SlideShare a Scribd company logo

SQL Server Security and Intrusion Prevention

Download as PPTX, PDF
Gabriel Villa, profile picture
Gabriel Villa

The document covers security best practices for SQL Server and application development, emphasizing authentication methods and password management. It warns against threats such as SQL injection and social engineering, while advising on proper server management, access control, and the use of encryption. Additional resources, including books and a blog, are provided for further information.

Technology
1 of 24
Downloaded 26 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
SQL Server Security and Intrusion Prevention
SQL Server Security and Intrusion Prevention
 Recently moved to Colorado Springs  SQL Server 7, 2000, 2005 and 2008  .Net Developer VB.Net and C#  www.extofer.com  twitter: @extofer
 Security Model  Authentication  Passwords  Threats  Physical Security and other best practices
 Principal Windows Users SQL Login  Windows Users  SQL Logins Database Users  Roles DB Roles  Groups  Securables Schemas  Schemas
 Windows Authentications  Domain or local Windows Account  Active Directory Integration  Supports Groups  Use Whenever Possible
 Mixed Authentication  Legacy or Hard Coded Referenced Logins  Non Windows Clients  Connections over Internet
SQL Server Security and Intrusion Prevention
 Strong Password  10 – 12 characters in length  Use Upper and Lower Case  Numbers  Special Characters (symbols)  l33t speak  E = 3 or A=4 or @, T= + or 7  l33t password generator
 DO NOT hardcode passwords  ASP.Net encrypt web.config  Encrypt password in your code  SQLPing checks for default passwords  Change passwords frequently  Do Not use the same passwords
 Social Engineering  SQL Injection  Beware of Port Sniffers
 Social Engineering  Manipulating people to gather data  Not using technical cracking tools or techniques
SQL Server Security and Intrusion Prevention
 SQL Injection  Vulnerable to any RDBMS, not just MS SQL Server  Attacker post SQL commands via front end applications  Tools: ‘ , --, ;
 Check for Valid Input  DDL Triggers  Use Stored Procedures  Use Parameters  Customize Error Messages  Avoid errors returning securable names
 Change default port
SQL Server Security and Intrusion Prevention
SQL Server Security and Intrusion Prevention
 Lock server room or rack when not in use  Restrict access to unauthorized individuals  If feasible, use security cameras
 Second Tuesday of every month  Test updates or hotfixes immediately on non-production servers  Schedule patches soon after tested
 Avoid network shares on servers  Don’t surf the Web on the server  Only enable required protocols  Keep servers behind a firewall
 Encrypt your DB backups  Test backups by restoring  Restrict System Stored Proc’s and XP
http://www.sqlservercentral.com/Books/  Defensive Database Programming by Alex Kuznetsov  Protecting SQL Server Data by John Magnabosco  SQL Server Tacklebox by Rodney Landrum
Slide Deck at http://www.extofer.com Gabriel Villa email: extofer@gmail.com blog: www.extofer. com twitter: @extofer

More Related Content

PPTX
Sql server security in an insecure world
Gianluca Sartori
 
PPTX
Denali Sql Server Security
Gabriel Villa
 
PPT
Securing you SQL Server - Denver, RMTT
Gabriel Villa
 
PPT
SQL Server Security
sunitkanyan
 
KEY
SQL Server: Security
LearnNowOnline
 
PPT
Sql Server Security
Vinod Kumar
 
PPTX
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
PPTX
SQL Server 2012 Security Task
Yaakub Idris
 
Sql server security in an insecure world
Gianluca Sartori
 
Denali Sql Server Security
Gabriel Villa
 
Securing you SQL Server - Denver, RMTT
Gabriel Villa
 
SQL Server Security
sunitkanyan
 
SQL Server: Security
LearnNowOnline
 
Sql Server Security
Vinod Kumar
 
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
SQL Server 2012 Security Task
Yaakub Idris
 

What's hot (20)

PPTX
Practice of AppSec .NET
Mikhail Shcherbakov
 
PPT
Top Keys to create a secure website
Click Ripple Solutions
 
PDF
Compute Security - Host Security
Eng Teong Cheah
 
PPT
Implementing application security using the .net framework
Lalit Kale
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PPT
Securing Your .NET Application
Iron Speed
 
