Gianluca Sartori, profile picture
Uploaded byGianluca Sartori
PPTX, PDF516 views

Sql server security in an insecure world

This document discusses SQL Server security best practices. It begins by noting that data breaches are common and costly for businesses. The presenter then covers security principles of confidentiality, integrity and availability. Various attack methods are described, demonstrating how quickly an unsecured system can be compromised. The presentation recommends implementing security policies across physical, network, host, application and database layers. Specific issues like SQL injection and authentication/authorization approaches are discussed. New SQL Server 2016 security features such as Always Encrypted and row-level security are also mentioned. Resources for further information are provided.

Embed presentation

Download to read offline
SQL Server Security in an Insecure World Gianluca Sartori @spaghettidba sqlconsulting.it
Say thank you to our Sponsors :
Gianluca Sartori  Independent SQL Server consultant  SQL Server MVP, MCTS, MCITP, MCT  Works with SQL Server since version 7  DBA @ Scuderia Ferrari  Blog: spaghettidba.com  Twitter: @spaghettidba
Agenda  Security Matters  What should I protect?  How can I prevent attacks?
 Data Breaches are Common  Data Breaches are Costly  $450.000- $850.000 for large business  $35.000 - $65.000 for small businesses  + Reputational damage  + Legal risks -- Source: UK Government Security Matters
Security Matters  Security must be considered from the start  Securing afterwards is extremely costly  Poorly secured ecosystems are not always possible to fix  Security is a process, not a product  No single “magic” solution  Ongoing process  Attackers get smarter  Security must be stronger
Information Security Principles CIA triad
Information Security Principles  Confidentiality  Information cannot be disclosed to unauthorized individuals  Integrity  Data cannot be modified in an unauthorized or undetected manner  Availability  Information must be available when needed
What happens to insecure systems?  Confidentiality  Data leaks  Integrity  Unauthorized data modifications  Frauds  Availability  Outages
Attack Methodology 1. Scan for Vulnerabilities / Access 2. Gain Access 3. Escalate Privileges 4. Maintain Access 5. Cover Tracks Looks complicated? It’s not!
DEMO How fast can a [poorly configured] system be compromised? … damn fast!
How can I prevent it? Implement security policies at all levels  Physical Security  External Network  Internal Network  Host OS  Application  Database
Physical security  Disallow physical access to the infrastructure  Servers  Console  Ports  Disks  Clients  DBA workstation   + L  What about the cloud?  Networking devices  Switches  Routers  Cables
Network Security  Exclude External network as far as possible  Implement proper network segmentation  vLANs separate servers in groups  Role  Sensitivity  Reduce “implied trust” relationships between servers  Users / Servers is NOT proper segmentation  Encrypt communications
Host OS  Regular patching  Antivirus  Configuration  security best practices  Shut down unneeded services  Reduce attack surface  Permissions  Least Privilege  Auditing  Logging
Application Application is the most vulnerable component in the stack  Secure from the start  Thorough design and code security review  Input validation  Authentication  Authorization  Error handling  Auditing  Logging
SQL Injection
SQL Injection
SQL Injection  Has been known for years  …yet N.1 in OWASP TOP 10 security risks  Easy to detect with automated tools (SQLmap)  …yet very common in the wild  Potentially destructive
Injection techniques  OR-based injection  Stacked queries injection  UNION-based injection  Error-based injection  Boolean-based blind injection  Time-based blind injection
DEMO Let’s sneak in!!
SQL Injection –Fixes  Use bind parameters  Enforces parameter data type  Is not affected by regional settings  Allows complex input  Aggressive input sanitation does not
SQL Injection – False fixes  ORMs do not avoid it  Stored Procedures do not avoid it  Input validation is not enough  Obfuscated attacks  Headers / query strings can be manipulated  Not limited to web applications  NoSQL is vulnerable as well!  .NET’s String.Format is just plain concatenation!!!
DEMO Let’s break things!!
What happened?  We damaged the database, the instance and the OS because we could  Apply least privilege  At the Database level  At the Instance level  At the OS level  … at every level!
 Authenticate the user or the application?  Prefer Windows Authentication when possible  No need to provide password  No need to store passwords in config files  SQL Authentication is less secure  Clear text < SQL2005  RC4 < SQL2012  Password policies SQL Server Security - Authentication
SQL Server Security - Authentication  Passwords are problematic  Users tend to forget  Sticky Notes  Same password, multiple places  Have I been pwnd?  Use passwords that you cannot remember  Use a Password Safe  Keepass Password Safe
SQL Server Security - Authorization Principle of least privilege:  Users must be granted only the privileges essential for their work  Typical scenario:  users are granted sysadmin role  users are granted db_owner role  very common!  users are granted built-in database roles  Security must be taken into account from the start!!!
SQL Server Security Best Practices: 1. Create application specific roles with no privileges 2. Grant minimum needed permissions to roles 3. Add users to roles 4. Don’t grant permissions to users 5. Use application roles to enhance security  Windows groups <> database roles  NEVER, EVER grant server roles to “regular” users
SQL Server Security Additional features:  TDE: Transparent Data Encryption Encrypts database files and backup files  SSL Network Encryption Encrypts the communications channel between SQL Server and client computers
SQL Server 2016 New Security Features  Always Encrypted Column-Level encryption Data is encrypted both at rest and in memory Decryption happens on the client  Row-Level Security Filters rows available to users  Dynamic Data Masking Obfuscates sensitive information
Resources  OWASP http://www.owasp.org  Security checklist for the Database Engine http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx  Troy Hunt’s blog http://www.troyhunt.com  Troy Hunt’s free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today http://www.troyhunt.com/2015/06/free-recorded-webinar-on- pluralsight.html
Q&A Questions?
Stick around for RAFFLE and the AFTER EVENT!  All our volunteers and organisers do not get paid for organizing this event – If you see them, please:  Give them a hug  Shake their hand  Say thank you  Spread the word  Get involved yourself  Don’t forget to thank the sponsors for their support  Thank the speakers for donating their time, energy and expenses  Don’t forget the feedback!

