Secure Your Microsoft SQL Server: Security Best Practices
A Microsoft SQL server is a central repository of sensitive data and information for organizations and enterprise level companies, thus it is important to ensure that the only authorized users will gain access to the sensitive data stored in the server. Security is a must. We know that there are thousands of hackers that operate and wreck chaos to different servers. Organizations using SQL servers need to outsmart these hackers to ensure the safety of their information, servers and networks. However, securing the SQL server that will not create errors is a hard task. Database administrators need to perform additional steps to make the configuration hacker proof and harden the implementation of the SQL server someone with their online masters degree in information security.
Protect And Outsmart
There are best practices that were already in use all over the database community. The tips below can serve as a checklist to help database administrators manage and protect the database form external and internal attack.
- Authentication. Microsoft SQL server supports two types of authentication – Mixed Mode Authentication and Windows Authentication. The standard practice is to choose Windows Authentication for the SQL server installation unless legacy applications require the latter mode, Mixed Mode Authentication for access and backward compatibility. Windows Authentication is more secure and once enabled, the Windows credentials are trusted to gain access to the SQL server. The log in process uses encrypted messages to authenticate the SQL server, plus the password are not passed all over the network upon authentication. This security process will result in an authentication that is more reliable. Mixed Mode Authentication on the other hand almost does the opposite. The log on password is passed through the network upon authentication making it less secure compared to the Windows authentication process.
- Securing sysadmin account. The sysadmin account will be left vulnerable when it exits unchanged. Hackers are well aware of this and it makes their work a lot easier if they take control of this account. To prevent this an attack on the account form happening, you have to rename the SA account to a different account name. To change it , in Orbit Explorer expands Logins, then right click on the account and then click on Rename from the menu showing. You can also try to execute this script in renaming the SA account:
ALTER LOGIN sa WITH NAME = [<New-name>]
- Make use of complex password for the SQL specific log ins and sysadmin. If the Mixed Mode Authentication is used, make sure to use complex passwords for the SQL server specific log ins and sysadmin. You have to check the “Enforce password expiration” and the “Enforce password policy” options. The two options will ensure all SQL specific logins are standard with the log in the policies of the operating system.
- SQL Server Administration. Try to avoid managing SQL server using sysadmin or other SQL login accounts that have been granted CONTROL SERVER access or a member of a sysadmin fixed server role. Use dedicated Windows logins for database administrators instead and then assign these log in sysadmin rights on SQL server administration processes.
- Disable guest user access. Guest users are enabled in system databases by default. This is a potential risk especially in a locked down environment. Revoke access of guest users, this will ensure that the public server role members will not be able to gain access to the SQL server unless they are given permission by the DBAs.
- Reduce the SQL server surface area. Disable unwanted features and configure the server with the required features only. The Policy-based management can also be used to implement configuration settings for one or more SQL servers.
- Disable the SQL Browser service. Make sure that this feature is only running on SQL servers where multiple instances of SQL servers are running on one server. The browse service will enumerate the server information on the network which is a potential security risk in a locked down environment.
- SQL Server ErrorLogs and registry keys should be secured. Securing the SQL Server ErrorLogs and registry keys using NTFS permissions will help in making the system more secure and attack proof. If this step is not done, it reveals great information about the SQL server instance and its installation.
Security is one important aspect that an organization should never ignore. It attacks can happen anytime, anywhere that’s why database administrators and the whole database team should ensure the server’s safety and security. If an attack happened either internally or externally, it is one big situation for everybody within the organization. Don’t let this happen.