Securing SQL Server: Vulnerabilities You Might Not Have Considered

Site Owners
Group: Administrators
Comments posted to this topic are about the item Securing SQL Server: Vulnerabilities You Might Not Have Considered

Fabrizio Faleni
Dear Todd,

thank you for your article focusing on SQL Server security vulnerabilities. I would like to stress a couple of points.

First, your long list of vulnerabilities can be extended to the following parts of SQL Server that you did not mention:
- Filestream Data
- Full-Text Indexes
- Communication channels

Second, a widely used encryption technology called Transparent Data Encryption (TDE) makes it possible to encrypt SQL Server databases starting from version 2008 and Oracle databases starting from version 10g.

TDE solves the major vulnerabilities that are in your list, such as:
- The TempDB system database will be encrypted if any other database on the instance of SQL Server is encrypted by using TDE
- Backup files are encrypted
- Transaction log files are encrypted
- Replication files can be encrypted too

So, the main message of your article remains: do not rely only on database encryption to ensure that your information is safe. Every process involving data and interaction with the database engine must be secured too. And do not forget the application user interface, where SQL Injection remains a major vulnerability.

For those who would like to know more about TDE:
http://msdn.microsoft.com/en-us/library/bb934049.aspx
Encrypted connections:
http://msdn.microsoft.com/en-us/library/ms191192.aspx

Kind Regards,

Fabrizio Faleni

MCITP Database administrator 2008
MCTS SQL Server 2008 Implementation and maintenance
MCTS Sharepoint configuration
MCP Designing Deploying and Managing a Network Solution for the Small and Medium-sized Business
ITIL V3 Foundation
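To make the TDE point above concrete, the following T-SQL is an added example (it is not code from this thread or from the linked Microsoft documentation). It enables TDE on a hypothetical database named SalesDb with a certificate named TdeServerCert, using placeholder passwords and file paths, and then runs the catalog query that shows tempdb being encrypted alongside the user database, which is the behaviour the post describes.

```sql
-- Added example: enable TDE on a hypothetical database and verify what got encrypted.
-- Names, passwords and paths are placeholders; replace them before use.
USE master;
GO
-- The database master key protects the server certificate; back it up as well.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK-strong-password-placeholder>';
GO
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate (example)';
GO
-- Back up the certificate with its private key immediately. Without this file
-- the encrypted database and every backup taken from it cannot be restored elsewhere.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\secure\TdeServerCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TdeServerCert.pvk',
        ENCRYPTION BY PASSWORD = '<PVK-strong-password-placeholder>');
GO
USE SalesDb;   -- hypothetical user database
GO
-- The database encryption key (DEK) lives in the user database and is
-- protected by the server certificate held in master.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verification: encryption_state 2 = encryption in progress, 3 = encrypted.
-- Once any user database is encrypted, tempdb appears here as encrypted too,
-- which is the TempDB point made in the post.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.percent_complete
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
```

The check at the end is the part worth keeping around: TDE only protects the data, log and backup files at rest, so a database that is missing from this result set (or stuck at encryption_state 2) is one whose backups and transaction log still sit on disk in clear text. It does nothing for data on the wire or for a connection that is already authorised, which is exactly the "do not rely only on database encryption" message of the post.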


Divine Flame
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D


Sujeet Singh

hakkie42
Regarding scripts:
"Since scripts may contain clear text passwords required to connect to the database, these should be encrypted."
Do you mean encrypt the filesystem where the script resides? IMO there is not much difference from setting appropriate access controls, etc. What does encryption add?

Furthermore, wouldn't a much better mitigation method be to use Windows authentication/SSPI to eliminate the need for passwords in scripts?
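As an added illustration of the Windows-authentication suggestion (this is example T-SQL written for this thread, not code posted by any participant), the script below gives a hypothetical service account CORP\svc_nightly_etl a Windows login with only the database role it needs, and then runs two audit queries: one listing the SQL-authenticated logins that remain on the instance, and one listing live sessions that still connected with a SQL password. The database name SalesDb and the account name are assumptions.

```sql
-- Added example: move a script from a SQL login with a stored password to a
-- Windows login, then audit what still authenticates with a password.
USE master;
GO
-- Windows login for the account the scheduled script runs under (hypothetical name).
-- No password is created or stored anywhere; authentication is delegated to Windows/SSPI.
CREATE LOGIN [CORP\svc_nightly_etl] FROM WINDOWS;
GO
USE SalesDb;   -- hypothetical database
GO
CREATE USER [CORP\svc_nightly_etl] FOR LOGIN [CORP\svc_nightly_etl];
-- Least privilege: grant only the role the script actually needs.
-- (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; on 2008 use sp_addrolemember.)
ALTER ROLE db_datareader ADD MEMBER [CORP\svc_nightly_etl];
GO
-- Audit 1: SQL-authenticated logins that still exist (type 'S'), excluding the
-- internal ##...## certificate-based logins. Each of these is a password that
-- may be sitting in a script or connection string somewhere.
SELECT p.name, p.type_desc, p.is_disabled, p.create_date
FROM sys.server_principals AS p
WHERE p.type = 'S' AND p.name NOT LIKE '##%'
ORDER BY p.name;
-- Audit 2: sessions currently connected with SQL authentication rather than
-- NTLM/Kerberos; host_name and program_name point at the script to fix next.
SELECT c.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.auth_scheme = 'SQL'
ORDER BY s.login_name;
```

On the client side the script then opens a trusted connection (for example `sqlcmd -E`, or `Integrated Security=SSPI` in a connection string), so there is nothing secret left in the file to encrypt; file-system ACLs on the script still matter, but only to protect its integrity rather than a credential.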

Jonathan AC Roberts
Divine Flame (3/7/2013)
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D

It does seem a bit too close for comfort to this article:
http://www.dbta.com/Articles/Editorial/Think-About-It/How-Secondary-Files-Put-Your-Database-at-Risk-86580.aspx
But then again, at the bottom of the article it does say it's by Todd Thiemann.

Fabrizio Faleni
Divine Flame (3/7/2013)
Who is the author of this article? "Todd Thiemann" or "Ashvin Kamaraju" ?:-D


Doh! And there I was, focusing on the article content while there was such a weird uncertainty about who the author is! :-D

I just read the author's info at the bottom of the article, forgetting that there was another name at the top. I once published a piece here and it was revised thoroughly: how could this happen?

MCITP Database administrator 2008
MCTS SQL Server 2008 Implementation and maintenance
MCTS Sharepoint configuration
MCP Designing Deploying and Managing a Network Solution for the Small and Medium-sized Business
ITIL V3 Foundation


mtassin
Wow... talk about lazy plagiarism....



--Mark Tassin
MCITP - SQL Server DBA
Proud member of the Anti-RBAR alliance.
For help with Performance click this link
For tips on how to post your problems

BigSam
Very thought-provoking article. I also appreciate the Microsoft links - I will follow up on them.
I usually enforce encryption in my SQL instances for my network connections, since some of them can come through the Internet.
What happens if I use database mirroring or replication? Is that data encrypted during transmission? I always thought so, but after reading this article I'm a little concerned.

BigSam
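The question above about mirroring and replication traffic can be answered from the instance itself rather than assumed. The T-SQL below is an added example (not code from the thread): the first query lists current network connections that are not encrypted, the second creates a database mirroring endpoint that refuses unencrypted partner traffic, and the third reads the endpoint's settings back. The endpoint name MirroringEndpoint and port 5022 are assumptions.

```sql
-- Added example: verify encryption of client connections and of the
-- database mirroring endpoint on this instance.

-- 1. Network sessions that are NOT encrypted. Shared-memory connections never
--    leave the machine, so they are excluded; anything else listed here is
--    crossing the network in clear text.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'
ORDER BY s.host_name, s.login_name;

-- 2. A mirroring endpoint that requires AES encryption from its partner.
--    Mirroring does not ride on the ordinary client connection; it uses this
--    endpoint, so its encryption is configured and checked separately.
--    (Hypothetical name and port.)
CREATE ENDPOINT MirroringEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (ROLE = PARTNER,
                            ENCRYPTION = REQUIRED ALGORITHM AES);
GO

-- 3. Read the endpoint configuration back: is_encryption_enabled should be 1
--    and encryption_algorithm_desc should name AES, on both partners.
SELECT name,
       role_desc,
       state_desc,
       is_encryption_enabled,
       encryption_algorithm_desc,
       connection_auth_desc
FROM sys.database_mirroring_endpoints;
```

Replication agents, as far as this example assumes, connect to the publisher, distributor and subscriber as ordinary clients, so they show up in the first query like any other session; turning on the instance's Force Encryption setting (SQL Server Configuration Manager, network protocols) is what makes encrypt_option come back as TRUE for those sessions regardless of what the agent's connection string asks for.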