application , security , web-services

SQL Security Overview

February 28, 2010

SQL Server maintains its own internal security umbrella, including password encryption, password aging, minimum password length restrictions and user account management resources. Integrated security relies on trusted connections, which are only available with both the named pipes protocol and Microsoft's new RPC-based multi-protocol net library. Because SQL Server supports many different network options simultaneously, clients running TCP/IP can connect to SQL Server at the same time as clients using IPX/SPX. SQL Server installs different network libraries during installation to handle network communication with other servers and client workstations. SQL Server always installs the named-pipes protocol. You have the option during installation (and afterwards) to install one or more additional network libraries. Keep in mind that the type of network support you select determines the security mode you can use for SQL Server. Microsoft SQL Server supports virtually all corporate network environments:

  • Novell® NetWare® IPX/SPX
  • Microsoft Named Pipes (including Windows NT, Windows for Workgroups, Windows 95, LAN Manager)
  • TCP/IP sockets
  • Banyan® VINES®
  • DECnet
  • AppleTalk®
  • multiprotocol networks


Assigning User and Group Privileges

By default, SNA Server does not allow users to access the resources defined within the SNA Server domain. Access privileges must be explicitly granted. To grant access rights to users and groups, open the Users and Groups window.

SQL security considerations:

  • Disable the xp_cmdshell stored procedure and disable access to the Registry from stored procedures
  • Run SQL Server under a user account (not a system account) with restricted permissions
  • Change the system administrator (sa) password
  • Install SQL Server on a computer hidden from the Internet
  • Don’t debug programs on a computer connected to the Internet
  • Don’t run any Web scripts from the sa account
  • Disable the Guest account everywhere
  • Don’t run NMA on a computer inside a public network
  • Set only Execute rights for Web-script folders
  • Install all patches from the Microsoft Web site


Should you disable NetBIOS over TCP/IP (NetBT)? NetBT performs name-to-IP address mapping for name resolution, so turning it off helps hide the server(s) from name lookups.

You need to know that you can set up SQL Server with one of three security modes: standard, integrated, or mixed. The method you use to enter the SQL Server login determines the security mode you use. Whichever security mode you use, you must still create mappings to database users. Which mode are they using?
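The following T-SQL script is an added example, not part of the original post, that checks three of the points above on a running instance: the security mode in use, whether xp_cmdshell is enabled (and disables it), which account the service runs under, and whether the Guest account still has CONNECT in user databases. It assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_services) and a login with sysadmin rights.

```sql
-- Added hardening check (example code, not from the original post).
-- Assumes SQL Server 2008 R2 SP1+ and a sysadmin login.

-- 1. Which security mode is the instance using?
--    1 = Windows (integrated) authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS integrated_only;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means anyone with EXECUTE
--    on it can run OS commands under the service account.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- Disable it; 'show advanced options' must be on to change this setting.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Which account runs the service? The list above asks for a
--    restricted user account rather than a system account.
SELECT servicename, service_account
FROM   sys.dm_server_services;

-- 4. Find user databases where guest still holds CONNECT and revoke it.
--    guest must keep CONNECT in master, tempdb and msdb, so skip those.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE  name NOT IN ('master', 'tempdb', 'msdb') AND state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF EXISTS (SELECT 1 FROM sys.database_permissions p
                   JOIN sys.database_principals u
                     ON p.grantee_principal_id = u.principal_id
                   WHERE u.name = ''guest'' AND p.permission_name = ''CONNECT''
                     AND p.state_desc = ''GRANT'')
        BEGIN
            PRINT N''Revoking guest CONNECT in '' + DB_NAME();
            REVOKE CONNECT FROM guest;
        END';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;
```

Run the SELECT statements first on their own if you only want to audit; the sp_configure and REVOKE statements change server state and should be applied during a maintenance window.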