More Related Content

PPTX
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
PPTX
SQL Server Security and Intrusion Prevention
byGabriel Villa
 
PPT
SQL Server Security
bysunitkanyan
 
PPTX
Azure Security Fundamentals
byLorenzo Barbieri
 
PPT
Securing you SQL Server - Denver, RMTT
byGabriel Villa
 
PPTX
Denali Sql Server Security
byGabriel Villa
 
PPTX
SQL Server 2012 Security Task
byYaakub Idris
 
KEY
SQL Server: Security
byLearnNowOnline
 
Sql injections (Basic bypass authentication)
byRavindra Singh Rathore
 
SQL Server Security and Intrusion Prevention
byGabriel Villa
 
SQL Server Security
bysunitkanyan
 
Azure Security Fundamentals
byLorenzo Barbieri
 
Securing you SQL Server - Denver, RMTT
byGabriel Villa
 
Denali Sql Server Security
byGabriel Villa
 
SQL Server 2012 Security Task
byYaakub Idris
 
SQL Server: Security
byLearnNowOnline
 

What's hot

PPTX
Sql injection
byThe Avi Sharma
 
PPTX
Web & Cloud Security in the real world
byMadhu Akula
 
PPTX
How to Test for The OWASP Top Ten
bySecurity Innovation
 
PPTX
Windows Azure Security Features And Functionality
byvivekbhat
 
PPTX
Azure security basics
byStas Lebedenko
 
PDF
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
PDF
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
PDF
Azure Penetration Testing
byCheah Eng Soon
 
PPT
Sql Server Security
byVinod Kumar
 
PDF
[OWASP Poland Day] Security knowledge framework
byOWASP
 
PPT
Securing Your .NET Application
byIron Speed
 
PPTX
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
PDF
Compute Security - Host Security
byEng Teong Cheah
 
PPTX
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
PDF
Protecting Against Web App Attacks
byAlert Logic
 
PDF
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
PPTX
CSS 17: NYC - Building Secure Solutions in AWS
byAlert Logic
 
PDF
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
byITProceed
 
PDF
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 
Sql injection
byThe Avi Sharma
 
Web & Cloud Security in the real world
byMadhu Akula
 
How to Test for The OWASP Top Ten
bySecurity Innovation
 
Windows Azure Security Features And Functionality
byvivekbhat
 
Azure security basics
byStas Lebedenko
 
Security in practice with Java EE 6 and GlassFish
byMarkus Eisele
 
Managed Threat Detection & Response for AWS Applications
byAlert Logic
 
Azure Penetration Testing
byCheah Eng Soon
 
Sql Server Security
byVinod Kumar
 
[OWASP Poland Day] Security knowledge framework
byOWASP
 
Securing Your .NET Application
byIron Speed
 
ASP.NET security vulnerabilities
byAleksandar Bozinovski
 
Compute Security - Host Security
byEng Teong Cheah
 
CSS 17: NYC - Protecting your Web Applications
byAlert Logic
 
Protecting Against Web App Attacks
byAlert Logic
 
IglooConf 2019 Secure your Azure applications like a pro
byKarl Ots
 
Extending Amazon GuardDuty with Cloud Insight Essentials
byAlert Logic
 
CSS 17: NYC - Building Secure Solutions in AWS
byAlert Logic
 
ITPROCEED_WorkplaceMobility_Windows 10 in the enterprise
byITProceed
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
byMasoud Kalali
 

