Event Name here - PowerPoint PPT Presentation

Slides: 20
Provided by: bern164
Transcript and Presenter's Notes

1
Avanade: 10 tips for securing your SQL Server databases
Bernt Lervik, Infrastructure Architect, Avanade
2
  • Avanade is the leading technology integrator
    specialising in the Microsoft platform.
  • Our people help customers around the world
    maximise their IT investment and create
    comprehensive solutions that drive business
    results.
  • Additional information can be found at
    www.avanade.com

3
Agenda
  • Unbreakable SQL Server?
  • Background
  • Baseline security
  • Server installation
  • Service Account Selection
  • Authentication
  • Patching
  • Surface area reduction
  • Demo: Security Configuration Wizard
  • Demo: SQL Server 2005 Best Practices Analyzer
  • Network connectivity
  • Demo: IPsec

4
Unbreakable SQL Server?
  • SQL Server 2005 has zero vulnerabilities
    disclosed or fixed since launch!
  • IIS 6.0 has only two Important patches since
    launch
  • MS06-034 Vulnerability in Microsoft Internet
    Information Services using Active Server Pages
    Could Allow Remote Code Execution (917537)
  • MS04-030 Vulnerability in WebDav XML Message
    Handler Could Lead to a Denial of Service (824151)

5
Unbreakable SQL Server?
  • This does not mean we're safe!
  • ... remember:
  • This session will cover the things you forget to
    do outside of SQL Server itself

"There is no 'patch' for stupidity." (www.sqlsecurity.com)
6
Background: Why are we securing our systems?
  • Risk management
  • Identify the appropriate level of security for
    assets according to their data classification
  • Determine the most appropriate and cost-effective
    measures to mitigate security threats
  • Establish regular security risk reviews
  • In mixed classification, apply protection
    requirements of the more sensitive class
  • Make the asset owner accountable

7
Background
  • Asset Classification
  • Define levels of security for assets based on
    confidentiality, integrity, and availability
  • Restrict access to High Business Impact (HBI)
    data to only the most trusted parties
  • Apply strict rules to the use and management of
    Medium Business Impact (MBI) data
  • Low Business Impact (LBI) data has no formal
    classification or protection requirements

8
Server installation
  • Install while not connected directly to the
    internet (doh)
  • Always use latest slipstreamed installation media
  • Windows Server 2003 with Service pack 2
  • If required, deploy antivirus software
  • Remember: antivirus software cannot always help
    you!

9
Service Account Selection
  • Use a specific user account or domain account
    rather than a shared account for SQL Server
    services.
  • Use a separate account for each service.
  • Do not give any special privileges to the
    SQL Server service account; they will be assigned
    by group membership.
  • Manage privileges through the SQL Server supplied
    group account rather than through individual
    service user accounts.
  • Always use SQL Server Configuration Manager to
    change service accounts.
  • Change the service account password at regular
    intervals.

10
Authentication
  • Always use Windows Authentication mode if
    possible.
  • Use Mixed Mode Authentication only for legacy
    applications and non-Windows users.
  • Change the sa account password to a known value
    if you might ever need to use it. Always use a
    strong password for the sa account and change the
    sa account password periodically.
  • Do not manage SQL Server by using the sa login
    account; assign the sysadmin privilege to a known
    user or group.
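The checks and changes behind this slide, written out as T-SQL for a SQL Server 2005 instance. This is an added example, not part of the deck: DOMAIN\SQLAdmins is an assumed group name, and the sa password value is a placeholder to be replaced with a real strong passphrase before use.

```sql
-- Added example (not from the deck): audit and tighten authentication on a
-- SQL Server 2005 instance. DOMAIN\SQLAdmins is an assumed group name; the
-- password below is a placeholder and must be replaced before running.

-- 1. Which authentication mode is in force?
--    1 = Windows Authentication only, 0 = Mixed Mode (SQL Server and Windows).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Who holds sysadmin? Anything beyond the known admin group (and sa) needs a reason.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Give a named Windows group sysadmin so nobody needs to log in as sa.
--    sp_addsrvrolemember is the SQL Server 2005 procedure for this;
--    ALTER SERVER ROLE ... ADD MEMBER only arrived in later versions.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\SQLAdmins')
    CREATE LOGIN [DOMAIN\SQLAdmins] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'DOMAIN\SQLAdmins', @rolename = N'sysadmin';

-- 4. Set a strong sa password and have the Windows password policy enforced on it.
--    Do this even on Windows-only instances: the sa login still exists there.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-long-random-passphrase>', CHECK_POLICY = ON;

-- 5. SQL logins that still bypass password policy or expiry are the next ones to fix.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
```

Step 2 is worth scheduling as a recurring report: sysadmin membership tends to grow quietly, and a weekly diff of that result set is the cheapest "regular security risk review" the Background slide asks for.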

11
Patching
  • Always stay as current as possible.
  • Yes, that means installing patches over time, not
    only during the first install
  • Enable automatic updates whenever feasible, but
    test them before applying to production systems.
  • Microsoft Update provides patches for SQL Server
  • Windows Update does not!
  • Deploy WSUS / SMS for internal control over patch
    deployment

12
Surface area reduction
  • Install only those components that you will
    immediately use
  • Additional components can always be installed as
    needed.
  • Enable only the optional features that you will
    immediately use.
  • Develop a policy with respect to permitted
    network connectivity choices
  • Use SQL Server Surface Area Configuration
  • Turn off unneeded services by setting the service
    to either Manual startup or Disabled
  • Use Security Configuration Wizard
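The optional-feature switches that Surface Area Configuration flips are ordinary sp_configure options, so the same reduction can be scripted and reviewed. The following is an added example, not from the deck or from Microsoft; it snapshots the current state before changing anything so the change can be reverted.

```sql
-- Added example (not from the deck): the optional features that Surface Area
-- Configuration toggles, applied with sp_configure so the change is scriptable
-- and reviewable. Record the current state first so it can be reverted.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 1. Snapshot: which of the optional features are currently on?
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled',
               'Database Mail XPs', 'SQL Mail XPs',
               'Web Assistant Procedures', 'remote access')
ORDER BY name;

-- 2. Turn off what this instance does not immediately use. Each of these is
--    an extra way to run code or reach out of the instance once someone has a
--    login, which is why the slide says to enable them only when needed.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
EXEC sp_configure 'Web Assistant Procedures', 0;
-- 'Database Mail XPs' and 'remote access' are deliberately left alone here:
-- keep Database Mail only if operators rely on it for alerting, and
-- 'remote access' only for legacy remote stored-procedure calls.
RECONFIGURE;

-- 3. Verify that the running value now matches what was intended.
SELECT name, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries',
               'clr enabled', 'SQL Mail XPs', 'Web Assistant Procedures')
ORDER BY name;

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Keep the output of step 1 with the change record: if an application breaks after the reduction, that snapshot tells you exactly which feature it depended on, and the policy the slide asks for can then decide whether that dependency is acceptable.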

13
Security Configuration Wizard
14
Microsoft Baseline Security Analyzer and SQL
Server Best Practices Analyzer
  • Regularly run BPA against SQL Server 2005
  • Regularly run MBSA 2.0 to ensure latest
    SQL Server 2005 patch level
  • Regularly run MBSA 2.0 for SQL Server 2000
    instances
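A quick in-instance complement to the MBSA run on this slide and the "stay as current as possible" advice on the Patching slide: report the installed build and compare it with the baseline your patch process currently mandates. This is an added example, not from the deck; the baseline build used is SQL Server 2005 Service Pack 2 (9.00.3042), which is an assumption to adjust to your own standard.

```sql
-- Added example (not from the deck): report the installed build and compare it
-- to the expected patch baseline. The baseline below is the SQL Server 2005
-- SP2 build (3042); change it to whatever level your patch process mandates.
DECLARE @version nvarchar(128), @level nvarchar(128), @build int, @baseline int;
SET @baseline = 3042;

SELECT @version = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)),
       @level   = CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(128));

-- ProductVersion looks like '9.00.3042.00'; the third dotted component is the
-- build number. Locate it by position so both 3- and 4-part strings work.
DECLARE @p1 int, @p2 int, @p3 int;
SET @p1 = CHARINDEX('.', @version);
SET @p2 = CHARINDEX('.', @version, @p1 + 1);
SET @p3 = CHARINDEX('.', @version, @p2 + 1);
IF @p3 = 0 SET @p3 = LEN(@version) + 1;
SET @build = CAST(SUBSTRING(@version, @p2 + 1, @p3 - @p2 - 1) AS int);

SELECT @version AS product_version,
       @level   AS product_level,      -- 'RTM', 'SP1', 'SP2', ...
       @build   AS build,
       CASE WHEN @build >= @baseline THEN 'at or above baseline'
            ELSE 'BELOW baseline - patch this instance' END AS patch_status;
```

Run this from a central job against every instance, including the SQL Server 2000 ones the slide mentions (ProductVersion there starts with 8.00), and the result set is a patch inventory you can hand to whoever runs WSUS or SMS.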

15
SQL Server 2005 Best Practices Analyzer
16
Network connectivity
  • Limit the network protocols supported.
  • Do not enable network protocols unless they are
    needed.
  • Do not expose a server that is running
    SQL Server to the public Internet.
  • Configure named instances of SQL Server to use
    specific port assignments for TCP/IP rather than
    dynamic ports.
  • Use the built-in Windows Firewall (or a third-party
    firewall)
  • Use IPsec as an additional layer of protection
    where needed
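To back the protocol and port decisions on this slide with evidence, the following added example (not from the deck) shows what the instance is actually listening on and whether it is on a static or dynamic TCP port. It assumes the SQL Server 2005 registry layout under SuperSocketNetLib\Tcp\IPAll and uses xp_instance_regread, an undocumented procedure that maps the generic MSSQLServer path to this instance's own hive; the firewall rule itself has to be set on the Windows side.

```sql
-- Added example (not from the deck): see what the instance listens on and
-- which protocols clients are using. The registry path assumed is the
-- SQL Server 2005 SuperSocketNetLib\Tcp\IPAll layout; xp_instance_regread
-- is undocumented but maps the generic path to this instance's hive.

-- 1. Live view: protocol, local address and port of every current connection.
--    Shared Memory / Named Pipes / TCP show up in net_transport.
SELECT net_transport, protocol_type, local_net_address, local_tcp_port,
       COUNT(*) AS connections
FROM sys.dm_exec_connections
GROUP BY net_transport, protocol_type, local_net_address, local_tcp_port;

-- 2. Configured view: static versus dynamic TCP port for this instance.
DECLARE @static_port nvarchar(16), @dynamic_port nvarchar(16);
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
    N'TcpPort', @static_port OUTPUT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
    N'TcpDynamicPorts', @dynamic_port OUTPUT;

-- A non-empty TcpDynamicPorts means the instance picks its port at startup,
-- which is exactly what makes a firewall rule hard to write for it.
SELECT @static_port  AS tcp_port,
       @dynamic_port AS tcp_dynamic_ports,
       CASE WHEN ISNULL(@dynamic_port, '') <> ''
                THEN 'dynamic port in use - set a fixed TcpPort and clear TcpDynamicPorts'
            WHEN ISNULL(@static_port, '') = ''
                THEN 'no TCP port configured'
            ELSE 'static port ' + @static_port
       END AS port_assignment;
```

Once every named instance reports a static port, the firewall rule set becomes a short, reviewable list of ports per server, and the live view in step 1 tells you which protocols can be disabled without cutting off a client you forgot about.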

17
IPSec
18
References
  • SQL Server 2005 Security Best Practices -
    Operational and Administrative Tasks
    http://www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.mspx
  • Security Configuration Wizard Documentation
    http://www.microsoft.com/downloads/details.aspx?FamilyID=903fd496-9eb9-4a45-aa00-3f2f20fd6171&DisplayLang=en
  • SQL Server 2005 Best Practices Analyzer
    http://www.microsoft.com/downloads/details.aspx?FamilyID=da0531e4-e94c-4991-82fa-f0e3fbd05e63&DisplayLang=en
  • Server and Domain Isolation Using IPsec and Group
    Policy
    http://www.microsoft.com/downloads/details.aspx?FamilyID=404fb62f-7cf7-48b5-a820-b881f63bc005&DisplayLang=en

19
(No Transcript)