Sunday, October 18, 2009

Doing SQL Hardening

Many times I have noticed that people are totally clueless about how to do SQL database hardening, so I am writing a small guide for it. Now, I am not an expert in SQL hardening, but people say that I do good SQL hardening, so here is a guide.

If you want to try it then try it, otherwise don't. As simple as that.

Now, first, there are two options:

1) Understand how SQL Server works: its software and hardware requirements, its functionality, and so on.

2) Directly do SQL hardening.

We will go directly to SQL hardening, because if you are at the level of doing hardening it means you already know how SQL Server works, so why waste time?

So, starting with SQL database hardening:

We are taking SQL Server 2005 as the example.

Rule 1:

DO NOT JUST GO TO THE INTERNET AND DOWNLOAD ANY RANDOM CHECKLIST. THERE ARE SOME RULES FOR HARDENING, AND THEY GO FOR ALL OF IT: WINDOWS, ROUTERS, DATABASES, EVERYTHING.

SO, TO START WITH:

Divide all the rules into groups. To create the groups, just think; it's simple.

Think about it...


So for SQL Server the groups will be:

1) Access Controls
2) Account & Passwords
3) Auditing & Monitoring
4) Backup & Restore
5) Capacity Planning
6) Documentation
7) Encryption
8) Fault Tolerance
9) File Permissions
10) Local and Remote Settings
11) Updates and Patches
12) User Privileges

Now evaluate your settings against the best practices described for each and every group in the security configuration guidance available for SQL Server.

For example, as per best practices:

1) Access Controls

SQL Server 2005 should be configured to use the Windows Authentication method to authenticate users.
A firewall or other access control mechanism should be installed to control access to MS SQL Server 2005.
SQL Server should be installed on a server which is not a Domain Controller.
MS SQL Server 2005 should be configured to use the Windows Authentication method to authenticate replication agents.

2) Account & Passwords

The MS SQL Server 2005 administration login ("sa") should have a hard-to-guess password.
Granting of administrative privileges to MS SQL Server 2005 through database roles should follow the "least privilege principle".
Granting of administrative privileges on MS SQL Server 2005 through server roles should follow the "least privilege principle".

3) Auditing & Monitoring

MS SQL Server's auditing feature should be enabled.
SQL Server audit logs should be checked regularly.
A retention period should be defined for MS SQL Server 2005 audit log files.

And so on.
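To show what "evaluate your settings" looks like in practice, here is a read-only T-SQL script that reports on several of the checks listed above (authentication mode, the state of "sa", who holds admin roles, the login audit level, and the patch level). It is an example added to this post, not part of the author's checklist. It assumes SQL Server 2005, a sysadmin session in SSMS, and that `xp_instance_regread` (a long-standing but undocumented extended procedure) is available; the `check_name` labels are my own.

```sql
-- Added example: read-only audit of a few SQL Server 2005 hardening checks.
-- Not the author's checklist; run as sysadmin, nothing here changes a setting.
SET NOCOUNT ON;

-- 1) Access Controls: 1 = Windows Authentication only, 0 = mixed mode
SELECT 'Auth mode (1 = Windows only)' AS check_name,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS value;

-- 2) Accounts & Passwords: state of the built-in "sa" login (its sid is 0x01)
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2) Accounts & Passwords: every member of the high-privilege server roles
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 2) Accounts & Passwords: db_owner members in the current database
SELECT r.name AS database_role, m.name AS member
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner';

-- 3) Auditing & Monitoring: login audit level from the instance registry key
--    0 = none, 1 = successful logins, 2 = failed logins, 3 = both
DECLARE @audit_level int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit_level OUTPUT;
SELECT 'Login audit level (3 = success and failure)' AS check_name,
       @audit_level AS value;

-- 11) Updates and Patches: build number and service pack level
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)) AS product_version,
       CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(128)) AS product_level;
```

Run it once per instance and once per database for the `db_owner` query (it reads the current database). Compare each result set against the best-practice statement for its group; anything that differs becomes a line item in your hardening plan.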

Obviously I am not going to give the entire checklist away for free. I have given the important steps; now you just need to find the security controls which fit in those groups.

Word of Caution: "Many times SQL Server is loaded with lots of data and is used by many clients, so before doing SQL hardening take a backup, sit with the administrator, take downtime, and verify that the hardening is not affecting any of the connected clients. Write down each and every step so you can undo it if required."
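One way to follow the "write down each and every step so you can undo it" rule is to make every change script record the previous value and the exact statement that reverts it. The script below is an example added to this post, not the author's procedure. The log table name `dbo.hardening_log` and the choice of the `remote access` option (from the "Local and Remote Settings" group) are my assumptions; any `sp_configure` option can be handled the same way.

```sql
-- Added example: apply one sp_configure change, logging the old value and an undo statement first.
-- Table name and the chosen setting are assumptions for this post.
USE master;
GO
IF OBJECT_ID('dbo.hardening_log') IS NULL
    CREATE TABLE dbo.hardening_log (
        id         int IDENTITY(1,1) PRIMARY KEY,
        changed_at datetime      NOT NULL DEFAULT GETDATE(),
        setting    sysname       NOT NULL,
        old_value  int           NOT NULL,
        new_value  int           NOT NULL,
        undo_sql   nvarchar(400) NOT NULL   -- statement that restores old_value
    );
GO
DECLARE @setting sysname, @old int, @new int;
SET @setting = N'remote access';   -- 0 = disallow remote stored procedure execution
SET @new = 0;

-- Record the running value before touching anything
SELECT @old = CAST(value_in_use AS int)
FROM sys.configurations
WHERE name = @setting;

IF @old <> @new
BEGIN
    -- Log first, so the undo exists even if the change itself fails
    INSERT INTO dbo.hardening_log (setting, old_value, new_value, undo_sql)
    VALUES (@setting, @old, @new,
            N'EXEC sp_configure N''' + @setting + N''', '
            + CAST(@old AS nvarchar(10)) + N'; RECONFIGURE;');

    EXEC sp_configure @setting, @new;
    RECONFIGURE;
END
GO
-- Review every change made so far, with the exact statement that reverts each one
SELECT changed_at, setting, old_value, new_value, undo_sql
FROM dbo.hardening_log
ORDER BY id;
GO
```

If a client breaks after the downtime window, the `undo_sql` column is the rollback: copy the statement for that row and run it. Keeping the log inside `master` means it survives alongside the settings it describes, and it doubles as the written record the administrator asked for.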
