Home >> System Security >> Hardening Database MSSQL server

Introducion

Hi everybody in this tutorial i will help you how to config security for MSSQL, i will illustraction step by step for you easy follow.

1. Secure Version Requirement

– Risk: Using old MSSQL versions has risks of escalating privilege, or get ”sa” account or even take control over the server.
– Solution: Install the latest MS SQL Server service packs and updates: if using SQL Server 2012 require SP1 or later; or if using SQL Server 2008 require SP3 or later, or using SQL Server 2005 require SP4 or later.
Step 1: Access Update Center for Microsoft SQL Server page in url: http://technet.microsoft.com/en-us/sqlserver/ff803383.aspx
Step 2: Select the update of installed version to download and then install it.

mssql hardening 1

2. Create new user running MSSQL Service

Step 1: Right Click on My Computer icon -> Manage -> Local Users and Groups. Right click on Users then select New User.

mssql hardening 2

Step 2: In New User window, create user name, pasword, and uncheck at User must change password at next logon, and check at User cannot change password và Password never expires.

mssql hardening 3

Step 3: Remove the user which you have just created in Users group.

mssql hardening 4

Step 4: Click Start -> All Programs -> Microsoft SQL Server -> Configuration Tools -> SQL Server Configuration Manager.
Step 5: Select SQL Server Services -> Right click on SQL Server and select Properties.

mssql hardening 5

Step 6: Select the user which you have just made to run MS SQL service.

mssql hardening 6

3. Remove unused databases and accounts

Step 1: To remove unused databases: Open Microsoft Server Management Studio, then delete all unnecessary databases.

mssql hardening 7

Step 2: To remove unused accounts: Open Microsoft Server Management Studio, in Security section -> Logins, delete all unnecessary accounts.

mssql hardening 8

4. Apply strong password policy for database accounts

Step 1: Go to Run then type gpedit.msc, select Computer Configuration -> Security Settings -> Accounts Policies -> Password Policy, then set Minimum password length with 8, and Enable Password must meet complexity requirement as follow:

mssql hardening 9

Step 2: Apply password policy of Windows for all accounts of SQL Server:

Open SQL Server Management Studio -> Security -> Right click on Logins then select New Login -> create new user with Enforce password policy.

mssql hardening 10

5. Grant Least Privilege to accounts of MS SQL

Step 1: Map database to corresponding user: Open SQL Server Management Studio -> Security -> Logins -> Right click on the user who is allowed to connect with this database then select Properties -> General -> Default database -> Select corresponding database.

mssql hardening 11

Step 2: To grant privilege, we open User Mapping: Select database which user have privilege to manipulate as follow:

mssql hardening 12

Step 3: Only grant least privilege to account with SELECT, UPDATE, INSERT.
Right click on the database -> Select Properties -> Permissions -> Select proper account -> select SELECT, UPDATE, and INSERT.

mssql hardening 13

Step 4: Check the privileges of account by clicking on Effective tab.

mssql hardening 14

6. Minimize the accessing database scope

Objective: Using Windows firewall to restrict connections from unnecessary hosts.

Step 1: Open Windows Firewall with Advanced Security by launching Control Panel -> System and Security -> Windows Firewall. To create new inbound rule: Advanced settings -> Inbound Rules -> New Rule -> select port in Rule Type -> Select TCP and Specific local ports is 1433 -> Allow the connection -> It is easy to review this rule by creating a rule name -> Finish.

mssql hardening 15

Step 2: Right click on the rule which has just been created, then select Properties -> Add allowed IP addresses in Remote IP address of Scope tab -> OK.

mssql hardening 16

mssql hardening 17

7. Turn off xp_cmdshell

– Risk: While xp_cmdshell is enabled, accounts can execute OS commands and then take control over the server.
– Solution: Disable xp_cmdshell.
To disable xp_cmdshell run SQL commands as follow:

mssql hardening 18

8. Log all failed connections to MS SQL.

Objective: For tracking when SQL Server has problem.
Step 1: Open SQL Server Management Studio -> Properties

mssql hardening 19

Step 2: Security -> In Login Auditing, select Both failed and successfull logins or Failed Logins only.

mssql hardening 20

the author

3Comments

  1. www.bing.com says:

    You made some good points there. I did a search on the subject and found most people will
    agree with your website.

  2. bing.com says:

    I am curious to find out what blog system you are using?

    I’m having some small security problems with my latest blog and
    I’d like to find something more risk-free.
    Do you have any solutions?

Leave a Reply

Your email address will not be published. Required fields are marked *

Top