Brian Kelley on Security at SQL Server Connections

Random notes from Brian Kelley’s security talk. Brian spent a number of years working a a security guy for a bank in the Windows and infrastructure teams.

Networking, the UDP port is 1434. This is the listener and browser for SQL.

Default Tcp1433 is the default port for SQL. What about TCP 2433? In SQL Server 2000, the “hide my server” button moved the listener to 2433.

If you are a worthwhile target, a hacker might take weeks to dig through the access points for your servers.

Those hallways conversations matter. You never know when someone is actively listening to get information about your internal systems. Tom Clancy is a perfect example. “The Hunt for Red October” contained a lot of classified information about submarines, Mr. Clancy was questioned by the CIA to determine how he learned things. He did a lot of research, listened a lot around personnel and put various pieces of information together to understand how submarines work,

These are hacking tools and you should use them with caution and with permission in your organization. use them carefully.
Nmap is a port scanner.
Quest’s Discovery Wizard – will find sql servers
SQL Ping – similar to the Discovery Wizard
Perl, Python, PowerShell scripting
Nessus and other scanners

What do you check? Blank sa or simple sa password. Using “sa”, “dba”, “password” or anything like this is a problem, once someone can get into one server, they often jump to another one,

What was the last SQL server vulnerability? I didn’t remember, but Brian told us it was MS09-004, which affected SQL Server 2000 SP4 and SQL Server 2005 SP2. It allowed access through a replication extended stored procedure.

People hop from server to server, so it’s a good reason to have separate service accounts for each instance.

The standard hacker methodology is to find a weak point, attach, and then expand your attack. Move from machine to machine, or grow to more privileged accounts. This is why you need to provide a series of barriers, enforce auditing, and be diligent on vulnerabilities.

Third party apps are a problem, often with weak passwords, sometimes stored on the file system, if someone can get that file, they can attack your sql server.

Lots of scary stuff. It paints a picture that makes it seem like you cannot protect your serveres. After 45 minutes of scary ways to attack, Brian goes into a series of ways to protect your servers. Firewall your servers at the network layer, and remember to cover domain controllers, backup servers, dns servers, and other servers that your sql server might talk to.

A intrusion detection system behind your firewall is a good idea.

Most issues come from user workstations. Limit the accesss their systems have to the server, remove netbios, file shares, etc.

Pen test your systems. Run real world tests. Watch out for maintenance crews, cleaning crews, weekend open doors, etc. Watch out for backup tapes. They are a source of vulnerability. Data center tours are an issue, if you have a large data center.

Watch out for open sessions, remaining logged in, your password is in memory and if someone can get to the server, they can get logged in users’ passwords.

SQL Server and Windows 2008 are much more secure. Many of the known vulnerabilities from the past will not work. A good reason to upgrade past 2003/2005.

Overall i think that a good firewall protects most of your systems, but there is s lot of education needed among both administrators and non IT people to keep secrets secret, be aware of conversations away from your office, and dont take shortcuts, most security isn’t hard. It might be a pain, but often putting up with a little inconvenience can greatly increase your security.

About way0utwest

Editor, SQLServerCentral
This entry was posted in Blog and tagged , , . Bookmark the permalink.