Thrasymachus (Constraint Violating Yak Guru, 483 Posts)
Posted - 2005-06-23 : 14:19:11
Some of you may ridicule me but this has been bugging me for a while. Lately it seems like I can not turn the TV or radio on or read the paper without seeing a breach of database security and it makes me feel uneasy every time it happens. Given some of the break-ins have been somewhat beyond the control of guys like us (like the offsite data tape transfer and the cop who got his LexisNexis password swiped by a trojan horse while chatting with a hacker pretending to be a 14 year old girl), some of the break-ins have been the result of incompetence by DB developers and administrators. If this is not addressed industry wide and soon, a lot of our livelihoods that rely on e-commerce will be threatened because the consumers will no longer have any trust in buying goods and services on-line.

So if you have not already done so, please do the following minimal measures...

1. Encrypt all credit card data and sensitive data in your database with a strong public key encryption routine.
2. Make sure you do not have a blank SA password.
3. If at all possible use Windows authentication.
4. Remove any guest accounts.
5. Test all applications for SQL injection vulnerabilities.
6. Enforce strong password policies and expiring passwords.
7. Eliminate direct access to tables and only give users access to data through stored procedures and views.
8. Make sure your SQL Server is sitting behind a good firewall and is not directly accessible to the internet.
9. Download the Microsoft Baseline Security Analyzer and run it on all of your servers, examine the results and take action where necessary.
10. Be sure to use SSL encryption in the transmission of all sensitive data.
11. Consider changing the default TCP/IP port that SQL Server listens on.
12. Ensure that the physical location of your servers is secure.
13. If cross database ownership chaining is enabled, disable it.

These are just the things I came up with during lunch. Feel free to add to the list. I know nothing is 100% but we have to start trying harder.

Sean Roussy
Please backup all of your databases including master, msdb and model on a regular basis. I am tired of telling people they are screwed. The job you save may be your own.
I am available for consulting work. Just email me through the forum.
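Checklist items 2, 3, 4, 6, 7 and 13 above can be audited and enforced from T-SQL. The script below is an added example, not part of the thread, and assumes SQL Server 2005 or later; `app_login`, `app_role` and the password are hypothetical placeholders.

```sql
-- Added example (not from the thread): audit and fix for checklist items
-- 2, 3, 4, 6, 7 and 13 on SQL Server 2005+. Run as sysadmin; review each
-- result before applying the fixes. app_login / app_role are placeholders.

-- 2. SQL logins with a blank password (sa included). Expect no rows.
SELECT name AS login_with_blank_password
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 13. Cross database ownership chaining should report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';
-- Fix if it is 1:
-- EXEC sp_configure 'cross db ownership chaining', 0; RECONFIGURE;

-- 4. Guest access: run in each user database; guest should not hold CONNECT.
-- (Do not revoke it in master, msdb or tempdb, where guest is required.)
SELECT dp.name, pe.permission_name, pe.state_desc
FROM sys.database_principals dp
JOIN sys.database_permissions pe
  ON pe.grantee_principal_id = dp.principal_id
WHERE dp.name = 'guest' AND pe.permission_name = 'CONNECT';
-- Fix, per user database:
-- REVOKE CONNECT FROM guest;

-- 6. Strong, expiring passwords for a SQL login: CHECK_POLICY applies the
-- Windows password complexity and lockout policy, CHECK_EXPIRATION the
-- maximum password age. The password here is a placeholder.
CREATE LOGIN app_login
WITH PASSWORD = 'Placeholder-ChangeMe-2005!',
     CHECK_POLICY = ON,
     CHECK_EXPIRATION = ON;

-- 7. No direct table access: the application role may only execute the
-- dbo stored procedures. Because procedures and tables share the owner
-- dbo, ownership chaining lets the procedures read the tables even though
-- the role itself is denied every DML permission on the schema.
CREATE ROLE app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_role;
GRANT EXECUTE ON SCHEMA::dbo TO app_role;
```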
AndyB13 (Aged Yak Warrior, 583 Posts)
Posted - 2005-06-23 : 15:06:46
I would say 11 is a must and not a consideration.

14. Rename the Administrator account

Edit: Nice rant...

Beauty is in the eyes of the beerholder
Thrasymachus (Constraint Violating Yak Guru, 483 Posts)
Posted - 2005-06-23 : 15:16:00
15. blindman @ dbforums.com: no sa as the sa password

16. Dictionary attacks. Put in a 3 strikes and you're out on all login pages.

17. sundialsvcs @ dbforums.com: "Also bear this fact in mind... It is not the case that "someone is suddenly stealing all this data." Rather, what's happening is that California passed a law which requires companies to disclose breaches of security when they occur. They even created an "Office of Privacy Protection." Breaches of security like this have been happening all the time, but until recently no one ever was required to know. The stated intention of this law is to cause companies to "air their dirty laundry in public," thereby to compel them to start taking data security seriously. And I think it will work. Consumers have always had a high expectation of data-security... much higher than what really existed... and now there will be (quite rightly) "hell to pay." We'll all be much better for it.

As you correctly point out, many companies do not pay serious attention to data security. In particular, while they may put SSL-type protections on the "most obvious front door," they seem to pay no attention to how the data is being handled, internally, from day to day. Backup tapes are routinely unencrypted, and they're simply mailed from here to there. Internal networks are commonly unencrypted, such that anyone with a packet-sniffer could record all of the juicy details of the company's business for free. The internal networks of even large and respected companies are like chocolate truffles: once you crack through the thin, hard shell, there's a rich and tasty interior completely exposed.

The best bit of advice I would give anyone is... use VPN internally. Virtual Private Networking is readily available in Windows, OS/X and Linux. VPN-capable hardware can be bought for less than $100 at OfficeMax. And what you can accomplish, quite easily, is for every packet on your internal network to be encrypted, so that anyone who "sniffs" it would learn nothing. Furthermore, you can now tightly control which machines/users/services are allowed to communicate and with whom. You can establish "layers" or "rings" of protection within your network just as you do within your buildings. It takes a very, very slight amount of administration to manage the system, but once it is in place it's quite transparent to all users.

Encrypted filesystems are much the same way... if you back up your data to removable or portable disks, it adds a truly negligible amount of overhead to cause everything on that volume to be securely scrambled. Anyone who steals the volume is hopelessly out of luck, while anyone who is authorized to use the volume need not be aware that the encryption exists at all.

All of these safeguards are well-implemented and readily available, but data centers simply don't bother to use them. Perhaps, with laws like California's, now they will."

Sean Roussy
Please backup all of your databases including master, msdb and model on a regular basis. I am tired of telling people they are screwed. The job you save may be your own.
I am available for consulting work. Just email me through the forum.