January 13, 2010 at 9:05 am
Is there a way to verify the integrity of SQL Server service startup files at startup? Make sure no modification (hacks) or other malicious changes or replacements to these files if the DBA does not manually and periodically check the integrity of the SQL Server services startup files.
Thanks,
Zee - Atlanta
General Dynamics
SS DBA
January 13, 2010 at 2:03 pm
I really don't understand your question - sorry.
Why would someone have access to the server and be able to change/modify SQL Server files? The files SQL Server needs to startup are locked while SQL Server is running - so, the only time they would be available is when SQL Server is down. SQL Server would only be down when explicitly shut down.
Can you explain what issues you are trying to prevent?
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
January 13, 2010 at 3:06 pm
ZeeAtl (1/13/2010)
Is there a way to verify the integrity of SQL Server service startup files at startup? Make sure no modification (hacks) or other malicious changes or replacements to these files if the DBA does not manually and periodically check the integrity of the SQL Server services startup files.Thanks,
Zee - Atlanta
General Dynamics
SS DBA
The fact that your SQL Server is running fine itself verifies the fact that there is nothing wrong with your service startup files. I assume, SQL Server itself proactively checks for these things and I am against any manual intervention to these files by a DBA as long as everything is fine and you have Firewalls enabled on your server.
Is there any specific issue you are facing? If so, we all would like to know...
Thanks...
The_SQL_DBA
MCTS
"Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives."
January 20, 2010 at 12:05 pm
I had to do a Security audit (DIACAP/DISA) as I'm working at active Army D.o.D. facility. One of the unmitigated findings was do we have monitoring of the SQL Server executable and configuration files. I realize the latter is bogus as SQL Server has no such thing as a config file. The former, I'm not sure how I would monitor access to this other than through an Intrusion Detection System or some other Network sniffer or security monitoring inside the firewall.
Agreed with your reply. I'm an accidental DBA thrown into a process which at times seems arbitrary (have to note why I would NOT be monitoring these files in a System Security Plan).
Thanks for your input.
FZ
SS DBA
General Dynamics - Atlanta, GA
January 20, 2010 at 2:04 pm
Permissions for anyone accessing these files directly for modification would be handled at the file system level. There is no audit. The system security plan should document the folder level permissions required to access the SQL Server bin folder. Set the permissions to allow only for the SQL Server serivce account and the local admin group. If someone has hacked the permissions to either of these accounts, your whole DB system is compromised, not just the executables.
This is one of those where you just say, "No, there is no process in place and their is no need for a process to monitor that as it is handled by file system security and permissions assignment".
January 21, 2010 at 11:53 am
Thanks John, this will help me document the System Security Plan on this issue.
Zee - Atlanta, GA
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply