ITIC Microsoft SQL Server Windows Server Security Paper Final Version

INFORMATION TECHNOLOGY
INTELLIGENCE CONSULTING
SQL Server 2008 R2 and

Windows Server 2008 R2
Deliver
Industry-Leading Security
January 2011
Copyright 2010, Information Technology Intelligence Corp. (ITIC) All rights reserved.
Other products and companies referred to herein are trademarks or registered trademarks of their respective companies or mark holders.
Executive Summary...................................................................................................3
Introduction..............................................................................................................8
Data & Analysis....................................................................................................... 10
SQL Server Takes Broad, Deep Security Focus ....................................................... 10
Windows Server Security Steps Up........................................................................ 10
Hardening Windows ......................................................................................... 11
Security Intelligence Report (SIR) ..................................................................... 16
SQL Server Security Step-by-Step ......................................................................... 16
SQL Server Security Enhancements....................................................................... 17
Stronger Security = Lower TCO, Faster ROI .......................................................... 19
SQL Server Security: Define Your Business Goals ................................................... 20
SQL Server Security: Users Weigh In .................................................................... 22
Conclusions ............................................................................................................ 24
Recommendations................................................................................................... 26
Appendices ............................................................................................................. 27
Links ................................................................................................................... 28
Government Sites with SQL Server-Related Content ............................................... 28
Microsoft SQL Server Sites ................................................................................... 28
Third-Party SQL Server Sites ................................................................................ 29
Microsoft Windows Server Sites ............................................................................ 30
SQL Server Security Best Practices ........................................................................ 31
Windows Server Security Best Practices ................................................................ 32
Methodology ....................................................................................................... 33
Survey Demographics ....................................................................................... 34
Copyright 2011 Information Technology Intelligence Consulting (ITIC). All rights reserved.
Page 2
Executive Summary
By Laura DiDio
This January marked the ninth anniversary of the launch of Microsofts Trustworthy Computing
Initiative. At that time Microsoft halted all new code development in order to solidify and harden
security across its product lines.
Microsofts ongoing Trustworthy Computing Initiative has resulted in tangible gains in the
security and overall reliability and performance of its products most notably two of its core
platforms: SQL Server and Windows Server. The enhanced security and strong synergies
between the underlying Windows Server 2008 R2 Operating System and the SQL Server 2008
R2 database platform provides organizations with arguably the most reliable and secure
operating environment in the history of these solutions.
Separately and in combination, SQL Server 2008 R2 and Windows Server 2008 R2 deliver best
in class security. This in turn bolsters and enhances the overall performance and reliability of
both platforms.
The results of ITICs latest 2010-2011 Global Server Hardware and Server OS Reliability survey
indicated that organizations of all sizes and across all vertical markets feel that it is important to
monitor the Server Operating System and the associated Server-based line of business (LOB)
applications for vulnerabilities. A 51 percent majority of businesses feel that the security of the
OS has an impact on the overall security and reliability of the network. Specifically, 60 percent
of respondents indicated they place equal importance on monitoring the vulnerabilities of all
network components followed by 56 percent that rated the OS as crucial and 42 percent that say
they feel the security of their databases and other main LOB applications are pivotal to the
overall security of their network computing environments.
Since 2002, Microsofts SQL Server has compiled an enviable record. It is the most secure of
any of the major database platforms. SQL Server has recorded the fewest number of reported
vulnerabilities just 49 from 2002 through 2010 of any major database. These statistics
were compiled independently by the National Institute of Standards and Technology (NIST), the
government agency that monitors security vulnerabilities by technology, vendor, and product
(see Exhibit 1). In 2010, SQL Server compiled a perfect record no security vulnerabilities
were recorded by NIST CVE.
Page 3
Exhibit 1. NIST Statistics Show SQL Server Records the Least Number of
Reported Security Vulnerabilities of Any Database Platform
NIST Statistics Show SQL Server Records the Least Number

of Reported Security Vulnerabilities of Any Database Platform
69
SQL Server
Oracle
DB2
MySQL
53
55
53
* SQL Server recorded zero

vulnerabilities for 2010.
34
24
28
25
21
8
0
2002
76
5
2003
Source: NIST 2010
16
16
11
10
1
2004
25
21
21
17
20
5
0
2005
29
0
2006
6
0
*
2007
2008
2009
2010
Statistics as of the end of December 2010
Source: ITIC 2010, All Rights Reserved
Source: NIST 2010
As the Exhibit illustrates, SQL Server was the most secure database by a wide margin: Its closest
competitor, MySQL (which was owned by Sun Microsystems until its January 2010 acquisition
by Oracle) recorded 99 security flaws or twice as many as SQL Server over the same period.
By contrast, during the same period spanning 2002 through 2010, the NIST CVE recorded 337
security vulnerabilities associated with the Oracle database platform, the highest total of any
major vendor. Oracle had almost seven times as many reported security flaws as SQL Server
during the same time span. And not only has Oracle had many more reported vulnerabilities
than SQL Server, the patching processes for Oracle databases are quite complicated so much so
that anecdotal data obtained from a large number of Oracle DBAs, indicates they do not patch
their Oracle databases. For IBM, NIST CVE statistics recorded 138 security-related issues for
the IBM DB2 platform during this same time frame.
Solid security is an essential element for many mainstream LOB applications, and a crucial
cornerstone in the foundation of every organizations network computing infrastructure.
Databases are the information repositories for many organizations; they contain much of the
Page 4
sensitive corporate data and intellectual property. If database security is compromised, the entire
business is potentially at risk.
The Server Operating System upon which the database runs is an equally crucial component in
the network computing environment. As the saying goes, the chain is only as strong as the
weakest link. The SQL Server database platform requires a strong foundation upon which to
run and Windows Server 2008 R2 provides just that.
Windows Server 2008 R2, the latest version of Microsofts Server Operating System is receiving
similarly high security reviews from customers. Ninety percent of the 468 respondents to ITICs
2010-2011 Global Server Hardware and Server OS Reliability survey rated the security of
Windows Server 2008 R2 as Excellent or Very Good (See Exhibit 2). Windows Server
2008 R2 received the highest security ratings out of 18 different Server Operating System
distributions.
Exhibit 2. Windows Server 2008 R2 Delivers Rock Solid Security
Rate the security of Windows Server 2008 R2
6%
4%
42%
Excellent
Very Good
Good
Satisfactory
48%
NOTE: None of the respondents gave
Windows Server 2008 R2 a Poor or
Unsatisfactory rating
Source: ITIC 2010 Copyright All Rights Reserved
Page 5
The responses to the independent ITIC survey, conducted during November 2010 through
February 2011 indicate that the security, reliability and uptime of all of the Windows Server
distributions over the past eight years: Windows Server 2003, Windows Server 2008 and in
particular, Windows Server 2008 R2 have measurably improved. Windows Servers security,
performance and reliability are on par (and in many instances, superior to) the other major Server
OS distributions.
Windows Server 2008 R2 provides a strong, stable foundation and further fortifies the strong
security within SQL Server 2008 and SQL Server 2008 R2. Additionally, the strong synergies
within the respective code bases of the two Microsoft Server platforms allow organizations to
achieve optimal performance and eases ongoing management.
Over half 56% of the ITIC survey respondents indicated that Windows Server 2008 and
Windows Server 2008 R2 security have improved significantly over Windows Server 2003;
and 36% of the participants said that Windows Server 2003 security has improved over the past
three years.
The Windows Server security statistics mirror the results of an ITIC independent Web-based
survey on SQL Server security that polled 400 companies worldwide during May and June 2010.
The results of the ITIC 2010 SQL Server Security survey support the NIST CVE findings.
Those survey highlights revealed:
An 83% majority rated SQL Server security excellent or very good (see Exhibit 2).
None of the 400 survey respondents gave SQL Server security a poor or
unsatisfactory rating.
A 97% majority of survey participants said they experienced no inherent security issues
with SQL Server.
Anecdotal data obtained during first-person customer interviews also elicited a very high
level of satisfaction with the embedded security functions and capabilities of SQL Server
7, SQL Server 2000, SQL Server 2005, SQL Server 2008, and the newest SQL Server
2008 R2 release. In fact, database administrators, CIOs and CTOs interviewed by ITIC
expressed their approbation with Microsofts ongoing initiatives to improve SQL
Servers overall security and functionality during the last decade starting with SQL
Server 2000.
SQL Servers and Windows Servers top ranked security records/ratings are no fluke. They are
the direct result of significant Microsoft investment in its Trustworthy Computing Initiative. The
Trustworthy Computing Initiative has three main goals. They are to make Microsoft software:
Secure by default
Secure by design
Secure in deployment
Page 6
Al Comeau, the Security Lead for SQL Server, noted that Microsoft is focused on continually
improving its track record by following the aforementioned precepts. The strategy is working. In
the past 24 months since January 2009, Microsoft has issued only eight (8) SQL Server securityrelated alerts. In 2010, there were no SQL Server vulnerabilities recorded by Microsoft or NIST.
Microsoft is the only major database vendor with a spotless security record in 2010.
Patrick Hevesi, Enterprise Technology Architect &Worldwide Security Lead reveals that
Microsoft shored up Windows security by hardening the core OS and reducing the attack
surface by 80 to 90 percent -- companies dont have to load the user interface (UI), where many
of the attacks occur; less than five percent of the attacks are leveraged against the OS kernel.
Microsofts efforts have resulted in tangible security gains, according to ITIC survey
participants.
We have not experienced any security issues with any version of SQL Server in over six
years. Im impressed with the way Microsoft continually improves the database
platforms security, ease-of-use and granular management capabilities. We have the
utmost confidence in both SQL Server 2005 and SQL Server 2008 security, IT manager
at a Midwest law firm.
We've used MS Server products for as long as they've been out and W2K8 R2 is so far the most
stable and secure we've ever seen, Network administrator at an enterprise consulting firm with
over 1,000 Servers.
Security issues have a far greater impact on our uptime than hardware issues. Windows
2008R2 has proven to be very stable and has a much better security model than any earlier
Server OS from Microsoft, so in many cases we have been upgrading from 2003 directly to 2008
R2,A Senior Support Engineer at an enterprise manufacturing firm with 501 to 1,000 Servers.
This report details specific improvements Microsoft has made to strengthen the security of the
SQL Server database as well as the core Windows Server Operating System and the positive
impact on total cost of ownership (TCO), return on investment (ROI), and risk mitigation efforts.
Specifically, TCO is lowered when administrators spend less time doing reliability remediation
particularly for the more severe Tier 2 and most serious Tier 3 incidents, companies save time
and resources that are better devoted to other tasks.
Page 7
Introduction
Strong security is a must for every organization irrespective of size or vertical industry.
Databases are among the most crucial applications in the entire network infrastructure.
Information in databases is the organizations intellectual property and life blood. And the Server
Operating System is the foundation of the business network computing operations.
Databases are essentially a companys electronic filing system. The information contained in the
database directly influences and impacts every aspect of the organizations daily operations
including relationships with customers, business partners, suppliers and its own internal end
users. All of these users must have the ability to quickly, efficiently and securely locate and
access data. The database platform must be secure. An insecure, porous database platform will
almost certainly compromise business operations and by association, any firm that does business
with it. Any lapses in database security, including deliberate internal and external hacks,
inadvertent misconfiguration, or user errors can mean lost or damaged data, lost revenue, and
damage to the companys reputation, raising the potential for litigation and loss of business.
New slide 4 (8-25-10)
Exhibit 3. What is Your Experience with SQL Server Security?
4%
Excellent
13%
Very Good
Good
40%
Satisfactory
43%
***
None of the
respondents
gave SQL Server
a Poor or
Unsatisfactory
rating
Sample size: N = 417

