SQL Server Security Part 1

I have several posts on the go at anyone time. I am posting come security series at blog.solutionsctrl.com but wanted to keep all the SQL stuff also on my own site so these are re-posts from solutionsCtrl with some updates that WordPress allows that Silvrback doesn’t so they might look different.  I’ll reference the original one anyway

Security part 1:- Security and bespoke TinyURL (http://blog.solutionsctrl.com/sql-security-part-1)

I have worked across a lot of SQL Server systems; seen some amazing things, applications using the SA accounts, system administrators with some seriously complex passwords (so complex you have no choice but to write it down) while the good old SQL 2000 SA password is still blank and enabled.
I have recently been involved in a piece of work around database governance and thought it would be useful to share some of the things I’ve been working on, from a complete set of Standards, Policies , Procedures for the DBA function’s roles and responsibilities to Security policies and HA strategies.

I’ll cover off some of the more useful security information. I am not a hacker but if I was I think I might have a field day as a lot of systems I’ve seen have a lot of holes in them.
As with all my posts I’ll share my working, I am a big advocate of saving time, being pro-active and through this blog series I am going to start to push this as far as I can.
The first bit is – as always – there are a lot of resources available out there. The two main ones around security that I’d recommend are the SQL 2008 R2 and SQL 2012 Security best practice whitepapers. I created some bespoke tinyurl tabs, this in itself is such a cool tool. You can give the URL your own personal name so I created SQL2008Security and SQL2012Security as shortcut
Can you imagine emailing a client the following links

http://tinyurl.com/SQL2008Security
http://tinyurl.com/SQL2012Security

or this one

https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CCAQFjAAahUKEwiLkqeBrtPIAhWFzRQKHTXJADk&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F8%2FF%2FA%2F8FABACD7-803E-40FC-ADF8-355E7D218F4C%2FSQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx&usg=AFQjCNFNrqRQqLTEwRcCR5zXD1jIPSZVEw&sig2=NkMT-G9nUwUdq13raK3dwA&bvm=bv.105454873,d.bGQ

The first just looks a bit more professional no?
SQL Server as it turns out is a lot more secure than some of the other systems I could mention, but it wasn’t always the case (see blank SA password aka SQL 2000) . The later the version the more secure it is out of the box (as long as you follow best practices!!) but I don’t see that all the time.
So many times components are installed when they are not needed – Integration Services anyone?
Well I might want to use it one day, it’s easier to install upfront else I’ll have to go through change control later, any of this sound familiar?

Do you have build documentation for the SQL servers?
Are they all the same? Are you sure?
Do they have the same collations?

The same setup?
The same configuration and setup?

Next time I’ll cover Security Best practices and how you can tell if you have issues or not.

Advertisements
This entry was posted in SQL Security and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s