Hardening Your SQL Server Instance

1
Chapter 8

• Hardening Your SQL Server Instance

2
Hardening

• Hardening
• The process of making your SQL Server Instance
  more secure
• New features
• Policy based management (chapter 10)
• Kerberos authentication for other communication
  protocols beside TCP/IP, such as named pipes and
  shared memory
• Tighter integration between SQL Server 2008 and
  Windows Server 2008 and Active Directory Domain
  Services
• Can re-name the sa account
• Others

3
Authentication

• Windows authentication
• Always because the users are Windows users first.
• Generally the password is more secure
• Mixed Mode
• Can be as secure as Windows
• Provides a secondary guard
• Necessary to support public facing applications
• Not supporting Kerberos a more mature and
  robust protocol
• Can change between the two
• Book recommendation use Windows authentication
  only
• My recommendation allow both, use Windows
  authentication whenever make sense, use SQL
  Server authentication whenever necessary.

4
The SA account

• Everybody knows about it
• It has all the power
• When compromised, the hacker could cause a lot
  major damagers such as collecting important
  information or destroy the master table.
• We should not use it for daily operations in a
  production environment
• Should replace it with another account in two
  steps
• Make sure there is another account with
  administrator privilege
• Use Alter login SA with name abc-xyz
• Document the new SA name
• Document the SA password
• Have process of changing SA password

5
SQL Server Configuration Manager

• All programs ? Microsoft SQL Server 2008 ?
  Configuration Tools ? SQL Server Configuration
  Manager
• Reduce the Surface Area what services are
  running

6
SQL Server Configuration Manager (2)

• You can see
• Services
• Network Configuration
• Client Configuration

7
Exercise 3

• Finding out the meaning of the following types of
  connections and compare the pros and cons
• Shared Memory
• Named Pipes
• TCP/IP
• VIA
• When listed in Client Protocols, they appear in
  certain order, what does the order indicate?
• Due 2/24/2011

8
Change TCP port

• The default is 1433
• Change it so hackers take longer to find it
• Document the new number

9
Hiding a SQL Server Instance from Broadcasting
info

• Before hiding, client can find the instance with
  Server Browser listening the traffic on the net
• After hiding, only the parties know the instance
  can target the instance

10
Windows Server 2008 Tools

• Using Security Configuration Wizard
• Verify Security Using the Microsoft Baseline
  security Analyzer
• SQL Server 2008 Best Practice Analyzer Tool

11
Hardening Service Account

• There are many build in service account
• Just about one for each service
• You can set to have each service account manage
  the corresponding service or have a single
  account manages all services
• In a large enterprise you may have a large team,
  different team members are responsible for
  different components, the services accounts are a
  fitting approach
• In a small shop, use one account for everything

12
Hardening Service Account (2)

• Basic principles
• Principle of Least Privilege
• Give as little rights as you can operate
• Principle of Isolation
• Make each account apply to each instance and
  component to control the damages if compromised
  
• These principles generate more work ?

13
Others

• Install Service Packs and hot fixes
• Monitoring using Security Logs
• Remove the BUILDIN\Administrators group
• Use of Firewall