February 8, 2017 at 5:09 am
Hello everyone!
Does anyone here hardening project of sql server?
What major parts of this project and what is your recommendation?
If you have links to videos / articles please hare it here
Thanks in advance!!!
February 8, 2017 at 5:27 am
What do you mean by hardening SQL Server?
February 8, 2017 at 6:11 am
Hi,
Recources, security etc
February 8, 2017 at 6:40 am
Sorry, there still isn't much information here. Are you trying to find out how to improve security for your databases and what do you mean by hardening resources? What resources?
Thanks
February 8, 2017 at 7:29 am
i had quite a bit of luck finding some resources here:
https://www.google.com/search?q=hardening+sql+server&rlz=1C1CHBF_enUS707US707&oq=hardening+sql+server&aqs=chrome..69i57j69i60.3839j0j7&sourceid=chrome&ie=UTF-8
this one has a decent checklist of things to do, but not the scripts and details:
https://www.mssqltips.com/sqlservertip/3159/sql-server-security-checklist/
are you looking for a step-by-step white paper?
Lowell
February 8, 2017 at 7:39 am
You learn something new everyday. This is not a term I'd come across before.
February 9, 2017 at 7:10 am
One thing I have found is adding 'sa' to an account could be added by accident.... added to an account with the thought of it being temporary for an application upgrade and then forgotten to be removed. SO... I run SQL once a month that shows what IDs have elevated rights and verify that the elevated rights are on the right accounts and no ID had elevated rights that shouldn't.
February 9, 2017 at 7:17 am
server hardening starts with the basics
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 9, 2017 at 7:41 am
Look into implementing TDE (transparent database encryption). It will automagicly keep your data pages encrypted, so database files and backups are not readable should they fall into enemy hands. Once implemented, it's completely transparent, and restoring the database on another server involves simply restoring the certificate file first, so it fairly easy to understand and maintain from a DBA perspective. I know most folks chuckle when someone presents the scenario where a burglar or rogue employee walks out the door with the server hardware, but I can tell you from first hand experience that it actually happens, especially in an industry like retail or healthcare where you have a geographically dispersed database servers and inconsistent security policies in place depending on the location.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 9, 2017 at 9:51 am
Eric M Russell - Thursday, February 9, 2017 7:41 AMLook into implementing TDE (transparent database encryption). It will automagicly keep your data pages encrypted, so database files and backups are not readable should they fall into enemy hands. Once implemented, it's completely transparent, and restoring the database on another server involves simply restoring the certificate file first, so it fairly easy to understand and maintain from a DBA perspective. I know most folks chuckle when someone presents the scenario where a burglar or rogue employee walks out the door with the server hardware, but I can tell you from first hand experience that it actually happens, especially in an industry like retail or healthcare where you have a geographically dispersed database servers and inconsistent security policies in place depending on the location.
the first item on my list above usually negates most of the above. The servers should be kept in a locked room out of reach of prying hands. The security some organisations employ on securing their server rooms would fox most burglars\thieves.
TDE can be negated if you take the time and trouble to harden the server and secure the NTFS file system. By not granting the world and his wife local admin permission, you remove the possibility of gaining file access
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 9, 2017 at 11:14 am
Perry Whittle - Thursday, February 9, 2017 9:51 AMEric M Russell - Thursday, February 9, 2017 7:41 AMLook into implementing TDE (transparent database encryption). It will automagicly keep your data pages encrypted, so database files and backups are not readable should they fall into enemy hands. Once implemented, it's completely transparent, and restoring the database on another server involves simply restoring the certificate file first, so it fairly easy to understand and maintain from a DBA perspective. I know most folks chuckle when someone presents the scenario where a burglar or rogue employee walks out the door with the server hardware, but I can tell you from first hand experience that it actually happens, especially in an industry like retail or healthcare where you have a geographically dispersed database servers and inconsistent security policies in place depending on the location.the first item on my list above usually negates most of the above. The servers should be kept in a locked room out of reach of prying hands. The security some organisations employ on securing their server rooms would fox most burglars\thieves.
TDE can be negated if you take the time and trouble to harden the server and secure the NTFS file system. By not granting the world and his wife local admin permission, you remove the possibility of gaining file access
Sure, one approach is keeping the server locked in an on-premises vault protected 24x7 by security guards.According to Microsoft, SQL Server's TDE offers performance improvements over Windows Server EFS or BitLocker when applied to database files. Also, relying on encryption at file system level means relying on the server administrator(s), which could be a larger group of people than what is desired. For cloud hosted databases, there is no certainty about the facility or personnel. TDE is a good option when the DBA does not have absolute control over physical access.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 10, 2017 at 4:25 am
i'm not talking about encryption at file system level, i'm talking about securing your NTFS filesystem with appropriate ACLs, inline with best practice.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 12, 2017 at 11:49 am
Have you taken a look at the DoD's guidelines for securing SQL Server? It covers many facets of he
Application Security - Database A To Z
http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx
Joie Andrew
"Since 1982"
February 13, 2017 at 7:42 am
Joie Andrew - Sunday, February 12, 2017 11:49 AMHave you taken a look at the DoD's guidelines for securing SQL Server? It covers many facets of heApplication Security - Database A To Z
http://iase.disa.mil/stigs/app-security/database/Pages/index.aspx
In the aftermath of Snowden, I hope DoD is implementing document level encryption.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 13, 2017 at 8:18 am
Well, Snowden wasn't DoD, but yeah, several layers of encryption are usually looked at if feasible. That is the main concept by Defense-in--Depth I believe.
Joie Andrew
"Since 1982"
Viewing 15 posts - 1 through 15 (of 16 total)
You must be logged in to reply to this topic. Login to reply