Secure SQL Server and you will be protecting one of an organization’s greatest assets (information/data). Banks need to keep financial data; hospitals need to keep medical records. An online store needs to keep credit card numbers. Having such data published in the public domain violates the confidentiality goal of information. Securing a system is a collective responsibility shared by all stakeholders, from end users and developers through to database administrators.
This article gives you ten (10) SQL Server best practices that will primarily protect you from outside attacks. Servers that are exposed online are more likely to be attacked by hackers. Follow these recommendations and you will make the attacker’s life a living hell.
SQL Server Security 10 Best Practices
# 1 - Disable the built-in sa account
It is the default account that attackers go after when they attack a system. If it has a weak password then bazinga! You can kiss the confidentiality goal of information goodbye. All it takes is a simple automated dictionary attack. A dictionary attack uses a list of commonly used passwords to try and connect to SQL Server. If the attacker already has a valid login name, such as sa, then the chances of a successful attack are high.
# 2 - Access control
SQL Server sinfully allows you to grant different permissions to users. If a user only needs to read data from the database, then why in security’s name would we grant them access rights to create, drop and write data? Opportunity makes a thief an attacker. Don’t be an enabler.
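A read-only role next to an audit of who can already write or change schema, as an added example that is not from the original article. ShopDb, Sales, sales_reader and report_user are hypothetical names, and report_user is assumed to exist as a database user.

```sql
-- Added example, not from the original article.
-- ShopDb, Sales, sales_reader and report_user are hypothetical names.
USE ShopDb;
GO

-- Over-privileged (what to avoid for a user who only reads):
--   ALTER ROLE db_owner ADD MEMBER report_user;

-- Least privilege: a role that can only SELECT from the Sales schema.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER report_user;   -- syntax for SQL Server 2012 and later
GO

-- Audit 1: members of the fixed roles that can write data or change schema.
SELECT m.name AS principal_name,
       m.type_desc,
       r.name AS fixed_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datawriter', N'db_ddladmin')
ORDER BY m.name;

-- Audit 2: explicit grants of write or DDL permissions.
SELECT p.name AS principal_name,
       dp.state_desc,              -- GRANT or GRANT_WITH_GRANT_OPTION
       dp.permission_name,
       dp.class_desc,
       CASE dp.class
            WHEN 1 THEN OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id)
            WHEN 3 THEN SCHEMA_NAME(dp.major_id)
       END AS securable            -- NULL means database-level
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.state IN ('G', 'W')
  AND dp.permission_name IN (N'INSERT', N'UPDATE', N'DELETE', N'ALTER',
                             N'CONTROL', N'TAKE OWNERSHIP', N'CREATE TABLE')
ORDER BY p.name, dp.permission_name;
```

Any row in either audit for an account that only needs to read data is a candidate for REVOKE or removal from the role.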
# 3 - Disable SQL Server browser service
If it were that bad perhaps Microsoft would have removed the feature. The browser service simplifies the process of finding instances of SQL Server on a network/computer. From a developer’s point of view, it makes life easy for users, who can select the server name from the listed instances and connect to it. Every second counts for an attacker who wants to get the data quickly and log out; they will thank the gods and you if you let them easily find instances of SQL Server. Whether you disable this service or not depends on the likelihood of an attack occurring, the security measures already implemented and the impact a successful attack would have on the business organization.
# 4 - Change default SQL Server port for servers with sensitive data and high likelihoods of successful network attacks
The attacker needs a port to connect to. The default for SQL Server is 1433; change it to a different port and you will have added another obstacle for the attacker. Hackers will actually hate you for doing this.
# 5 - Enforce password policy for SQL Server authentication
As users we all love qwerty and p@$$word as passwords, and we already discussed dictionary wordlist attacks above. It will only take a couple of minutes to gain access if you allow users to use simple passwords. A password policy ensures that users use long and strong passwords.
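The checks behind practices #1 and #5 in one script, as an added example that is not from the original article: it audits SQL-authenticated logins, disables the built-in sa only when another administrator exists, and turns policy enforcement on for one login. app_login is a hypothetical login name.

```sql
-- Added example, not from the original article. Run as a member of sysadmin.
-- app_login is a hypothetical login name.

-- 1) Audit SQL-authenticated logins: sa state, policy flags, trivial passwords.
SELECT l.name,
       CASE WHEN l.sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa, -- sid 0x01 is kept if sa is renamed
       l.is_disabled,
       l.is_policy_checked,       -- CHECK_POLICY
       l.is_expiration_checked,   -- CHECK_EXPIRATION
       CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1 THEN 1 ELSE 0 END AS blank_password,
       CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 1 ELSE 0 END AS password_equals_name
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE N'##MS[_]%'  -- skip internal ##MS_...## logins
ORDER BY is_builtin_sa DESC, l.name;
GO

-- 2) Disable the built-in sa, but only if another enabled sysadmin login
--    exists, so the instance is not left without an administrator.
DECLARE @sa sysname = (SELECT name FROM sys.sql_logins WHERE sid = 0x01);
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND m.sid <> 0x01
             AND m.is_disabled = 0
             AND m.type IN ('S', 'U', 'G')           -- SQL login, Windows login, Windows group
             AND m.name NOT LIKE N'NT SERVICE\%'     -- service accounts do not count
             AND m.name NOT LIKE N'NT AUTHORITY\%')
BEGIN
    DECLARE @sql nvarchar(400) = N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;';
    EXEC sys.sp_executesql @sql;
END
ELSE
    RAISERROR(N'No other enabled sysadmin login found; sa left enabled.', 16, 1);
GO

-- 3) Enforce the host's Windows password policy and expiration on a login
--    that the audit showed with is_policy_checked = 0.
IF SUSER_ID(N'app_login') IS NOT NULL
    ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

A login flagged with blank_password or password_equals_name needs a new password as well; turning CHECK_POLICY on does not change the password it already has.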
# 6 - Install only required services
In most enterprise environments, you will have servers dedicated to specific activities, such as a database server or an email server. Enabling IIS on a database server may just open you up to unnecessary attacks. Disable all the services that you are not using and only leave the necessary ones to get the job done. You will actually thank yourself afterwards, as this will improve system performance and cut down on the maintenance time and cost of unnecessary services running.
# 7 - Patch management
The word patch always reminds me of one-eyed pirates and what they are capable of. A patch is an update that fixes a security vulnerability. CVEDetails is your best pal when it comes to identifying vulnerabilities. A vulnerability is a weakness in a system that can be exploited to gain access or to allow users with limited access rights to perform superuser actions. Attackers exploit these vulnerabilities to gain access to your system. Always ensure that you install the latest updates for the version of SQL Server that you are using.
# 8 - Always use a backup server for critical data
In a world where medical records have been computerized, the server going down is the difference between life and death. Doctors need access to the medical history of a patient before prescribing drugs. A backup server (with a possibility of data replication) can be used as a fallback when things go wrong with the main server. You don’t need to be a hospital system developer to use backup servers. Think of it as a business continuity thing.
# 9 - Server disk space
That’s right, SQL Server needs space on the disk. As the database grows, it will need more disk space. Not having disk space may cause processes to fail.
# 10 - Keep the OS secure
As an attacker, if I cannot break into SQL Server then I will simply gain access to the OS, copy the data files, paste them on my local machine, attach them using SQL Server Management Studio, then smile flamboyantly as I browse through the credit card numbers, medical records etc. I have access to the database even if I do not know the password of sa or whatever account is used on the server where I got the files from.
SQL Server is a great and popular database engine loved by most Windows users. A good security policy in place will turn you into the next rock star database security administrator and users will extend their love to you too. Follow the above best practices to keep data safe.