
	Home > SQL Server Tips > Database Administration > Not upgrading? Keep SQL Server 2000 secure

SQL Server Tips:

EMAIL THIS

TIPS & NEWSLETTERS TOPICS

DATABASE ADMINISTRATION

Not upgrading? Keep SQL Server 2000 secure

By Kevin Beaver, CISSP
11.15.2005
Rating: --- (out of 5)

Expert advice on database administration

Digg This! StumbleUpon Del.icio.us

SQL Server 2005 is finally here with many new security features, but you may not be planning an upgrade for another year or so. You still need the utmost in database security for your SQL Server 2000 system(s). Fear not! There are several tried-and-true ways to lock down your network's crown jewels stored in SQL Server 2000 for which you can get just about as much bang for your buck.

Before you do anything, find out which vulnerabilities currently exist in your server. To do this, I suggest you use one of the enterprise-grade vulnerability-assessment tools such as Qualys Inc.'s QualysGuard or Internet Security Systems Inc.'s Internet Scanner. These tools will not only find missing patches that the lower-end tools report, but they'll also dig several layers deeper to find and exploit (to a certain extent) any existing weaknesses you may not have known about otherwise.

Secondly, I highly recommend that you use one of the enterprise-grade database vulnerability-assessment tools such as NGS Software Ltd.'s NGSSquirrel for SQL Server or Application Security Inc.'s AppDetective for Microsoft SQL Server. These tools take the vulnerability-assessment process a step further by finding SQL Server-specific vulnerabilities that no other tool or manual assessment would uncover -- especially in a short time period. In my experience, the number of vulnerabilities in database configuration, access control, DoS, etc., rooted out by these tools never fails to be an eye-opening experience for even the most security-savvy DBAs. On a related note, believe it or not, the Microsoft Baseline Security Analyzer (MBSA) does a pretty decent job checking for SQL Server misconfigurations, so you'll do well to at least run MBSA if nothing else.

Once you find existing vulnerabilities and plug the holes where practical, it's time to batten down the hatches with a handful of SQL Server security defenses. You may discover that you've already addressed some of these after implementing

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	SQL Server Security
	Setting up SQL Server Service Broker for secure communication
	The keys to database backup protection for SQL Server
	Understanding transparent data encryption in SQL Server 2008
	The fine line between not encrypting your databases and breach notification
	Securing SQL Server with access control, login monitoring and DDL triggers
	SQL Server security: Controlling access via database roles
	Implementing security audit in SQL Server 2008
	New security features in SQL Server 2008 leave some work for you
	Can I encrypt and restore a database backup in SQL Server 2005?
	FAQ: How to troubleshoot and grant SQL Server permissions

Microsoft SQL Server 2005 (Yukon)

SQL Server Reporting Services Fast Guide

SQL Server Service Broker Tutorial and Reference Guide

Tips for tuning SQL Server 2005 to improve reporting performance

SQL Server consolidation: Why it's an optimization technique

Parent-child dimensions in SQL Server 2005 with Analysis Services MDX

Enforcing data integrity in a SQL Server database

SSIS error message due to installation problem on SQL Server 2005

Should you upgrade to SQL Server 2005 or SQL Server 2008?

Basics for working with DATETIME and SMALLDATETIME in SQL Server 2005

How to configure Database Mail in SQL Server 2005 to send mail

Microsoft SQL Server 2005 (Yukon) Research

Database Administration

Setting up SQL Server Service Broker for secure communication

Top load balancing methods for SQL Server

Performance implications of transaction log autogrowth in SQL Server

The keys to database backup protection for SQL Server

Understanding transparent data encryption in SQL Server 2008

Working with sparse columns in SQL Server 2008

Determining the source of full transaction logs in SQL Server

Implementing SQL Server 2008 FILESTREAM functionality

Improving SQL Server full-text search performance

Using the OPENROWSET function in SQL Server

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

data corruption (SearchSQLServer.com)

data hiding (SearchSQLServer.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

the recommendations outlined by the vulnerability-assessment tools above, but it won't hurt to double check. Remember to keep usability in mind and document your work in case you need to back out any changes.

There are literally hundreds of ways you can lock down SQL Server, but these provide the most value. Once your SQL Server is secure, you should check your work by running the vulnerability-assessment tools again. In fact, the only way to know for sure if your SQL Server 2000 systems are secure on an ongoing basis is to run these tools consistently moving forward -- perhaps once a quarter, twice a year or after any major changes.

If you can justify third-party add-ons, consider a database intrusion detection system such as Application Security Inc.'s AppRadar or even the more generic Internet Security Systems' BlackICE Server Protection -- the latter of which is an excellent option to get the most bang for your buck when it comes to intrusion detection and prevention. In addition, consider a database encryption solution such as Activecrypt Software's XP_Crypt, Application Security's DbEncrypt, and NetLib's Encryptionizer. Combine layered defenses such as these with a reasonably hardened database and it might be all you need to have the next best thing to Fort Knox.

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

More information from SearchSQLServer.com

Find out how to hide SQL Server from network discovery

Learn all about SQL Server security in our learning guide

Get more SQL Server security tips and best practices in this topics section

Rate this Tip
To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

SQL Server Development - .NET, C#, T-SQL, Visual Basic

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2005 - 2009, TechTarget \| Read our Privacy Policy