Event Name here

1
Avanade 10 tips for å sikring av dine SQL Server
databaser
Bernt Lervik Infrastructure Architect Avanade
2

• Avanade is the leading technology integrator
  specialising in the Microsoft platform.
• Our people help customers around the world
  maximise their IT investment and create
  comprehensive solutions that dive business
  results.
• Additional information can be found at
  www.avanade.com

3
Agenda

• Unbreakable SQL Server?
• Background
• Baseline security
• Server installation
• Service Account Selection
• Authentication
• Patching
• Surface area reduction
• Demo Security Configuration Wizard
• Demo SQL Server 2005 Best Practices Analyzer
• Network connectivity
• Demo IPSec

4
Unbreakable SQL Server?

• SQL Server 2005 has zero vulnerabilities
  disclosed or fixed since launch!
• IIS 6.0 has only two Important patches since
  launch
• MS06-034 Vulnerability in Microsoft Internet
  Information Services using Active Server Pages
  Could Allow Remote Code Execution (917537)
• MS04-030 Vulnerability in WebDav XML Message
  Handler Could Lead to a Denial of Service (824151)

5
Unbreakable SQL Server?

• This does not mean were safe!
• . remember
• This session will cover the stuff you forget to
  do outside of SQL

"There is no 'patch' for stupidity. www.sqlsecuri
ty.com
6
BackgroundWhy are we securing our systems?

• Risk management
• Identify the appropriate level of security for
  assets according to their data classification
• Determine the most appropriate and cost-effective
  measures to mitigate security threats
• Establish regular security risk reviews
• In mixed classification, apply protection
  requirements of the more sensitive class
• Make the asset owner accountable

7
Background

• Asset Classification
• Define levels of security for assets based on
  confidentiality, integrity, and availability
• Restrict access to High Business Impact (HBI)
  data to only the most trusted parties
• Apply strict rules to the use and management of
  Medium Business Impact (MBI) data
• Low Business Impact (LBI) data has no formal
  classification or protection requirements

8
Server installation

• Install while not connected directly to the
  internet (doh)
• Always use latest slipstreamed installation media
• Windows Server 2003 with Service pack 2
• If required deploy antivirus software
• Remember Antivirus software can not always help
  you!

9
Service Account Selection

• Use a specific user account or domain account
  rather than a shared account for SQL Server
  services.
• Use a separate account for each service.
• Do not give any special privileges to the
  SQL Server service account they will be assigned
  by group membership.
• Manage privileges through the SQL Server supplied
  group account rather than through individual
  service user accounts.
• Always use SQL Server Configuration Manager to
  change service accounts.
• Change the service account password at regular
  intervals.

10
Authentication

• Always use Windows Authentication mode if
  possible.
• Use Mixed Mode Authentication only for legacy
  applications and non-Windows users.
• Change the sa account password to a known value
  if you might ever need to use it. Always use a
  strong password for the sa account and change the
  sa account password periodically.
• Do not manage SQL Server by using the sa login
  account assign sysadmin privilege to a knows
  user or group.

11
Patching

• Always stay as current as possible.
• Yes that means installing patches over time not
  only during first install
• Enable automatic updates whenever feasible but
  test them before applying to production systems.
• Microsoft update provides patches for SQL
• Windows update does not!
• Deploy WSUS / SMS for internal control over patch
  deployment

12
Surface area reduction

• Install only those components that you will
  immediately use
• Additional components can always be installed as
  needed.
• Enable only the optional features that you will
  immediately use.
• Develop a policy with respect to permitted
  network connectivity choices
• Use SQL Server Surface Area Configuration
• Turn off unneeded services by setting the service
  to either Manual startup or Disabled
• Use Security Configuration Wizard

13
Security Configuration Wizard
14
Microsoft Baseline Security Analyzer and SQL
Server Best Practices Analyzer

• Regularly run BPA against SQL Server 2005
• Regularly run MBSA 2.0 to ensure latest
  SQL Server 2005 patch level
• Regularly run MBSA 2.0 for SQL Server 2000
  instances

15
SQL Server 2005 Best Practices Analyzer
16
Network connectivity

• Limit the network protocols supported.
• Do not enable network protocols unless they are
  needed.
• Do not expose a server that is running
  SQL Server to the public Internet.
• Configure named instances of SQL Server to use
  specific port assignments for TCP/IP rather than
  dynamic ports.
• Use the built in Windows Firewall (or third
  party)
• Use IPSec for additional layer of protection
  where needed

17
IPSec
18
References

• SQL Server 2005 Security Best Practices -
  Operational and Administrative Tasks
• http//www.microsoft.com/technet/prodtechnol/sql/2
  005/sql2005secbestpract.mspx
• Security Configuration Wizard Documentation
• http//www.microsoft.com/downloads/details.aspx?Fa
  milyID903fd496-9eb9-4a45-aa00-3f2f20fd6171Displa
  yLangen
• SQL Server 2005 Best Practices Analyzer
• http//www.microsoft.com/downloads/details.aspx?Fa
  milyIDda0531e4-e94c-4991-82fa-f0e3fbd05e63Displa
  yLangen
• Server and Domain Isolation Using IPsec and Group
  Policy
• http//www.microsoft.com/downloads/details.aspx?Fa
  milyID404fb62f-7cf7-48b5-a820-b881f63bc005Displa
  yLangen

19
(No Transcript)