SQL Server security checklist
- Never run the SQL Server service as LocalSystem or administrator
- Apply the latest service packs and security patches
- Always set a strong password for SA
- Do not change the default permissions on xp_cmdshell
- Do not set the proxy account to be an administrator
- The default audit level is none; change it to at least Failed Audit
- Run the MBSA tool on a regular basis (http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp)
- When changing service accounts, always use the Enterprise Manager tool
- Install an SSL certificate to secure authentication
Avoid SQL Injection attacks
SQL Injection attacks: a class of attack where the attacker can insert or manipulate the queries the application makes to the backend.
Example

Application code:

    var ShipCity;
    ShipCity = Request.form("ShipCity");
    var sql = "SELECT * FROM OrdersTable WHERE ShipCity = '" + ShipCity + "'";

Good user: inputs Miami in the form. Query to the backend is:

    SELECT * FROM OrdersTable WHERE ShipCity = 'Miami'

Malicious user: inputs the following in the form:

    Redmond' DROP TABLE OrdersTable --

Query to the backend is:

    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond' DROP TABLE OrdersTable --'

The closing quote the application appended is commented out by the --, so the injected DROP TABLE runs as a second statement in the same batch.

Mitigate SQL injection attacks
- Validate all user input
  - Explicitly reject all input that is invalid
  - Define (if possible) the set of valid input and accept only those
- Prune all error messages flowing back to the client
  - Error messages can be a useful tool to attackers
- Run applications in minimally privileged contexts
- Use Integrated Security to connect to the back end; avoid storing passwords
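The slide's concatenation and its mitigations, carried through in an added example that is not part of the original slides: the concatenated build lets the injected statement drop the table, an allow-list implements "define the set of valid input", and a parameterized query (the standard fix, not mentioned on the slide) keeps the input out of the SQL text. SQLite stands in for SQL Server so the code runs offline, `executescript` emulates SQL Server running a whole batch (SQLite needs a `;` between statements, which SQL Server does not), and `CITY_RE` and the sample rows are constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's OrdersTable.
ORDERS = [(1, "Miami"), (2, "Redmond")]
# Assumed allow-list for a city name: letters, spaces, dots, hyphens, max 50 chars.
CITY_RE = re.compile(r"^[A-Za-z][A-Za-z .-]{0,49}$")


def make_db():
    """In-memory SQLite database playing the role of the SQL Server backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderID INTEGER, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable VALUES (?, ?)", ORDERS)
    return conn


def table_exists(conn):
    q = "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='OrdersTable'"
    return conn.execute(q).fetchone()[0] == 1


def is_valid_city(ship_city):
    """Validation layer: accept only input matching the defined set, reject the rest."""
    return CITY_RE.match(ship_city) is not None


def query_concatenated(conn, ship_city):
    """The slide's pattern: user input pasted into the SQL text.
    executescript() runs the whole string as a batch, as SQL Server would,
    so any statement smuggled in through the input executes too.
    Returns whether OrdersTable still exists afterwards."""
    sql = "SELECT * FROM OrdersTable WHERE ShipCity = '" + ship_city + "'"
    conn.executescript(sql)
    return table_exists(conn)


def query_parameterized(conn, ship_city):
    """Mitigation: the value travels as a bound parameter, never as SQL text,
    so quotes and comment markers inside it are only characters to match."""
    cur = conn.execute("SELECT * FROM OrdersTable WHERE ShipCity = ?", (ship_city,))
    return cur.fetchall()


if __name__ == "__main__":
    payload = "Redmond'; DROP TABLE OrdersTable --"  # constructed, with the ';' SQLite needs
    db = make_db()
    print(is_valid_city(payload), query_parameterized(db, payload), table_exists(db))
    print(query_concatenated(db, payload))
```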