SQL Server Security Checklist


This checklist provides the bare minimum security requirements you should consider when installing a new SQL Server. These requirements are important in protecting data and preventing data breaches. It covers the guidelines and recommendations that I use, focused on four main areas: Physical, Operating System, User Configuration and SQL Server Configuration.

Physical Security

Securing the hardware that runs a SQL Server database is critical. In today’s technological landscape, organizations are moving to cloud services, making it less critical to worry about physically securing servers in data centers. For those that still have servers on premises, the servers and infrastructure need to be secured.

    1. Limit the number of people who have access to the physical Server.
      1. Hardware should be stored in a secured room
      2. Access to the room should be controlled and monitored
      3. Access should be limited to only authorized personnel
    2. Store backup media offsite at a secure location
      1. SQL Server backups should be stored internally and offsite for increased security. (Life happens; be prepared.)
    3. Configure alerts for hardware warnings
      1. Hardware alerts should be set up and reviewed for action
      2. Log these errors for action and remediation, and revisit them as often as necessary.

Securing the Operating System

  1. Ensure cumulative updates and operating system patches are installed.
    1. Create a process to routinely test and install critical updates.
    2. Subscribe to Security publications and alerts
      1. US Computer Emergency Readiness Team (United States Government)
      2. Microsoft Security Response Center (MSRC) blog (Microsoft)
      3. Security Update Release (Microsoft)
  2. Configure Firewall
    1. These configurations vary based on the needs of the organization and can be hardware or software.
    2. Windows has a software firewall that can be used.
  3. Limit the number of accounts that are Windows Administrators with access to SQL Server
    1. Best practice is to limit access to only the people who need it.
    2. Access through VMware and Remote Desktop Services should be included in this consideration.
    3. Consider limiting access to SQL Server Admins and Network Admins.

SQL Server Install

There are a number of security threats exposed by improperly set up SQL Servers. When setting up new SQL Servers, consider the following guidelines.

  1. Install only required components
  2. Install SQL Server service packs and fixes
  3. Disable unused features
  4. Disable unused SQL Server protocols
  5. Change SQL default port configurations
  6. Disable the SQL Server Browser service
  7. Restrict SQL Server data file and configuration access
  8. Enable TDE
  9. Revoke execute rights from the public role on extended stored procedures
    1. Extended stored procedures are a deprecated feature of SQL Server
    2. Prevent applications from running these extended stored procedures:
      1. xp_availablemedia
      2. xp_dirtree
      3. xp_enumgroups
      4. xp_fixeddrives
      5. xp_regaddmultistring
      6. xp_regdeletevalue
      7. xp_regenumvalues
      8. xp_regremovemultistring
      9. xp_regwrite
      10. xp_regread
      11. xp_servicecontrol
      12. xp_subdirs
  10. Disable xp_cmdshell
    1. This allows bat files to be called from SQL Server

User Account Level Security

Pay close attention to administrator and service accounts. These are privileged accounts, and if they are not handled properly they can lead to data being compromised.

  1. Disable and rename the SA account
    1. This aids in preventing unauthorized access through this well-known admin account
  2. Remove the BUILTIN\Administrators group from SQL Server Logins
    1. This follows the principle of least privilege
  3. Use Windows Integrated Authentication
    1. Check using the Server Properties
  4. Administrators need named logins; do not allow shared logins
    1. Following this allows identification of those making DB changes
    2. Accurate account listing.
  5. All user account access should be controlled by Active Directory.
    1. Do not create SQL Server Logins
    2. Using AD allows granting access via AD Groups and Group Policy
  6. Enable Login Auditing
    1. Audit Failed and Success Login Attempts
    2. Review these logs regularly for intrusion attempts
  7. Service Accounts
    1. Should be configured with Least Privilege
    2. Create descriptive names and descriptions for any accounts
    3. Require a complex password policy and enforce it
  8. User account permissions
    1. Assign each user the minimum rights needed to do their job
    2. Document all user accounts with elevated permissions
    3. Document managerial approvals for all accounts with elevated permissions.
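
Several items from the SQL Server Install and User Account Level Security lists can be verified with a read-only T-SQL audit. The script below is an added example, not part of the original checklist; the check names and PASS/FAIL labels are illustrative, and it assumes a login that can view server-level metadata (for example a sysadmin).

```sql
-- Added example: read-only audit of several checklist items. Nothing is changed.
-- Each row reports PASS or FAIL for one item.
SELECT 'xp_cmdshell disabled' AS check_name,
       CASE WHEN CONVERT(int, value_in_use) = 0 THEN 'PASS' ELSE 'FAIL' END AS result
FROM sys.configurations
WHERE name = 'xp_cmdshell'
UNION ALL
-- The built-in sa login always has SID 0x01, even after it is renamed.
SELECT 'sa disabled and renamed',
       CASE WHEN is_disabled = 1 AND name <> 'sa' THEN 'PASS' ELSE 'FAIL' END
FROM sys.server_principals
WHERE sid = 0x01
UNION ALL
SELECT 'BUILTIN\Administrators login removed',
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                         WHERE name = N'BUILTIN\Administrators')
            THEN 'FAIL' ELSE 'PASS' END
UNION ALL
-- IsIntegratedSecurityOnly = 1 means Windows Authentication mode only.
SELECT 'Windows Authentication only',
       CASE WHEN CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly')) = 1
            THEN 'PASS' ELSE 'FAIL' END
UNION ALL
-- One row per user database (database_id > 4 skips the system databases).
SELECT 'TDE enabled: ' + name,
       CASE WHEN is_encrypted = 1 THEN 'PASS' ELSE 'FAIL' END
FROM sys.databases
WHERE database_id > 4;

-- Extended stored procedures from the checklist that public can still execute.
-- An empty result means EXECUTE has been revoked on all of them.
SELECT o.name AS extended_procedure, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.all_objects AS o ON o.object_id = p.major_id
WHERE p.class = 1                          -- object-level permission
  AND p.type = 'EX'                        -- EXECUTE
  AND p.state IN ('G', 'W')                -- GRANT or GRANT WITH GRANT OPTION
  AND p.grantee_principal_id = 0           -- the public role
  AND o.type = 'X'                         -- extended stored procedure
  AND o.name IN ('xp_availablemedia', 'xp_dirtree', 'xp_enumgroups',
                 'xp_fixeddrives', 'xp_regaddmultistring', 'xp_regdeletevalue',
                 'xp_regenumvalues', 'xp_regremovemultistring', 'xp_regwrite',
                 'xp_regread', 'xp_servicecontrol', 'xp_subdirs');
```

Any FAIL row, or any row returned by the second query, points at a checklist item that still needs attention on that instance.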

Thank you for reading. If you haven’t subscribed, do it now or drop a comment.

