Dear Todd,

Thank you for your article focusing on SQL Server security vulnerabilities. I would like to stress a couple of points.

First, your long list of vulnerabilities can be extended to the following parts of SQL Server that you did not mention:

- Filestream data

- Full-text indexes

- Communication channels

Second, a widely used encryption technology called Transparent Data Encryption (TDE) allows you to encrypt SQL Server databases starting from version 2008 and Oracle databases starting from version 10g.

    TDE solves the major vulnerabilities that are in your list, such as:

- The tempdb system database will be encrypted if any other database on the SQL Server instance is encrypted using TDE

- Backup files are encrypted

- Transaction log files are encrypted

- Replication files can be encrypted too

So, the main message of your article remains: do not rely only on database encryption to ensure that your information is safe. Every process involving data and interaction with the database engine must be secured too. And do not forget the application user interface, where SQL injection remains a major vulnerability.

For those who would like to know more:

TDE:

    http://msdn.microsoft.com/en-us/library/bb934049.aspx

    Encrypted connections:

    http://msdn.microsoft.com/en-us/library/ms191192.aspx

    Kind Regards,

    Fabrizio Faleni

    MCITP Database administrator 2008
    MCTS SQL Server 2008 Implementation and maintenance
    MCTS Sharepoint configuration
    MCP Designing Deploying and Managing a Network Solution for the Small and Medium-sized Business
    ITIL V3 Foundation
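The letter above describes what TDE covers but not how it is switched on or verified. The following T-SQL is an added example, not code from the letter or from the article it replies to; the database name SalesDB, the certificate name TDECert, the file paths and the placeholder passwords are assumptions and must be replaced. It walks the SQL Server 2008 key hierarchy the letter refers to (service master key, database master key, certificate, database encryption key) and then queries sys.dm_database_encryption_keys, which is where the claim that tempdb is encrypted alongside the user database can be checked.

```sql
USE master;
GO
-- 1. Database master key in master; it is protected by the instance's service master key.
--    'ReplaceMe-MasterKey-Pass!1' is a placeholder password for this example only.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceMe-MasterKey-Pass!1';
GO
-- 2. Certificate that will protect the database encryption key (TDECert is an assumed name).
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key before encrypting anything.
--    Without this backup, the encrypted database and every backup of it cannot be
--    restored on another instance. Paths and password are placeholders.
BACKUP CERTIFICATE TDECert TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = 'ReplaceMe-PrivateKey-Pass!1');
GO
-- 4. Database encryption key inside the user database (SalesDB is an assumed name),
--    protected by the server certificate, then enable TDE.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    Once SalesDB is encrypted, tempdb also appears in this view as encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```

Run the script as a member of the sysadmin role. Step 3 is the part most often skipped in practice: TDE-encrypted backups, which the letter lists as a benefit, are only restorable where the same certificate and private key are available, so the certificate backup has to be stored and protected separately from the database backups. TDE protects data files, log files and backups at rest; it does nothing for data on the wire (see the encrypted-connections link) or for queries assembled from untrusted input, which is the letter's closing point about SQL injection.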