Earlier this year I wrote about how security features in SQL Server 2008 can help reduce risks. Now that SQL Server 2008 has been out for a while, just how secure is it out of the box? Does it flex its muscle and really stand up to common attacks with strength and vigor?
Well, after poking and prodding it with some vulnerability assessment tools, it is looking good. A small footprint indeed, and certainly the best out-of-the-box database security posture I've seen from Microsoft. Unfortunately, none of the mainstream commercial database vulnerability scanners that many of us depend on for really digging into SQL Server weaknesses currently support SQL Server 2008, at least none of the ones I'm aware of. So that angle of the story remains to be seen.
Vulnerability scanning aside, it's important to not forget that just because a piece of software such as SQL Server 2008 is secure to begin with, that doesn't mean it'll be secure in your environment. Just add people and process flaws to the equation and you've got yourself a recipe for SQL Server security problems no amount of built-in security can help.
Here's a run-down of what Microsoft can't help you with:
- Lack of reasonable policies such as requirements for strong SQL Server passwords.
- Database-related software not written with security in mind.
- Missing OS and SQL Server patches that permit an attacker to gain remote access to your server using Metasploit or one of its commercial alternatives.
- Change management gaps and oversights such as multiple admins making configuration changes to the database environment that lead to SQL Server security weaknesses.
- Poor network design that allows people from both outside and inside the network to gain an advantage in attacking the database environment.
- Lack of security monitoring and incident management that could help prevent database attacks or at least keep them from doing too much damage.
- Windows operating system-level exploits such as these findings on token kidnapping.
- Web application input validation weaknesses that permit SQL injection.
- Lack of properly written, well-established SQL Server security goals for making database security a priority within the business.
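The SQL injection item above is the one on this list that comes down to a few lines of application code rather than policy. The following is an added example, not code from the original article, showing the same lookup written two ways: untrusted input spliced into the SQL text, and the same query with the input passed as a bound parameter. It uses Python's standard-library sqlite3 module and a constructed two-row users table purely so it runs offline; the table, the sample logins and the function names are assumptions of this example, not anything from SQL Server 2008 itself.

```python
import sqlite3

# Constructed sample data standing in for an application's users table.
# sqlite3 is used only so the example runs offline with no server; the
# parameter-binding idea is the same with SQL Server client drivers.
SAMPLE_USERS = [("alice", "s3cret-A"), ("bob", "s3cret-B")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the caller's input becomes part of the SQL text.

    A quote character in the input is parsed as SQL syntax, so the input can
    change what the statement does rather than just what value it compares.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A syntax error on ordinary input (e.g. a name containing an
        # apostrophe) is itself a sign that input is reaching the parser.
        return ["ERROR: " + type(exc).__name__]


def lookup_parameterized(conn, name):
    """Hardened form: the SQL text is fixed; the input is a bound value.

    The driver hands the value to the engine separately from the statement,
    so quote characters in it are data and can never alter the query.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both forms against the same input and return (vulnerable, safe)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    for user_input in ["alice", "O'Brien", "' OR 'x'='x"]:
        vulnerable, safe = compare(user_input)
        print(f"{user_input!r:16} concatenated={vulnerable} parameterized={safe}")
```

For a legitimate name both functions agree. For a name containing an apostrophe the concatenated version fails with a syntax error while the parameterized one simply finds no match, and for input that closes the quote early the concatenated version returns every row in the table while the parameterized one again returns nothing. The same `?` placeholder style is what SQL Server drivers such as pyodbc use, so the hardened form carries over unchanged; a code review or static scan that flags string concatenation into SQL text is the corresponding check on the application side.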
Even with all the latest and greatest security features built right into SQL Server 2008, you're still going to have database vulnerabilities. So, we're not out of the woods yet – nor likely ever will be since older versions of SQL Server could be around indefinitely. That said, we're certainly off to a much better start with SQL Server 2008. The only way you'll ever know is to see where you currently stand, maintain visibility and control and consistently test for new flaws in your environment. Vigilance is not everything – it's the only thing.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.