As seen in Exhibit 3 above, Microsofts nearly decade-long Trustworthy Computing Initiative

resulted in a demonstrably improved SQL Server security experience, according to the ITIC
survey responses. This achievement is even more impressive when one considers that SQL
Server has many millions of lines of code.
Page 8
Exhibit 4. NIST Common Vulnerabilities and Exposures (CVE) Cumulative

Total of Database Security Flaws 2002 2010
NIST Common Vulnerabilities and Exposures (CVE)

Cumulative Total of Database Security Flaws,
2002 2010
16%
8%
SQL Server (49)
Oracle (337)
22%
DB2 (138)
54%
MySQL (99)
It is important to note that the security vulnerabilities cited in the NIST CVE in Exhibits 1 and 4
are reported flaws that anyone can audit. Over time, some of the vulnerabilities do get resolved
by the database vendors and/or third party ISVs, although that information is not always
communicated in a public forum.
Additionally, it is important to note that some companies report vulnerabilities in arrears
spanning the end of one calendar year and the beginning of the next. For example, a NIST CVE
with a date designation of 2010 (CVE-2010-wxyz) occurring late in calendar year 2010, may not
have been reported until the first part of 2011. For the sake of consistency across vendors, in this
paper for these cases, the reported vulnerabilities are based on Original Release Date or
Published date in the NIST NVD.
Page 9
Data & Analysis

SQL Server Takes Broad, Deep Security Focus
Microsofts SQL Server security initiative has hundreds of focus areas. Figuring prominently in
SQLs feature support are the Three As of security: authentication, auditing and authorization.
IT departments and DBAs that consistently align their databases around Microsoft SQL Servers
feature support for these three feature sets and deploy them properly are well on their way
to securing their database systems.
In a recent interview, Al Comeau, a 25-year security practitioner (25 years in Server database
development, and eight focused on security), said many DBAs arent able to maintain this
standard. Many DBAs have their hands tied. Theyre administering hundreds of Servers,
thousands of databases and the focus is keeping the system up and running and not necessarily
on security and access rights.
SQL Server security is a two-way street between Microsoft and its customers. The corporate
customer must be sufficiently knowledgeable about SQL Servers functions and security
capabilities. At the same time, Microsoft has the responsibility to provide the baseline
functionality, which is secure by design, secure by default and secure in deployment, and also
delivers the right degree of flexibility, usability and manageability.
The secure-by-default mandate is designed to help organizations including SMBs that frequently
lack skilled DBAs, to securely deploy SQL Server. Starting with SQL Server 2005, significant
parts of SQL Server were turned off by default, Comeau said, noting that, Its basic human
nature to follow the path of least resistance that is most expedient and boot it straight out of the
box.
Windows Server Security Steps Up