Viewers also liked

PPTX
Learn software development
byEduonix Learning Solutions
 
PDF
ASLGConf2014LizDandDonnaOD 2016
byLiz Dore
 
PPTX
BRAIN CT SCAN
byJoann Vargas
 
PDF
Topdown parsing
byRoyalzig Luxury Furniture
 
PPTX
Approach to a patient with stroke - Pathophysiology of stroke
byAshwin Haridas
 
PDF
A review of Zimbabwe's draft minerals policy by ZELA
byZELA_infor
 
PPTX
Stroke mimics
byDr Pradip Mate
 
PPT
Wilson chemicals ltd
byCamilh
 
PPTX
Ultimate android app development course
byEduonix Learning Solutions
 
PPTX
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
byJohn Sterrett
 
PPTX
Multilevel Marketing Success Suggestion : Averting Burnout And Dissatisfaction
byznsaja
 
PPT
The Tipping Point - Final Presentation
byCamilh
 
PDF
Codflorestal port digital
byLiliane Almeida
 
PPTX
Pregunta de investigacion
byYefferson Nicolas Lopez Buirago
 
PDF
Learn angularjs step by step
byEduonix Learning Solutions
 
PDF
6 Summer Projects You'll Love
byMelton Design Build
 
PDF
Joshua Nash 2015 Calendar Project-Burgess Falls State Park- Sparta,TN
byjnash2012
 
PDF
Jason Tomas by Ryan
byJolinspeeps
 
Learn software development
byEduonix Learning Solutions
 
ASLGConf2014LizDandDonnaOD 2016
byLiz Dore
 
BRAIN CT SCAN
byJoann Vargas
 
Topdown parsing
byRoyalzig Luxury Furniture
 
Approach to a patient with stroke - Pathophysiology of stroke
byAshwin Haridas
 
A review of Zimbabwe's draft minerals policy by ZELA
byZELA_infor
 
Stroke mimics
byDr Pradip Mate
 
Wilson chemicals ltd
byCamilh
 
Ultimate android app development course
byEduonix Learning Solutions
 
Evaluating Daily Checklist Against 1000 Servers using Policy Based Management
byJohn Sterrett
 
Multilevel Marketing Success Suggestion : Averting Burnout And Dissatisfaction
byznsaja
 
The Tipping Point - Final Presentation
byCamilh
 
Codflorestal port digital
byLiliane Almeida
 
Pregunta de investigacion
byYefferson Nicolas Lopez Buirago
 
Learn angularjs step by step
byEduonix Learning Solutions
 
6 Summer Projects You'll Love
byMelton Design Build
 
Joshua Nash 2015 Calendar Project-Burgess Falls State Park- Sparta,TN
byjnash2012
 
Jason Tomas by Ryan
byJolinspeeps
 

Similar to Sql server security in an insecure world

PPTX
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
PPTX
basic to advance network security concepts
byamansinght675
 
PPT
Fortress SQL Server
bywebhostingguy
 
PPTX
SQL Injection Attacks cs586
byStacy Watts
 
PPTX
Secure Software Engineering
byRohitha Liyanagama
 
PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPT
DB security
byERSHUBHAM TIWARI
 
PDF
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
byTobias Koprowski
 
PPTX
Database security in database management.pptx
byFarhanaMariyam1
 
DOCX
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
PDF
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
DOCX
Sql server 2008 r2 security overviewfor admins
byKlaudiia Jacome
 
PDF
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
PDF
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
PDF
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
byTobias Koprowski
 
PDF
5db-security.pdf
byHODCA1
 
PPTX
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
PDF
A Review Report on Security Threats on Database
byShivnandan Singh
 
PPTX
We are all info sec
byMichael Swinarski
 
PDF
KoprowskiT-Difinify2017-SQL_Security_In_The_Cloud
byTobias Koprowski
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
basic to advance network security concepts
byamansinght675
 
