As Redmond's flagship RDBMS solution, SQL Server provides the underlying data platform for a broad range of Microsoft enterprise solutions, from SharePoint to BizTalk Server. This, of course, makes bolstering SQL Server security a critical necessity for protecting MS-centric infrastructures against attackers. To this end, the following are 11 ways to harden MS SQL Server 2008 security.
Table of contents
- Disable the \BUILTIN\Administrators account for stronger security
- Create security groups for making specific modifications to SQL Server 2008
- Use non-default TCP/IP ports for accessing SQL Server 2008
- Only install the required SQL Server 2008 components and uninstall those not in use
- Disable the xp_cmdshell option
- Disable either Named Pipes or TCP/IP for connecting to SQL Server 2008
- Install SQL Server Reporting Services (SSRS) and the database server on separate servers
- Disable the SQL Server VSS Writer service
- Disable (or leave disabled) the SQL Server Browser service
- Disable or rename the Guest database user
- Remove all sample databases
1. Disable the \BUILTIN\Administrators account for stronger security
For starters, the \BUILTIN\Administrators account should be deleted and the system administrator (sa) account should be disabled. In general, system administrator privileges should be heavily restricted; instead, use server roles to give privileged users the necessary permissions to perform specific server-level tasks.
2. Create security groups for making specific modifications to SQL Server 2008
Individual user accounts should never be granted access to SQL Server. Instead, first create security groups in Active Directory (AD) for specific servers and permission sets. Individual user accounts should then be added to the appropriate groups as required.
3. Use non-default TCP/IP ports for accessing SQL Server 2008
Default TCP/IP ports are commonly known—and highly exploitable—by remote attackers. For example, SQL Server 2008 listens for incoming connections on TCP port 1433 by default. This and other open ports for database access should therefore be obscured with non-conventional port numbers.
4. Only install the required SQL Server 2008 components and uninstall those not in use
SQL Server 2008 contains a plethora of useful but mostly unnecessary components that increase the overall attack surface. Such items should therefore be uninstalled or skipped altogether during the initial installation. They can always be installed later, if needed. The SQL Server Analysis Services (SSAS), SQL Server Integration Services (SSIS), and the Full-Text Engine/Filter Daemon Launcher are a few examples of such components.
5. Disable the xp_cmdshell option
This option is disabled by default, but you should nonetheless verify that this is always the case. Any Windows process spawned by xp_cmdshell gains the same security rights as the SQL Server service account.
6. Disable either Named Pipes or TCP/IP for connecting to SQL Server 2008
That is, choose one or the other for connecting to the database, but not both. Select the protocol that best suits your needs and disable the other, as you'll only need one for connecting to SQL Server 2008.
7. Install SQL Server Reporting Services (SSRS) and the database server on separate servers
SSRS provides the full functionality of the report server through the Report Server Web service, which unfortunately leaves a gaping hole in your database's security layer. By keeping SSRS and the database server separate, you effectively close off this attack vector.
8. Disable the SQL Server VSS Writer service
The Volume Shadow Copy Service (VSS) is the only service that uses the VSS Writer service, so unless you're using applications that employ VSS to back up SQL databases, you can (and should) safely disable the VSS Writer service to eliminate related attack vectors.
9. Disable (or leave disabled) the SQL Server Browser service
This service responds to SQL Server resource requests with the correct port in question. Again—as with item #3—obscuring ports is a key strategy for hardening MS SQL Server 2008. The SQL Server Browser service isn't usually required and should be disabled to hide ports related to SQL Server components.
10. Disable or rename the Guest database user
SQL Server 2008 databases include a Guest database user that cannot be dropped. This account serves as a sort of general user for logins that are not mapped to a specific database user. Because it exists by default and cannot be removed, it should be renamed or disabled to prevent exploitation.
11. Remove all sample databases
Sample databases (e.g., Northwind and Pubs) that come pre-installed with SQL Server 2008 are entirely unnecessary and should be dropped to eliminate the possibility of exploitation.
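Items 1, 5, 10 and 11 can be checked from T-SQL through the server's catalog views. The script below is an added example, not part of the original checklist: it is read-only, assumes it is run by a login that can see all logins and open every user database (for example a sysadmin), and the table variable and its column names are illustrative. Each row gives the check, a PASS or FAIL status, and the statement that would remediate a FAIL.

```sql
-- Added audit example: reports findings only; it changes no settings.
SET NOCOUNT ON;
DECLARE @findings TABLE (item int, check_name nvarchar(200), status varchar(4), remediation nvarchar(400));

-- Item 1: the BUILTIN\Administrators login should not exist.
INSERT INTO @findings
SELECT 1, N'BUILTIN\Administrators login removed',
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
            THEN 'FAIL' ELSE 'PASS' END,
       N'DROP LOGIN [BUILTIN\Administrators];';

-- Item 1: sa is matched by its fixed SID (0x01), so a renamed sa is still found.
INSERT INTO @findings
SELECT 1, N'sa login disabled',
       CASE WHEN is_disabled = 1 THEN 'PASS' ELSE 'FAIL' END,
       N'ALTER LOGIN ' + QUOTENAME(name) + N' DISABLE;'
FROM sys.server_principals WHERE sid = 0x01;

-- Item 5: value_in_use is the running setting, not just the configured one.
INSERT INTO @findings
SELECT 5, N'xp_cmdshell disabled',
       CASE WHEN CONVERT(int, value_in_use) = 0 THEN 'PASS' ELSE 'FAIL' END,
       N'EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE;'
FROM sys.configurations WHERE name = N'xp_cmdshell';

-- Item 10: guest (principal_id 2) is disabled when it holds no CONNECT permission.
-- System databases (database_id <= 4) are skipped; guest must stay enabled in master and tempdb.
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql
     + N'SELECT 10, N''guest CONNECT revoked in '' + DB_NAME(' + CONVERT(nvarchar(10), database_id) + N'),'
     + N' CASE WHEN EXISTS (SELECT 1 FROM ' + QUOTENAME(name) + N'.sys.database_permissions'
     + N' WHERE grantee_principal_id = 2 AND permission_name = N''CONNECT'' AND state IN (''G'', ''W''))'
     + N' THEN ''FAIL'' ELSE ''PASS'' END,'
     + N' N''USE '' + QUOTENAME(DB_NAME(' + CONVERT(nvarchar(10), database_id) + N')) + N''; REVOKE CONNECT FROM guest;'';'
FROM sys.databases WHERE database_id > 4 AND state = 0;  -- state 0 = ONLINE
IF @sql <> N'' INSERT INTO @findings EXEC (@sql);

-- Item 11: the sample databases named in this article; no row means none were found.
INSERT INTO @findings
SELECT 11, N'sample database ' + name + N' removed', 'FAIL', N'DROP DATABASE ' + QUOTENAME(name) + N';'
FROM sys.databases WHERE name IN (N'Northwind', N'pubs');

SELECT item, check_name, status, remediation FROM @findings ORDER BY item, check_name;
```

The remaining items (ports, protocols, installed components and Windows services) are configured outside the database engine and are not visible to this query.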
In short, these 11 hardening tips can set you off on the right track towards making your SQL Server 2008 more resilient to cyber attacks. If you're looking for a way to automatically scan for these vulnerabilities and more in your Windows environment, look no further—UpGuard can do this automatically with a few mouse clicks. Give it a test drive today; the first 10 nodes are on us.