How can I secure my SQL Server installation

  • Question

  • I'm new to SQL Server and want to know what steps I can perform to secure my SQL Server installation.

    Monday, July 30, 2012 1:57 PM

Answers

  • Below are some of the security best practices which I've taken from my blog post here. Following these will ensure your SQL Server is secure:

    | # | Measure | Reason |
    |---|---------|--------|
    | 1 | Strong password to be set for the sa login, even if not using SQL Server authentication | Anyone who has access to the registry can change the authentication mode, so sa password needed in case this happens |
    | 2 | Separate service account to be created on the domain for each service on each server | To avoid having to give any particular service accounts unnecessary permissions |
    | 3 | All service accounts to be removed from groups such as Everyone and Domain users | If SQL Server security is compromised, this measure will minimise the effect on the rest of the domain |
    | 4 | All service accounts to be assigned the Deny logon locally right | So that anyone who gets hold of the password cannot log on and gain access to server resources |
    | 5 | Folders containing data files to be accessible only by SQL Server service account and local administrators | To prevent unauthorised users from gaining access to the data files |
    | 6 | Windows guest account to be disabled | To help prevent unauthorised access to the server |
    | 7 | SQL Server TCP port number to be changed from the default of 1433 | To make it more difficult for unauthorised hosts to connect to the server |
    | 8 | Sample code, sample databases and development tools not to be installed | To reduce the surface area available to any attacker of the server |
    | 9 | Audit successful and failed accounts | To facilitate detection of suspicious patterns of behaviour |
    | 10 | Drop the BUILTIN\Administrators login | To help prevent unauthorised access |
    | 11 | Restrict NTFS permissions on the installation folders. Only local admins and the service accounts should have access | To minimise the likelihood of important files being changed or deleted |
    | 12 | Similarly restrict permissions on SQL Server registry keys | To minimise the likelihood of registry entries being added, changed or deleted |
    | 13 | Disable all network libraries except TCP/IP | Makes unauthorised remote access more difficult |
    | 14 | Apply the latest service pack and cumulative update | So that all known security vulnerabilities are patched |


    Regards, Basit A. Farooq (MSC Computing, MCITP SQL Server 2005 & 2008, MCDBA SQL Server 2000) http://basitaalishan.com

    • Proposed as answer by Basit Farooq Monday, July 30, 2012 2:04 PM
    • Marked as answer by Basit1981 Monday, July 30, 2012 2:05 PM
    Monday, July 30, 2012 2:03 PM
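
A read-only T-SQL audit for the checklist above, added here as an example and not part of the original answer or the linked blog post. It covers the measures that can be checked from inside the instance (1, 7, 8, 9, 10, 13 and 14). Assumptions: it is run by a sysadmin, the registry read uses the undocumented xp_instance_regread procedure, and the sample database names are the usual Microsoft ones.

```sql
-- Added example: read-only audit queries; nothing here changes configuration.

-- Measure 1: state of the sa login and whether its password is blank.
-- sid 0x01 identifies sa even if the login has been renamed.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1
            THEN 'BLANK' ELSE 'set' END AS password_state
FROM sys.sql_logins
WHERE sid = 0x01;

-- Measure 9: login auditing level stored in the instance registry hive.
-- 0 = none, 1 = successful only, 2 = failed only, 3 = both.
-- xp_instance_regread is undocumented but resolves the per-instance key.
DECLARE @AuditLevel int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @AuditLevel OUTPUT;
SELECT @AuditLevel AS login_audit_level,
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Measure 10: any row returned means BUILTIN\Administrators is still a login.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';

-- Measure 8: sample databases that should not exist on a production server.
SELECT name, create_date
FROM sys.databases
WHERE name IN (N'pubs', N'Northwind')
   OR name LIKE N'AdventureWorks%';

-- Measures 7 and 13: transports and TCP ports used by current connections.
-- This shows what is in use now, not every protocol that is enabled;
-- confirm the enabled set in SQL Server Configuration Manager.
SELECT DISTINCT net_transport, local_tcp_port
FROM sys.dm_exec_connections;

-- Measure 14: build number and service pack level to compare with the
-- latest service pack and cumulative update for this version.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;
```

The operating-system measures (service account group membership and rights, NTFS and registry permissions, the Windows guest account) have to be checked on the host and in the domain, not from T-SQL.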

All replies

  • Look at this benchmark: https://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.sql2005.200

    IMHO it is the best (so far) collection of security best practices.


    Tks. Fausto Fiorese Branco MCTS, MCITP/DBA 2005 | MCITP/DBA 2008 São Paulo - Brasil * http://www.linkedin.com/in/faustobranco

    Monday, July 30, 2012 2:42 PM