New security features in SQL Server 2008 leave some work for you

• Lack of reasonable policies such as requirements for strong SQL Server passwords.
• Database-related software not written with security in mind.
• Missing OS and SQL Server patches that permit an attacker to gain remote access to your server using Metasploit or one of its commercial alternatives.
• Change management gaps and oversights such as multiple admins making configuration changes to the database environment that lead to SQL Server security weaknesses.
• Poor network design that allows people from both outside and inside the network to gain an advantage in attacking the database environment.
• Lack of security monitoring and incident management that could help prevent database attacks or at least keep them from doing too much damage.
• Windows operating system-level exploits such as these findings on token kidnapping.
• Web application input validation weaknesses that permit SQL injection.
• Properly-written and well-established SQL Server security goals for making database security a priority within the business.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server Security Password cracking tools for SQL Server Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Microsoft SQL Server 2008 Programming report generation with SQL Server Reporting Services 2008 Q&A: SQL Server 2008 a better fit for consolidation End of life comes for SQL Server 2005 SP2, 2008 What's new for installation with SQL Server 2008? SQL Server Reporting Services 2008 offers faster speeds, new variations Microsoft SQL Server 2008 Learning Guide Understanding transparent data encryption in SQL Server 2008 Working with sparse columns in SQL Server 2008 Implementing SQL Server 2008 FILESTREAM functionality Microsoft renames SQL Server release, adds data services Database Management and Administration Password cracking tools for SQL Server Using traces in SQL Server Profiler Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.