one of the most well-documented environments. There are numerous resources available that can help you secure your SQL Server environments, many products that can be of assistance, and a very large community supporting security in this environment. Furthermore, contrary to public perception, Microsoft is actually investing a lot in making the SQL Server platform more secure.
Hardening a SQL Server environment should include at least the following tasks:

- Physically secure the server on which SQL Server lives.
- Apply all service packs and hot fixes to both the Windows operating system and SQL Server. You can execute select @@version to see precisely which version you are running. You can see what this version maps to in terms of patch levels at www.sqlsecurity.com/DesktopDefault.aspx?tabid=37.
- Make sure all SQL Server data files and system files are installed on an NTFS partition and that the appropriate permissions are defined for the files.
- Use a low-privilege user account for the SQL Server service. Don't use LocalSystem or Administrator.
- Delete setup files. Setup files may contain plain text and weakly encrypted credentials. They contain sensitive configuration information that has been logged during installation. These files include sqlstp.log, sqlsp.log, and setup.iss in the MSSQL\Install (or MSSQL$<instance name>\Install) directory. Microsoft provides a free utility called killpwd that locates and removes these passwords from your system.
- Secure the sa account with a strong password.
- Remove all sample users and sample databases.
- Review all passwords. At the very least, check for null passwords using the following SQL: select name, password from syslogins where password is null. (See Chapter 4 for more on password strength.)
- Remove the guest user from all databases except from master and tempdb.
- Review how roles are assigned to users at a database and server level and limit assignment to the minimal set necessary.
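The checklist above can be turned into a repeatable audit. The T-SQL script below is an added example written for this page, not code from the book; it assumes a SQL Server 2008 R2 SP1 or later instance, where the sys.sql_logins, sys.server_role_members, sys.database_permissions and sys.dm_server_services catalog views exist. The syslogins query quoted in the text is the SQL Server 2000 form of the null-password check; on current versions the password hash is no longer exposed that way, so the script uses PWDCOMPARE against an empty string instead. The sample database names (Northwind, pubs, AdventureWorks) are the well-known Microsoft samples and are only a starting list. Run it as a sysadmin; every statement is read-only, and the remediation for each finding is noted in a comment.

```sql
-- Hardening audit for SQL Server (added example; assumes SQL Server 2008 R2 SP1+).
-- Each SELECT corresponds to one item of the checklist. Nothing here changes state.

-- 1. Patch level: @@version plus the product level (RTM / SPn / CUn) for mapping to fixes.
SELECT @@VERSION                        AS version_banner,
       SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;

-- 2. Service account: should be a dedicated low-privilege account, not LocalSystem
--    or an administrator. (Fix: change the account via SQL Server Configuration Manager.)
SELECT servicename, service_account, status_desc
FROM   sys.dm_server_services;

-- 3. Sample databases that should not exist on a production instance.
--    (Fix: DROP DATABASE after confirming nothing depends on them.)
SELECT name, create_date
FROM   sys.databases
WHERE  name IN (N'Northwind', N'pubs', N'AdventureWorks');

-- 4. SQL logins with an empty password, the modern equivalent of the
--    "where password is null" check on syslogins. Also flags sa explicitly.
--    (Fix: ALTER LOGIN [name] WITH PASSWORD = '<strong password>'.)
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  PWDCOMPARE(N'', password_hash) = 1
   OR  name = N'sa';

-- 5. Server-level role membership: review sysadmin and the other fixed roles and
--    remove anyone who does not need them. (Fix: ALTER SERVER ROLE ... DROP MEMBER.)
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN   sys.server_principals m ON rm.member_principal_id = m.principal_id
ORDER  BY r.name, m.name;

-- 6. guest user: it cannot be dropped, but it should have no CONNECT permission in
--    any user database. Loop over every online database except master and tempdb,
--    which legitimately keep guest enabled. (Fix, inside the database: REVOKE CONNECT FROM guest.)
DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   sys.databases
    WHERE  name NOT IN (N'master', N'tempdb')
      AND  state_desc = N'ONLINE';

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside sp_executesql scopes the query to that database only.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME() AS database_name, dp.name AS principal_name,
               pe.permission_name, pe.state_desc
        FROM   sys.database_permissions pe
        JOIN   sys.database_principals dp ON pe.grantee_principal_id = dp.principal_id
        WHERE  dp.name = N''guest'' AND pe.permission_name = N''CONNECT'';';
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM dbs INTO @db;
END;

CLOSE dbs;
DEALLOCATE dbs;

-- 7. Database-level role membership, run per database the same way if required:
--    SELECT r.name, m.name FROM sys.database_role_members rm
--    JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
--    JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id;
```

Any row returned by checks 3, 4 and 6 is a finding; checks 1, 2, 5 and 7 produce inventories that have to be compared against what the environment is supposed to look like. The physical-security, NTFS-permission and setup-file items cannot be verified from inside the engine and still need to be checked on the host itself.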