Name: Top SQL Server Vulnerabilities | Author: Brian Kelley | Webinar Date: 19-02-2014
Improper or Default Configurations
sp_Blitz will show security issues as well as performance items.
Center for Internet Security - security benchmarks: https://benchmarks.cisecurity.org/downloads/multiform/
Principle of Least Privilege: permission to do the job, but nothing more. Though nothing less either, as that threatens availability.
The Service Account (SA) shouldn't be a domain administrator, nor a local administrator on the server. SQL Server doesn't need a local administrator account. Run SQL Server as a regular AD account; the installer will set the permissions that user needs.
Don’t reuse credentials across servers.
Review both the sysadmin and securityadmin roles, as their members can grant others access. Also audit the CONTROL (CL) permission (sys.server_permissions WHERE type = 'CL').
Who knows the SA password?
When restoring a database, check within the database to see who it thinks the owner is. This is sometimes different from what the server believes it is.
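The two review items above (role membership plus CONTROL SERVER grants, and the owner-mismatch check after a restore) as T-SQL. This is an added example, not from the webinar; it uses only the SQL Server catalog views and dynamic management views named in the comments, and the mismatch check runs against whichever database you are connected to.

```sql
-- Added example (not from the webinar): server-level privilege review.

-- 1. Members of the sysadmin and securityadmin fixed server roles.
--    Both roles can hand out access to others, so every row here needs an owner.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- 2. Logins holding CONTROL at server scope (type 'CL', class 100 = SERVER).
--    CONTROL SERVER is equivalent to sysadmin but does not show up in role membership.
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.type = 'CL' AND sp.class = 100
ORDER BY p.name;

-- 3. Owner of the current database as recorded in master (sys.databases.owner_sid)
--    versus the dbo principal recorded inside the database itself (principal_id 1).
--    After a restore from another server these SIDs often disagree; SUSER_SNAME()
--    returns NULL when the SID inside the database maps to no login on this server.
SELECT DB_NAME() AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_per_master,
       SUSER_SNAME(dp.sid)      AS owner_per_database,
       CASE WHEN d.owner_sid = dp.sid THEN 'match' ELSE 'MISMATCH' END AS status
FROM sys.databases           AS d
CROSS JOIN sys.database_principals AS dp
WHERE d.database_id = DB_ID()
  AND dp.principal_id = 1;

-- Remediation for a mismatch: reassign ownership to a known, low-privilege login,
-- e.g. ALTER AUTHORIZATION ON DATABASE::[YourDb] TO [YourOwnerLogin];
```

Run the third query from inside each restored database; it reports a mismatch whenever the dbo SID recorded in the database differs from the owner SID master holds for it.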
The SQL Server Agent user does require SA.
Two types of securables:
- Securables themselves - objects / items
Apply permissions using database roles
Every database has a system table called sys.columns which lists the columns of every table in that database. You can use it to find sensitive columns more easily, without checking each table by hand. This will take a lot of work!
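Added example (not from the webinar) covering the two notes above: a sys.columns sweep for likely sensitive columns in the current database, followed by a check of who can SELECT from the tables found, since the earlier note says permissions should be applied through database roles. The name patterns are constructed for illustration and should be extended for your own schema.

```sql
-- Added example (not from the webinar): find columns whose names suggest
-- sensitive data, across every user table in the current database.
-- The patterns are constructed for illustration; extend them for your schema.
DECLARE @patterns TABLE (pattern sysname NOT NULL);
INSERT INTO @patterns (pattern) VALUES
    ('%ssn%'), ('%social%'), ('%tax%'), ('%card%'), ('%account%'),
    ('%password%'), ('%secret%'), ('%salary%'), ('%birth%'), ('%dob%');

SELECT s.name  AS schema_name,
       t.name  AS table_name,
       c.name  AS column_name,
       ty.name AS data_type,
       c.max_length
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id     = c.object_id
JOIN sys.schemas AS s  ON s.schema_id     = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE EXISTS (SELECT 1 FROM @patterns AS p WHERE c.name LIKE p.pattern)
ORDER BY s.name, t.name, c.name;

-- Who can read those tables? Explicit SELECT grants at object or column scope
-- (class 1 = OBJECT_OR_COLUMN). Grantees should be database roles; a row whose
-- grantee is an individual user is a sign that least privilege is being managed
-- per person rather than per role.
SELECT OBJECT_SCHEMA_NAME(dp.major_id) AS schema_name,
       OBJECT_NAME(dp.major_id)        AS table_name,
       pr.name                         AS grantee,
       pr.type_desc                    AS grantee_type,   -- DATABASE_ROLE vs SQL_USER / WINDOWS_USER
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1
  AND dp.permission_name = 'SELECT'
ORDER BY schema_name, table_name, grantee;
```

Both queries are per-database; run them in each database you are responsible for. Members of db_datareader or db_owner will not appear in the second result, so check fixed-role membership in sys.database_role_members as well.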
There are many options for dealing with sensitive data, though these were out of scope for the webinar.
Outside of SQL Server
A local administrator can bring SQL Server up in a safe mode that gives them sysadmin access.
Who has access to the storage and backups?
Are backups encrypted? SQL Server Enterprise has a transparent data encryption (TDE) feature which protects the database files as well as the backups.
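Added example (not from the webinar) of enabling TDE on one database and verifying it. The database name SalesDb, the certificate name TdeCert, the file paths and the password placeholders are all assumptions; replace them before use.

```sql
-- Added example (not from the webinar): enable transparent data encryption.
-- SalesDb, TdeCert, the file paths and the passwords are placeholders.
USE master;
GO
-- Database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- Back the certificate up immediately and store it away from the server:
-- without it, neither the database files nor its backups can be restored anywhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
USE SalesDb;
GO
-- The per-database key is itself protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb is listed too, because TDE on any user database also encrypts tempdb.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
```

Once TDE is on, BACKUP DATABASE produces encrypted backup files with no change to the backup command, which is the point of the "are backups encrypted?" question; the certificate backup is what makes those files restorable on another server.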
SQL Injection - caused by poor or non-existent input validation; usually exploited at the application layer.
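Added example (not from the webinar) showing the same mistake inside the database: a stored procedure that builds dynamic SQL by string concatenation, beside the corrected version that passes the value through sp_executesql as a typed parameter, with access granted to the application through a database role. The table dbo.Customers, the procedure names and the role AppReader are constructed for the illustration.

```sql
-- Added example (not from the webinar). Constructed schema for the illustration.
CREATE TABLE dbo.Customers (
    CustomerId int           NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NULL
);
GO

-- UNSAFE: the caller's string is pasted into the statement text, so the value
-- can change the statement's structure instead of just its filter. The same
-- pattern in application code is where injection is usually exploited.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: the statement text is fixed; the value travels as a typed parameter
-- and is never interpreted as SQL, whatever it contains.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @p_name';
    EXEC sys.sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
END;
GO

-- Least privilege for the application: a database role that can execute the
-- procedure and nothing else. No direct table access, no per-user grants.
CREATE ROLE AppReader;
GRANT EXECUTE ON OBJECT::dbo.FindCustomer_Safe TO AppReader;
-- ALTER ROLE AppReader ADD MEMBER [app_user];   -- app_user is a placeholder
GO
```

Parameters only protect values. If the dynamic SQL must also take an object name from the caller, wrap it with QUOTENAME() and validate it against sys.objects; there is no parameter type for identifiers.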