
Securing Your SQL Server Database

Phua Chiu Kiang


MVP SQL Server

Agenda

Top Database Server Threats
Secure the Server
Deprive your Development Account
Prevent SQL Injection
Encrypt Sensitive Information
Protect the Connection Strings

Top Database Server Threats

Secure the Server

Physical security
Protect the file system and backups (a stolen .bak or .mdf is the whole database)
Consider database encryption

Use a firewall
Default port 1433 (TCP); allow only the application hosts to reach it

Reduce the attack surface
Disable unused network protocols and features

Secure the Server

Use Windows Authentication mode
Enforce password policy for SQL logins (CHECK_POLICY / CHECK_EXPIRATION)
SSL network encryption prevents sniffing of logins and data on the wire

Enable auditing (and monitor it!)

Deprive your Development Account

Employ the principle of least privilege
Do not use the sa/sysadmin/dbo account, even during development
"we will fix it before production" (yeah, right)

Create accounts and grant privileges as required

SQL Injection
An attack in which malicious code is passed into strings for SQL Server to execute
The most common form of injection comes from web forms (and query strings)
Affects almost all web and database applications, not just SQL Server

SQL Injection Example 1

strQuery = "SELECT * FROM users WHERE name = '" + userName + "'"

userName = Bill
strQuery = SELECT * FROM users WHERE name = 'Bill'

userName = ' OR 1=1 --
strQuery = SELECT * FROM users WHERE name = '' OR 1=1 --'
(the injected OR makes the WHERE clause true for every row; the trailing -- comments out the closing quote)

userName = x'; SELECT * FROM users; DROP TABLE users;--
strQuery = SELECT * FROM users WHERE name = 'x'; SELECT * FROM users; DROP TABLE users;--'
(SQL Server executes the whole batch, so the attacker runs arbitrary statements with the application's privileges)

Demo #1 SQL Injection

SQL Injection Example 2

QueryString injection
http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT TABLE_NAME, NULL, NULL FROM INFORMATION_SCHEMA.TABLES;--

To determine the number of columns (the UNION must match the column count of the original SELECT):

http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 4 -- (error)
http://petshop.com/Category.aspx?categoryId=Fish' ORDER BY 3 -- (OK: the query returns 3 columns)

To retrieve column names:

http://petshop.com/Category.aspx?categoryId=Fish' UNION SELECT COLUMN_NAME, NULL, NULL FROM INFORMATION_SCHEMA.COLUMNS; --

SQL Injection Mitigation

Follow the Golden Rule - All Input is Evil!
Use parameterized queries (the primary defence)
Filter input strings

    private string SafeSqlLiteral(string inputSQL)
    {
        // Doubles single quotes so the value cannot close a string literal.
        // Only meaningful inside a quoted literal: it does nothing for numeric
        // contexts (categoryId=1 OR 1=1) or identifiers, so treat it as a
        // backstop, not a substitute for parameters.
        return inputSQL.Replace("'", "''");
    }

Use parameters with dynamic SQL (sp_executesql, not EXEC of a concatenated string)
Avoid disclosing error information (generic error pages; log the details server-side)
Use a scanning tool
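The following T-SQL script is an added example, not part of the original slides. It reproduces the string-concatenation pattern of Example 1 and the UNION payload of Example 2 inside the database, next to the sp_executesql form that the "Use parameters with dynamic SQL" bullet recommends, so the two behaviours can be compared side by side. The #users table, its rows and the column names are made up for the demonstration.

```sql
-- Added example: concatenated dynamic SQL (vulnerable) vs. sp_executesql (parameterised).
-- Table and data are constructed for the demo. Written for SQL Server 2005 or later.
SET NOCOUNT ON;

CREATE TABLE #users (id INT, name NVARCHAR(50), password NVARCHAR(80));
INSERT INTO #users (id, name, password) VALUES (1, N'Bill',  N'secret1');
INSERT INTO #users (id, name, password) VALUES (2, N'Alice', N'secret2');

DECLARE @userName NVARCHAR(200);   -- stands in for the value read from the web form
DECLARE @sql      NVARCHAR(MAX);   -- the statement text the application builds
DECLARE @safeSql  NVARCHAR(MAX);   -- constant statement text with a placeholder

-- 1. Vulnerable: the caller's input becomes part of the statement text (Example 1).
SET @userName = N''' OR 1=1 --';   -- the payload  ' OR 1=1 --
SET @sql = N'SELECT id, name FROM #users WHERE name = ''' + @userName + N'''';
PRINT @sql;    -- SELECT id, name FROM #users WHERE name = '' OR 1=1 --'
EXEC (@sql);   -- returns BOTH rows: the WHERE clause has been rewritten

-- 2. Fixed: the statement text never changes; the value travels as a typed parameter.
SET @safeSql = N'SELECT id, name FROM #users WHERE name = @name';
EXEC sp_executesql @safeSql, N'@name NVARCHAR(200)', @name = @userName;
-- returns no rows: no user is literally named  ' OR 1=1 --

-- 3. The UNION technique from Example 2 behaves the same way.
--    Concatenated, it appends the list of tables in the current database
--    to the (empty) user result; parameterised, it is just an unmatched string.
SET @userName = N''' UNION SELECT 0, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES --';
SET @sql = N'SELECT id, name FROM #users WHERE name = ''' + @userName + N'''';
EXEC (@sql);                                                            -- leaks table names
EXEC sp_executesql @safeSql, N'@name NVARCHAR(200)', @name = @userName; -- no rows

DROP TABLE #users;
```

The escaping rule from SafeSqlLiteral would stop both of these particular payloads because they rely on a single quote, but it would not help a numeric parameter such as categoryId=1 OR 1=1; sp_executesql (or SqlParameter in ADO.NET) keeps the value out of the parsed statement regardless of its content.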

Parameterized Query Sample

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Stored procedure call: the form values are bound as typed parameters
    // and never concatenated into SQL text.
    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}

Parameterized Query Sample

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // Inline SQL text with named placeholders: the statement is parsed once,
    // and @id / @pwd are supplied as values, so a quote in txtUserid.Text
    // cannot alter the query. (This sample compares the password as stored;
    // see "Encrypt Sensitive Information" for hashing it instead.)
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT * FROM users WHERE id=@id AND password=@pwd", connection);
    myCommand.SelectCommand.CommandType = CommandType.Text;
    myCommand.SelectCommand.Parameters.Add("@id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@id"].Value = txtUserid.Text;
    myCommand.SelectCommand.Parameters.Add("@pwd", SqlDbType.VarChar, 80);
    myCommand.SelectCommand.Parameters["@pwd"].Value = txtPassword.Text;
    myCommand.Fill(userDataset);
}

Encrypt Sensitive Information

Avoid creating your own encryption code
SQL Server encryption mechanisms:
T-SQL functions (PWDENCRYPT, HASHBYTES)
Asymmetric keys
Symmetric keys
Certificates
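The script below is an added example, not from the original slides, showing the listed mechanisms working together: a certificate protecting a symmetric key, EncryptByKey/DecryptByKey for a value that must be read back, and HASHBYTES with a per-row salt for a password that only ever needs to be verified. The Customers table, the CardCert/CardKey names and the sample values are made up. Two caveats a practitioner should know: PWDENCRYPT is an undocumented, deprecated function and should not be used for application data, and HASHBYTES('SHA2_256') needs SQL Server 2012 or later (earlier versions offer only SHA1/MD5). A single SHA-256 over salt+password is far better than storing plaintext, but it is fast to brute-force; a deliberately slow password hash belongs in the application tier.

```sql
-- Added example: symmetric-key encryption and salted hashing in SQL Server.
-- Names, table and data are constructed for the demo; the master key password
-- is a placeholder. Run in a throwaway database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passphrase-1!';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number encryption';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;   -- the key is only usable by principals who can open the certificate

CREATE TABLE Customers (
    id          INT IDENTITY PRIMARY KEY,
    name        NVARCHAR(50),
    card_no_enc VARBINARY(8000),   -- EncryptByKey output (IV + ciphertext), never the plaintext
    pwd_salt    VARBINARY(16),     -- random per-row salt
    pwd_hash    VARBINARY(32)      -- HASHBYTES('SHA2_256', salt + password)
);

-- Store a customer: encrypt what must be recoverable, hash what must not be.
DECLARE @salt VARBINARY(16);
SET @salt = CAST(NEWID() AS VARBINARY(16));   -- NEWID() as a simple per-row random value

OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO Customers (name, card_no_enc, pwd_salt, pwd_hash)
VALUES (N'Bill',
        EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'),
        @salt,
        HASHBYTES('SHA2_256', @salt + CAST(N'correct horse' AS VARBINARY(160))));
CLOSE SYMMETRIC KEY CardKey;

-- Verify a login attempt: recompute the hash with the stored salt and compare.
-- Nothing is decrypted, and the submitted password is never stored.
DECLARE @attempt NVARCHAR(80);
SET @attempt = N'correct horse';
SELECT name,
       CASE WHEN pwd_hash = HASHBYTES('SHA2_256', pwd_salt + CAST(@attempt AS VARBINARY(160)))
            THEN 'password ok' ELSE 'password wrong' END AS login_result
FROM Customers
WHERE name = N'Bill';

-- Read the card number back: requires opening the key, i.e. rights on CardCert.
-- A login that can only SELECT from Customers sees ciphertext.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT name, CAST(DecryptByKey(card_no_enc) AS NVARCHAR(20)) AS card_no
FROM Customers;
CLOSE SYMMETRIC KEY CardKey;

-- Cleanup
DROP TABLE Customers;
DROP SYMMETRIC KEY CardKey;
DROP CERTIFICATE CardCert;
DROP MASTER KEY;
```

Back up the master key and certificate (BACKUP MASTER KEY / BACKUP CERTIFICATE) as soon as they are created: a restored database without them contains card numbers nobody can decrypt.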

Protect your connection strings!

Encrypt the connectionStrings section of web.config with the .NET Protected Configuration tool:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -pef "connectionStrings" "C:\Microsoft .NET Pet Shop\Web"

-pef encrypts the named section in place; -pdf reverses it. ASP.NET decrypts the section transparently at runtime, so application code is unchanged. The default RSA provider uses a machine-level key container, so run the command on the server that hosts the site (or export/import the container with -px/-pi) and grant the application pool identity read access to it with aspnet_regiis -pa.

Demo #2 SQL Server Encryption

Thank You Q&A
