Research and Development

MS SQL Server is Microsoft’s relational database management system with a large number of features and services. With this coverage, there is a large surface area for attack and vulnerabilities. Fortunately, there are a number of security benchmarks and good practice documents available. This article gives an introduction to the security guidelines available and an overview on what key areas to audit and lock down.

Introduction

Microsoft has a SQL Server – Best Practices section on its TechNet website. Specifically, a couple of good practice documents of interest are:

Microsoft also provides a Best Practices Analyzer (BPA) for each version of SQL Server. This is a diagnostics tool that trawls through a given SQL Server instance and reports its configuration and any deviations from Microsoft’s recommended good practices.

The Center for Internet Security (CIS) is a non-profit organisation focused on enhancing the cyber security readiness and response of public and private sector entities. One of its divisions deals with setting Security Benchmarks for a number of systems and frameworks. There are specific security benchmark documents for each major version of SQL Server up to 2012.

A Security Technical Implementation Guide (STIG) is a methodology for the standardised secure installation and maintenance of computer software and hardware. It was originally defined by the Defense Information Systems Agency (DISA), which created configuration documents in support of the US Department of Defense (DoD). STIG documents can be found on DISA’s Information Assurance Support Environment.

Looking in particular at Microsoft SQL Server Best Practice and CIS security benchmark, there are a few sections that are covered:

  • Compliance
  • Encryption
  • Access Control
  • Authentication
  • Network Security
  • Auditing

Compliance

For compliance, a number of items have been identified to help improve the security of a SQL Server and are used as benchmark settings. The following are the areas covered by compliance:

  • Surface Area Reduction – Configure settings on SQL server to disable unnecessary features and services
  • Policy-Based Management – Configure a policy on SQL server
  • Service Account Selection and Management – Configure and disable unnecessary services
  • SQL Server Best Practices Analyzer and other analysis utilities – Run SQL tools to assist in auditing the SQL Server (such as SQL Server Best Practices Analyzer, Microsoft Baseline Security Analyser (MBSA), Microsoft Security Compliance Manager (SCM) and anti-virus)
  • Patching and Automatic Windows Update – Ensure the underlying system is patched up to date

Encryption

For encryption, the following should be considered:

  • Encryption of Data and Database
  • SSL Encryption of client connections

Access Control

For access control, the following should be considered:

  • Administrator Privileges
  • Database Ownership and Trust
  • Lockdown of System Stored Procedures
  • Schemas
  • Authorization
  • Catalog Security
  • Execution Context
  • Remote Data Source Execution

Authentication

For authentication, the following should be considered:

  • Authentication Modes and Logins
  • Password Policy
  • Contained Databases and Authentication

Network Security

For network security, the following should be considered:

  • Limiting the network protocols used
  • Configuring and enabling a firewall
  • Avoiding exposing a server that is running SQL Server to the public Internet

Auditing

Auditing is scenario-specific, but in general you should configure your server to audit as much detail as possible without making the server inoperable.
Generally, you should look at:

  • Auditing is scenario-specific. Balance the need for auditing with the overhead of generating additional data
  • Use the SQL Server 2008/2012 Audit feature for the most secure, performant and granular auditing
  • Audit successful logins in addition to unsuccessful logins if you store highly sensitive data
  • Audit DDL and specific server events by using trace events or event notifications
  • DML can be audited by using trace events or SQL Server Audit
  • Use WMI to be alerted to emergency events
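
The login and DDL auditing recommended above, as an added T-SQL example that is not from the original post: it creates a SQL Server Audit (2008 and later) writing to a file, a server audit specification covering successful and failed logins plus server-level changes, and a database audit specification for DDL. The path D:\SQLAudit\ and the database name YourDatabase are placeholders; the path must exist and be writable by the SQL Server service account.

```sql
USE master;
GO
-- 1. Server audit: the destination. A file (or the Windows Security log) keeps
--    the trail outside the databases that audited users can modify.
CREATE SERVER AUDIT Audit_Logins_And_DDL
TO FILE
(
    FILEPATH = N'D:\SQLAudit\',   -- placeholder path; must already exist
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = 20,
    RESERVE_DISK_SPACE = OFF
)
WITH
(
    QUEUE_DELAY = 1000,           -- ms; 0 is synchronous (lossless but heavier)
    ON_FAILURE = CONTINUE         -- SHUTDOWN is stricter but can stop the instance
);
GO
-- 2. Server-level specification: successful and failed logins (both, as the
--    post advises for sensitive data) plus server DDL and audit tampering.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
FOR SERVER AUDIT Audit_Logins_And_DDL
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- 3. Database-level specification: DDL and permission changes in one database.
USE YourDatabase;                 -- placeholder database name
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_DDL
FOR SERVER AUDIT Audit_Logins_And_DDL
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- 4. Switch the audit on last, then read the trail back for review.
USE master;
GO
ALTER SERVER AUDIT Audit_Logins_And_DDL WITH (STATE = ON);
GO
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Trace events and event notifications remain an option for DML on instances without the Audit feature, but the Audit action groups above are the lower-overhead route on 2008/2012.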

Summary

As we have seen, there are a number of security benchmarks and guideline documents available. Examples include those from Microsoft, the Center for Internet Security (CIS) and the Security Technical Implementation Guides (STIGs). We looked at the general areas covered in these examples. In the next post, we shall look further at the first of these areas: reducing the surface area for vulnerabilities and attack.
