Hardening the network and OS for SQL Server security

Many organizations are in danger of a security breach, regardless of the measures they are taking to secure their environment. In database systems, a breach in any part of the overall system can be exploited to gain access to critical information.

To properly secure SQL Server, it is important to consider the following layers that make up SQL Server security:

1. Network security (firewalls, ports, encryption)
2. Operating system security (Windows security)
3. Server level security (endpoints, server level logins, ports, protocols, and other surface area configurations)
4. Database level security (granting rights to logins/roles, encryption options, and determining what rights are appropriate when)

Since a security failure at any one of these layers can mean failure for an entire solution, there really is no point in securing individual object levels if an opponent can merely sniff everything going "over the wire" or if the operating system is breached. Therefore, all the layers need to be secured.

Part one of this series explains network and operating system security in regards to SQL Server. Database and server-level security will be discussed in part two.

Network security

Although network security specialists are primarily responsible for network security, there are certain SQL Server configuration options that interact with this layer.

Network security specialists are mainly concerned with what ports are turned on and the protocols that are used. Discussions should occur between network security specialists and SQL Server administrators about whether each SQL Server should have a different port or if they should share a common port. (I strongly advise against the standard 1433 port because there is a high likelihood of it being hacked.)

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security Meet compliance requirements with improved database security practices Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Database Management and Administration Using traces in SQL Server Profiler Meet compliance requirements with improved database security practices Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Achieving high availability and disaster recovery with SharePoint databases Clearing the Windows page file and its effect on server performance Deploying a SQL Server virtual appliance for Microsoft Hyper-V How to create SQL Server virtual appliances for Hyper-V Push vs. pull: Configuring SQL Server replication

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

p> In the SQL Server Configuration Manager (Figure 1), the SQL Server Network Configuration tab contains the controls for the protocols/ports in use for the instances (S2K8 is an instance).

Figure 1 (click to enlarge)
[IMAGE]

This is the default configuration for a developer box. For a SQL Server Enterprise Edition, the only protocol that should be on is TCP/IP. All other protocols should be disabled unless there is a unique application requirement for them on the client side.

There are several important properties in the TCP/IP Properties tab. The Listen All property, shown in Figure 2, determines what ports the SQL Server instance will listen on.

Figure 2 (click to enlarge)
[IMAGE]

If this property is set to Yes and there are multiple IPs, the SQL Server instance will listen on all IPs. If there is only one IP, then the setting could be left alone.

If the server has multiple IPs, however, the Listen All property should be set to No, and the SQL Server instance should be set to listen on the IP needed. The more IPs an instance is listening on, the more potential breaches could exist.

Figure 3 shows how to limit the SQL Server instance down to a specific IP address. If the Listen All property is set to No, then the Enabled property applies. Enabled should be set to Yes only for the IPs that are necessary.

Figure 3 (click to enlarge)
[IMAGE]

The specific port that is being listened on can be set by either the TCP Dynamic Ports or the TCP Port settings on each IP or on IPAll.

In Figure 4, IPAll with dynamic ports is set up. This allows a port number to be changed any time SQL Server starts, depending on what ports are available.

Figure 4 (click to enlarge)
[IMAGE]

In dynamic ports, the SQL Server Browser Service monitors the ports in use and directs incoming connections to the current port for a given instance. Dynamic ports are a default setting for named instances.

Dynamic ports are turned off and static ports are defined for IPA11 in Figure 5.

Figure 5 (click to enlarge) [IMAGE]

Note that IP ports can also be set per IP address, and individual IP addresses can listen on multiple ports if they are listed comma delimited (1600,1700).

Operating system security

While most of the Windows OS security is handled by Windows itself, many SQL Servers have the BUILTIN\Administrators group with SysAdmin rights by default. This gives any Windows administrators on the physical box SysAdmin capabilities on the SQL Server.

Generally, this isn't a best practice since typically the production DBA teams are separate from the team(s) that maintain the production Windows servers and may even be from different companies. It's a very good idea to remove this default Windows group after you ensure that you know the SysAdmin password or have other accounts with SysAdmin.

Overall, always consider how the various systems in an environment are interconnected and could be used to exploit the entire environment.

Coming soon: Part two on database and server-level security

ABOUT THE AUTHOR:   

[IMAGE] Matthew Schroeder is a senior software engineer who works on SQL Server database systems ranging in size from 2 GB to 3+ TB, with between 2k and 40+k trans/sec. He specializes in OLTP/OLAP DBMS systems as well as highly scalable processing systems written in .NET. Matthew is a Microsoft certified MCITP, Database Developer, has a master's degree in computer science and more than 12 years of experience in SQL Server/Oracle. He can be reached at cyberstrike@aggressivecoding.com.

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.