To reiterate, it is now nine years since Microsoft publicly launched its Trustworthy Computing
Initiative. And the results are measurably improved security across all Microsoft desktop and
Server Operating Systems and applications software. But nowhere is the hardened security more
evident and more welcome than in Microsoft Windows Server.
Page 10
The latest survey data indicates:
Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 are the only
three Operating Systems out of the 18 different Server OSes in the ITIC poll in which
the majority of the respondents indicated that the security has improved over the past 3
years. For all of the other 15 OS distributions in the ITIC poll, the majority of survey
participants indicated that the security has remained the same.
Windows Server 2008 R2 is among the most reliable of the 18 Server OSes in recording
the fewest number of the most severe Tier 3 outages along with IBM AIX 7 and
Novells (now Attachmates) SuSE Linux Enterprise Server 11.
Over nine out of ten of the 460 survey participants 91 percent -- rate the security of
Windows Server 2008 R2 as Excellent or Very Good. This is an 18 percentage point
improvement over Windows Server 2008 and a 30 percentage point jump in the number
of survey participants who gave a similar rating to Windows Server 2008.
Most importantly, none 0 percent of the survey participants gave any of the Windows
Server OS distributions an Unsatisfactory or Poor rating.
Those that rated UNIX and Linux operating systems as Poor had a familiar refrain.
When a vulnerability was found on a particular OS, it was difficult to locate the
appropriate fix and there was little regression testing. In other words, even if the security
patch was located, it often caused other problems in the system due to incompatibilities
such as drivers and other applications.
Hardening Windows
As with SQL Server, Microsofts security team set specific goals to shore up the security of
Windows Server.
Microsofts Hevesi came onboard just as the Trustworthy Computing Initiative was getting
underway and became one of the Security Architects working on the Security Development
Lifecycle and Threat Modeling for the different product groups.
After the security-focused Service Packs on Windows XP and Server 2003, the Windows team
began development on hardening the Windows Server services and reducing the attack surface
via its Server Core.
In the past we had all services running with full Local System access; that meant if one service
got compromised, they were all possibly in danger, Hevesi said.
Page 11
That changed in Windows Server 2008 when Microsoft inserted miniature firewalls in between
[the services] and inserted a lower program rights option. Microsoft also created more granular
levels of administrator rights. This enables IT managers to designate only those rights and
privileges that are necessary for lower level system administrators or developers to perform
specific tasks.
By default, the advanced security and Windows Firewall is now turned on by default in both
Windows Server 2008 and 2008 R2 and thats a big improvement, he adds. In addition,
Microsoft initiated a Server Core option in Windows Server 2008, which was specifically
designed to lower the attack surface by 80 to 90 percent. Prior to this, administrators would
have to install everything. Now with Server Core in both Windows Server 2008 and 2008 R2
organizations do not have to load the user interface (UI), but instead they have a command line
interface thus hardening the Server, Hevesi notes.
The majority of the attacks occur at the UI layer; less than 5 percent of the attacks are leveraged
against the OS kernel. And all the browser-based exploits are gone because theres no browser
on the Server, Hevesi says. Another plus is that other common applications like Adobe Flash,
Acrobat Reader and iTunes as well as specific types of attacks like malicious Active-X controls,
browser redirects, and so on are not valid on Windows Servers running Server Core.
With Server Core, he explains, you cant log in and then launch a browser, there is only a
command prompt interface. This causes the IT organizations to change the way they administer
the Servers. IT organizations will now have to leverage a central location to remotely administer
the Servers running in Server Core. This simplifies the management of multiple Servers,
reducing the time needed to log into each Server and do configuration management.
Microsoft also provides the Microsoft Security Compliance Manager Windows Server 2008 R2
Security Baseline to help users further harden their Windows Server installations and continue to
monitor their compliance to ensure their systems do not deviate from security policies. This tool
pulls from a database of security recommendations built from the experience of Microsoft
security professionals and assists the customer in creating desired configurations, helping to
ensure those policies are adhered to throughout their environment.
With the release of Windows Server 2008 R2, the ASP.net and PowerShell frameworks were
componentized and now run in Server Core, which allows for more dynamic services and
applications. Microsoft is looking at continuing to add additional enterprise services and
applications into the Server Core.
It makes sense to put all code into the Server Core so that the enterprise applications are
leveraging the same design approach. Our intent is to continue to reduce the attack surface of the
Server platform, Hevesi says. Microsoft continues to drive Security and Management
improvements into the OS platforms and enterprise applications through the Common
Engineering Criteria which, in turn, increases overall Server reliability.
Page 12
The results of the ITIC 2010-2011 Global Server Hardware and Server OS Reliability Survey
clearly indicate that organizations recognize the need for strong security and rate it as one of the
most crucial components of their network computing infrastructure. Overall, as Exhibit 5
indicates, a 51% majority of the 468 organizations polled believe that Server OS security has a
tangible impact on overall network reliability. Only 9 percent believe that Server OS security has
no impact on overall network reliability, and a 6 percent minority dont keep track at all.
Exhibit 5. Estimate the impact (or perceived impact) of Server
OS security on overall network reliability
Estimate the impact (or perceived impact) that server

OS security has on overall network reliability
None - they are separate
and distinct
6%
9%
Minimal impact
14%
Moderate impact
Significant impact
34%
16%
Extremely crucial security and reliability are

interwined
We do not keep track
21%
N= 468 respondents
Page 13
The majority of organizations though recognizes and appreciates the enhancements to Windows
Server security. As we can see from Exhibit 6, a 58 percent majority of ITIC survey participants
say that the security of Windows Server 2008 R2 has improved significantly over prior
versions while 22 percent believe it has improved somewhat. These are the highest positive
response rates on Server OS security among any of the 18 Server distributions.
Exhibit 6. Estimate how the security of Windows Server 2008

R2 has improved or declined in the last three years
Estimate how the security of Windows Server 2008 R2

has changed for better or worse in the last three years
0% 0%
18%
22%
Improved somewhat
Improved significantly
Stayed the same
Gotten slightly worse
Gotten significantly worse
Unsure
58%
NOTE: None of the 468 respondents said

that the security of Windows Server R2
2008 had gotten slightly or significantly
worse
Equally important: none of the survey participants said that the security of Windows Server 2008
R2 had declined when compared with earlier releases.
The ongoing, incremental improvements to the core OS kernel via the Server Core have
tangibly improved the baseline security of the Windows Server platform and by extension, the
key Windows Server-based applications such as SQL Server. As Exhibit 7 illustrates, an
overwhelming 90 percent of ITIC survey respondents gave Windows Server 2008 R2
Excellent or Very Good ratings. Thats an increase of 30 percentage points from the 60
percent who rated Windows Server 2003 Excellent or Very Good and a 12 percentage point
improvement over the 78 percent of participants that said Windows Server 2008 security was
Excellent or Very Good.
Page 14
Exhibit 7. Rate the Security of your Server Operating Systems
Rate the security of your server operating system(s)

Excellent
Windows Server 2003
Very Good
Good
21%
Windows Server 2008
28%
Red Hat Ent. Linux 5
28%
SuSE Linux Ent. 11

