
Sample – Standard for Securing the Oracle, SQL and Informix Database Servers

October 1, 2012

The following suggestions and references are for securing Oracle, SQL, Informix, DB2 and other database servers:

Patches and Security Updates

  • Ensure that the operating system has the latest updates, patches and service packs.
  • Similarly, ensure that the database server and any database connectivity components, such as ODBC and JDBC drivers, are patched and up to date.

Access Controls

  • Block all unnecessary ports and services and allow only the specific ports needed by the database server being used.
  • Do not run multiple services such as FTP or NNTP on the same machine.
  • Ensure there are no world-writable files and that all file permissions are set according to the business logic.
  • Disable extended stored procedures that allow command execution if not needed by the application.

Configuration

  • Ensure that the accounts being used by the database daemon or service adhere to the principle of least privilege.
  • Delete any unused accounts such as guest.
  • Rename the default super user account and use a strong password.
  • Disable unsecured remote logons such as Telnet and enable SSH or other secure remote logon protocols only if needed.
  • All sample databases and tables must be removed from the production web servers.
  • Database files may be stored on an encrypted file system if supported by the operating system and database server.

Auditing and Logging

  • All login failures must be logged along with the source of the failed login.
  • Enable database server logging.
  • Resource access failures must be logged.
  • Logs could be written to a remote hardened logging server.
  • Log files must be regularly backed up and archived.

Factory Defaults

  • Change the default database administrator password.
  • Change the default port used by the database server for additional security.
  • Ensure that the database server roles do not contain any unnecessary users such as the guest or anonymous account and disable unused roles.
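
The following T-SQL is an added example, not part of the original standard (which is product-agnostic): it applies the extended-stored-procedure, default super user, guest account and failed-login logging items above on Microsoft SQL Server. The renamed login name, the user database name and the audit file path are assumptions.

```sql
-- Added example: applying several checklist items on Microsoft SQL Server.
-- Run as a sysadmin during a maintenance window; the names below are placeholders.

-- Access Controls: disable command execution via xp_cmdshell when the
-- application does not need it, then confirm the running value is 0.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';   -- value_in_use should be 0

-- Configuration / Factory Defaults: rename the default super user login
-- and disable it; applications should use dedicated least-privilege logins.
-- [dba_admin_placeholder] is an assumed name; pick your own.
ALTER LOGIN sa WITH NAME = [dba_admin_placeholder];
ALTER LOGIN [dba_admin_placeholder] DISABLE;

-- Configuration: stop the guest account from connecting to a user database.
-- (guest cannot be revoked in master, tempdb and msdb; repeat per user database.)
USE [AppDatabase];   -- assumed database name
REVOKE CONNECT FROM guest;

-- Auditing and Logging: record every failed login, including its source,
-- to an audit file. The path is an assumption; use a protected, backed-up location.
USE master;
CREATE SERVER AUDIT [FailedLoginAudit]
    TO FILE (FILEPATH = 'D:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION [FailedLoginSpec]
    FOR SERVER AUDIT [FailedLoginAudit]
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT [FailedLoginAudit] WITH (STATE = ON);

-- Verify the audit is running and review failed logins (action LGIF);
-- client_ip requires SQL Server 2016 or later.
SELECT name, status_desc FROM sys.dm_server_audit_status;
SELECT event_time, server_principal_name, client_ip
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF';
```

Copying the `.sqlaudit` files to the remote logging server covers the backup and archiving items in the Auditing and Logging section.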