Why You Need to Secure Your SQL Server Instances

Why You Need to Secure Your SQL Server Instances

Share on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn0Share on Reddit0
Database Management Systems (DBMSs) store data. They sure have added functionality and a huge set of significant features but again, in the end of the day, they store data. Your data. This makes your DBMSs one of the most valuable assets in your Organization and that’s why you need to keep them as secure as possible during their entire life cycle  within your Organization.

SQL Server is a very powerful data platform and part of this power, is to allow the user to control different settings, thus making it work the best for his/her needs. However, as in all systems, if these settings are misconfigured, or the proper precautions are not taken on the user’s side, then along with the functionality the user wants to enable, he or she possibly will create security risks.

Take for example, the ‘Password Expiration’ option. In case you have a SQL login which is used as a service account, then this could be a reason for not to have the ‘Password Expiration’ enabled for that login. If however, you have an SQL login which is used by a physical person and the ‘Password Expiration’ option is not enabled, this increases the risk of having the password guessed more easily than in the case where the password expires every X days (i.e. every 90 days) and thus the user needs to enter a new one.

Figure 1: Start Page.

Other examples of security risks are: using the same password as the username for SQL Logins, having ‘xp_cmdshell’ enabled without really needing it and without the proper design and accesses, having the BUILTINAdministrators local windows group on the database server as SysAdmins, etc.

There are many settings which can be incorrectly set by the user, either because of naivety, or lack of deep understanding about these settings, or any other reason.

By the time a DBMS hosts a single database, it is critical that you keep that DBMS instance as secure as possible. Misconfiguring your instance can be a source of vulnerabilities so you need to periodically check you instance about related security risks and take remediation actions when and where needed.

It is based on all the above that I have been developing during the last two years “DBA Security Advisor“. DBA Security Advisor is a powerful tool i released a few days ago, which assesses SQL Server instances for potential security risks based on a proven best practices set of security checks. Furthermore it provides recommendations for the detected security risks as well as remediation scripts and methods.

DBA Security Advisor comes in two editions: (i) A Community Edition which is free but with a limited set of security checks and limited functionality, and (ii) An Enterprise Edition where all security checks and other features are available. You can compare the available features per edition on this link.

The workflow of DBA Security Advisor (Enterprise Edition) is very straightforward:

1. You connect to a single or multiple SQL Server instances.
2. You select the security checks to run against the connected SQL Server instance(s) and run the assessment.
3. You go through the generated report with the security findings.
4. You study the recommendations and remediation scripts/methods and act accordingly towards resolving the security risks.
5. You re-run the security assessment and check if the previously-reported security risks have been eliminated after you took actions.

Figure 2: Connect to Multiple Instances (Enterprise Edition).
Figure 3: Select Security Checks (Enterprise Edition).
Figure 4: Embedded Report Viewer: Sample Security Risks.
Figure 5 Standalone Security Report Viewer with Recommendations and Remediation Scripts and Methods.

I believe that you will find DBA Security Advisor extremely useful. It will help you secure your SQL Server instances, as well as become compliant with a large number of security best practice factors. Test the Community Edition today which is free, and after you are convinced that DBA Security Advisor can help you in your everyday SQL Server administration and hardening process, you can consider upgrading to the Enterprise Edition, and thus unlock all security checks and the rest of its powerful features.



Reference: The SQL Server and .NET Hub (http://www.sqlnethub.com)


Resources:

Cheers,

Artemakis Artemiou
Microsoft Data Platform MVP
https://www.aartemiou.com
https://www.dbasecadvisor.com
https://www.inmemoltpsim.com


Recommended eBooks on SQL Server:

Tuning SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Tuning SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Administering SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Administering SQL Server: eBook by SQL Server MVP Artemakis Artemiou
Artemakis Artemiou
Artemakis Artemiou is a Senior SQL Server Architect, Author, Software Developer and a Microsoft Data Platform MVP. He has over 15 years of experience in the IT industry in various roles. Among other, via his initiative SQLEBooks.com, Artemakis authors and publishes eBooks on different topics on SQL Server. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA). Additionally he is the founder of the SQLArtBits initiative that aims to provide the technical community with simple, yet powerful and high-quality SQL Server tools. Currently, the highlights of these tools are DBA Security Advisor and In-Memory OLTP Simulator. Artemakis's official website can be found at aartemiou.com. Artemakis's blogs can be found at: SQLNetHub.com and TechHowTos.com.