Debian GNU/Linux 4
30%
HP UX 11i
IBM AIX 6
26%
32%
IBM AIX 7
21%
26%
38%
37%
9% 2%2%
18%
11%
13%
3%3%
16%
13%
13%
3%
7% 2%2%
11%
15%
34%
4%
13%
18%
37%
34%
7%
7%
10% 3%
13%
36%
35%
2%
15%
16%
39%
39%
IBM AIX 5.3
2%
15%
10%
11%
39%
38%
7%
14%
14%
17%
41%
32%
7%
16%
19%
30%
33%
7%
14%
40%
32%
Oracle Solaris 10
22%
37%
26%
Ubuntu Server 9
8%
6% 4%
42%
23%
12% 1%
14%
42%
Ubuntu Server 10
Oracle Solaris 9
28%
48%
25%
Debian GNU/Linux 5
Unsatisfactory
45%
42%
Apple Mac OS X 10.x
SuSE Linux Enter.10
Poor
39%
33%
Windows Server 2008 R2
Red Hat Ent. Linux 5.5
Satisfactory
5%
16%
15%
15%
3%
10% 3%
7% 2%
Further examining the responses to our survey, none of the respondents rated any of the IBM
distributions AIX 5.3, AIX 6.1 or AIX 7.1 Unsatisfactory, and only a few rated it Poor.
Upon questioning those respondents ITIC determined that the biggest customer complaint was
not with the inherent security of AIX but rather in finding a fix and getting technical service and
support when the organization was stymied. In these particular instances, the organizations were
very large enterprises and searching for a fix was like finding the proverbial needle in a
haystack. This is a common thread throughout the interview responses. Since the underlying
reliability and security of nearly all the Server Operating Systems and Server hardware has
improved, the majority of the more moderate and severe Tier 2 and Tier 3 outages are mainly
due to integration and interoperability issues e.g., incompatible applications or drivers.
With respect to security, some users expressed frustration when they had to report a security
bug/hole/vulnerability to a vendor and there was no patch for it. Theres good news and bad
news for Microsoft in this scenario: the bad news is, customers will sometimes complain about a
big Patch Tuesday. The good news is that as Microsoft has stepped up its security initiatives, it
is doing a very credible job of being both proactive and reactive. Also, customers praised
Microsoft for being very quick to respond to any issues and for having a wealth of available
documentation on security issues.
Page 15
The fact that Microsoft continues to bolster Windows Server security also boosts corporations
confidence in the platform. One IT manager at a Midwest retail firm with over 1,000 Servers
noted Windows Server 2008 and Windows Server 2008 R2 have the best security of any
Windows Server release to date. The security is extremely solid and stable and it stacks up very
well against all the leading Nix [UNIX and Linux] distributions. He added, I have a lot of
confidence in the inherent security of the current Windows Server releases.
The greater Windows Server security, coupled with the improvements to SQL Server, have also
had a net positive impact on SQL Server Security and reliability.
Security Intelligence Report (SIR)

Microsoft also keeps customers apprised of the latest security data, risks and threats via its
Security Intelligence Report (SIR)
SIR provides organizations with a comprehensive evaluation of the evolving threat landscape
and trends so that they can stay informed and proactively make sound risk-management
decisions and take the appropriate action(s) to update and adjust their security measures. SIR
receives data from more than 600 million systems and internet services worldwide. Microsoft
updates SIR on a regular basis. Organizations who peruse the Website will find:
Featured intelligence on specific threats and how to combat them
Key Findings that detail data and trends analysis by Microsoft security analysts
Tips for managing risk
A Reference Guide for discussion points
Global Threat Assessment which provides the latest statistics on global botnet and
malware infections
SQL Server Security Step-by-Step

In 1997, SQL Server was in its infancy. There were approximately 50 people in the group at
Microsoft. Since then, the SQL Server group has grown into an entire platform division with
several thousand people.
Security has become so ingrained into the SQL Engineering System (a comprehensive set of
processes that guide how the database is built) that the teams and individuals involved may not
even realize that some of their actions are security-motivated, Comeau said. That translates into
significant numbers of Microsoft workers paying attention to the smallest detail where security is
concerned.
Page 16
Comeaus SQL Server security team spends the bulk of its time on collaboration with various
teams during the design phase. The high degree of automation for code and testing enables the
team to focus on the bigger picture, Comeau said.
In the early days you didnt have to work hard to break into SQL Server, Comeau
acknowledged. People would expose the database directly to the Internet and forget to include a
password; in SQL Server 2000 you could get right into Port 1433. In this instance, it was not the
product that was deficient, but the deployment practices.
Microsoft has since changed the setup, making it impossible for users to complete the installation
without first installing a strong administrator password. SQL Server 2005 and subsequent
versions will block installation until the user supplies a strong password.
The SQL Server security team is also tasked with inventing attack techniques and fuzz testing
to stay one step ahead of the hacker and malware community, and to achieve the smallest
possible surface area of attack. If its not necessary to daily operations, the feature is turned off:
We leave it up to the user to decide whats essential to their organizations needs, Comeau said.
SQL Server Security Enhancements

