locked
Injection attack when moving database to another SQL server RRS feed

  • Question

  • I am using SQL Server and Classic ASP.

     

    My database is currently on a SQL Server 2000, which is shared with other customers of our hosting company.

     

    I am in the process of transferring it from this shared server to our own dedicated server which has SQL Server 2005 Express Edition installed, rented from the same company, because of size, performance and price reasons.

     

    When on the shared server, the current database was subject to injection attacks which stopped two months ago after implementing many changes, including moving queries into stored procedures, limiting special characters entered into forms, limiting the scope of the logons etc.

     

    I transferred the database from the shared server to our dedicated server using DTS, backup and then restore and then changed the ODBC link on our web server to connect to the dedicated server.

     

    Within half-an-hour of changing the connection from the shared to the dedicated server, I suffered an SQL Injection Attack.  Because of this, I have changed the connection back to the shared server whilst trying to understand how this injection attack occurred.

     

    Both the shared server and the dedicated server have the same two SQL authentication logons, one a db_owner and the other a db_writer and a db_reader.

     

    It seems that the problem may be caused by the security set up on the SQl Server 2005 Express on the dedicated server because the injection occurred only when I transferred the database to this server.  It doesn't appear to be a problem with the website coding as the injection attack no longer occurs when the database is on the shared server.

     

    Please advise what I should pay attention to on setting up the security of SQL Server 2005 Express to prevent these attacks. 

     

    Can you further recommend a turorial on SQL Server Security which covers Users, Schemas and Roles etc? 

     

    Thanking you in anticipation.

     

    Roger

     

     

     

     

     

    Wednesday, August 20, 2008 1:18 PM