Fortress SQL Server
bywebhostingguy
 
SQL Injection Attacks cs586
byStacy Watts
 
Secure Software Engineering
byRohitha Liyanagama
 
SQLi for Security Champions
byPetraVukmirovic
 
DB security
byERSHUBHAM TIWARI
 
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
byTobias Koprowski
 
Database security in database management.pptx
byFarhanaMariyam1
 
Understanding SQL Injection_ A Guide to Website Security.docx
byOscp Training
 
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
Sql server 2008 r2 security overviewfor admins
byKlaudiia Jacome
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
byTobias Koprowski
 
5db-security.pdf
byHODCA1
 
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
A Review Report on Security Threats on Database
byShivnandan Singh
 
We are all info sec
byMichael Swinarski
 
KoprowskiT-Difinify2017-SQL_Security_In_The_Cloud
byTobias Koprowski
 

More from Gianluca Sartori

PPTX
SQL Server Worst Practices
byGianluca Sartori
 
PPTX
SQL Server 2016 New Security Features
byGianluca Sartori
 
PPTX
Sql server infernals
byGianluca Sartori
 
PPTX
Benchmarking like a pro
byGianluca Sartori
 
PPTX
Responding to extended events in near real time
byGianluca Sartori
 
PPTX
SQL Server Worst Practices - EN
byGianluca Sartori
 
PPTX
SQL Server Benchmarking, Baselining and Workload Analysis
byGianluca Sartori
 
PPTX
A performance tuning methodology
byGianluca Sartori
 
PPTX
TSQL Advanced Query Techniques
byGianluca Sartori
 
PPTX
My Query is slow, now what?
byGianluca Sartori
 
SQL Server Worst Practices
byGianluca Sartori
 
SQL Server 2016 New Security Features
byGianluca Sartori
 
Sql server infernals
byGianluca Sartori
 
Benchmarking like a pro
byGianluca Sartori
 
Responding to extended events in near real time
byGianluca Sartori
 
SQL Server Worst Practices - EN
byGianluca Sartori
 
SQL Server Benchmarking, Baselining and Workload Analysis
byGianluca Sartori
 
A performance tuning methodology
byGianluca Sartori
 
TSQL Advanced Query Techniques
byGianluca Sartori
 
My Query is slow, now what?
byGianluca Sartori
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
The Future of Database Diagnostics is a Conversation with Oracle AHF Fleet In...
bySandesh Rao
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
November Patch Tuesday
byIvanti
 
PPTX
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
PPTX
IT Leaders Generative AI Implementation Roadmap
byChristine Shepherd
 
PDF
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
PPTX
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
PPTX
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
The Future of Database Diagnostics is a Conversation with Oracle AHF Fleet In...
bySandesh Rao
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
November Patch Tuesday
byIvanti
 
Cyber Security Quiz 1st Year CSE CS Students
bynirmalamca
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
IT Leaders Generative AI Implementation Roadmap
byChristine Shepherd
 
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Webinar: Introduction to LF Energy SEAPATH
byDanBrown980551
 
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
Building powerful web apps to improve productivity and engagement - Esri UK W...
byEsri UK
 