Microsoft strengthened the security of SQL Server 2005 and subsequent versions with the
addition of specific utilities designed to reduce the attack surface of the database, thus raising the
degree of difficulty for hackers. An example is the Surface Area Configuration (SAC) Tool, a
GUI-based utility for DBAs to decide what default capabilities to turn on/off for business needs.
Although Microsoft claims to have begun scrubbing the SQL Server code as far back as 2002,
many of the most notable present-day security improvements in the platform were included
starting with SQL Server 2005. They included such elements as:
Context-switching or impersonation capabilities that enable DBAs to grant users only

the necessary or minimal permissions needed to access resources, using impersonation to
elevate permissions as necessary.
User-schema separation, a mechanism that decouples the linkage between a user and
schema. By separating the user from the schema, a user may be dropped without affecting
the schema or the objects within the schema. This has the added benefit that reliance
upon the schema can be reduced.
State-of-the-art encryption that for the first time in SQL Server 2005 lets developers
and DBAs construct a certificate store, create symmetric or asymmetric keys, and use a
variety of algorithms to secure data. In addition, SQL Server 2008 introduced transparent
data encryption (TDE) for protecting data at rest and Extensible Key Management to
allow SQL Server to leverage hardware security modules (HSMs) and external key
managers.
Page 17
Stronger password policies and protection. Starting with SQL Server 2005, Windows
group password policies can be applied to SQL logins. This allows password history,
ageing, complexity, and lockout rules to be applied to all logins. In addition, SQL Server
2005 automatically generates secure socket layer (SSL) certificates and encrypts the
channel automatically by default when transmitting login requests.
Granular permission sets, which is a more flexible, user-friendly way to assign

permissions to a single resource or a combination of resources.
The Surface Area Configuration (SAC) utility, which enables DBAs to oversee
internal and external resources from a single location using an intuitive GUI.
Catalog view security, which provides a higher level of security by allowing users to see
only the metadata for the objects for which they have permission rights.
Data definition language (DDL) triggers, which enable DBAs to compose Server or
database-level triggers for specific database related functions. This improves auditing and
security capabilities and lets administrators program automatic logging triggers to capture
and monitor events as they occur. In addition, login triggers were introduced to permit
connections to SQL Server to be determined by a flexible set of conditions, for example,
time of day.
Security Catalog Views that make it easy for the DBA to determine the access rights and
permissions of individual users.
Advanced security via Module Signing User Certificates: SQL Server 2005 lets
organizations sign modules such as stored procedures, functions, triggers, or assemblies,
within a database. This lets DBAs elevate privileges without switching user context.
Granular permissions were also bolstered in SQL Server 2005. DBAs and IT managers
can grant users the minimum permissions required to do their tasks, following
Microsofts basic Principle of Least Privilege.
Microsoft refined all of these security capabilities with each successive release of SQL Server.
The latest releases of the Microsoft database platform, SQL Server 2008 and 2008 R2, include:
Transparent data encryption (TDE), which allows an entire database to be encrypted to

provide data-at-rest protection. The encrypted nature of the database is transparent to the
application and the claimed performance cost is almost insignificant. Enabling TDE also
ensures that the log files and backups are encrypted.
Extensible Key Management is a feature that allows SQL Server to leverage third-party
key managers and HSMs to provide an additional level of security and management with
respect to the cryptographic keys.
SQL Server Audit is a key feature that provides enterprise-level auditing functionality.
All activity in the instance can be captured and recorded in a secure fashion to various
targets such as a file system or the Windows Security Log. In addition, SQL Server Audit
is capable of scoping the actions that generate audit events to specific queries on a
specific table by a particular user, group, or role.
Page 18
All of these security enhancements ensure and support:
Optimal levels of productivity for users, administrators and developers
The overall security and reliability of the SQL Server platform
The scalability of the database as organizations increase the size and scope of their
database implementations and upgrade to newer releases
The ability of SQL Server to deliver business intelligence throughout the enterprise
The inclusion of all of these features and enhancements strengthens the core SQL Server
database platform and ultimately helps the organization tangibly lower TCO and accelerate ROI.
The NIST statistics, coupled with the results of the ITIC 2010 SQL Server Survey and customer
interviews, affirm the strong security embedded in SQL Server. Customer interviews emphasize
both the crucial role of database security in the overall network environment, and the importance
that organizations place on database security as crucial to their business operations.
Microsofts improvements to the intrinsic security SQL Server platform during the past several
years have enabled the Redmond, Wash. software company to assemble the best record in terms
of the least number of reported vulnerabilities of any of the major database platforms since 2003,
according to the NIST National Vulnerability Database (NVD), the U.S. government repository
of standards-based vulnerability management data. This data enables automation of vulnerability
management, security measurement, and compliance, including databases of security checklists,
security related software flaws, misconfiguration, product names, and impact metrics. The NVD
is a product of the NIST Computer Security Division (http://csrc.nist.gov/) Information
Technology Laboratory, and is sponsored by the Department of Homeland Securitys National
Cyber Security Division (http://www.us-cert.gov/).
Stronger Security = Lower TCO, Faster ROI