PPTX
Sql injection
The Avi Sharma
 
PPTX
Secure Code Warrior - Trust no input
Secure Code Warrior
 
PPT
Securing you SQL Server
Gabriel Villa
 
PPTX
SQL Injection Attacks: Is Your Data Secure? .NET Edition
Bert Wagner
 
PDF
t r
electronicmingle01
 
PDF
[OWASP Poland Day] Security knowledge framework
OWASP
 
PPTX
Class Project: Security in Microsoft Azure
saitoserge
 
PPTX
security misconfigurations
Megha Sahu
 
PPT
Secure code practices
Hina Rawal
 
PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
Sql injection
Tech Bikram
 
PDF
Web Application Security II - SQL Injection
Md Syed Ahamad
 
PDF
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
PPTX
Sql injection attack
Raghav Bisht
 
Practice of AppSec .NET
Mikhail Shcherbakov
 
Top Keys to create a secure website
Click Ripple Solutions
 
Compute Security - Host Security
Eng Teong Cheah
 
Implementing application security using the .net framework
Lalit Kale
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Securing Your .NET Application
Iron Speed
 
Sql injection
The Avi Sharma
 
Secure Code Warrior - Trust no input
Secure Code Warrior
 
Securing you SQL Server
Gabriel Villa
 
SQL Injection Attacks: Is Your Data Secure? .NET Edition
Bert Wagner
 
t r
electronicmingle01
 
[OWASP Poland Day] Security knowledge framework
OWASP
 
Class Project: Security in Microsoft Azure
saitoserge
 
security misconfigurations
Megha Sahu
 
Secure code practices
Hina Rawal
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
Sql injection
Tech Bikram
 
Web Application Security II - SQL Injection
Md Syed Ahamad
 
Web Application Security 101 - 03 Web Security Toolkit
Websecurify
 
Sql injection attack
Raghav Bisht
 
Ad

Viewers also liked (11)

PPTX
Stroke mimics
Dr Pradip Mate
 
PPTX
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
John Sterrett
 
PPTX
BRAIN CT SCAN
Joann Vargas
 
PPTX
Approach to a patient with stroke - Pathophysiology of stroke
Ashwin Haridas
 
PPT
Basic reading computed tomography (ct) of brain
aViVian
 
PPT
Approach to a patient with stroke
Ashwin Haridas
 
PPTX
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
Arlyn Valencia, M.D.
 
PPT
Stroke
Carlos Rene Espino de la Cueva
 
PPT
Approach to head ct
DrLokesh Mahar
 
PPTX
Stroke syndromes
Sathish Kumar
 
PPTX
BASICS of CT Head
Kunal Mahajan
 
Stroke mimics
Dr Pradip Mate
 
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
John Sterrett
 
BRAIN CT SCAN
Joann Vargas
 
Approach to a patient with stroke - Pathophysiology of stroke
Ashwin Haridas
 
Basic reading computed tomography (ct) of brain
aViVian
 
Approach to a patient with stroke
Ashwin Haridas
 
STROKE LECTURE By Arlyn M. Valencia, M.D. Associate Professo University Of Ne...
Arlyn Valencia, M.D.
 
Stroke
Carlos Rene Espino de la Cueva
 
Approach to head ct
DrLokesh Mahar
 
Stroke syndromes
Sathish Kumar
 
BASICS of CT Head
Kunal Mahajan
 
Ad

Similar to SQL Server Security and Intrusion Prevention (20)

PPT
Fortress SQL Server
webhostingguy
 
PPTX
SqlSa94
Gabriel Villa
 
PPTX
Geek Sync | SQL Security Principals and Permissions 101
IDERA Software
 
PDF
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Tobias Koprowski
 
PDF
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
Tobias Koprowski
 
PPTX
The Spy Who Loathed Me - An Intro to SQL Server Security
Chris Bell
 
PPTX
SQL Injection Attacks cs586
Stacy Watts
 
PPTX
Day2
madamewoolf
 
PDF
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
Tobias Koprowski
 
PPT
SQL Server Security - Attack
webhostingguy
 
PPT
Application Security Part 1 Threat Defense In Client Server Applications ...
Greg Sohl
 
