Re: Security lockdown for SQL 2005



gocrm (gocrm@xxxxxxxxxxxxxxxxxxxxxxxxx) writes:
Thanks Uri. I don't need to know the detailed security of the SQL itself.
I just needed to know how to secure the server and prevent any
unnecessary open holes. Do you know where I can get started? Any
links?

The problem with your question is that there is always a trade-off between
security and business requirements. If all you want is tight security, just
pull the network cable and put the server in a safe.

A default install of SQL 2005 ships with many potentially insecure features
turned off: the CLR is disabled, cross-database chaining is disabled,
xp_cmdshell is disabled, OPENROWSET is disabled, SQL Server authentication
is disabled, users don't have access to metadata for objects they may not
access. But there are many applications that depend on these features being
available, so just turning them off blindly if they are on will only
cause you grief.

And a lot of the security work is not about configuring the server itself,
but how applications use SQL Server. Web applications that log into SQL
Server with elevated privileges and are open to SQL injection are the prime
example, particularly if they are exposed on the Internet.

So if you want to deal with security in SQL Server, you really need to learn
it first, so that you can understand what trade-offs you need to make.
The SQL Server Books Online (that's what Uri meant by BOL) is a
starting point.

--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
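The reply above lists the surface-area features a SQL 2005 default install leaves off and warns against toggling them blindly. As an added example (not part of the original thread or of Books Online), the T-SQL below only reports the current state of those options from the documented sys.configurations and sys.databases catalog views and SERVERPROPERTY, so you can see what an application actually depends on before deciding anything. It assumes a SQL Server 2005 or later instance and a login allowed to read server-level metadata (sysadmin or VIEW SERVER STATE); the option names are the real sp_configure names.

```sql
-- Added example, not from the original post: read-only audit of the
-- surface-area options discussed in the reply. Nothing here changes
-- configuration; it only shows what is on so it can be reviewed.

-- Server-wide options. 'Ad Hoc Distributed Queries' is the option that
-- governs OPENROWSET/OPENDATASOURCE. All four default to 0 on SQL 2005.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 0
            THEN 'off (SQL 2005 default)'
            ELSE 'enabled - find out which application needs it' END AS state
FROM sys.configurations
WHERE name IN ('clr enabled',
               'xp_cmdshell',
               'Ad Hoc Distributed Queries',
               'cross db ownership chaining')
UNION ALL
-- Authentication mode: 1 means Windows authentication only, 0 means
-- mixed mode (SQL Server logins such as sa are usable).
SELECT 'Windows authentication only',
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int),
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'Windows auth only'
            ELSE 'mixed mode - review which SQL logins exist and why' END;

-- Cross-database chaining can also be switched on per database, which the
-- server-wide option above does not show. master, tempdb and msdb have it
-- on by default, so only user databases (database_id > 4) are listed.
SELECT name AS database_name, is_db_chaining_on
FROM sys.databases
WHERE database_id > 4
  AND is_db_chaining_on = 1;
```

Run it before and after any change: a row that flips from "enabled" to "off" is exactly the feature an application may silently depend on, which is the trade-off the reply is talking about.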


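The reply's prime example is a web application that logs in with elevated privileges and is open to SQL injection. As an added example (not code from the original post), the T-SQL below shows the two halves of that problem side by side: a procedure that splices caller input into statement text next to the same lookup written with a parameter, and a dedicated application login that can execute the procedure but cannot touch tables or hold sysadmin. The dbo.Customer table, its rows and the WebApp login name are constructed for illustration; the catalog views and statements are real SQL Server 2005 syntax.

```sql
-- Added example, not from the original post. Constructed sample schema:
CREATE TABLE dbo.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100));
INSERT INTO dbo.Customer VALUES (1, N'Alice'), (2, N'Bob');
GO

-- Vulnerable form: @Name becomes part of the statement text, so whatever
-- the web application passes in is executed as T-SQL, with the rights of
-- the login the application uses. Kept here only as the "before" picture.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = N'''
             + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the value is a parameter and is never part of the code.
CREATE PROCEDURE dbo.FindCustomer @Name nvarchar(100) AS
BEGIN
    SELECT CustomerId, Name
    FROM dbo.Customer
    WHERE Name = @Name;
END;
GO

-- If dynamic SQL is genuinely needed (e.g. a variable column to sort by),
-- keep the values parameterized with sp_executesql and whitelist the
-- identifiers with QUOTENAME; only the identifier is ever concatenated.
CREATE PROCEDURE dbo.ListCustomers @SortColumn sysname AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerId', N'Name')
        RAISERROR('Invalid sort column', 16, 1);
    ELSE
    BEGIN
        DECLARE @sql nvarchar(max);
        SET @sql = N'SELECT CustomerId, Name FROM dbo.Customer ORDER BY '
                 + QUOTENAME(@SortColumn);
        EXEC sp_executesql @sql;
    END
END;
GO

-- Least privilege for the application: its own login, mapped to a user
-- that may execute the procedure and nothing else. Even if the application
-- has an injection bug, it cannot reach tables, xp_cmdshell or other
-- databases with these rights. Password value is a placeholder.
CREATE LOGIN WebApp WITH PASSWORD = '<set-a-strong-password-here>', CHECK_POLICY = ON;
CREATE USER WebApp FOR LOGIN WebApp;
GRANT EXECUTE ON dbo.FindCustomer TO WebApp;
GRANT EXECUTE ON dbo.ListCustomers TO WebApp;
GO

-- Check for the "elevated privileges" half of the problem: which logins
-- are members of sysadmin? An application login should not be listed.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

The sysadmin query at the end is the quick check to run against an existing server: an application login appearing there means an injection bug anywhere in that application is a full-server compromise, regardless of how the surface-area options are set.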