The stronger security and reliability of SQL Server 2008 R2 and Windows Server 2008 R2
separately and in tandem, enables organizations to lower TCO and ROI in very measurable ways.
Fewer security incidents mean fewer calls to the Help Desk and less intervention required by IT
administrators to take Servers offline or perform remediation. Consider the following: ITIC
survey data indicates that the average cost of an IT administrator or security manager who makes
an hourly wage of $50 to $60 (US) to attend to a security issue is as follows:
Tier 1: $37 (based on a duration of up to 30 minutes remediation performed by a single

administrator)
Tier 2: $120 to $480 (based on a duration of one to four hours involving two security
administrators performing remediation)
Tier 3: $360 to $1,800 (based on a duration of four to 10 hours and conservatively

involving three security administrators fixing the issue)
Page 19
The above are just the hourly labor costs associated with recovering from a security incident.
Organizations must also weigh the hourly cost of downtime involving both the Windows Server
and the SQL Server and the impact on productivity of the employees who are affected by the
security breach and possible outage. ITIC has calculated the average cost of a single hour of
downtime for a single SQL Server to range from $3,000 for an SMB with under 50 employees
(involving a non-transaction or data intensive application environment) to well over $20,000 for
a large enterprise (involving a non-transaction or data intensive application environment). These
figures can increase exponentially in a data intensive, transactional processing environment such
as financial trading, stocks, or banking applications and cost a corporation millions of dollars for
a single hour of downtime.
When calculating TCO, organizations must also factor in the impact and cost on customers,
business partners and suppliers. There is also the potential for litigation in the event any of the
companys aforementioned customers are impacted by a security breach.
Another consideration, which is much more difficult to calculate in strictly monetary terms, is
the possible damage to a companys reputation as a consequence of a moderate or severe Tier 2
or Tier 3 security outage involving a SQL Server database and/or the Windows Server platform.
While the actual TCO statistics will vary by organization, a company that reduces both the
number of actual incidents and cuts down on the more moderate and severe Tier 2 and Tier 3
incidents will substantially reduce its TCO.
SQL Server Security: Define Your Business Goals

SQL Server, particularly the latest SQL Server 2008 R2, incorporates all the capabilities
businesses need to fulfill their security requirements. There are no absolutes. A company, for
example, that allows its application developers to write applications without incorporating strong
security are creating a big security gap.
In practical terms, just as a three-legged table will not stand on one or two legs, a corporation
cannot reasonably expect to achieve a truly secure SQL Server database configuration without
input and agreement from all appropriate parties in the organization. It is incumbent on
individual corporations and individual business groups within the organization to define their
goals and apply the most appropriate level of security. Ultimately, the technical capabilities only
constitute part of the equation. Communication, cooperation and collaboration amongst the
various business groups, the software developers, C-level executives and IT departments is the
only way to achieve consensus.
Similarly, the IT department must take a holistic system-wide approach to security and safeguard
the entire infrastructure, not just the SQL Server database or the Exchange or Windows Servers.
Page 20
Microsoft aims to assist customers in their pursuit of heightened SQL Server security by raising
the security IQ via free compliance papers and security tools that provide detailed information
on common vulnerabilities like SQL Injection (see Appendix). SQL Injection is a long-standing
vulnerability category that manifests itself in the applications customers write. It one of the
hottest security topics discussed by SQL Server developers on user forums.
Microsoft is also actively developing a Solution Accelerator, which will be available free of
charge to the public (the ship date is still to be determined). The Solution Accelerator includes a
set of best-practices guidelines for deploying SQL Server.
There is strong evidence that Microsofts SQL Server Trustworthy Computing Initiatives are
having a net-positive impact. An overwhelming 97% of ITIC SQL Server Security survey
respondents indicated they have not experienced or uncovered any inherent security
vulnerabilities in SQL Server during the last three years (see Exhibit 8, below).
Exhibit 8: Has Your Organization Experienced any SQL

