Chapter 8
Hardening Your SQL Server Instance
Hardening
• The process of making your SQL Server instance more secure
New features
• Policy-based management (chapter 10)
• Kerberos authentication for communication protocols other than TCP/IP, such as named pipes and shared memory
• Tighter integration between SQL Server 2008, Windows Server 2008 and Active Directory Domain Services
• The sa account can be renamed
• Others
Authentication
Windows authentication
• Always available, because the users are Windows users first
• Generally the password is more secure
Mixed mode
• Can be as secure as Windows authentication
• Provides a secondary guard
• Necessary to support public-facing applications
• Does not support Kerberos – a more mature and robust protocol
You can change between the two.
Book recommendation – use Windows authentication only.
My recommendation – allow both; use Windows authentication whenever it makes sense, and use SQL Server authentication whenever necessary.
The sa account
• Everybody knows about it
• It has all the power
• When compromised, the hacker could cause major damage – such as collecting important information or destroying the master table
We should not use it for daily operations in a production environment.
Replace it with another account in two steps:
• Make sure there is another account with administrator privilege
• Use ALTER LOGIN sa WITH NAME = [abc-xyz]
Document the new sa name. Document the sa password. Have a process for changing the sa password.
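The two-step rename above, written out as a T-SQL batch. This is an added example, not code from the slides or the book: it refuses to rename sa until some other enabled login already holds the sysadmin role, then renames sa only if it still carries its default name. The new name [abc-xyz] is the slide's placeholder; the login is located by its fixed SID (0x01) rather than by name, which is an assumption about how sa is identified that holds for all SQL Server versions.

```sql
-- Added example (not from the slides): rename the sa login in two steps.
-- Run as a member of sysadmin. [abc-xyz] is the placeholder name used on
-- the slide; pick and document your own.
SET NOCOUNT ON;

-- Step 1: make sure another enabled login is already a sysadmin, so the
-- rename cannot lock administrators out of the instance.
IF NOT EXISTS (
    SELECT 1
    FROM sys.server_principals  AS p
    JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
    JOIN sys.server_principals  AS r  ON r.principal_id = rm.role_principal_id
    WHERE r.name = N'sysadmin'
      AND p.sid <> 0x01          -- anything except the sa login itself
      AND p.is_disabled = 0
)
BEGIN
    RAISERROR(N'No other enabled sysadmin login exists; create one before renaming sa.', 16, 1);
    RETURN;                      -- abort the batch, leave sa untouched
END;

-- Step 2: rename sa. The login keeps its SID (0x01), so it is still the
-- built-in administrator account; only the well-known name goes away.
DECLARE @current_name sysname;
SELECT @current_name = name FROM sys.server_principals WHERE sid = 0x01;

IF @current_name = N'sa'
    ALTER LOGIN [sa] WITH NAME = [abc-xyz];
ELSE
    PRINT N'sa has already been renamed to: ' + @current_name;
```

Renaming does not change the password, so the slide's last point still applies: record the new name and keep a process for rotating the password of the renamed login.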
SQL Server Configuration Manager
All Programs > Microsoft SQL Server 2008 > Configuration Tools > SQL Server Configuration Manager
Reduce the “surface area” – what services are running
SQL Server Configuration Manager (2)
You can see
• Services
• Network Configuration
• Client Configuration
Exercise #3
Find out the meaning of the following types of connections and compare their pros and cons:
• Shared Memory
• Named Pipes
• TCP/IP
• VIA
When listed in Client Protocols, they appear in a certain order. What does the order indicate?
Due 2/24/2011
Change the TCP port
• The default is 1433
• Change it so hackers take longer to find it
• Document the new number
Hiding a SQL Server instance from broadcasting its information
• Before hiding, a client can find the instance through the SQL Server Browser service, which listens for discovery traffic on the network
• After hiding, only parties that already know the instance can target it
Windows Server 2008 tools
• Using the Security Configuration Wizard
• Verify security using the Microsoft Baseline Security Analyzer
• SQL Server 2008 Best Practices Analyzer tool
Hardening service accounts
There are many built-in service accounts
• Just about one for each service
You can set each service account to manage its corresponding service, or have a single account manage all services.
In a large enterprise you may have a large team, with different team members responsible for different components; separate service accounts are the fitting approach.
In a small shop, use one account for everything.
Hardening service accounts (2)
Basic principles
• Principle of least privilege: give as few rights as you can operate with
• Principle of isolation: make each account apply to one instance and one component, to contain the damage if it is compromised
These principles generate more work.
Others
• Install service packs and hotfixes
• Monitor using the security logs
• Remove the BUILTIN\Administrators group
• Use a firewall
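A read-only T-SQL audit that checks, on one instance, the settings the chapter's slides ask for: authentication mode (slide 3), the sa login's name and state (slide 4), the listening TCP port (slide 8), the hide-instance flag (slide 9), service accounts (slides 11 and 12) and the BUILTIN\Administrators login (slide 13). This is an added example, not code from the slides, the book or the Best Practices Analyzer. It assumes the caller is a sysadmin (xp_instance_regread needs that), that the SuperSocketNetLib registry values are where the instance stores its port and HideInstance settings, and that sys.dm_server_services is available, which it is only from SQL Server 2008 R2 SP1 onward; the wording of each "finding" is this example's own.

```sql
-- Added example (not from the slides): audit the hardening settings this
-- chapter covers and return one row per check. Read-only; run as sysadmin.
SET NOCOUNT ON;

DECLARE @tcp_port      nvarchar(10);
DECLARE @hide_instance int;

-- xp_instance_regread maps the generic MSSQLServer path onto this
-- instance's own registry hive, so the same call works for named instances.
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpPort', @tcp_port OUTPUT;

EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance', @hide_instance OUTPUT;

DECLARE @results TABLE (
    check_name nvarchar(128),
    actual     nvarchar(256),
    finding    nvarchar(256)
);

-- Authentication mode (slide 3): 1 = Windows authentication only.
INSERT INTO @results
SELECT N'Authentication mode',
       CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
            WHEN 1 THEN N'Windows authentication only' ELSE N'Mixed mode' END,
       CASE CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))
            WHEN 1 THEN N'OK' ELSE N'SQL logins allowed: enforce password policy on them' END;

-- SQL logins that bypass the Windows password policy (mixed mode only).
INSERT INTO @results
SELECT N'SQL login: ' + name, N'CHECK_POLICY = OFF', N'Enable CHECK_POLICY'
FROM sys.sql_logins
WHERE is_policy_checked = 0 AND is_disabled = 0;

-- The sa login (slide 4) is found by its fixed SID, whatever its current name.
INSERT INTO @results
SELECT N'sa login',
       name + CASE WHEN is_disabled = 1 THEN N' (disabled)' ELSE N' (enabled)' END,
       CASE WHEN name = N'sa' AND is_disabled = 0
            THEN N'Still named sa and enabled: rename it' ELSE N'OK' END
FROM sys.server_principals
WHERE sid = 0x01;

-- BUILTIN\Administrators login (slide 13): a row appears only if it exists.
INSERT INTO @results
SELECT N'BUILTIN\Administrators login', N'present',
       N'Remove it: every local administrator is otherwise a sysadmin'
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- TCP port (slide 8). An empty TcpPort means dynamic ports are in use.
INSERT INTO @results
VALUES (N'TCP port',
        ISNULL(NULLIF(@tcp_port, N''), N'(dynamic)'),
        CASE WHEN @tcp_port = N'1433'
             THEN N'Default port: change it and document the new value' ELSE N'OK' END);

-- Hide instance (slide 9).
INSERT INTO @results
VALUES (N'Hide instance',
        CASE WHEN @hide_instance = 1 THEN N'yes' ELSE N'no' END,
        CASE WHEN @hide_instance = 1
             THEN N'OK' ELSE N'Instance answers SQL Server Browser discovery' END);

-- Service accounts (slides 11-12). sys.dm_server_services exists from
-- SQL Server 2008 R2 SP1 onward, so the check is skipped on older builds.
IF OBJECT_ID(N'sys.dm_server_services') IS NOT NULL
    INSERT INTO @results
    SELECT N'Service account: ' + servicename, service_account,
           CASE WHEN service_account IN (N'LocalSystem', N'NT AUTHORITY\SYSTEM')
                THEN N'Runs as LocalSystem: use a least-privilege account'
                ELSE N'Review granted rights' END
    FROM sys.dm_server_services;

SELECT check_name, actual, finding FROM @results;
```

Two of the checks deserve a word of interpretation. A non-default port and a hidden instance only raise the cost of discovery; the firewall rule from the last slide is what actually limits who can reach the port, so treat those rows as confirmation of a documented configuration rather than as a control on their own. The service-account row flags LocalSystem because that account already holds every right on the host, which is the opposite of the least-privilege and isolation principles on slide 12; a dedicated low-privilege account per service is what those principles call for.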