
Securing Your SQL Server Database - Phua Chiu Kiang


Page 1: Securing Your SQL Server Database - Phua Chiu Kiang

8/3/2019 Securing Your SQL Server Database - Phua Chiu Kiang

http://slidepdf.com/reader/full/securing-your-sql-server-database-phua-chiu-kiang 1/16

Securing Your SQL Server Database

Phua Chiu Kiang

MVP – SQL Server 

Page 2

Agenda

• Top Database Server Threats

• Secure the Server

• Deprive your Development Account

• Prevent SQL Injection

• Encrypt Sensitive Information

• Protect the Connection Strings

Page 3

Top Database Server Threats

Page 4

Secure the Server

• Physical security

 –  Protect the file system and backups

 –  Consider database encryption

• Use a firewall

 –  Default port 1433

• Reduce attack surface

• Disable unused network protocols

Page 5

Secure the Server

• Use Windows Authentication Mode

• Enforce password policy for SQL logins

 –  SSL Network Encryption prevents sniffing

• Enable auditing (and monitor it!)

Page 6

Deprive your Development Account

• Employ principle of least privilege

• Do not use sa/sysadmin/dbo account, even during development

 –  “we will fix it before production” (yeah, right)

• Create accounts and grant privileges as required

Page 7

SQL Injection

• An attack in which malicious code is passed into strings for SQL Server to execute

• The most common form of injection comes from web forms

• Affects almost all web and database applications, not just SQL Server

Page 8

SQL Injection Example 1

strQuery = "SELECT * FROM users WHERE name = '" + userName + "'"

userName = Bill

strQuery = "SELECT * FROM users WHERE name = 'Bill'"

userName = ' OR '1'='1

strQuery = "SELECT * FROM users WHERE name = '' OR '1'='1'"

userName = x'; SELECT * FROM users; DROP TABLE users;--

strQuery = "SELECT * FROM users WHERE name = 'x'; SELECT * FROM users; DROP TABLE users;--'"

Page 9

Demo #1

SQL Injection

Page 10

SQL Injection Example 2

• QueryString Injection

http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT TABLE_NAME, NULL, NULL FROM INFORMATION_SCHEMA.TABLES;--

• To determine number of columns

http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 4 -- (Error)

http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 3 -- (OK)

• To retrieve column names

http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT COLUMN_NAME, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS; --

Page 11

SQL Injection Mitigation

• Follow the Golden Rule - All Input is Evil!

• Use parameterized queries

• Filter input strings

• Use parameters with dynamic SQL

• Avoid disclosing error information

• Use a scanning tool

// Doubles every single quote so the value cannot terminate a string literal
private string SafeSqlLiteral(string inputSQL)
{
    return inputSQL.Replace("'", "''");
}

Page 12

Parameterized Query Sample

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Call a stored procedure; user input only ever travels as typed parameters
    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}

Page 13

Parameterized Query Sample

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Inline SQL text with @id and @pwd placeholders instead of string concatenation
    SqlDataAdapter myCommand = new SqlDataAdapter("SELECT * FROM users WHERE id=@id AND password=@pwd", connection);
    myCommand.SelectCommand.CommandType = CommandType.Text;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}
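The three approaches the deck contrasts (Example 1's string concatenation, the SafeSqlLiteral quote-doubling, and the parameterized login query) run side by side below against the `' OR '1'='1` payload from Example 1. This is an added example, not code from the deck: it uses an in-memory SQLite table constructed here as a stand-in for SQL Server's `users` table, and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the deck's "users" table; SQLite in memory is used so
# the block runs anywhere, and the SQL mechanics are the same on SQL Server.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Bill", "hunter2"), (2, "Alice", "s3cret")])
    return con

DB = make_db()
BYPASS = "' OR '1'='1"  # the password-check bypass payload from Example 1

def names(rows):
    return sorted(r[0] for r in rows)

def login_concat(con, user_id, pwd):
    # Vulnerable: the statement is assembled by string concatenation (Example 1).
    sql = ("SELECT name FROM users WHERE id='" + user_id
           + "' AND password='" + pwd + "'")
    return names(con.execute(sql))

def safe_sql_literal(s):
    # The deck's SafeSqlLiteral: double every single quote inside the value.
    return s.replace("'", "''")

def login_escaped(con, user_id, pwd):
    # Still concatenated, but each value is escaped before being spliced in.
    sql = ("SELECT name FROM users WHERE id='" + safe_sql_literal(user_id)
           + "' AND password='" + safe_sql_literal(pwd) + "'")
    return names(con.execute(sql))

def find_unquoted_escaped(con, user_id):
    # Escaping only helps inside a quoted literal: a numeric comparison built by
    # concatenation is injectable with a payload that contains no quote at all.
    sql = "SELECT name FROM users WHERE id=" + safe_sql_literal(user_id)
    return names(con.execute(sql))

def login_param(con, user_id, pwd):
    # Parameterized: values are bound by the driver and never parsed as SQL,
    # the same approach as the deck's SqlDataAdapter sample with @id and @pwd.
    sql = "SELECT name FROM users WHERE id=? AND password=?"
    return names(con.execute(sql, (user_id, pwd)))

if __name__ == "__main__":
    print(login_concat(DB, "1", BYPASS))             # ['Alice', 'Bill']: every row
    print(login_escaped(DB, "1", BYPASS))            # []
    print(find_unquoted_escaped(DB, "1 OR 1=1"))     # ['Alice', 'Bill']: escaping did not help
    print(login_param(DB, "1", BYPASS))              # []
```

The unquoted case is why the deck lists "Filter input strings" only alongside "Use parameterized queries": quote-doubling protects a string literal, not a numeric comparison, whereas a bound parameter protects both.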

Page 14

Encrypt Sensitive Information

• Avoid creating your own encryption code

• SQL Server encryption mechanisms

 –  T-SQL functions (PWDENCRYPT, HASHBYTES)

 –  Asymmetric keys

 –  Symmetric keys

 –  Certificates

• Protect your connection strings!

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "C:\Microsoft .NET Pet Shop\Web"

Page 15

Demo #2

SQL Server Encryption

Page 16

Thank You

Q&A