SQL Server Security Update and Best Practices
Ken Burge, Sr. Technical Solutions Advisor, Microsoft Corporation
[email protected]
Incidents Reported
(Chart: CERT/CC incidents reported per year, '88 through Q3 2003; y-axis 0 to 140,000. Individual bar values are not recoverable from the page.)
- Incident: a single security issue, grouping together all impacts of that issue
- Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
Source: http://www.cert.org/stats/cert_stats.html
Evolving DB Threat Environment
A decade ago, databases were:
- Physically secure
- Housed in central data centers, not distributed
- Reached from outside only through intermediaries: customer service reps, purchasing managers, etc.
- Rarely the subject of reported security issues
Now DBs are increasingly externally accessible:
- Suppliers directly connected
- Customers directly connected
- Customers and partners directly sharing data
Data is the most valuable resource in the application stack:
- Its value increases with greater integration and aggregation
- So do the opportunities for data theft, modification, or destruction
The Cost of Weak Security
(Chart: CSI/FBI survey figures; values not recoverable from the page.)
Denial of service can be caused by certain worms and viruses in addition to Internet-based attacks.
DB Attack Toolkit: Well Armed
- Brute-force and dictionary-based password crackers
- Network sniffers and port scanners
- Object-code decompilers and quality debuggers; symbols are typically available for problem determination, so application source code is not needed for deep attacks
- Leveraging cracked systems: credentials (leverage and escalate step by step) and compute power (hosting distributed denial of service)
- DB security tools and consulting: NGSSoftware (http://www.nextgenss.com/), Internet Security Systems (http://www.iss.net/), Application Security Inc. (http://www.appsecinc.com), and many others
- Community shared resources: exploits, risk information and data are shared in the community
Slammer Overview
Slammer re-used existing ideas:
- "The Slammer code is a straight cut-and-paste job" (D. Litchfield)
- Most attacks exploit known vulnerabilities; recent SQL Server service levels were unaffected
Single UDP packet delivery, to the SQL Server Resolution Service on UDP port 1434, was very effective (376 bytes):
- Spread doubled every 8.5 seconds
- 90% of vulnerable computers were infected in 10 minutes
- Maximum rate hit 55 million scans/second
- 74,855 systems affected in one minute
Patches are proliferating, time to exploit is decreasing, exploits are more sophisticated, and the current approach is not sufficient.
Security has become our #1 priority. There is no silver bullet. Change requires innovation.
Days between patch and exploit (chart):
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25
Reality Check: Responding to the Crisis
Microsoft's Responsibility
- We understand your frustration
- We sympathize with the inconvenience you've experienced deploying patches and dealing with viruses
- We're accountable for helping you secure your environment
[email protected]
SQL Injection Attacks Explained
- A method of passing rogue statements into SQL Server through an application that builds its queries from user input
- Allows an attacker to access the rest of the network, probe the SQL Server, or create data
- Not just a SQL Server problem: any database reached through concatenated query text is exposed
- The injected statements run under whatever SQL Server login the application uses, with all of that login's permissions
SQL Injection Attacks Explained
A query built like this:
    select * from login where login_nm = 'InputFromScreen'
can be injected with a single quote, a statement terminator and a comment to look like this:
    select * from login where login_nm = ''; DELETE FROM login --'
The injected quote closes the string early, the text after it becomes a second statement in the batch, and the comment marker hides the application's own closing quote.
- This is not a bug in SQL Server but in the application
- The firewall is bypassed: the attack arrives as ordinary application traffic on a port that is already allowed
SQL Injection Attacks Explained
Depending on the level of permissions your application's login has, an attacker could:
- Drop your database
- Delete your data
- Insert a login for himself
- Create a Windows domain account with admin rights
- Gain access to your network
- Back up the SAM for hash cracking
The last three need the login to reach xp_cmdshell or a similar extended procedure, which is why the lockdown slides below revoke them.
SQL Injection Attacks Explained: how to protect yourself
- Validate all screen input
- Use the ADO Command object with strict parameter validation: parameters travel separately from the SQL text, so a quote in the input stays data
- Permissions:
  - Make sure SQL Server runs with the lowest possible permissions. It does not need admin privileges on the server.
  - Make sure the login your application uses doesn't have direct access to your data.
  - Use stored procedures to access all data, and pass their arguments as parameters; building EXEC strings from input inside a procedure re-introduces the problem.
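The concatenation the slides describe, beside the parameterized form, as an added example (not code from the presentation). Python's sqlite3 stands in for SQL Server so that it runs offline; that substitution, the contents of the `login` table and the payload strings are assumptions. It goes slightly beyond the slide's DELETE payload by also showing the single-statement `' OR 1=1 --` variant that turns a lookup into "match every row".

```python
import sqlite3

# Added example, not code from the presentation. sqlite3 stands in for SQL
# Server (assumption); the injection mechanics are the same. The vulnerable
# path uses executescript() because SQL Server executes a whole batch of
# statements, while sqlite3's execute() refuses more than one per call.


def fresh_db():
    """In-memory database with a constructed 'login' table (sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (login_nm TEXT, pw TEXT)")
    con.executemany("INSERT INTO login VALUES (?, ?)",
                    [("ksmith", "x"), ("jdoe", "y")])
    return con


def lookup_vulnerable(con, input_from_screen):
    """The slide's query, built by concatenating screen input into the SQL."""
    sql = "SELECT * FROM login WHERE login_nm = '" + input_from_screen + "'"
    con.executescript(sql)          # runs every statement the input smuggled in


def lookup_bypass(con, input_from_screen):
    """Same concatenation, single statement: returns the rows the query matched."""
    sql = "SELECT * FROM login WHERE login_nm = '" + input_from_screen + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, input_from_screen):
    """Fixed version: the value is bound as a parameter, never spliced into SQL."""
    return con.execute("SELECT * FROM login WHERE login_nm = ?",
                       (input_from_screen,)).fetchall()


def remaining_logins(con):
    return con.execute("SELECT COUNT(*) FROM login").fetchone()[0]


DELETE_PAYLOAD = "'; DELETE FROM login --"   # the slide's payload
BYPASS_PAYLOAD = "' OR 1=1 --"               # classic "match every row" variant


def demo():
    """Returns (rows left after the vulnerable lookup with DELETE_PAYLOAD,
                rows matched by BYPASS_PAYLOAD through the vulnerable code,
                rows matched by the parameterized lookup with DELETE_PAYLOAD,
                rows left after that parameterized lookup)."""
    con = fresh_db()
    lookup_vulnerable(con, DELETE_PAYLOAD)
    vulnerable_left = remaining_logins(con)

    con = fresh_db()
    bypass_rows = len(lookup_bypass(con, BYPASS_PAYLOAD))

    con = fresh_db()
    safe_rows = len(lookup_parameterized(con, DELETE_PAYLOAD))
    safe_left = remaining_logins(con)
    return vulnerable_left, bypass_rows, safe_rows, safe_left


if __name__ == "__main__":
    print(demo())   # (0, 2, 0, 2)
```

The parameterized lookup treats the whole payload as a login name to compare against, so it matches nothing and deletes nothing; the concatenated version empties the table. The same contrast applies to stored procedures: `EXEC usp_Lookup @name = ?` with a bound parameter is safe, `EXEC('... ' + @name)` inside the procedure is not.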
Getting Secure: Microsoft SQL Server security best practices
Best Practices: Service Packs and Hot Fixes
- Install SQL Server SP3 as soon as you can
- Install hot fixes as soon as you have tested them for application regressions
- Sign up for the Microsoft security bulletin at http://www.microsoft.com/technet/security
Best Practices: The big three
- Use Windows authentication if at all possible. This can be difficult if you run in a multi-domain environment or one with a strong firewall between clients and the server.
- Start with the lowest permissions possible for the user, then work your way up
- Avoid easily guessed login names like ksmith. Instead use something more obscure and less obvious. This only slows down guessing; a strong password and alerting on failed logins do the real work.
Best Practices: SA Account
- The SQL Snake worm preyed on SQL Servers with an SA account and no password
- Make the SA password hard to crack, even if you use Windows authentication; it should be virtually impossible to remember
- Never use the SA account for applications or day-to-day work
  - It is a known account, which makes it an obvious target
  - If a developer knows the SA password, he will use it because it is convenient. It encourages lazy security measures.
Best Practices: Firewall and Port Assignments
- Block SQL Server TCP port 1433 and UDP port 1434 from vulnerable areas (such as the Internet)
- Set each SQL Server instance to use a unique TCP port that is not 1433
  - Note: you cannot change UDP port 1434. It is the SQL Server Resolution Service, which tells clients which TCP port each instance listens on, and it is the port Slammer hit.
- If you are using MSDE or multiple SQL Server instances, a named instance may pick a random available TCP port at startup. Pin the port, or your firewall rules will not match what the instance is actually listening on.
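A check for the port advice above, as an added example that is not part of the presentation: a small probe for the SQL Server Resolution Service on UDP 1434. It sends the one-byte enumeration request (0x02, CLNT_UCAST_EX), parses the reply, and lists which instances still sit on TCP 1433. From an untrusted segment the expected result is no reply at all, which confirms the 1434 block. The embedded sample reply is constructed; its host name, instance names and ports are made up. The request type 0x04 carrying an oversized instance name was Slammer's vector; this probe never sends it.

```python
import socket
import struct

# Added example, not from the presentation. Wire format is the SQL Server
# Resolution Service on UDP 1434: client sends one 0x02 byte, server answers
# 0x05, a 16-bit little-endian length, then 'key;value;' pairs with instances
# separated by ';;'. SAMPLE_BODY is constructed (names and ports made up).

SAMPLE_BODY = (
    b"ServerName;DB01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;"
    b"tcp;1433;np;\\\\DB01\\pipe\\sql\\query;;"
    b"ServerName;DB01;InstanceName;PAYROLL;IsClustered;No;Version;8.00.760;"
    b"tcp;2433;;"
)
SAMPLE_REPLY = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY


def parse_ssrs_reply(payload):
    """Return one dict per advertised instance; raise if this is not an SSRS reply."""
    if len(payload) < 3 or payload[0] != 0x05:
        raise ValueError("not a CLNT_UCAST_EX response")
    (length,) = struct.unpack_from("<H", payload, 1)
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:          # trailing empty chunk after the final ';;'
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def default_port_instances(instances):
    """Names of instances still listening on TCP 1433, which the slide says to move."""
    return [i.get("InstanceName", "?") for i in instances if i.get("tcp") == "1433"]


def probe(host, timeout=2.0):
    """Send the one-byte enumeration request to UDP 1434 on host.
    Returns the parsed instance list, or None when nothing answers (port
    filtered, or no resolution service running)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(b"\x02", (host, 1434))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_ssrs_reply(data)


if __name__ == "__main__":
    import sys
    # With no argument, parse the constructed sample; with a host, probe it.
    found = parse_ssrs_reply(SAMPLE_REPLY) if len(sys.argv) < 2 else probe(sys.argv[1])
    if found is None:
        print("no reply: UDP 1434 filtered or no resolution service")
    else:
        for inst in found:
            print(inst.get("InstanceName"), "tcp", inst.get("tcp"))
        print("still on 1433:", default_port_instances(found))
```

Run it once from inside the data-center network to confirm every instance has been moved off 1433 and reports the SP3 build (8.00.760), and once from the Internet-facing side, where the only acceptable answer is a timeout.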
Best Practices: Default Logins
- Remove the BUILTIN\Administrators login
  - If needed, explicitly grant access only to the individual Windows administrators who require it
- Don't start SQL Server with the LocalSystem account
  - Start SQL Server and SQL Server Agent with an account that has minimal permissions
  - SP3 fixes a problem where SQL Server Agent had to start with a Windows domain account
- Always change the service accounts for SQL Server through the Enterprise Manager interface. It is much easier and sets the appropriate registry settings for you.
Best Practices: Communicating with SQL Server
- A strong firewall policy is a must
- Do not allow employees other than DBAs to have direct access to the production machines. This includes developers.
- Attempt to use SSL for communication with SQL Server; you will see a slight performance hit
- Multiprotocol encryption or IPSec are alternatives, but not as strong as TCP/IP with SSL
Best Practices: Public Role and Guest Account
- Any login with access to your SQL Server is automatically given all the privileges that the guest user has in every database where guest is enabled
- Any user with access to a given database has all the rights granted to the Public role
- Never let the guest account have access to your database
  - You cannot remove the guest account from master or tempdb
  - Northwind and Pubs give the guest user access by default, creating a security hole; drop the sample databases from production servers
Best Practices: Auditing
- Always turn on failed-login auditing
- Create alerts to email you when a failed login occurs
- Increase the number of error logs you keep, to prevent an attacker from cycling the error log to cover his tracks
- Audit failed access to objects (error 229, permission denied):
    UPDATE sysmessages SET dlevel = (dlevel | 0x80) WHERE error = 229
  The 0x80 bit marks the message "always log", so each permission-denied error is written to the SQL Server error log and the Windows application log. Updating sysmessages directly requires the 'allow updates' configuration option while you run it; sp_altermessage 229, 'WITH_LOG', 'true' does the same thing without it.
- C2-level auditing is handy, but will cause a performance hit
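Failed-login auditing only pays off if someone reads the log. As an added example that is not part of the presentation, the script below parses SQL Server errorlog lines for "Login failed for user" and flags (client, user) pairs with a burst of failures inside a sliding window, which separates a mistyped password from a guessing run against sa. The log lines are constructed; the `[CLIENT: ip]` suffix is an assumption (later SQL Server versions print it, and the parser tolerates its absence).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the presentation. The log text is constructed; the
# '[CLIENT: ip]' suffix is assumed, and lines without it get client 'unknown'.

SAMPLE_LOG = """\
2003-11-14 10:22:31.12 server    Microsoft SQL Server  2000 - 8.00.760 (Intel X86)
2003-11-14 10:22:40.01 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
2003-11-14 10:22:41.20 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
2003-11-14 10:22:42.33 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
2003-11-14 10:22:43.45 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
2003-11-14 10:22:44.58 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
2003-11-14 10:23:05.00 logon     Login failed for user 'ksmith'. [CLIENT: 10.1.1.7]
2003-11-14 10:23:09.00 logon     Login failed for user 'ksmith'.
2003-11-14 12:30:00.00 logon     Login failed for user 'sa'. [CLIENT: 10.1.1.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:\s+\[CLIENT: (?P<client>[^\]]+)\])?"
)


def parse_failed_logins(lines):
    """Return a list of (timestamp, user, client) for each failed-login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"] or "unknown"))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sorted (client, user) pairs with >= threshold failures inside any
    sliding window of the given length: guessing, not a typo."""
    stamps_by_key = defaultdict(list)
    for ts, user, client in events:
        stamps_by_key[(client, user)].append(ts)
    alerts = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return sorted(alerts)


def failures_per_user(events):
    """Plain tally per login name, for a daily report even when no burst fires."""
    counts = defaultdict(int)
    for _, user, _ in events:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG.splitlines())
    print(failures_per_user(evts))      # {'sa': 6, 'ksmith': 2}
    print(find_bursts(evts))            # [('10.1.1.5', 'sa')]
```

Point it at the current ERRORLOG on a schedule; because the detector keys on the log file, the slide's advice to keep more error logs matters here too, since an attacker who can cycle the log past your retention also erases the evidence this script reads.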
Best Practices: C2-level auditing
- Audits access to every object and every use of permissions on the server
- Turn it on with sp_configure:
    sp_configure 'c2 audit mode', 1
  followed by RECONFIGURE and a restart of the SQL Server service
- Causes a noticeable performance hit
- If the drive that holds the audit logs fills, SQL Server will stop; put the logs on their own drive and monitor its free space
Tighten Access: Directories and registry keys
- Always install SQL Server on an NTFS partition
- Watch who has access to the SQL Server binaries and data files. Whoever has the MDF and LDF files has all the sensitive data, without ever authenticating to SQL Server.
- You can encrypt the physical files using third-party or Windows encryption (EFS). With EFS the files must be encrypted under the service account, or SQL Server cannot open them.
- Watch who has access to the following registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\INSTANCE
Tighten Access: Protection of extended procs
Revoke access to the extended stored procedures that read and write the registry:
- xp_regwrite
- xp_regread
- xp_regremovemultistring
- xp_regaddmultistring
- xp_regdeletevalue
- xp_regenumvalues
Tighten Access: OLE Automation sprocs
Revoke access to the stored procedures that can create and drive COM objects:
- sp_OACreate
- sp_OADestroy
- sp_OAStop
- sp_OAGetProperty
- sp_OASetProperty
- sp_OAMethod
- sp_OAGetErrorInfo
Tighten Access: Other extended sprocs
Revoke access to the stored procedures that can cause other damage:
- xp_cmdshell
- sp_runwebtask
- sp_readwebtask
- sp_MSSetServerProperties
- sp_MScopyScriptFiles
- sp_MSsetalertinfo
Manually delete the underlying .dll file for each extended sproc you remove; dropping the procedure alone leaves the DLL on disk, where it can be registered again. Test first: SQL Server Agent and replication call some of these.
Tighten Access: DTS Lockdown
- By default anyone who has a login to SQL Server can create a DTS package
- Protect your packages with a user and an owner password
- Revoke public access to:
  - the RTblDBMProps table
  - too many sprocs to list (see Books Online)
- Create a role for users who need to use DTS
- As always, test and retest this before applying it in production. Have a good rollback script ready.
Tighten Access: Job System Lockdown
Too many sprocs here to list, but here are a few:
- sp_add_job
- sp_delete_job
- sp_start_job
- sp_purge_jobhistory
Create a SQL Server user-defined role for everyone who needs to be able to create and start jobs.
Tighten Access: Summary
- Revoke access to the guest account
- Remove or revoke access to certain system stored procedures
- Create roles for users who can create DTS packages and jobs
- Caution: test all of these changes, as you may break an application or Enterprise Manager!
Staying Secure: Microsoft SQL Server management update
You've Told Us:
- "I can't keep up... new SQL patches are released too often"
- "The quality of the SQL Server patching process is low and inconsistent"
- "I need to know the right way to run an enterprise on SQL Server"
- "There are still too many vulnerabilities in SQL Server"
Our Action Items:
- Provide guidance and training
- Mitigate vulnerabilities without patches
- Continue improving quality
- Improve the patching experience
Microsoft's Responsibility
Improve the Patching Experience: New Patch Policies
- Extending security support to June 2004: Windows 2000 SP2, Windows NT4 Workstation SP6a
- Security patches on a monthly, predictable release cycle
  - Allows for planning a predictable monthly test and deployment cycle
  - Packaged as individual patches that can be deployed together
  - NOTE: exceptions will be made if customers are at immediate risk from viruses, worms, attacks or other malicious activities
Your Need / Our Response:
- Reduce patch complexity: by late 2004, consolidation to 2 patch installers for W2k and later, SQL 2000, Office & Exchange 2003; all patches will behave the same way (update.exe, MSI 3.0)
- Improved tools consistency: by mid-2004, consistent results from MBSA, SUS, SMS and Windows Update (all will use the SUS 2.0 engine for detection)
- Reduce risk of patch deployment: now, increased internal testing and customer testing of patches before release; by mid-2004, rollback capability for W2k-generation products and later (MSI 3.0 patches)
- Reduce downtime: now, continued focus on reducing reboots; by late 2004, 30% of critical updates on Windows Server 2003 SP1 installed without rebooting ("hot patching")
Improve the Patching Experience: Patch Enhancements
- Reduce patch size: by late 2004, substantially smaller patches for W2k-generation and later OS & applications (delta patching technology, next-generation patching installers)
- Improved tools capabilities: May 2004, Microsoft Update (MU) hosts patches for W2k Server, and over time SQL 2000, Office & Exchange 2003; by mid-2004, SUS 2.0 receives content from MU and adds capabilities for targeting, basic reporting and rollback
Patch Management Roadmap
- Current tools: Microsoft Baseline Security Analyzer, Windows Update, Software Update Service, SMS + Feature Pack, Patch Management Guides
- Coming: unified infrastructure ("Microsoft Update"), 2 standard installers, common scanning for all tools, common standards for install behavior, MBSA 1.2, SUS 2.0, SMS 2003
"The Software Update Services Feature Pack has had a major impact on how we manage security patches at CNF. We went from not managing security patches to managing them, and very effectively." (Roger Wilding, Senior Technical Engineer, CNF, March 17, 2003)
Providing Guidance and Training: IT Professionals
- Global Education Program: TechNet Security Seminars, Monthly Security Webcasts, www.microsoft.com/events
- New Prescriptive Guidance: patterns and practices, how to configure for security, How Microsoft Secures Microsoft
- Online Community: Security Zone for IT Professionals, Authoritative Enterprise Security Guidance, http://www.microsoft.com/technet/security/bestprac.asp
Continue Improving Quality
Mandatory for all new products (the Trustworthy Computing, TwC, release process). Critical or important vulnerabilities in the first 90 days / first 180 days after release:
- TwC release: Yes: 3 / 6
- TwC release: No: 8 / 21
For some widely-deployed, existing products:
- Service Pack 3, shipped July 2002, 16 months ago (as of Nov. 2003): 1 bulletin since the TwC release, vs. 6 bulletins in the 16-month period prior to it
- SQL Server 2000 Service Pack 3, shipped Jan. 2003, 10 months ago (as of Nov. 2003): 2 bulletins since the TwC release, vs. 11 bulletins in the 10-month period prior to it
Continue Improving Quality: Making Progress
- Successfully withstood >80K attacks; the Microsoft solution was never successfully hacked
- Solution included Windows 2000 Server, IIS 5.0, ASP.NET, SQL Server 2000
- http://www.eweek.com/article2/0,3959,743411,00.asp
23 Products in the TwC Release Process
.NET Framework (for 2002 & 2003), ASP.NET (for 2002 & 2003), BizTalk Server 2002 SP1, Commerce Server 2000 SP4, Commerce Server 2002 SP1, Content Management Server 2002, Exchange Server 2003, Host Integration Server 2002, Identity Integration Server 2003, Live Communications Server 2003, MapPoint.NET, Office 2003, Rights Management Client & Server 1.0, Services for Unix 3.0, SQL Server 2000 SP3, Visual Studio .NET 2002, Visual Studio .NET 2003, Virtual PC, Virtual Server, Windows CE (Magneto), Windows Server 2003, Windows Server 2003 ADAM
Resources
- Book: SQL Server Security, by Chip Andrews, David Litchfield and Bill Grindley. McGraw-Hill Osborne Media; ISBN 0072225157
- Whitepaper: SQL Server 2000 SP3 Security Features and Best Practices, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/maintain/security/sp3sec/Default.asp
URLs
- General: http://www.microsoft.com/security and http://www.sqlserversecurity.com (see the lockdown.sql script at this site)
- Technical Resources for IT Professionals: http://www.microsoft.com/technet/security
- Best Practices for Defense in Depth: http://www.microsoft.com/technet/security/bestprac.asp
- How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
- MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx
Call To Action
1. Read the SQL Server SP3 whitepaper
2. Install SQL Server SP3 as soon as possible
3. Run MBSA on your servers
4. Sign up for the quarterly SQL Server Newsletter by emailing [email protected]
You can get this presentation by emailing [email protected].