts (don’t re-use service accounts)
• Locked Down:
  • Deny Rights to login, login via RDP, etc.
  • Never need to be Admins, Power Users, or even Users.
  • MINIMUM perms and rights only.
• Don’t forget about Proxies and Credentials
Demoting Existing Installations
• SQL Server 2000
  • Rights and Permissions (Binaries and Data)
• SQL Server 2005/2008/2008 R2
  • Use SQL Server Configuration Manager
Troubleshooting / Execution

• Troubleshooting:
  • Use Windows Event Logs.
  • SysInternals / Process Monitor.
• Execution
  • Requires Reboot of SQL Server Service.
  • Plan Accordingly.
    • Monty Python: “Run Away! Run Away!”
    • The BADGER is an option.
  • Keep an Eye on Backups over next few days.
Least Privilege: Applications

• Applications Are Easy
  • Restrict to db_datareader/db_datawriter.
  • Explicitly Restrict to just Sprocs
  • Or Use a ‘Sprocs’ Role:
    • Create a new role: db_executeproc.
    • Script that GRANTs EXECUTE on all sprocs to Role.
    • Schedule the Job to run regularly.
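
The ‘Sprocs’ role steps above, written out as T-SQL. This is an added example, not code from the webcast: AppUser is a hypothetical database user mapped to the application's login, and batch 2 is what the scheduled job would run.

```sql
-- Added example, not from the webcast. Run in the application database.
-- Assumption: AppUser is a hypothetical database user mapped to the app's login.

-- 1. Create the role once (type 'R' in sys.database_principals = database role).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'db_executeproc' AND type = 'R')
    CREATE ROLE db_executeproc;
GO

-- 2. Body of the scheduled job: grant EXECUTE on every user stored procedure
--    the role cannot execute yet, so procedures added since the last run are covered.
DECLARE @stmt nvarchar(600);

DECLARE proc_cursor CURSOR LOCAL STATIC FOR
    SELECT N'GRANT EXECUTE ON ' + QUOTENAME(SCHEMA_NAME(p.schema_id))
         + N'.' + QUOTENAME(p.name) + N' TO db_executeproc;'
    FROM sys.procedures AS p
    WHERE p.is_ms_shipped = 0
      AND NOT EXISTS (SELECT 1
                      FROM sys.database_permissions AS dp
                      WHERE dp.class = 1              -- object-level permission
                        AND dp.major_id = p.object_id
                        AND dp.permission_name = N'EXECUTE'
                        AND dp.state IN ('G', 'W')    -- GRANT / GRANT WITH GRANT OPTION
                        AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'db_executeproc'));

OPEN proc_cursor;
FETCH NEXT FROM proc_cursor INTO @stmt;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sys.sp_executesql @stmt;   -- object names were QUOTENAME-escaped above
    FETCH NEXT FROM proc_cursor INTO @stmt;
END
CLOSE proc_cursor;
DEALLOCATE proc_cursor;
GO

-- 3. Put the application user in the role (sp_addrolemember exists on 2005 and later).
EXEC sp_addrolemember N'db_executeproc', N'AppUser';
GO

-- 4. Check: list what the role may execute; anything unexpected deserves a look.
SELECT OBJECT_SCHEMA_NAME(dp.major_id) AS [schema], OBJECT_NAME(dp.major_id) AS [procedure]
FROM sys.database_permissions AS dp
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'db_executeproc')
  AND dp.class = 1
  AND dp.permission_name = N'EXECUTE';
```
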
Least Privilege: Users
• Users are Harder
  • Egos Are Involved.
• Implementation
  • Roles are your friend.
• Techniques
  • Social Engineering.
Circumvention

http://failblog.org/2008/03/13/
COMMON MISTAKE:
Not Adjusting Disaster Recovery Plans
• Properly Secured = Harder to Recover
  • Logins and Credentials.
  • Mappings to Users and Roles.
  • Certificates.
  • Encrypted Backups.
• Test Your Backups
  • Regularly
• Document

http://www.flickr.com/photos/jeremybrooks/3132893543/ (Creative Commons)


Conclusion

• Links / Resources at:
  • http://updates.sqlservervideos.com
  • email: mike@overachiever.net