Securing your SQL Server Installation
Charley Hanania, QS2 AG
B.Sc (Computing), MCP, MCDBA, MCITP, MCTS, MCT, Microsoft MVP: SQL Server
Senior Database Specialist
My Background
• Now:
– Microsoft MVP: SQL Server
– Database Consultant (again, and very happy) at QS2 AG
• Formerly:
– Production Product Owner of MS SQL Server Platform at UBS Investment Bank
• ITIL v3 Certified
• SQL Server Certified since 1988
– On SQL Server since 1995
– Version 4 on OS/2
• IT Professional since 1992
• PASS
– Chapter Leader – Switzerland
– Regional Mentor – Europe
– European PASS Conference Lead
– Event Speaker
– Database Days Conference Switzerland
Contact Info
• Email: Charley.Hanania@sqlpass.org
• Website: http://www.sqlpass.ch
• Twitter: http://www.twitter.com/CharleyHanania
• Blog: http://blogs.mssqltips.com/blogs/charleyhanania
• LinkedIn: http://www.linkedin.com/in/charleyhanania
Session Outline
• General areas of focus dealing with Security
• Windows & SQL Server – “Secure By Default”
• 80 :: 20 – Simple items that make a big difference
• How Much Security is Enough?
• Practices to Consider
General Areas
• Areas generally looked at when speaking about security
– Physical Access
– Network
– Application
– Operating System
– DBMS
– Intellectual Property (IP)
– Data Privacy (Customer Data Usage)
– Segregation of duties
• Privileged access
• Privileged information
Windows Server – “Secure By Default”
• Since Windows Server 2008, Microsoft has focussed on the idea of Secure by Default.
• When Windows Server is installed
– Only the Roles and Features you select are installed; nothing listens that you did not add
– Only essential connections are enabled (Remote Desktop is off, Windows Firewall is on)
– Password policies are explicit: length and complexity requirements are enforced by default
SQL Server – “Secure By Default”
• Since SQL Server 2005, Microsoft has focussed on the idea of Secure by Default.
• When SQL Server is installed
– Only the features needed to run are enabled; xp_cmdshell, CLR integration, OLE Automation procedures, Database Mail and the remote DAC stay off until a sysadmin turns them on
– Only essential connections are configured: network protocols and the port are chosen at install time, and on some editions TCP/IP starts disabled
– Connection methodologies are also influenced: Windows Authentication is the default mode, and the sa login is disabled unless Mixed Mode is chosen
Scopes of Protection
• Windows Server
– Accounts, Groups, Rights, Permissions
• SQL Server Instance (one or more per server)
– Endpoints, Logins, Server Roles, Permissions
– SQL Server System Databases
– SQL Server User Databases
• Users, Database Roles, Permissions
• Schemas
– Objects
DEMO :: Obfuscation
• Change the RDP Port
• Rename the Windows Administrator Account
• Use a Non-Default Instance / Port
• Rename the SA Account
Obfuscation :: Changing the RDP Port
Windows Server disables Remote Desktop by default. Enabling it also means opening the port in Windows Firewall, and if you move the listener off TCP 3389 the firewall rule has to move with it.
Enabling RDP App (& Port)
- Open Regedt32 and go to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (the “PortNumber” value the slide searches for lives there)
- Change the PortNumber value (a REG_DWORD) to the new port, after checking that nothing else already listens on it
- Create a new inbound firewall rule for the new port, and disable the built-in 3389 rule so the old port is not silently still open
- Reboot (or restart the Remote Desktop Services service; the port is read at service start)
Use RDP with “<Server>:<PortNumber>”
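The same procedure as a PowerShell script, added here as an example and not part of the original deck. It refuses a port that is already in use, enables the listener with Network Level Authentication, moves the port, adds the firewall rule before anything restarts (so the change cannot lock you out), and verifies what was written. Port 53389, an elevated shell on Windows Server 2008 R2 or later, and the English “Remote Desktop” firewall group name are assumptions; the registry paths and `netsh advfirewall` syntax are the standard ones.

```powershell
# Added example (not from the original deck): move RDP off TCP 3389 and open the matching
# firewall rule in the same run. Assumes an elevated shell on Windows Server 2008 R2+.
# 53389 is an arbitrary illustration, not a recommendation.
$NewPort = 53389

$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"

# 1. Refuse a port something else already owns. netstat -ano lists every listener; a
#    collision shows as a LISTENING line whose local address ends in ':<port>'.
$inUse = netstat -ano | Select-String -Pattern (":{0}\s+.*LISTENING" -f $NewPort)
if ($inUse) { throw "TCP $NewPort is already in use on this host: $inUse" }

# 2. Enable the Remote Desktop listener (fDenyTSConnections=0) and require NLA, so the
#    listener demands a valid credential before it builds a full session.
Set-ItemProperty -Path $tsPath  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpPath -Name UserAuthentication -Value 1 -Type DWord

# 3. Change the listener port. This is the 'PortNumber' value the deck searches for in
#    Regedt32; it must remain a REG_DWORD.
Set-ItemProperty -Path $rdpPath -Name PortNumber -Value $NewPort -Type DWord

# 4. Firewall: allow the new port before the listener moves, then disable the built-in
#    3389 rules (group name is the en-US display name; adjust on localized builds).
netsh advfirewall firewall add rule name="Remote Desktop (custom port $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=domain,private | Out-Null
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No | Out-Null

# 5. Verify the registry before restarting anything.
$written = (Get-ItemProperty -Path $rdpPath -Name PortNumber).PortNumber
if ($written -ne $NewPort) { throw "PortNumber is $written, expected $NewPort" }
Write-Host "RDP will listen on TCP $written after the next reboot or TermService restart."
Write-Host "Connect with: mstsc /v:<server>:$written"

# Restart-Computer -Force        # or: Restart-Service TermService -Force
```

After the restart, `netstat -ano | findstr :53389` should show the listener and `:3389` should show nothing. Keep the limits of this in mind: a service-detection scan still recognises the RDP/TLS handshake on any port, so the new port removes the host from lazy 3389 sweeps and nothing more; NLA, the firewall profile scope and a strong administrator password are what actually resist a connection attempt.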
Obfuscation :: Rename Win Admin Account
Open Computer Management  Local Users and Groups  Users
Right-click the Administrator account and choose Rename
Open Properties
Change the Full name and Description as well: the default description (“Built-in account for administering the computer/domain”) still identifies the account after a rename
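The rename from PowerShell instead of the GUI, added as an example that is not from the original deck. It locates the account by its well-known relative ID (the built-in Administrator always has RID 500) rather than by name, renames it through the WMI `Win32_UserAccount.Rename` method, and then shows that the same SID lookup still finds it, which is why the deck files this step under obfuscation. The new name is an illustration; run it elevated on a stand-alone or member server, not on a domain controller.

```powershell
# Added example (not from the original deck): rename the built-in Administrator account
# and show why the rename alone is obfuscation. Assumes an elevated shell on a
# stand-alone or member server; the new name is arbitrary.
$NewName = 'svc-maint01'

# The built-in Administrator is defined by its SID (RID 500), never by its display name,
# so look it up that way rather than by the string 'Administrator'.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
         Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }

$result = $admin.Rename($NewName)
if ($result.ReturnValue -ne 0) { throw "Rename failed, WMI return code $($result.ReturnValue)" }

# Verify: new name, same SID. $admin still holds the pre-rename name, $after the new one.
$after = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$NewName'"
"{0} -> {1}  (SID {2})" -f $admin.Name, $after.Name, $after.SID

# The limit of this control: the lookup above is exactly what an attacker with a foothold
# runs, and it still returns the account. The rename only defeats blind guesses of
# 'Administrator'. Pair it with a long random password and, once another local admin
# exists, disable the account:
#   net user $NewName /active:no
```

The output line confirms the SID did not change. The description and full name are separate properties and are not touched by `Rename`; set them through the Properties dialog or `net user <name> /comment:"..."` so the default text does not give the account away.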
Obfuscation :: Changing Instance & Port
During SQL Server Install
 Select a named instance instead of the default instance
Named Instance…
Network Protocols…
A named instance gets a dynamic TCP port by default and relies on the SQL Browser service (UDP 1434) to tell clients which port that is. Setting SQL Browser to Disabled stops the instance name and port from being handed to anyone who queries UDP 1434 (Browser answers enumeration requests; it does not broadcast).
Network Port for TCP/IP…
Replace the dynamic port with a fixed, non-default port (review free ports first!)
Effects ::
- No default instance, so “(local)” or “.” no longer connects
- Instance listens on the new port; clients connect with “<Server>,<Port>” (note the comma) or through a client alias
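The post-install part of this as a script, added here as an example and not part of the original deck. It uses the SMO WMI provider (the object model behind SQL Server Configuration Manager, installed with the SQL Server management tools) to replace the named instance's dynamic port with a fixed one, disables SQL Browser, restarts the engine, checks the listener and opens only the new port. Instance name APP01 and port 51433 are illustrative; run it elevated on the SQL host.

```powershell
# Added example (not from the original deck): pin a named instance to a fixed non-default
# port, stop SQL Browser, restart and verify. Assumes SMO WMI assemblies on the host and
# an elevated shell; instance name and port are illustrative.
$Instance = 'APP01'
$NewPort  = 51433

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$mc  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $mc.ServerInstances[$Instance].ServerProtocols['Tcp']
if (-not $tcp) { throw "Instance $Instance not found on $($mc.Name)" }

# Refuse a port something else already owns.
if (netstat -ano | Select-String ":$NewPort\s+.*LISTENING") { throw "TCP $NewPort already in use" }

# A named instance defaults to TcpDynamicPorts = 0 (pick a port at start-up), which is
# why clients need SQL Browser. Clear the dynamic setting and pin TcpPort on IPAll.
$ipAll = $tcp.IPAddresses['IPAll']
$ipAll.IPAddressProperties['TcpDynamicPorts'].Value = ''
$ipAll.IPAddressProperties['TcpPort'].Value         = "$NewPort"
$tcp.IsEnabled = $true
$tcp.Alter()

# Without Browser, "server\APP01" no longer resolves; clients must use "server,51433".
Stop-Service -Name 'SQLBrowser' -Force
Set-Service  -Name 'SQLBrowser' -StartupType Disabled

# The engine reads the port at start-up. -Force also restarts dependent services (Agent).
Restart-Service -Name "MSSQL`$$Instance" -Force

# Verify: engine on the new port, nothing on TCP 1433 or UDP 1434.
$listening = netstat -ano | Select-String ":$NewPort\s+.*LISTENING"
if (-not $listening) { throw "Instance did not come up on TCP $NewPort; check the ERRORLOG" }
$listening
netstat -ano | Select-String ':1433\s|:1434\s'    # expected: no output

# Open only the new port, and only on the profile that needs it.
netsh advfirewall firewall add rule name="SQL Server $Instance TCP $NewPort" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=domain | Out-Null
```

Two caveats belong with this. If other named instances on the same host still use dynamic ports, disabling Browser breaks their name resolution too, so pin all of them or leave Browser running and restrict UDP 1434 at the firewall. And the result is still obfuscation: a service-detection scan identifies the TDS pre-login handshake on any port, so the gain is that the instance no longer shows up to 1433 sweeps and UDP 1434 enumeration, not that it is hidden from a targeted attacker.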
Obfuscation :: Rename SA Account
Renaming changes only the name that clients present at login (the external label). The login keeps its SID (0x01) and its sysadmin membership, so anyone who can already query sys.sql_logins still finds it.
Rename the Account
Additionally – Strong Passwords
• Renaming accounts is a good first step
• Disable the account so it cannot be used to log in
– Enable it only when needed…
• Additionally, ensure the password is VERY strong
– Why? The password hash for a SQL login is stored in master and can be attacked offline by anyone with sysadmin rights or a copy of a master backup; short or simple passwords fall quickly
• Ref: Electrical Alchemy Information Security
– See http://www.goodpassword.com/
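The rename, password and disable steps in T-SQL driven from PowerShell, added as an example that is not in the original deck. It also runs the checks a practitioner wants afterwards: the login is still found by its fixed SID 0x01 (the reason the rename is cosmetic), it is disabled, and the instance-level defaults from the Secure by Default slide (Windows-only authentication, xp_cmdshell off) still hold. Assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`) and a sysadmin Windows login; the server address and the new login name are illustrative.

```powershell
# Added example (not from the original deck): rename, re-password and disable sa, then
# verify by SID. Assumes Invoke-Sqlcmd and a sysadmin Windows login; the address and the
# new name are illustrative.
$Server  = 'dbhost,51433'
$NewName = 'svc_sa_disabled'

# Crypto-random password. Exactly 64 symbols so that byte % 64 is unbiased, and no quote
# characters, so the value can be spliced into ALTER LOGIN without escaping. 40 symbols
# from 64 is 240 bits; upper, lower and digits are present with overwhelming probability,
# which satisfies the Windows complexity rule that CHECK_POLICY = ON enforces.
function New-StrongPassword([int]$Length = 40) {
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}
$Password = New-StrongPassword

# The SID stays 0x01 whatever the name, so DISABLE is the control; the rename only takes
# 'sa' out of the blind guesses of scanners. The password is never echoed: while the
# login is disabled it is not needed, and if you must keep it, vault it.
$tsql = @"
ALTER LOGIN [sa] WITH NAME = [$NewName];
ALTER LOGIN [$NewName] WITH PASSWORD = N'$Password', CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
ALTER LOGIN [$NewName] DISABLE;
"@
Invoke-Sqlcmd -ServerInstance $Server -Query $tsql

# Verify by SID, which is how an attacker with a connection would look for sa anyway,
# and re-check the install-time defaults that keep SQL logins out of reach.
$check = Invoke-Sqlcmd -ServerInstance $Server -Query @"
SELECT name, is_disabled, is_policy_checked,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
       (SELECT CONVERT(int, value_in_use) FROM sys.configurations
         WHERE name = 'xp_cmdshell') AS xp_cmdshell
FROM sys.sql_logins WHERE sid = 0x01;
"@
$check | Format-List
if (-not $check.is_disabled)        { throw 'login with sid 0x01 (sa) is still enabled' }
if ($check.windows_auth_only -eq 0) { Write-Warning 'Mixed Mode is on: every SQL login, not only sa, is a password target' }
if ($check.xp_cmdshell -ne 0)       { Write-Warning 'xp_cmdshell is enabled; a default install has it off' }
```

The `Format-List` output shows the new name next to `is_disabled = True`; anyone connected with VIEW ANY DEFINITION sees the same row, which is the point the slide makes about the rename being a label. Where the instance can run in Windows Authentication mode, do that as well: with `windows_auth_only = 1` no SQL login, renamed or not, can be used from the network at all.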
How Much Security is Enough?
1. Estimate value of data and objects
– Intellectual Property
– Customer Data
– Marketing/Sales plans
– Cost to redevelop
– Corporate image
– Compliance
2. Estimate risk of being compromised
– Closed system vs external facing
– High street brand vs bunkered back-office operations
– New hair growth formula vs lemonade stand formula (how much is the secret worth to someone else?)
– Jurisdiction and threat environment: China / Russia vs Switzerland
3. Estimate cost of implementation
– Layered security expert team at the NSA (personnel)
– Mixed hardware / software implementation (complexity)
– Existing vs customised solutions (expense)
– Three month vs three year fulfilment (time)
4. Estimate cost of ongoing operations
– Fail-safes vs recoverability
– Secure backup (on- and off-site)
– Personnel needed for maintenance and sustainability
– Troubleshooting issues
– Performance tuning
Practices to Consider
• Physical Security
– Limiting access to the machine itself, to backups, and to copies of data
– Encryption of data files and backups – Transparent Data Encryption (protects the files at rest; a copied .mdf or .bak is useless without the certificate)
• Authentication
– Logins – Windows Authentication preferred; SQL Server Authentication only where unavoidable
• Strong passwords, password expiration policies (CHECK_POLICY / CHECK_EXPIRATION on SQL logins)
– Endpoints – restrict connections by protocol, login, etc.
– Encryption – more is needed than protecting the login: SQL Server always encrypts the login packet, but the data that follows travels in clear unless Force Encryption (SSL/TLS) is set on the endpoint
• Authorization
– Separation of duties
• Permissions, users, roles; access through stored procedures or views only
– No direct access to tables
– No permissions directly to users; grant to roles and put users (ideally Windows groups) in roles
– Separation of data
• Instances, databases, schemas, views – or encrypt the sensitive columns with certificates or symmetric keys
– Principle of least privilege
• From service accounts (low-privileged, per-service) to users and execution contexts (EXECUTE AS, module signing)
• Auditing
– Tracking who did what, when – SQL Server Audit, built into SQL Server since 2008
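The authorization bullets above applied to one database and then verified, added here as an example that is not from the original deck: a schema for data, a schema for procedures, a role that may only EXECUTE in the procedure schema, a Windows group mapped into that role, and an EXECUTE AS check proving the role can call the procedure but holds nothing on the table. Assumes `Invoke-Sqlcmd`, SQL Server 2012 or later (for `ALTER ROLE ... ADD MEMBER`), and that a server login for the Windows group may or may not already exist (the mapping is skipped if it does not); every name is illustrative.

```powershell
# Added example (not from the original deck): authorization through roles and procedures,
# with a proof that the role has no direct table rights. Assumes Invoke-Sqlcmd and
# SQL Server 2012+; server, database, schema, group and object names are illustrative.
$Server   = 'dbhost,51433'
$Database = 'Orders'

# Single-quoted here-string: PowerShell expands nothing inside it.
$tsql = @'
-- Data lives in its own schema; callers never get rights on it.
IF SCHEMA_ID('data') IS NULL EXEC('CREATE SCHEMA data AUTHORIZATION dbo');
IF SCHEMA_ID('api')  IS NULL EXEC('CREATE SCHEMA api  AUTHORIZATION dbo');
IF OBJECT_ID('data.Customer') IS NULL
    CREATE TABLE data.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100), Iban varchar(34));

-- The only supported entry point. Procedure and table share an owner (dbo), so ownership
-- chaining lets a caller read the table through the procedure without SELECT on it.
IF OBJECT_ID('api.GetCustomerName') IS NULL
    EXEC('CREATE PROCEDURE api.GetCustomerName @CustomerId int AS
          SELECT Name FROM data.Customer WHERE CustomerId = @CustomerId;');

-- Permissions go to a role, never to individual users, and only on the procedure schema.
IF DATABASE_PRINCIPAL_ID('app_readonly') IS NULL CREATE ROLE app_readonly;
GRANT EXECUTE ON SCHEMA::api TO app_readonly;

-- Production mapping: a Windows group becomes a database user and joins the role
-- (only if a server login for the group already exists).
IF SUSER_SID('CORP\OrdersAppUsers') IS NOT NULL
   AND DATABASE_PRINCIPAL_ID('CORP\OrdersAppUsers') IS NULL
    CREATE USER [CORP\OrdersAppUsers] FOR LOGIN [CORP\OrdersAppUsers];
IF DATABASE_PRINCIPAL_ID('CORP\OrdersAppUsers') IS NOT NULL
    ALTER ROLE app_readonly ADD MEMBER [CORP\OrdersAppUsers];

-- A login-less user in the same role lets us test the role's effective rights without
-- a real credential (a Windows group itself cannot be impersonated).
IF DATABASE_PRINCIPAL_ID('app_probe') IS NULL CREATE USER app_probe WITHOUT LOGIN;
ALTER ROLE app_readonly ADD MEMBER app_probe;

EXECUTE AS USER = 'app_probe';
SELECT 'api.GetCustomerName' AS securable, permission_name
  FROM fn_my_permissions('api.GetCustomerName', 'OBJECT')
UNION ALL
SELECT 'data.Customer', permission_name
  FROM fn_my_permissions('data.Customer', 'OBJECT');
REVERT;
'@

$rows = Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $tsql
$rows | Format-Table -AutoSize

# Expected: EXECUTE on api.GetCustomerName and no row at all for data.Customer.
if (-not ($rows | Where-Object { $_.securable -eq 'api.GetCustomerName' -and $_.permission_name -eq 'EXECUTE' })) {
    throw 'role cannot execute the procedure'
}
if ($rows | Where-Object { $_.securable -eq 'data.Customer' }) {
    throw 'role has direct rights on the table; the least-privilege boundary is broken'
}
```

The proof depends on ownership chaining, so it is also the thing to watch: if someone later recreates `api.GetCustomerName` under a different owner, the chain breaks, the procedure starts failing for role members, and the tempting fix of `GRANT SELECT ON data.Customer TO app_readonly` is exactly the direct table access the slide says to avoid. Re-running the probe after any schema change catches that.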
Summary
• Security is an operational consideration
• Data security is a cornerstone of security operations
• SQL Server and Windows employ various techniques to secure the database environment
• Obfuscation is step one: it cuts the noise from blind scans and default-name guesses, but it is not a control on its own and must be followed by the practices above
• How much security?
– It depends!
Links and Resources
• SQL Server Security Team Blog: http://blogs.msdn.com/sqlsecurity
• Microsoft Patterns and Practices: http://msdn.microsoft.com/en-gb/practices/default.aspx
• SQL Server Security Website: http://www.sqlsecurity.com
• Security Best Practices – Operational and Administrative Tasks: http://sqlcat.com/whitepapers/archive/2007/12/16/sql-server-2005-security-best-practices-operational-and-administrative-tasks.aspx
• SQL Server Security Forum: http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads
• How to Change the RDP Port: http://support.microsoft.com/kb/306759
SQL Tune In 2012 – Securing your SQL Server – Charley Hanania – 2012-09-25 – Zagreb, Croatia