Novick Software SQL Server Consulting Design Programming Training  


SQL Server Security Consulting

SQL Server Security Implementation

SQL Server functions as the backend database for many applications on the web.  The coding of these applications leaves SQL Server vulnerable to attack, particularly by SQL Injection and cross site scripting. It doesn't matter much what the front end development tool is: vulnerabilities are found in ASP.Net, PHP, Ruby, Java and others.  Classic ASP is particularly vulnerable, as the numbers show.

Security consulting begins by examining the degree of vulnerability in the front end application based on:

  • The development tools used

  • Specific coding technology, such as SQL commands and stored procedures.

  • Use of dynamic SQL and the source of the dynamic SQL.  Is it in the stored procs?  In the UI layer?

  • Degree of protective measures employed

The next level is the degree of security used in the application connection to SQL Server:

  • Windows Integrated Security vs SQL Logins

  • Kerberos vs NTLM and the number of hops

  • Password requirements or other measures

  • Use of SSL for the full conversation with SQL Server. 

Next comes the security practices employed within the SQL Server.  Here I use the Microsoft guidance supplemented with my own list.

  • Removal of default accounts such as BUILTIN\Administrators, guest, etc.

  • Minimizing the surface area of SQL Server by disabling services that are not in use

  • Minimizing the surface area of SQL Server by disabling features that are not in use.

  • Turning off xp_cmdshell and COM activation extended stored procs.  Alternatives must be found for the vulnerable features that are actually used.

  • Many more....
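As an added illustration of the checklist items above (this script is not from the page or from Novick Software), the following T-SQL audits the surface-area options, turns off xp_cmdshell and the OLE Automation (COM) procedures, lists the BUILTIN\Administrators login, and generates REVOKE statements for the guest user in user databases. It assumes SQL Server 2005 or later and a login in the sysadmin role.

```sql
-- Added example, not the page's own code. Assumes SQL Server 2005+ and sysadmin rights.
SET NOCOUNT ON;

-- 1. Report the risky server options named in the checklist and whether each is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'remote access')
ORDER BY name;

-- 2. Turn off xp_cmdshell and the COM activation (OLE Automation) procedures.
--    'show advanced options' must be on to change these two; turn it back off after.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Show the default administrative login the checklist says to remove.
--    Dropping it is left as a manual step: first confirm another sysadmin login
--    exists, then run  DROP LOGIN [BUILTIN\Administrators];
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = 'BUILTIN\Administrators';

-- 4. Build REVOKE CONNECT statements for the guest user in every online user
--    database where it can still connect (master, tempdb and msdb keep guest).
DECLARE @sql nvarchar(max);
SET @sql = N'';
SELECT @sql = @sql + N'USE ' + QUOTENAME(name) + N';
IF EXISTS (SELECT 1 FROM sys.database_permissions p
           JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
           WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT'' AND p.state = N''G'')
    REVOKE CONNECT FROM guest;
'
FROM sys.databases
WHERE name NOT IN ('master', 'tempdb', 'msdb') AND state_desc = 'ONLINE';

PRINT @sql;   -- review the generated batch, then run EXEC sp_executesql @sql; to apply it
```

The script prints the guest-user changes rather than applying them so they can be reviewed per database before execution.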

Encrypting sensitive data is a regulatory requirement in almost every case.  Using SQL Server's column level encryption it is possible to encrypt data.  If the application is difficult or impossible to change, it can even be done without application changes and without using Transparent Database Encryption (TDE), which is expensive in both licensing cost (Enterprise Edition only) and hardware costs due to its near 100% CPU overhead.  Of course, once encryption is employed a set of key management practices must be put into place.

Finally, factors that are unique to each site must be taken into account.  The most cost-effective fixes are chosen, and then the fixes are applied.

If you're looking for this type of help, please call Andrew Novick at 978-440-8126 or email anovick @ novicksoftware.com

Look here for information on other Novick Software projects.
