SQL Server security has always been important. Protecting the enterprise data resources stored in SQL Server databases is arguably the prime responsibility of an organization’s DBAs. The performance and availability of mission-critical database applications quickly become irrelevant in the aftermath of a data breach. Data assets must be secured if they are to be used productively.
Remote work, which greatly expanded due to the COVID-19 pandemic, adds to security concerns and makes it more difficult to protect valuable databases. Potentially unsecured devices being used to access sensitive data present inviting new targets for hackers. There is no lack of cybercriminals who would like nothing better than to compromise your SQL Servers.
Some fairly recent examples illustrate the dangers your SQL Servers are under every day. Hacker campaigns such as Vollgar are affecting thousands of instances with malware designed to mine cryptocurrency. Malware infections can create backdoor access to SQL Servers like that seen in the Skip-2.0 exploitation tool. The tool allows remote attackers to use a “magic” password to connect to any account and hides its tracks by disabling logging while performing an intrusion.
Needless to say, these are the kinds of stories that give database teams nightmares. They need to accept the fact that their systems are potentially subject to malicious internal or external entities who want to compromise their data. Traditional hacking methods like brute force attacks and SQL injection are still used to take advantage of vulnerable systems.
This is a troubling state of affairs, but some remedies can help alleviate security concerns and enable team members to get a better night’s sleep. These best practices offer essential recommendations to increase the security of enterprise SQL Server databases.
What Can a DBA Do?
There are many ways in which a DBA can strengthen the SQL Server security landscape. With the right mix of configuration decisions and regular activities, system security can be substantially increased. Here are some of the things the database team can do to protect their SQL Servers more effectively.
- Keep SQL Servers and the Windows machines on which they are installed updated with security patches. If at all possible, patches should first be introduced in a test environment rather than risk problems with production systems. Run periodic patch audits to ensure all systems are up to date from a security perspective and address any identified issues immediately.
- Use stored procedures whenever possible. Since they depend on specific input, it is less likely that SQL injection attacks by random hackers will succeed.
- Employ Windows authentication over SQL authentication to provide enhanced security using operating system tools and the ability to centralize accounts with Active Directory. If SQL authentication is being used, disable the SA account as it is a favorite target of hackers looking for a backdoor into your systems.
- Isolate SQL Servers on subnetworks away from general network traffic. Don’t provide Internet access to the servers and consider using nonstandard port numbers to thwart hackers.
- Limit the applications running to one per server if possible. Do not install unnecessary components and refrain from running non-utility, non-SQL apps on the server. Fewer applications mean fewer opportunities for vulnerabilities to be exploited.
- Institute strong access control policies that assign role-based permissions. In some cases, you may find it necessary to define more granular permissions, including row-level security to limit access to table information. Try to balance security and functionality when implementing access control to avoid breaking the application or making it too hard to manage while demonstrating regulatory compliance.
- Use strong passwords. Brute force attacks are still used by hackers because they work. Stronger password cracking algorithms combined with increased computing power have made traditional guidelines for creating strong passwords obsolete. You should consider using password generators to obtain long sequences of random characters for extra security.
- Perform regularly scheduled security audits to identify violations and uncover unusual access patterns that may indicate malicious activity. Excessive numbers of failed logins can be the result of brute force password attacks and should be thoroughly investigated.
A Tool for Enhanced SQL Server Security
A TechGenix webinar sponsored by IDERA and presented by Brien Posey and Elan Kol goes into more detail concerning the methods DBAs can use to strengthen SQL Server security using SQL Secure. This dedicated SQL Server security tool provides DBAs with valuable features to harden database defenses. Its features include:
- The ability to identify users’ effective rights and find gaps in your security models;
- Details on who has access to sensitive data resources and how they are being used;
- Customizable policy templates so you can audit for compliance with regulatory standards;
- Weak password detection;
- Access to historical security information for analysis of changes;
- A security scorecard to quickly identify potential issues;
- Over 20 out of the box reports enabling security information to be shared across the enterprise.
DBAs interested in securing their SQL Servers should take the time to view the webinar and take advantage of the free 14-day trial of SQL Secure. Testing the full functionality of the product will demonstrate how it can help you protect your enterprise databases.
Ask any victim of a data breach if they wish they had taken stronger measures to prevent it. With the right tools and best practices, you can make it harder for hackers to gain access to your SQL Servers. It’s worth the effort.