What Nobody Told You About Hardening SQL Server

Transcription

1 ARC211 What Nobody Told You About Hardening SQL Server Jesper M. Johansson Enterprise Security Architect Security Business and Technology Unit

2 Defense in Depth Using a layered approach: Increases an attacker s s risk of detection Reduces an attacker s s chance of success Data Application Host Internal Network Perimeter Physical Security People, Policies, & Process ACL, encryption Application hardening, antivirus OS hardening, patch management, authentication, HIDS Network segments, IPSec, NIDS Firewalls, VPN quarantine Guards, locks, tracking devices User education

3 Fundamental Tradeoff Secure You get to pick any two! Usable Cheap

4 SQL Server Security SQL Server 2000 Service Pack 4 Supported tweaks in nol/sql/2000/maintain/sp3sec00.mspx Can you do more?

5 Unsupported Tweaks Make SQL run as a guest Minimum permissions Minimum privileges Restrict account from local logon Restrict access to XProcs Drop XProcs Disable Resolver Secure access from web site

6 WARNING THESE TWEAKS ARE UNSUPPORTED! If you configure a system this way PSS will only be able to provide best effort support, which may be limited to helping you reinstall.

7 Demo Make SQL Run As A Guest

8 Using Enterprise Manager You Get SeTcbPrivilege SeAssignPrimaryToken Full control over everything under %ProgramFiles%\Microsoft SQL Server\<InstanceName InstanceName> HKLM\SOFTWARE SOFTWARE\Clients\Mail HKLM\SOFTWARE SOFTWARE\Microsoft\Microsoft SQL Server\80 HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\MSSQLServer HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\<instancename> HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\Providers HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\Replication HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\SetupSetup HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\SQLServerAgentSQLServerAgent HKLM\SOFTWARE SOFTWARE\Microsoft\MSSQLServer\Tracking HKLM\SOFTWARE SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentVersion\Perflib

9 What Breaks Replication Clustering SQL Agent xp_cmdshell sa account???

10 How to undo Use Enterprise Manager to configure service account

11 Demo Set Permissions on SProcs and XProcs

12 What Breaks Replication Many SQL Tools and scripts???

13 How to undo Use Enterprise Manager to change permissions No way to return to defaults Keep good records!

14 Demo Drop SProcs and XProcs

15 What Breaks Replication Many SQL Tools and scripts Service pack installation? Other things dependent on what you drop If you remove xplog70.dll xp_sscanf xp_sprintf xp_msver SQLDiag SQLDMO SQLTrace Index Tuning Wizard xp_enumgroups xp_logevent

16 Things that depend on xp_cmdshell Object sp_activedirectory_scp sp_adddistpublisher sp_adddistributiondb sp_attachsubscription sp_changedistpublisher sp_copysubscription sp_mscopyscriptfile sp_mscopysnapshot sp_msget_file_existence sp_msremove_userscript sp_replicationoption sp_resolve_logins sp_vupgrade_replication Sp_set_local_time sp_msx_enlist sp_msx_defect Sp_Msdeletefoldercontents Sp_Msreplremoveuncdir Purpose Add/change/delete AD objects Replication Replication Replication Replication Replication Replication Install Replication Replication Install Replication Install Replication Log Shipping Replication Install Changing the time Replication Replication

17 How to undo sp_addextendedproc Underlying DLL must still exist xplog70.dll xp_cmdshell xpstar.dll xp_reg*

18 Demo Block the Resolver

19 What Breaks The Resolver (duh) Clustering Server Enumeration

20 How to undo Unassign the filter

21 Demo Secure Access From Web Site

22 What Breaks Nothing if done properly Unsafe web apps Improperly written web apps

23 How to undo Don t Fix the app instead

24 When Will These Be Supported? SQL 2005??? For SQL 2000

25 For more information Jesper and Steve finally wrote a book! Order online: title/ Use promo code JJSR6437 [email protected]

26 Your Feedback is Important! Please write the number located in the bottom left hand corner of your name badge, on the top of the Evaluation Form. This number links back to your registration details so that we can contact you after TechEd. When completing the Evaluation Form, please tick the number that best corresponds to your experience at TechEd. For additional comments, use the comments section at the end of each form.

27 Jesper M. Johansson 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

28