Sql server security in an insecure world

  • 1.
    SQL Server Securityin an Insecure World Gianluca Sartori @spaghettidba sqlconsulting.it
  • 2.
    Say thank youto our Sponsors :
  • 3.
    Gianluca Sartori  IndependentSQL Server consultant  SQL Server MVP, MCTS, MCITP, MCT  Works with SQL Server since version 7  DBA @ Scuderia Ferrari  Blog: spaghettidba.com  Twitter: @spaghettidba
  • 4.
    Agenda  Security Matters What should I protect?  How can I prevent attacks?
  • 5.
     Data Breachesare Common  Data Breaches are Costly  $450.000- $850.000 for large business  $35.000 - $65.000 for small businesses  + Reputational damage  + Legal risks -- Source: UK Government Security Matters
  • 6.
    Security Matters  Securitymust be considered from the start  Securing afterwards is extremely costly  Poorly secured ecosystems are not always possible to fix  Security is a process, not a product  No single “magic” solution  Ongoing process  Attackers get smarter  Security must be stronger
  • 7.
  • 8.
    Information Security Principles Confidentiality  Information cannot be disclosed to unauthorized individuals  Integrity  Data cannot be modified in an unauthorized or undetected manner  Availability  Information must be available when needed
  • 9.
    What happens toinsecure systems?  Confidentiality  Data leaks  Integrity  Unauthorized data modifications  Frauds  Availability  Outages
  • 10.
    Attack Methodology 1. Scanfor Vulnerabilities / Access 2. Gain Access 3. Escalate Privileges 4. Maintain Access 5. Cover Tracks Looks complicated? It’s not!
  • 11.
    DEMO How fast cana [poorly configured] system be compromised? … damn fast!
  • 12.
    How can Iprevent it? Implement security policies at all levels  Physical Security  External Network  Internal Network  Host OS  Application  Database
  • 13.
    Physical security  Disallowphysical access to the infrastructure  Servers  Console  Ports  Disks  Clients  DBA workstation   + L  What about the cloud?  Networking devices  Switches  Routers  Cables
  • 14.
    Network Security  ExcludeExternal network as far as possible  Implement proper network segmentation  vLANs separate servers in groups  Role  Sensitivity  Reduce “implied trust” relationships between servers  Users / Servers is NOT proper segmentation  Encrypt communications
  • 15.
    Host OS  Regularpatching  Antivirus  Configuration  security best practices  Shut down unneeded services  Reduce attack surface  Permissions  Least Privilege  Auditing  Logging
  • 16.
    Application Application is themost vulnerable component in the stack  Secure from the start  Thorough design and code security review  Input validation  Authentication  Authorization  Error handling  Auditing  Logging
  • 17.
  • 18.
  • 19.
    SQL Injection  Hasbeen known for years  …yet N.1 in OWASP TOP 10 security risks  Easy to detect with automated tools (SQLmap)  …yet very common in the wild  Potentially destructive
  • 20.
    Injection techniques  OR-basedinjection  Stacked queries injection  UNION-based injection  Error-based injection  Boolean-based blind injection  Time-based blind injection
  • 21.
  • 22.
    SQL Injection –Fixes Use bind parameters  Enforces parameter data type  Is not affected by regional settings  Allows complex input  Aggressive input sanitation does not
  • 23.
    SQL Injection –False fixes  ORMs do not avoid it  Stored Procedures do not avoid it  Input validation is not enough  Obfuscated attacks  Headers / query strings can be manipulated  Not limited to web applications  NoSQL is vulnerable as well!  .NET’s String.Format is just plain concatenation!!!
  • 24.
  • 25.
    What happened?  Wedamaged the database, the instance and the OS because we could  Apply least privilege  At the Database level  At the Instance level  At the OS level  … at every level!
  • 26.
     Authenticate theuser or the application?  Prefer Windows Authentication when possible  No need to provide password  No need to store passwords in config files  SQL Authentication is less secure  Clear text < SQL2005  RC4 < SQL2012  Password policies SQL Server Security - Authentication
  • 27.
    SQL Server Security- Authentication  Passwords are problematic  Users tend to forget  Sticky Notes  Same password, multiple places  Have I been pwnd?  Use passwords that you cannot remember  Use a Password Safe  Keepass Password Safe
  • 28.
    SQL Server Security- Authorization Principle of least privilege:  Users must be granted only the privileges essential for their work  Typical scenario:  users are granted sysadmin role  users are granted db_owner role  very common!  users are granted built-in database roles  Security must be taken into account from the start!!!
  • 29.
    SQL Server Security BestPractices: 1. Create application specific roles with no privileges 2. Grant minimum needed permissions to roles 3. Add users to roles 4. Don’t grant permissions to users 5. Use application roles to enhance security  Windows groups <> database roles  NEVER, EVER grant server roles to “regular” users
  • 30.
    SQL Server Security Additionalfeatures:  TDE: Transparent Data Encryption Encrypts database files and backup files  SSL Network Encryption Encrypts the communications channel between SQL Server and client computers
  • 31.
    SQL Server 2016New Security Features  Always Encrypted Column-Level encryption Data is encrypted both at rest and in memory Decryption happens on the client  Row-Level Security Filters rows available to users  Dynamic Data Masking Obfuscates sensitive information
  • 32.
    Resources  OWASP http://www.owasp.org  Securitychecklist for the Database Engine http://msdn.microsoft.com/en-us/library/ff848778(v=SQL.105).aspx  Troy Hunt’s blog http://www.troyhunt.com  Troy Hunt’s free Pluralsight webinar: Why SQL Injection Remains the #1 Web Security Risk Today http://www.troyhunt.com/2015/06/free-recorded-webinar-on- pluralsight.html
  • 33.
  • 34.
    Stick around forRAFFLE and the AFTER EVENT!  All our volunteers and organisers do not get paid for organizing this event – If you see them, please:  Give them a hug  Shake their hand  Say thank you  Spread the word  Get involved yourself  Don’t forget to thank the sponsors for their support  Thank the speakers for donating their time, energy and expenses  Don’t forget the feedback!