Ten common SQL Server security vulnerabilities you may be overlooking

When you shift your focus to insider threats, things are not so simple. I'll share some other SQL Server security vulnerabilities that you are likely to find in your SQL Server system.

There's a widespread consensus for securing SQL Server. And that is to make sure every database account has a strong password. Alternatively, just use SQL Server 2005 with its "secure out of the box" settings and things are good to go. These set-'em-and-leave-'em database security measures are good starting points. The problem is that they're not practical for reducing a large number of other security risks that many DBAs haven't thought about.

Those vulnerabilities, when exploited by an otherwise trusted user, can lead to a database hack just as easily as a weak password ever could. Plus, other types of SQL Server attacks can fly under the radar of traditional security controls you may have in place.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks Database Administration Top load balancing methods for SQL Server Performance implications of transaction log autogrowth in SQL Server The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 Working with sparse columns in SQL Server 2008 Determining the source of full transaction logs in SQL Server Implementing SQL Server 2008 FILESTREAM functionality Improving SQL Server full-text search performance Using the OPENROWSET function in SQL Server New replication features in SQL Server 2008 and what they mean to you

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Here are some not-so-obvious SQL Server 2000 and SQL Server 2005 security vulnerabilities and what they can lead to when exploited by an otherwise trusted system or user on your network:

Keep in mind that there are more SQL Server weaknesses you may come across, but the ones I listed here are the ones I see most often.

So, now let's find out how to find these vulnerabilities. One way is to simply step through your SQL Server configurations and compare them to this list. Or, you can use a commercial database vulnerability scanner that performs authenticated audits, such as NGSSquirreL or AppDetectivePro. Other more OS-centric vulnerability scanners, such as Nessus and QualysGuard, can help to an extent as well. I recommend using vulnerability scanners, but if your time and budget are limited, you can still achieve favorable results doing things manually. The CIS Benchmarks are a good resource as well.

Regardless of how you go about it, if you don't identify all of the risks in your SQL Server system, someone else might end up stumbling across them first. Whether they're found by a rogue insider or a security auditor, don't be caught off guard with chinks in your SQL Server's armor.

[TABLE]

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.