SQL Server Security and Intrusion Prevention
   Recently moved to Colorado Springs
   SQL Server 7, 2000, 2005 and 2008
   .Net Developer VB.Net and C#
   www.extofer.com
   twitter: @extofer
 Security Model
 Authentication
 Passwords
 Threats
 Physical Security and other best practices
   Principals
      Windows Users
      SQL Logins
      Database Users
   Roles
      DB Roles
      Groups
   Securables
      Schemas
   Windows Authentication
      Domain or local Windows account
      Active Directory integration
      Supports groups
      Use whenever possible
   Mixed Authentication
      Legacy or hard-coded referenced logins
      Non-Windows clients
      Connections over the Internet
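The security model above (principals, roles, securables) wired up with Windows authentication, as an added T-SQL example that is not part of the slide deck. The domain group CONTOSO\SalesAppUsers, the SalesDb database, the Sales schema and the SalesReader role are assumptions, and the script assumes SQL Server 2005 or later.

```sql
-- Added example, not from the deck: the security model wired up with Windows
-- authentication. Domain group, database, schema and role names are
-- assumptions; assumes SQL Server 2005 or later.
USE master;
GO
-- Server-level principal: a Windows group, so membership is managed in Active
-- Directory and SQL Server stores no password for it.
CREATE LOGIN [CONTOSO\SalesAppUsers] FROM WINDOWS;
GO
USE SalesDb;
GO
-- Database-level principal mapped to that login.
CREATE USER SalesAppUsers FOR LOGIN [CONTOSO\SalesAppUsers];
GO
-- Permissions hang off a database role, not off individual users.
CREATE ROLE SalesReader;
GO
-- Securable: the schema. A grant at schema scope covers every object in it,
-- including tables and procedures created later, so nobody has to grant on
-- tables one by one (and forget some).
GRANT SELECT  ON SCHEMA::Sales TO SalesReader;
GRANT EXECUTE ON SCHEMA::Sales TO SalesReader;
GO
EXEC sp_addrolemember 'SalesReader', 'SalesAppUsers';
GO
-- Verify what the role actually holds before handing it out.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc,
       s.name AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.schemas AS s ON s.schema_id = pe.major_id
WHERE pe.class_desc = 'SCHEMA' AND pr.name = 'SalesReader';
```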
   Strong Password
      10 – 12 characters in length
      Use upper and lower case
      Numbers
      Special characters (symbols)
   l33t speak
      E = 3, A = 4 or @, T = + or 7
      l33t password generator
   DO NOT hardcode passwords
      ASP.Net: encrypt web.config
      Encrypt passwords in your code
   SQLPing checks for default passwords
   Change passwords frequently
   Do not use the same passwords
 Social Engineering
 SQL Injection
 Beware of Port Sniffers
   Social Engineering
      Manipulating people to gather data
      No technical cracking tools or techniques involved
   SQL Injection
      Affects any RDBMS, not just MS SQL Server
      Attacker posts SQL commands via front-end applications
      Tools: ' , --, ;
   Check for Valid Input
   DDL Triggers
   Use Stored Procedures
   Use Parameters
   Customize Error Messages
     Avoid errors returning securable names
   Change default port
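The mitigations listed above (parameters, stored procedures, a DDL trigger, customised error messages) as an added T-SQL example that is not part of the slide deck. It assumes SQL Server 2005 or later and a SalesDb database with a dbo.Customers table that has CustomerId and Name columns; the audit tables, procedure and trigger names are assumptions.

```sql
-- Added example, not from the deck. Assumes SQL Server 2005+, a SalesDb
-- database and a dbo.Customers(CustomerId, Name) table; other names are made up.
USE SalesDb;
GO

-- Audit tables the trigger and the CATCH block write to.
CREATE TABLE dbo.DdlAudit (
    OccurredAt  datetime       NOT NULL DEFAULT GETDATE(),
    LoginName   nvarchar(128)  NOT NULL,
    EventType   nvarchar(100)  NOT NULL,
    ObjectName  nvarchar(128)  NULL,
    CommandText nvarchar(max)  NULL
);
CREATE TABLE dbo.ErrorLog (
    OccurredAt  datetime       NOT NULL DEFAULT GETDATE(),
    ProcName    nvarchar(128)  NULL,
    ErrorNumber int            NOT NULL,
    ErrorText   nvarchar(4000) NOT NULL
);
GO

-- VULNERABLE: the caller's text is spliced into the statement, so a value
-- containing the ' or -- tokens from the previous slide is parsed as SQL.
CREATE PROCEDURE dbo.GetCustomerByName_Unsafe @name nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
             + @name + N'''';
    EXEC (@sql);
END
GO

-- HARDENED: the statement text is a fixed literal and the value travels as a
-- typed parameter, so the server never parses the caller's text. Errors are
-- logged in full server-side while the client gets a generic message, so
-- object and column names never leak through error text.
CREATE PROCEDURE dbo.GetCustomerByName @name nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        EXEC sp_executesql
            N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @n',
            N'@n nvarchar(50)',
            @n = @name;
    END TRY
    BEGIN CATCH
        INSERT INTO dbo.ErrorLog (ProcName, ErrorNumber, ErrorText)
        VALUES (ERROR_PROCEDURE(), ERROR_NUMBER(), ERROR_MESSAGE());
        RAISERROR ('The request could not be completed.', 16, 1);
    END CATCH
END
GO

-- DDL trigger: block and record table drops/alters at database scope.
-- ROLLBACK comes first: statements after it in a trigger still run, so the
-- audit row survives while the DROP/ALTER does not.
CREATE TRIGGER trg_BlockTableChanges ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    DECLARE @evt xml;
    SET @evt = EVENTDATA();
    ROLLBACK;
    INSERT INTO dbo.DdlAudit (LoginName, EventType, ObjectName, CommandText)
    VALUES (
        @evt.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
        @evt.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)'),
        @evt.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @evt.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'));
    RAISERROR ('Table changes are blocked here; disable trg_BlockTableChanges first.', 16, 1);
END
GO

-- Check: an ordinary name containing an apostrophe is matched as data by the
-- hardened procedure, while the unsafe one turns it into a broken statement.
EXEC dbo.GetCustomerByName @name = N'O''Brien';
```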
 Lock server room or rack when not in use
 Restrict access to authorized individuals only
 If feasible, use security cameras
 Second Tuesday of every month (Microsoft Patch Tuesday)
 Test updates or hotfixes immediately on non-production servers
 Schedule patches soon after tested
 Avoid network shares on servers
 Don’t surf the Web on the server
 Only enable required protocols
 Keep servers behind a firewall
 Encrypt your DB backups
 Test backups by restoring
 Restrict system stored procedures and extended stored procedures (XPs)
http://www.sqlservercentral.com/Books/
     Defensive Database Programming by Alex Kuznetsov
     Protecting SQL Server Data by John Magnabosco
     SQL Server Tacklebox by Rodney Landrum
Slide deck at http://www.extofer.com

Gabriel Villa
email: extofer@gmail.com
blog: www.extofer.com
twitter: @extofer