PPTX
Secure Software Engineering
Rohitha Liyanagama
 
PPT
Where should I be encrypting my data?
Information Technology Society Nepal
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
PDF
Dr3150012012202 1.getting started
Namgu Jeong
 
PPTX
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
WinWire Technologies Inc
 
PPTX
SQLi for Security Champions
PetraVukmirovic
 
PPTX
Unit 2 - Chapter 7 (Database Security).pptx
SakshiGawde6
 
PPTX
Sql injection
Nuruzzaman Milon
 
PPSX
Web application security
www.netgains.org
 
Fortress SQL Server
webhostingguy
 
SqlSa94
Gabriel Villa
 
Geek Sync | SQL Security Principals and Permissions 101
IDERA Software
 
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
Tobias Koprowski
 
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
Tobias Koprowski
 
The Spy Who Loathed Me - An Intro to SQL Server Security
Chris Bell
 
SQL Injection Attacks cs586
Stacy Watts
 
Day2
madamewoolf
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
Tobias Koprowski
 
SQL Server Security - Attack
webhostingguy
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Greg Sohl
 
Secure Software Engineering
Rohitha Liyanagama
 
Where should I be encrypting my data?
Information Technology Society Nepal
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Dr3150012012202 1.getting started
Namgu Jeong
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
WinWire Technologies Inc
 
SQLi for Security Champions
PetraVukmirovic
 
Unit 2 - Chapter 7 (Database Security).pptx
SakshiGawde6
 
Sql injection
Nuruzzaman Milon
 
Web application security
www.netgains.org
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Cloud computing and distributed systems.
kkkkkhan
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Approach and Philosophy of On baking technology
30anthuong17
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Artificial Intelligence
memembruh336
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 

SQL Server Security and Intrusion Prevention

  • 3. Recently moved to Colorado Springs  SQL Server 7, 2000, 2005 and 2008  .Net Developer VB.Net and C#  www.extofer.com  twitter: @extofer
  • 4.  Security Model  Authentication  Passwords  Threats  Physical Security and other best practices
  • 5. Principal Windows Users SQL Login  Windows Users  SQL Logins Database Users  Roles DB Roles  Groups  Securables Schemas  Schemas
  • 6. Windows Authentications  Domain or local Windows Account  Active Directory Integration  Supports Groups  Use Whenever Possible
  • 7. Mixed Authentication  Legacy or Hard Coded Referenced Logins  Non Windows Clients  Connections over Internet
  • 9. Strong Password  10 – 12 characters in length  Use Upper and Lower Case  Numbers  Special Characters (symbols)  l33t speak  E = 3 or A=4 or @, T= + or 7  l33t password generator
  • 10. DO NOT hardcode passwords  ASP.Net encrypt web.config  Encrypt password in your code  SQLPing checks for default passwords  Change passwords frequently  Do Not use the same passwords
  • 11.  Social Engineering  SQL Injection  Beware of Port Sniffers
  • 12. Social Engineering  Manipulating people to gather data  Not using technical cracking tools or techniques
  • 14. SQL Injection  Vulnerable to any RDBMS, not just MS SQL Server  Attacker post SQL commands via front end applications  Tools: ‘ , --, ;
  • 15. Check for Valid Input  DDL Triggers  Use Stored Procedures  Use Parameters  Customize Error Messages  Avoid errors returning securable names
  • 16. Change default port
  • 19.  Lock server room or rack when not in use  Restrict access to unauthorized individuals  If feasible, use security cameras
  • 20.  Second Tuesday of every month  Test updates or hotfixes immediately on non-production servers  Schedule patches soon after tested
  • 21.  Avoid network shares on servers  Don’t surf the Web on the server  Only enable required protocols  Keep servers behind a firewall
  • 22.  Encrypt your DB backups  Test backups by restoring  Restrict System Stored Proc’s and XP
  • 23. http://www.sqlservercentral.com/Books/  Defensive Database Programming by Alex Kuznetsov  Protecting SQL Server Data by John Magnabosco  SQL Server Tacklebox by Rodney Landrum
  • 24. Slide Deck at http://www.extofer.com Gabriel Villa email: extofer@gmail.com blog: www.extofer. com twitter: @extofer