Securing SQL Server: Vulnerabilities You Might Not Have Considered
Site Owners, SSC-Insane (Group: Administrators, Points: 20793, Visits: 276)
Comments posted to this topic are about the item Securing SQL Server: Vulnerabilities You Might Not Have Considered
Fabrizio Faleni, SSC Eights! (Group: General Forum Members, Points: 851, Visits: 456)
Dear Todd,

thank you for your article focusing on SQL Server security vulnerabilities. I would like to put the stress on a couple of points.

First, your long list of vulnerabilities can be extended to the following parts of SQL Server that you did not mention:
- Filestream Data
- Full-Text Indexes
- Communication channels

Second, a widely used encryption technology called Transparent Data Encryption (TDE) allows encrypting SQL Server databases starting from version 2008 and Oracle databases starting from version 10g.

TDE solves the major vulnerabilities that are in your list, such as:
- The TempDB system database will be encrypted if any other database on the instance of SQL Server is encrypted by using TDE
- Backup files are encrypted
- Transaction log files are encrypted
- Replication files can be encrypted too

So, the main message of your article remains: do not rely only on database encryption to ensure that your information is safe. Every process involving data and interaction with the database engine must be secured too, not forgetting the application user interface, where SQL Injection remains a major vulnerability.

For those who would like to know more about:
- TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx
- Encrypted connections: http://msdn.microsoft.com/en-us/library/ms191192.aspx

Kind Regards,

Fabrizio Faleni

MCITP Database administrator 2008
MCTS SQL Server 2008 Implementation and maintenance
MCTS Sharepoint configuration
MCP Designing Deploying and Managing a Network Solution for the Small and Medium-sized Business
ITIL V3 Foundation
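The TDE points in the post above (the tempdb side effect, encrypted backups and log files) can be checked rather than taken on trust. The following T-SQL is an added example written for this page, not code from the post, the article, or Microsoft's documentation. It assumes a user database called AppDB and a certificate called TDECert; the file paths and passwords are placeholders to replace before running.

```sql
-- Added example (not from the thread): enable TDE on AppDB and verify what it
-- covers. AppDB and TDECert are assumed names; <...> values are placeholders.

USE master;
GO

-- The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO

CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for AppDB';
GO

-- Back the certificate up immediately and store it off the server: every
-- TDE-encrypted backup of AppDB is unrestorable on any instance that does
-- not hold this certificate and private key.
BACKUP CERTIFICATE TDECert
    TO FILE = '<secure-path>\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = '<secure-path>\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>');
GO

USE AppDB;
GO

-- The database encryption key (DEK) encrypts the data and log pages and is
-- itself protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO

ALTER DATABASE AppDB SET ENCRYPTION ON;
GO

-- Verify. tempdb (database_id 2) is listed as well: once any database on the
-- instance is encrypted, tempdb is encrypted too. encryption_state 3 means
-- encrypted; 2 means encryption is still in progress (see percent_complete).
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
    ON c.thumbprint = k.encryptor_thumbprint;
GO

-- Backups and transaction log files of AppDB are now encrypted as a consequence
-- of TDE; nothing extra is needed on the BACKUP statement. FILESTREAM data is
-- the exception: TDE does not encrypt it, which is why it belongs on the list
-- of items that must be secured separately.
BACKUP DATABASE AppDB TO DISK = '<backup-path>\AppDB.bak';
GO
```

Two caveats worth keeping in mind when running this: the master key and certificate live in master, so restoring AppDB's backup on another instance requires restoring the certificate there first; and TDE only protects data at rest, so connections, scripts and the application layer still need their own controls, which is exactly the post's main message.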

Divine Flame, SSChampion (Group: General Forum Members, Points: 11346, Visits: 2827)
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D


Sujeet Singh
hakkie42, SSC Journeyman (Group: General Forum Members, Points: 83, Visits: 104)
Regarding scripts:
"Since scripts may contain clear text passwords required to connect to the database, these should be encrypted."
Do you mean encrypting the filesystem where the script resides? IMO there is not much difference from setting appropriate access controls etc. What does encryption add?

Furthermore, wouldn't a much better mitigation method be to use Windows authentication/SSPI to eliminate the need for passwords in scripts?
Jonathan AC Roberts, SSCarpal Tunnel (Group: General Forum Members, Points: 4014, Visits: 2144)
Divine Flame (3/7/2013)
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D

It does seem a bit too close for comfort to this article:
http://www.dbta.com/Articles/Editorial/Think-About-It/How-Secondary-Files-Put-Your-Database-at-Risk-86580.aspx
But then again, at the bottom of the article it does say it's by Todd Thiemann.
Fabrizio Faleni, SSC Eights! (Group: General Forum Members, Points: 851, Visits: 456)
Divine Flame (3/7/2013)
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D


Doh! And me who was focusing on the article content while there was such a weird uncertainty about who the author is! :-D

I just read the author's info at the bottom of the article, forgetting that there was another name at the top. I've once published a piece here and it was revised thoroughly: how could this happen?

MCITP Database administrator 2008
MCTS SQL Server 2008 Implementation and maintenance
MCTS Sharepoint configuration
MCP Designing Deploying and Managing a Network Solution for the Small and Medium-sized Business
ITIL V3 Foundation

mtassin, SSCoach (Group: General Forum Members, Points: 15536, Visits: 72528)
Wow... talk about lazy plagiarism....



--Mark Tassin
MCITP - SQL Server DBA
Proud member of the Anti-RBAR alliance.
For help with Performance click this link
For tips on how to post your problems
BigSam, Ten Centuries (Group: General Forum Members, Points: 1246, Visits: 305)
Very thought-provoking article. I also appreciate the Microsoft links; I will follow up on them.
I usually enforce encryption in my SQL instances for my network connections, since some of them can come through the Internet.
What happens if I use database mirroring or replication? Is that data encrypted during transmission? I always thought so, but after reading this article I'm a little concerned.

BigSam
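Two questions in this thread can be answered from the server side with DMV queries: hakkie42's point that Windows authentication (SSPI) removes the need for passwords in scripts, and BigSam's question about whether mirroring and replication traffic is encrypted in transit. The T-SQL below is an added example written for this page, not code from any of the posts or from the article. It assumes VIEW SERVER STATE permission on the instance; the mirroring endpoint name in the commented remediation and the 'Repl-' program-name prefix used to spot replication agents are assumptions.

```sql
-- Added example (not from the thread): audit how current sessions authenticate
-- and whether their traffic is encrypted, from the server side.

-- 1. Per-connection view. auth_scheme is 'SQL' when a SQL login (a password
--    stored somewhere, e.g. in a script) was used, and 'NTLM' or 'KERBEROS'
--    for Windows authentication. encrypt_option shows whether the TDS stream
--    on that connection is encrypted.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,          -- 'SQL', 'NTLM' or 'KERBEROS'
       c.encrypt_option,       -- 'TRUE' or 'FALSE'
       c.net_transport,
       c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, c.auth_scheme;

-- 2. Logins still arriving with SQL authentication: candidates for conversion
--    to Windows logins so that the calling scripts hold no password at all.
SELECT DISTINCT s.login_name, s.program_name, s.host_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE c.auth_scheme = 'SQL';

-- 3. Unencrypted connections that are not local shared-memory connections.
--    Replication agents connect as ordinary clients, so they appear here like
--    any other session; the 'Repl-' prefix is an assumption about their
--    default program_name, adjust it to what query 1 shows on your instance.
SELECT s.session_id,
       s.login_name,
       s.program_name,
       c.client_net_address,
       CASE WHEN s.program_name LIKE 'Repl-%'
            THEN 'replication agent' ELSE 'client' END AS session_kind
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory';

-- 4. Database mirroring does not use client connections; it uses its own
--    endpoint, and encryption is a property of that endpoint.
SELECT name,
       role_desc,
       state_desc,
       is_encryption_enabled,
       encryption_algorithm_desc,
       connection_auth_desc
FROM sys.database_mirroring_endpoints;

-- Remediation for an endpoint reporting is_encryption_enabled = 0. The name
-- 'Mirroring' is an assumption; use the name returned by query 4.
-- ALTER ENDPOINT Mirroring
--     FOR DATABASE_MIRRORING (ENCRYPTION = REQUIRED ALGORITHM AES);
```

For the client side of the same picture, a script launched as a domain account can connect with `sqlcmd -E -N` (Windows authentication plus a request for an encrypted connection), and a connection string using `Integrated Security=SSPI` achieves the same for application code; pairing that with the server's Force Encryption setting from the Encrypted connections link above means an unencrypted row in query 3 should not appear at all.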