 |
 |
| SQL Server Tips: |
|
 |
 |

DATABASE ADMINISTRATION
Ten common SQL Server security vulnerabilities you may be overlooking
Kevin Beaver, CISSP 03.24.2008
Rating: --- (out of 5)




|
Plenty of malicious outsiders would love to get into our databases. To block them, we simply put up a firewall and make sure no externally facing Web apps allow SQL injections. Instantly, all's well in Databaseland. Right? As long as we don't have any unknown entry points into the network (like unsecured wireless), those two things can indeed keep most of the bad guys at bay.
When you shift your focus to insider threats, things are not so simple. I'll share some other SQL Server security vulnerabilities that you are likely to find in your SQL Server system.
There's a widespread consensus for securing SQL Server. And that is to make sure every database account has a strong password. Alternatively, just use SQL Server 2005 with its "secure out of the box" settings and things are good to go. These set-'em-and-leave-'em database security measures are good starting points. The problem is that they're not practical for reducing a large number of other security risks that many DBAs haven't thought about.
Those vulnerabilities, when exploited by an otherwise trusted user, can lead to a database hack just as easily as a weak password ever could. Plus, other types of SQL Server attacks can fly under the radar of traditional security controls you may have in place.
To continue reading for free, register below or login
To read more you must become a member of SearchSQLServer.com
');
// -->

Here are some not-so-obvious SQL Server 2000 and SQL Server 2005 security vulnerabilities and what they can lead to when exploited by an otherwise trusted system or user on your network:
Keep in mind that there are more SQL Server weaknesses you may come across, but the ones I listed here are the ones I see most often.
So, now let's find out how to find these vulnerabilities. One way is to simply step through your SQL Server configurations and compare them to this list. Or, you can use a commercial database vulnerability scanner that performs authenticated audits, such as NGSSquirreL or AppDetectivePro. Other more OS-centric vulnerability scanners, such as Nessus and QualysGuard, can help to an extent as well. I recommend using vulnerability scanners, but if your time and budget are limited, you can still achieve favorable results doing things manually. The CIS Benchmarks are a good resource as well.
Regardless of how you go about it, if you don't identify all of the risks in your SQL Server system, someone else might end up stumbling across them first. Whether they're found by a rogue insider or a security auditor, don't be caught off guard with chinks in your SQL Server's armor.
[TABLE]
 |

|
|
 |
|
 |
 |
 |
 |
| TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of . |
|
| |
All Rights Reserved, , TechTarget |
|
|
|
|
|