Page 1: SQL Server Security Update and Best Practices
Ken Burge
Sr. Technical Solutions Advisor
Microsoft Corporation
ssqlnews@microsoft.com

Page 2: Incidents Reported

CERT/CC incident statistics 1988 through Q3 2003
- Incident: single security issue grouping together all impacts of that issue
- Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality

[Chart: incidents reported per year, '88 through '03; y-axis 0 to 140,000]

Source: http://www.cert.org/stats/cert_stats.html

Page 3: Evolving DB Threat Environment

A decade ago, databases were:
- Physically secure
- Housed in central data centers, not distributed
- External access mediated through customer service reps, purchasing managers, etc.
- Security issues rarely reported

Now databases are increasingly externally accessible:
- Suppliers directly connected
- Customers directly connected
- Customers & partners directly sharing data

Data is the most valuable resource in the application stack
- Value increases with greater integration & aggregation
- Opportunities for data theft, modification, or destruction

Page 4: The Cost of Weak Security

CSI/FBI [chart]

Denial of Service attacks can be caused by certain worms and viruses in addition to Internet-based attacks

Page 5: DB Attack Toolkit: Well Armed

- Brute force & dictionary-based password crackers
- Network sniffers and port scanners
- Object code de-compilers and quality debuggers
  - Symbols typically available for problem determination
  - Application source code not needed for deep attacks
- Leveraging cracked systems:
  - Credentials: leverage & escalate by steps
  - Compute power: host distributed denial of service
- DB security tools & consulting:
  - NGSSoftware (http://www.nextgenss.com/)
  - Internet Security Services (http://www.iss.net/)
  - Application Security Inc. (http://www.appsecinc.com)
  - And many others…
- Community shared resources:
  - Exploit, risk, & data sharing in the community

Page 6: Slammer Overview

Slammer re-using existing ideas:
- "The Slammer code is a straight cut-and-paste job" – D. Litchfield
- Most attacks exploit known vulnerabilities
- Recent SQL Server service levels unaffected

- Single UDP packet delivery very effective (376 bytes)
- Spread doubles every 8.5 seconds
- 90% of vulnerable computers in 10 min
- Max rate hit 55 million scans/second
- 74,855 systems affected in one minute

Page 7: Reality Check: Responding to the Crisis

- Patches proliferating
- Time to exploit decreasing
- Exploits are more sophisticated
- Current approach is not sufficient

Security has become our #1 priority. There is no silver bullet. Change requires innovation.

Days between patch and exploit:
  Nimda           331
  SQL Slammer     180
  Welchia/Nachi   151
  Blaster          25

Page 8: Microsoft's Responsibility

- We understand your frustration
- We sympathize with the inconvenience you've experienced due to deploying patches and dealing with viruses
- We're accountable to helping you secure your environment

ssqlnews@microsoft.com

Page 9: SQL Injection Attacks Explained

- Method to pass rogue statements into SQL Server
- Allows a hacker to access the rest of the network, probe the SQL Server, or create data
- Not just a SQL Server problem
- Runs under the authentication of whatever SQL Server login the application uses

Page 10: SQL Injection Attacks Explained

A query that looks like this:

    select * from login where login_nm = 'InputFromScreen'

can be injected with a single quote and a comment to look like this:

    select * from login where login_nm = '' ; DELETE FROM login --'

- This is not a bug in SQL Server but in the application
- The firewall is bypassed with these types of attacks

Page 11: SQL Injection Attacks Explained

Based on the level of permissions your application has, a hacker could:
- Drop your database
- Delete your data
- Insert a login for himself
- Create a Windows domain account with admin rights
- Gain access to your network
- Back up the SAM for hash cracking

Page 12: SQL Injection Attacks Explained: How to Protect Yourself

- Validate all screen input
- Use the ADO Command object with strict parameter validation
- Permissions
  - Make sure SQL Server runs with the lowest possible permissions. It does not need admin privileges on the server.
  - Make sure the login that your application uses doesn't have direct access to your data.
  - Use stored procs to access all data
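The previous slides' query in both forms, as an added T-SQL example (not from the presentation): the first procedure splices the screen input into the statement text, so the input ' ; DELETE FROM login -- yields exactly the injected statement shown above; the second takes it as a typed parameter (which is what the ADO Command object passes), and the grants at the end give the application login EXECUTE on the procedure only, so it never holds DELETE on the table. The database AppDb, the table dbo.login(login_nm) and the Windows login DOMAIN\AppService are assumed names.

```sql
-- Added example (not from the slides). Assumes a database AppDb holding a table
-- dbo.login(login_nm) and a Windows login DOMAIN\AppService used by the application.
USE AppDb
GO

-- 1. Vulnerable pattern: the input is glued into the statement text and executed as code.
--    The input  ' ; DELETE FROM login --  produces
--    select * from login where login_nm = '' ; DELETE FROM login --'
--    Dynamic SQL runs in the caller's context, so the DELETE succeeds whenever the
--    application login has rights on the table.
CREATE PROCEDURE dbo.usp_FindLogin_Unsafe @login_nm varchar(50)
AS
    DECLARE @sql nvarchar(400)
    SET @sql = N'select * from login where login_nm = ''' + @login_nm + N''''
    EXEC (@sql)
GO

-- 2. Parameterised pattern: the value is bound as data and never parsed as SQL.
--    The same input is compared as one literal string and matches no row.
CREATE PROCEDURE dbo.usp_FindLogin @login_nm varchar(50)
AS
    SET NOCOUNT ON
    SELECT login_nm FROM dbo.login WHERE login_nm = @login_nm
GO

-- 3. Least privilege: the application login may execute the procedure (ownership
--    chaining covers the SELECT inside it) but holds nothing on the table itself, so
--    an injected DELETE would be refused with error 229, the permission-denied error
--    the auditing slide logs.
EXEC sp_grantlogin 'DOMAIN\AppService'
EXEC sp_grantdbaccess 'DOMAIN\AppService'
REVOKE ALL ON dbo.login FROM public
REVOKE ALL ON dbo.login FROM [DOMAIN\AppService]
GRANT EXECUTE ON dbo.usp_FindLogin TO [DOMAIN\AppService]
GO

-- 4. The payload from the slide passed as a parameter: returns no rows, deletes nothing.
EXEC dbo.usp_FindLogin @login_nm = ''' ; DELETE FROM login --'
GO
```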

Page 13: Getting Secure: Microsoft SQL Server Security Best Practices

Page 14: Best Practices: Service Packs and Hot Fixes

- Install SQL Server SP3 as soon as you can
- Install hot fixes as soon as you have tested for application regressions
- Sign up for the Microsoft security bulletin at: http://www.microsoft.com/technet/security

Page 15: Best Practices: The Big Three

- Use Windows authentication if at all possible:
  - Can be difficult if you run in a multi-domain environment or one that has a strong firewall.
- Start with the lowest permissions possible for the user, then work your way up
- Avoid easily guessed login names like ksmith. Instead use something more obscure and less obvious.

Page 16: Best Practices: SA Account

- SQL Snake virus preyed on SQL Servers with SA and no password
- Make the password hard to crack, even if you use Windows Authentication
  - Should be virtually impossible to remember
- Never ever use the SA account
  - It is a known account, which makes it an obvious target
  - If a developer knows the SA password, he will use it because it is convenient. It encourages lazy security measures.

Page 17: Best Practices: Firewall and Port Assignments

- Block SQL Server TCP/IP port 1433 and UDP port 1434 from vulnerable areas (such as the Internet)
- Set each SQL Server instance to use a unique TCP/IP port that is not 1433
  - Note: you cannot change UDP port 1434
- If you are using MSDE or multiple SQL Server instances, the nodes could choose a random available port

Page 18: Best Practices: Default Logins

- Remove the BUILTIN\Administrators account
  - If needed, you should only explicitly give access to Windows administrators
- Don't start SQL Server with the LocalSystem account
  - Start SQL Server and Agent with an account with minimal permissions
  - SP3 fixes a problem where SQL Server Agent had to start with a Windows domain account
- Always change login accounts for SQL Server through the Enterprise Manager interface.
  - Much easier, and sets the appropriate registry settings for you

Page 19: Best Practices: Communicating to SQL Server

- A strong firewall policy is a must
- Do not allow employees other than DBAs to have direct access to the production machines. This includes developers.
- Attempt to use SSL for communication with SQL Server
  - Will see a slight performance hit
- Multiprotocol or IPSec are alternatives but not as strong as TCP/IP and SSL

Page 20: Best Practices: Public Role and Guest Account

- Any login with rights to your SQL Server is automatically given all the privileges that the Guest login has
- Any user with rights to a given database has all the rights given to the Public role
- Never let the guest account have access to your database
  - You cannot remove the guest account from Master or TempDB
  - Northwind and Pubs by default give the Guest account sysadmin privileges, thereby creating a security hole

Page 21: Best Practices: Auditing

- Always turn on Failed Login auditing
- Create alerts to email you when this occurs
- Increase the number of error logs you keep to prevent the hacker from cycling the error log to cover his tracks
- Audit failed access to objects (error 229):

    UPDATE sysmessages SET dlevel = (dlevel | 0x80) WHERE error = 229

- C2 level auditing is handy, but will cause a performance hit

Page 22: Best Practices: C2 Level Auditing

- Audits access to every object and use of permissions on the server
- Turn on by using the sp_configure proc:

    EXEC sp_configure 'c2 audit mode', 1
    RECONFIGURE

- Causes a noticeable performance hit
- If the drive that holds the logs fills, SQL Server will stop

Page 23: Tighten Access: Directories and Registry Keys

- Always install SQL Server on an NTFS partition
- Watch who has access to the SQL Server binaries and data files
  - If you have the MDF and LDF files, then you have all the sensitive data you need
  - You can encrypt the physical files using 3rd-party or Windows encryption
- Watch who has access to the following registry keys:
  - HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER
  - HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\INSTANCE

Page 24: Tighten Access: Protection of Extended Procs

Revoke access to extended sprocs that read and write to the registry:
- xp_regwrite
- xp_regread
- xp_regremovemultistring
- xp_regaddmultistring
- xp_regdeletevalue
- xp_regenumvalues

Page 25: Tighten Access: OA Sprocs

Revoke access to stored procs that can create objects:
- sp_OACreate
- sp_OADestroy
- sp_OAStop
- sp_OAGetProperty
- sp_OASetProperty
- sp_OAMethod
- sp_OAGetErrorInfo

Page 26: Tighten Access: Other Extended Sprocs

Revoke access to stored procs that can cause other damage:
- xp_cmdshell
- sp_runwebtask
- sp_readwebtask
- sp_MSSetServerProperties
- sp_MScopyScriptFiles
- sp_MSsetalertinfo

Manually delete the underlying .dll file for each extended sproc you remove

Page 27: Tighten Access: DTS Lockdown

- By default anyone who has a login to SQL Server can create a DTS package
- Protect your packages with a user and owner password
- Revoke public access to:
  - RTblDBMProps table
  - Too many sprocs to list (see Books Online)
- Create a role for users who need to use DTS
- As always, test and retest this before applying in production. Have a good rollback script ready.

Page 28: Tighten Access: Job System Lockdown

Too many sprocs here to list, but here are a few:
- sp_add_job
- sp_delete_job
- sp_start_job
- sp_purge_jobhistory

You should create a SQL Server user-defined role for all who need to be able to create and start jobs.

Page 29: Tighten Access

- Revoke access to the guest account
- Remove or revoke access to certain system stored procedures
- Create roles for users who can create DTS packages and jobs
- Caution: make sure you test all of these types of changes, as you may affect an application or Enterprise Manager!
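The auditing and tighten-access checklist from pages 21 through 29 gathered into one script, as an added T-SQL example for SQL Server 2000 (it is not the lockdown.sql script the resources slide points to). It assumes that direct writes to sysmessages require the 'allow updates' option on SQL Server 2000, that RTblDBMProps lives in msdb, and that AppDb, JobOperators and DOMAIN\JobUser are placeholder names; the procedure names are the ones listed on the slides.

```sql
-- Added lockdown script assembled from the checklist on the preceding slides
-- (an example, not the lockdown.sql script the resources slide refers to).
-- Written for SQL Server 2000; run as sysadmin, in a test instance first, with a
-- rollback script ready. AppDb, JobOperators and DOMAIN\JobUser are assumed names.
USE master
GO

-- Auditing (pages 21-22). Failed-login auditing and the number of error logs kept
-- are instance registry values under the MSSQLSERVER key listed on page 23; both take
-- effect when the service restarts. AuditLevel 2 = log failed logins only.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'NumErrorLogs', REG_DWORD, 30
GO
-- Log failed object access (error 229). Assumption: a direct UPDATE of sysmessages
-- needs 'allow updates' on SQL Server 2000, so enable it only for this statement.
EXEC sp_configure 'allow updates', 1
RECONFIGURE WITH OVERRIDE
GO
UPDATE sysmessages SET dlevel = (dlevel | 0x80) WHERE error = 229
GO
EXEC sp_configure 'allow updates', 0
RECONFIGURE WITH OVERRIDE
GO
-- C2 audit mode is an advanced option; expect the performance hit and the
-- "server stops when the audit drive fills" behaviour described on page 22.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'c2 audit mode', 1
RECONFIGURE
GO

-- Extended and OA procedures (pages 24-26): take them away from public.
-- Names as listed on the slides; the case-insensitive default collation resolves them.
REVOKE EXECUTE ON xp_regwrite FROM public
REVOKE EXECUTE ON xp_regread FROM public
REVOKE EXECUTE ON xp_regremovemultistring FROM public
REVOKE EXECUTE ON xp_regaddmultistring FROM public
REVOKE EXECUTE ON xp_regdeletevalue FROM public
REVOKE EXECUTE ON xp_regenumvalues FROM public
REVOKE EXECUTE ON sp_OACreate FROM public
REVOKE EXECUTE ON sp_OADestroy FROM public
REVOKE EXECUTE ON sp_OAStop FROM public
REVOKE EXECUTE ON sp_OAGetProperty FROM public
REVOKE EXECUTE ON sp_OASetProperty FROM public
REVOKE EXECUTE ON sp_OAMethod FROM public
REVOKE EXECUTE ON sp_OAGetErrorInfo FROM public
REVOKE EXECUTE ON xp_cmdshell FROM public
REVOKE EXECUTE ON sp_runwebtask FROM public
REVOKE EXECUTE ON sp_readwebtask FROM public
REVOKE EXECUTE ON sp_MSSetServerProperties FROM public
REVOKE EXECUTE ON sp_MScopyScriptFiles FROM public
REVOKE EXECUTE ON sp_MSsetalertinfo FROM public
GO
-- To remove an extended procedure outright (page 26 also says to delete its DLL):
-- EXEC sp_dropextendedproc 'xp_cmdshell'

-- Job system and DTS (pages 27-28): public loses the job procedures and the DTS
-- repository table; a user-defined role in msdb gets them back for named people.
-- Assumption: RTblDBMProps is in msdb on SQL Server 2000.
USE msdb
GO
REVOKE EXECUTE ON sp_add_job FROM public
REVOKE EXECUTE ON sp_delete_job FROM public
REVOKE EXECUTE ON sp_start_job FROM public
REVOKE EXECUTE ON sp_purge_jobhistory FROM public
REVOKE ALL ON RTblDBMProps FROM public
EXEC sp_addrole 'JobOperators'
GRANT EXECUTE ON sp_add_job TO JobOperators
GRANT EXECUTE ON sp_delete_job TO JobOperators
GRANT EXECUTE ON sp_start_job TO JobOperators
EXEC sp_grantdbaccess 'DOMAIN\JobUser'          -- the login must already exist
EXEC sp_addrolemember 'JobOperators', 'DOMAIN\JobUser'
GO

-- Guest (pages 20 and 29): drop it from each user database (not possible in master/tempdb).
USE AppDb
GO
EXEC sp_revokedbaccess 'guest'
GO
```

Run it section by section and keep the output: each REVOKE that targets a procedure your applications or Enterprise Manager still call is the one page 29's caution is about.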

Page 30: Staying Secure: Microsoft SQL Server Management Update

Page 31: Microsoft's Responsibility

You've told us:
- "I can't keep up…new SQL patches are released too often"
- "The quality of the SQL Server patching process is low and inconsistent"
- "I need to know the right way to run an enterprise on SQL Server"
- "There are still too many vulnerabilities in SQL Server"

Our action items:
- Provide Guidance and Training
- Mitigate Vulnerabilities Without Patches
- Continue Improving Quality
- Improve the Patching Experience

Page 32: Improve the Patching Experience: New Patch Policies

- Extending security support to June 2004
  - Windows 2000 SP2
  - Windows NT4 Workstation SP6a
- Security patches on a monthly predictable release cycle
  - Allows for planning a predictable monthly test and deployment cycle
  - Packaged as individual patches that can be deployed together
- NOTE: Exceptions will be made if customers are at immediate risk from viruses, worms, attacks or other malicious activities

Page 33: Improve the Patching Experience: Patch Enhancements

Your need / Our response:

- Reduce patch complexity
  - By late 2004: Consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
- Improved tools consistency
  - By mid-2004: Consistent results from MBSA, SUS, SMS, Windows Update (will all use SUS 2.0 engine for detection)
- Reduce risk of patch deployment
  - Now: Increased internal testing; customer testing of patches before release
  - By mid-2004: Rollback capability for W2k generation products and later (MSI 3.0 patches)
- Reduce downtime
  - Now: Continued focus on reducing reboots
  - By late 2004: 30% of critical updates on Windows Server 2003 SP1 installed w/o rebooting ("hot patching")
- Reduce patch size
  - By late 2004: Substantially smaller patches for W2k generation and later OS & applications (delta patching technology, next generation patching installers)
- Improved tools capabilities
  - May 2004: Microsoft Update (MU) hosts patches for W2k server, and over time SQL 2000, Office & Exchange 2003
  - By mid-2004: SUS 2.0 receives content from MU & adds capabilities for targeting, basic reporting and rollback

Page 34: Patch Management Roadmap

Current tools: Microsoft Baseline Security Analyzer, Windows Update, Software Update Service, SMS + Feature Pack, Patch Management Guides

Unified infrastructure: "Microsoft Update"
- 2 standard installers
- Common scanning for all tools
- Common standards for install behavior
- MBSA 1.2, SUS 2.0, SMS 2003

"The Software Update Services Feature Pack has had a major impact on how we manage security patches at CNF. We went from not managing security patches to managing them – and very effectively." – Roger Wilding, Senior Technical Engineer, CNF, March 17, 2003

Page 35: Providing Guidance and Training: IT Professionals

- Global Education Program
  - TechNet Security Seminars
  - Monthly Security Webcasts
  - www.microsoft.com/events
- New Prescriptive Guidance
  - Patterns and practices
  - How to configure for security
  - How Microsoft Secures Microsoft
- Online Community
  - Security Zone for IT Professionals
  - Authoritative Enterprise Security Guidance
  - http://www.microsoft.com/technet/security/bestprac.asp

Page 36: Continue Improving Quality

Mandatory for all new products:
[Chart: critical or important vulnerabilities in the first …90 days and …180 days, TwC release Yes vs. No; values shown: 3, 6, 8, 21]

For some widely-deployed, existing products:
- Service Pack 3, shipped July 2002, 16 months ago (as of Nov. 2003): 6 bulletins in the 16-month period prior to the TwC release, 1 bulletin since the TwC release
- Service Pack 3, shipped Jan. 2003, 10 months ago (as of Nov. 2003): 11 bulletins in the 10-month period prior to the TwC release, 2 bulletins since the TwC release

Successfully withstood >80K attacks; the Microsoft solution was never successfully hacked. Solution included Windows 2000 Server, IIS 5.0, ASP.NET, SQL Server 2000.
http://www.eweek.com/article2/0,3959,743411,00.asp

Page 37: Continue Improving Quality: Making Progress

23 products in the TwC release process:
- .NET Framework (for 2002 & 2003)
- ASP.NET (for 2002 & 2003)
- BizTalk Server 2002 SP1
- Commerce Server 2000 SP4
- Commerce Server 2002 SP1
- Content Management Server 2002
- Exchange Server 2003
- Host Integration Server 2002
- Identity Integration Server 2003
- Live Communications Server 2003
- MapPoint.NET
- Office 2003
- Rights Mgmt Client & Server 1.0
- Services For Unix 3.0
- SQL Server 2000 SP3
- Visual Studio .NET 2002
- Visual Studio .NET 2003
- Virtual PC
- Virtual Server
- Windows CE (Magneto)
- Windows Server 2003
- Windows Server 2003 ADAM

Page 38: Resources

- SQL Server Security, Chip Andrews, David Litchfield, Bill Grindlay; McGraw-Hill Osborne Media; ISBN: 0072225157
- Whitepaper: SQL Server 2000 SP3 Security Features and Best Practices, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp

Page 39: URLs

General
- http://www.microsoft.com/security
- http://www.sqlserversecurity.com (see the lockdown.sql script at this site)

Technical Resources for IT Professionals
- http://www.microsoft.com/technet/security

Best Practices for Defense in Depth
- http://www.microsoft.com/technet/security/bestprac.asp

How Microsoft Secures Microsoft
- http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp

MSDN Security Development Tools
- http://msdn.microsoft.com/security/downloads/tools/default.aspx

Page 40: Call To Action

1. Read the SQL Server SP3 whitepaper
2. Install SQL SP3 as soon as possible
3. Run MBSA on your servers
4. Sign up for the quarterly SQL Server Newsletter by emailing ssqlnews@microsoft.com

You can get this presentation by emailing ssqlnews@microsoft.com.