Tuesday 7 April 2015

MS SQL Server Hardening

21:25  NullPort  No comments

Hi friends, Today we are going to discuss about the MS SQL Database Security configuration and Hardening. In this post we are going to discuss about the various security controls in the MS SQL Database and how to configure then so that we can move in the secure environment of the database.

In this post we are going to discuss about the following security controls in the MS SQL database.

Bellow are the few main points you should know about the database while configuring database server.


  1. Install only the required components : number of installed components, number of problems increases .
  2. Install all service packs and critical fixes for database server : It is vary necessary to implement all critical fixes to ensure that there are no known holes on your security.
  3. Disable unnecessary services and features : Disable all the unnecessary services you can disable database by using SQL Server configuration manager.                  
  4. Disable the unused SQL Server protocols : Disable all the unused SQL Server protocols. SQL Server support 4 types of protocols these protocols as shown in image below. use the minimum protocols and disable the other protocols.                                                                                                          
  5. Change the default port number : As we knows that SQL Server is running on the default port 1433 to secure and if you want that nobody identify the sql server then change the default port. 
  6. Hide server instance and turn off the SQL browser service :  you can configure the SQL Server instance as hidden the main purpose of the SQL Server Browser is to provide instance and port information to incoming connection request.
  7. Restrict the access to the SQL Server configuration and database files : you should also protect the file system to prevent unauthorized file deletion, copying or alteration of data. 
  8. Restrict the access to the SQL Server backup folders :
  9. use Transparent data encryption :
  10. remove executive rights to PUBLIC on extended stored procedures : Ju st Remove the execute permission to PUBLIC on extended stored procedure.below extended stored procedure should not be executed by application : xp_availablemedia, xp_dirtree, xp_enumgroups, xp_fixeddrivers, xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regremovemultistring, xp_regread, xp_regwrite, xp_servicesontrol, xp_subdirs.
  11. Disable the xp_cmdshell option : you must have disable the xp_cmdshell option stored procedure from your database. 
  12. Rename and disable the SA account : as  we all knows SA is Super Admin for the SQL Server. any attacker knows about this account so if your machine is in the network then he can brute force this usernam and can easily take controls. To protect this user account you need to rename or delete this users as shown in the image below 

  13. Remove the Administrator group from the SQL Server logins : as we all knows in windows administrator is a default user or group so we are disclosing one user here.So for security resigns we need to change the administrator account name and we need to remove administrator so to rename or removing administrators user and group. as we knows "sa" is super administrator as in above point we rename the sa account with any other named account so first of all logged in with sa and ensure that all the user roles and power is given to any other users and then we can remove administrator account from the users and groups list. 
  14. Use windows authentication mode : mainly there are two ways of SQL Server authentication logins. windows authentication mode and windows and SQL Server authentication mode ( Mixed mode). In windows authentication we can only use windows logins to connect to SQL Server. In this type of authentication windows login credentials are normally Active  Directory domain credentials. and in mixed mode authentication, we can use either windows authentication or SQL Server Authentication to connect to SQL Server. So always select the windows authentications to connect to the SQL Server. to enable windows authentication you need to just right click on instance and select security option and now you can select authentication mode as shown in the image below.
  15. All accounts for named user access should be controlled by Active Directory : always use the named accounts which is connected with the active directory instead of the conman name for all the users. 
  16. Use service accounts with the least privileges : It is most recommended to use different accounts for different services. Suppose if you want to manage the database then you can use dbuser to handle the DB operations only and users must have list privileges . No need to having rights to make changes on OS level to the DB Users.
  17. The user privileged should be minimized : as discussed in the above point that we need to have names users with different and low privileges. 
  18. All Administrator accounts should have a complex password and password change should be enforced : always apply password policy according to the baselines settings in your company. to apply password policy can select it from the Local security policy user administrative Tools >> Local Security Policy. as shown in the below image and always select password enforced
  19. Configure SQL Server login auditing to log both failed and successful logins : always audit the logs, logs for both success and failure. that mean system need to have backup for all success and failure activities. you can select audit policy at Administrator  Tools >> Local Security Policy >> Local Policy as shown in the image below. 
these are the basics hardening security controls in the SQL Database Servers. If you want to tell me any more security controls then you can contact me ...

Posted in:

0 comments:

Post a Comment