1 / 13

Chapter 8

Chapter 8. Hardening Your SQL Server Instance. Hardening. Hardening The process of making your SQL Server Instance more secure New features Policy based management (chapter 10) Kerberos authentication for other communication protocols beside TCP/IP, such as named pipes and shared memory

leo-pace
Download Presentation

Chapter 8

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 8 Hardening Your SQL Server Instance

  2. Hardening • Hardening • The process of making your SQL Server Instance more secure • New features • Policy based management (chapter 10) • Kerberos authentication for other communication protocols beside TCP/IP, such as named pipes and shared memory • Tighter integration between SQL Server 2008 and Windows Server 2008 and Active Directory Domain Services • Can re-name the sa account • Others

  3. Authentication • Windows authentication • Always because the users are Windows users first. • Generally the password is more secure • Mixed Mode • Can be as secure as Windows • Provides a secondary guard • Necessary to support public facing applications • Not supporting Kerberos – a more mature and robust protocol • Can change between the two • Book recommendation – use Windows authentication only • My recommendation – allow both, use Windows authentication whenever make sense, use SQL Server authentication whenever necessary.

  4. The SA account • Everybody knows about it • It has all the power • When compromised, the hacker could cause a lot major damagers – such as collecting important information or destroy the master table. • We should not use it for daily operations in a production environment • Should replace it with another account in two steps • Make sure there is another account with administrator privilege • Use Alter login SA with name= [abc-xyz] • Document the new SA name • Document the SA password • Have process of changing SA password

  5. SQL Server Configuration Manager • All programs  Microsoft SQL Server 2008  Configuration Tools  SQL Server Configuration Manager • Reduce the “Surface Area” – what services are running

  6. SQL Server Configuration Manager (2) • You can see • Services • Network Configuration • Client Configuration

  7. Exercise #3 • Finding out the meaning of the following types of connections and compare the pros and cons • Shared Memory • Named Pipes • TCP/IP • VIA • When listed in Client Protocols, they appear in certain order, what does the order indicate? • Due 2/24/2011

  8. Change TCP port • The default is 1433 • Change it so hackers take longer to find it • Document the new number

  9. Hiding a SQL Server Instance from Broadcasting info • Before hiding, client can find the instance with Server Browser listening the traffic on the net • After hiding, only the parties know the instance can target the instance

  10. Windows Server 2008 Tools • Using Security Configuration Wizard • Verify Security Using the Microsoft Baseline security Analyzer • SQL Server 2008 Best Practice Analyzer Tool

  11. Hardening Service Account • There are many build in service account • Just about one for each service • You can set to have each service account manage the corresponding service or have a single account manages all services • In a large enterprise you may have a large team, different team members are responsible for different components, the services accounts are a fitting approach • In a small shop, use one account for everything

  12. Hardening Service Account (2) • Basic principles • Principle of Least Privilege • Give as little rights as you can operate • Principle of Isolation • Make each account apply to each instance and component – to control the damages if compromised • These principles generate more work 

  13. Others • Install Service Packs and hot fixes • Monitoring using Security Logs • Remove the BUILDIN\Administrators group • Use of Firewall

More Related