Overview of the SQL Server Security Model and Security Best Practices
SQL Server Security Best Practices
Here is an ideal implementation of security in a Windows NT/2000 environment with SQL Server 7.0 or 2000 database server:
- Configure SQL Server to use Windows authentication mode.
- Depending upon the data access needs of your domain users, group them into different global groups in the domain.
- Consolidate these global groups from all the trusted domains into the Windows NT/2000 local groups in your SQL Server computer.
- The Windows NT/2000 local groups are then granted access to log into the SQL Server.
- Add these Windows NT/2000 local groups to the required fixed server roles in SQL Server.
- Associate these local group logins with individual user accounts in the databases and grant them the required permissions using the database roles.
- Create custom database roles if required, for finer control over permissions.
Here are some standard security practices and tips:
- Restrict physical access to the SQL Server computer. Always lock the server while not in use.
- Make sure all the file and disk shares on the SQL Server computer are read-only. In case you have read-write shares, make sure only the right people have access to those shares.
- Use the NTFS file system, as it provides advanced security and recovery features.
- Prefer Windows authentication to mixed mode. If mixed mode authentication is inevitable, for backward compatibility reasons, make sure you have complex passwords for sa and all other SQL Server logins. It is recommended to have mixed case passwords with a few numbers and/or special characters, to counter the dictionary-based password guessing tools and user identity spoofing by hackers.
- Rename the Windows NT/2000 Administrator account on the SQL Server computer to discourage hackers from guessing the administrator password.
- In a website environment, keep your databases on a different computer than the one running the web service. In other words, keep your SQL Server off the Internet, for security reasons.
- Keep yourself up-to-date with the information on latest service packs and security patches released by Microsoft. Carefully evaluate the service packs and patches before applying them on the production SQL Server. Bookmark the following URL for the latest in the security area from Microsoft: www.microsoft.com/security/.
- If it is appropriate for your environment, hide the SQL Server service from appearing in the server enumeration box in Query Analyzer, using the /HIDDEN:YES switch of NET CONFIG SERVER command.
- Enable login auditing at the Operating System and SQL Server level. Examine the audit for login failure events and look for trends to detect any possible intrusion.
- If it fits your budget, use Intrusion Detection Systems (IDS), especially on high-risk online database servers. IDS can constantly analyze the inbound network traffic, look for trends and detect Denial of Service (DoS) attacks and port scans. IDS can be configured to alert the administrators upon detecting a particular trend.
- Disable guest user account of Windows. Drop guest user from production databases using sp_dropuser.
- Do not let your applications query and manipulate your database directly using SELECT/INSERT/UPDATE/DELETE statements. Wrap these commands within stored procedures and let your applications call these stored procedures. This helps centralize business logic within the database, at the same time hides the internal database structure from client applications.
- Let your users query views instead of giving them access to the underlying base tables.
- Discourage applications from executing dynamic SQL statements. To execute a dynamic SQL statement, users need explicit permissions on the underlying tables. This defeats the purpose of restricting access to base tables using stored procedures and views.
- Don’t let applications accept SQL commands from users and execute them against the database. This could be dangerous (known as SQL injection), as a skilled user can input commands that can destroy the data or gain unauthorized access to sensitive information.
- Take advantage of the fixed server and database roles by assigning users to the appropriate roles. You could also create custom database roles that suit your needs.
- Carefully choose the members of the sysadmin role, as the members of the sysadmin role can do anything in the SQL Server. Note that, by default, the Windows NT/2000 local administrators group is a part of the sysadmin fixed server role. You will probably want to remove this builtin group from SQL Server.
- Constantly monitor error logs and event logs for security related alerts and errors.
- Secure your registry by restricting access to the SQL Server specific registry keys like HKEY_LOCAL_MACHINESoftwareMicrosoftMSSQLServer.
- If your databases contain sensitive information, consider encrypting the sensitive pieces (like credit card numbers and Social Security Numbers (SSN)). There are undocumented encryption functions in SQL Server, but I wouldn’t recommend those. If you have the right skills available in your organization, develop your own encryption/decryption modules using Crypto API or other encryption libraries.
- If you are running SQL Server 7.0, you could use the encryption capabilities of the Multi-Protocol net library for encrypted data exchange between the client and SQL Server. SQL Server 2000 supports encryption over all protocols using Secure Socket Layer (SSL). See SQL Server 7.0 and 2000 Books Online (BOL) for more information on this topic. Please note that, enabling encryption is always a tradeoff between security and performance, because of the additional overhead of encryption and decryption.
- Prevent unauthorized access to linked servers by deleting the linked server entries that are no longer needed. Pay special attention to the login mapping between the local and remote servers. Use logins with the bare minimum privileges for configuring linked servers.
- DBAs generally tend to run SQL Server service’s using a domain administrator account. That is asking for trouble. A malicious SQL Server user could take advantage of these domain admin privileges. Most of the times, a local administrator account would be more than enough for SQL Server service.
- DBAs also tend to drop system stored procedures like xp_cmdshell and all the OLE automation stored procedures (sp_OACreate and the likes). Instead of dropping these procedures, deny EXECUTE permission on them to specific users/roles. Dropping these procedures would break some of the SQL Server functionality.
- Be prompt in dropping the SQL Server logins of employees leaving the organization. Especially, in the case of a layoff, drop the logins of those poor souls ASAP as they could do anything to your data out of frustration.
- When using mixed mode authentication, consider customizing the system stored procedure sp_password, to prevent users from using simple and easy-to-guess passwords.
- To setup secure data replication over Internet or Wide Area Networks (WAN), implement Virtual Private Networks (VPN). Securing the snapshot folder is important too, as the snapshot agent exports data and object scripts from published databases to this folder in the form of text files. Only the replication agents should have access to the snapshot folder.
- It is good to have a tool like Lumigent Log Explorer handy, for a closer look at the transaction log to see who is doing what in the database.
- Do not save passwords in your .udf files, as the password gets stored in clear text.
- If your database code is proprietary, encrypt the definition of stored procedures, triggers, views and user defined functions using the WITH ENCRYPTION clause.
- In database development environments, use a source code control system like Visual Source Safe (VSS) or Rational Clear Case. Control access to source code by creating users in VSS and giving permissions by project. Reserve the ‘destroy permanently’ permission for VSS administrator only. After project completion, lock your VSS database or leave your developers with just read-only access. For a list of other best practices in a database development environment, click here to visit my database programming guidelines and coding conventions.
- Store the data files generated by DTS or BCP in a secure folder or share and delete these files once you are done.
- Install anti-virus software on the SQL Server computer, but exclude your database folders from regular scans. Keep your anti-virus signature files up to date.
- SQL Server 2000 allows you to specify a password for backups. If a backup is created with a password, you must provide that password to restore from that backup. This discourages unauthorized access to backup files.
- Windows 2000 introduced Encrypted File System (EFS) that allows you to encrypt individual files and folders on an NTFS partition. Use this feature to encrypt your SQL Server database files. You must encrypt the files using the service account of SQL Server. When you want to change the service account of SQL Server, you must decrypt the files, change the service account and encrypt the files again with the new service account.
The above points pretty much cover my security check list. Feel free to email me your comments and suggestions. Be sure to check back once in a while, as I will be constantly updating this page.