Server Security Issues?
1%
2%
Yes
No
97%
Unsure
Sample size: N = 417

Page 21
SQL Server Security: Users Weigh In

C-level executives, IT managers and DBAs interviewed by ITIC regarding SQL Server security
reported very positive experiences.
Steven Sommer has used SQL Server for 15 years, first in his capacity as CIO and CTO at
Hughes, Hubbard & Reed and most recently as the head of SLS Consulting in NYC where he
recommends the database to his clients, such as Stromberg & Forbes, a venture capital firm
based in Marco Island, Fla. He recalls that SQL Server 6.0 circa 1995 was extremely buggy and
insecure.
Its obvious that Microsoft paid more attention to security; its much stronger and more
flexible, Sommer said. I appreciate the fact that Microsoft also does more regression testing,
hosts more seminars and provides a plethora of free documentation. I have full confidence in
SQL Server security. The security is top-notch and Microsoft is very proactive and quick to
respond to any issues, he added.
Sommer said he also appreciates the intuitive administrative capabilities and the fact that
Microsoft provides a double layer of security via SQL Servers own embedded functions and
the security and management components that tie into Active Directory. Sommers consulting
practice specializes in healthcare, legal, banking and government accounts where security is
especially sensitive due to the nature of the business and the growing number of regulatory
compliance demands, such as the Sarbanes-Oxley Act of 2002 (SOX) and the Health Insurance
Portability and Accountability Act (HIPAA) of 1996.
I highly recommend SQL Server security. It gives me granularity and control over database
administrative roles, access rights and privileges and it does so in such a way that it provides me
with maximum flexibility and ease of deployment, Sommer said.
Aaron Horn, IT manager at Becker Underwood, a manufacturer of specialty bio-agronomic and
colorant products for turf, vegetation, and forestry management based in Ames, Ia. said his firm
has not experienced any security issues or hacks into its SQL Server 2005 database. The
embedded SQL Server security features and capabilities particularly the database services
are intuitive and easy to configure, Horn said.
Horn noted that he and his DBAs were especially pleased with the more granular security
capabilities. One of the biggest improvements in SQL Server 2005 is the separation of the
components of SQL Server (such as database services, analysis services, and integration
services). This allows us to install only those components that we need, thus minimizing the
risks, Horn said, adding, and they each can be configured to run with their own service
account.
Ian Melton, an IT manager at an SMB automotive firm in Australia, voiced appreciation for the
strong security of SQL Server and the ease of configuration. Were a small shop and we have
Page 22
limited IT resources, and yet we require the same level of security as a large enterprise. SQL
Server security gives us that.
Andrew Baker is another longtime SQL Server user, who has worked with the Microsoft
database for the last 15 years. In his capacity as VP of IT and Security at a number of
organizations including Bear Stearns, Warner Music Group, the Princeton Review and ARGI,
hes witnessed the security enhancements firsthand. With respect to SQL Server security, I
knew that things were pretty quiet in terms of fixes for the last several years, Baker said. SQL
Server 2005 and 2008 have been very stable and secure.
Page 23
Conclusions
Microsofts proactive, aggressive approach to solidifying SQL Server and Windows Server
security, as part of the companys overarching Trustworthy Computing Initiative, tangibly
improved the inherent security of the core Server Operating System and the database platform
during the past eight years.
SQL Server is indisputably the most secure database platform of the major commercial
databases, according to NIST. Specifically in this paper, NIST reported vulnerabilities were
evaluated for the database solutions IBM DB2, Microsoft SQL Server, Oracle Database, and
Oracle MySQL.
SQL Server has the fewest recorded vulnerabilities, according to independent statistics provided
by NISTs National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures
(CVE) software lists, the primary government agency tasked with tracking computer security
issues. Since 2003, the year after Microsofts intensive Trustworthy Computing efforts launched,
NIST recorded only 25 security vulnerabilities associated with Microsofts SQL Server Database
platform. Through the end of 2010, NIST had reported no SQL Server security flaws for the
year.
The vendor whose database platform comes closest to SQL Server in terms of the least number
of security issues associated with the platform is Oracles MySQL. NIST recorded 91 known
reported MySQL vulnerabilities during the period spanning 2003 through 2010: thats more than
three times the number of security issues associated with SQL Server for the same period.
During this same 8-year time frame, NIST listed 316 vulnerabilities associated with Oracles
database, including 55 during 2009 and 34 in 2010.
ITICs independent survey data and first-person customer interviews validate NIST findings. The
ITIC 2010 SQL Server Security survey data indicates 97% of the more than 400 respondents
have not experienced any security issues with the Microsoft database platform during the last
five years. Customers interviewed by ITIC expressed high praise for the ease-of-use, improved
manageability and the breadth and depth of the documentation available for SQL Server. The
high user satisfaction rate was typified by the comment of a database administrator at a MidAtlantic bank. The financial institution has 3,000 end users and recently switched from the
Oracle database to SQL Server 2008. We wanted to improve the security and performance of
our database platform. We chose to migrate to SQL Server 2008 specifically because of its tight
security [compared to Oracle], the DBA said. SQL Server is reliable and consistent. Me and
my fellow DBAs are sleeping much more peacefully these days, he added.
Among the 2% of survey participants that did report security issues with SQL Server, the
overwhelming majority 87% attributed the problems to third-party tools or
misconfiguration errors.
Page 24
There is no such thing as 100% fool-proof security. The security initiatives undertaken by
Microsoft during the past eight years have greatly reduced the attack surface of the database and
the Server OS. They have made SQL Server and Windows Server genuinely:
Secure by design
Secure by default
Secure in deployment
Overall customer confidence in the security safeguards in SQL Server and Windows Server is
extremely high. Organizations of all sizes and across all vertical markets extolled the granular
manageability capabilities and the widespread availability of detailed technical documentation
(such as TechNet articles and white papers) available for the Microsoft Windows Server
Operating System and SQL Server database platforms.
Microsofts ongoing enhancements to the platform make SQL Server a worthy competitor to
Oracle Database 11g in the enterprise. To aggregate the survey findings: three-quarters of the
more than 400 survey respondents rated the performance, features and reliability of SQL Server
Excellent or Very Good.
Likewise, the ITIC 2010-2011 Global Server Hardware and Server OS Reliability indicates that a
91 percent majority of organizations rate Windows Server 2008 R2 security, Excellent or
Very Good.
The statistics compiled by NIST, the ITIC independent survey data and customer case-study
interviews all underscore the fact that SQL Server 7, SQL Server 2000, SQL Server 2005, SQL
Server 2008, and SQL Server 2008 R2 provide tight security.
Ongoing security improvements in SQL Server provide organizations with the most solid, stable
foundation of any mainstream commercial database platform currently available. Businesses that
perform due diligence, get appropriate training for their DBAs and IT staff and strictly adhere to
best deployment practices will reap the rewards.
Microsoft has provided a wide array of embedded security mechanisms within SQL Server and
Windows Server. It is up to organizations to implement them wisely.
Page 25
Recommendations
There is no substitute for performing due diligence: Before beginning any Windows Server and
SQL Server deployment, organizations are well advised to familiarize themselves with all of the
specifics of the platforms. Corporations should also construct pilot networks for Windows Server
and SQL Server well in advance of any deployment, to simulate their intended production
environment as closely as possible. Customers should also avail themselves of Microsofts
TechNet, which includes a comprehensive list of technical documentation. There are also many
Windows Server and SQL Server security-related application compatibility sites and forums.
These provide invaluable detailed guidance to avoid problems and troubleshoot any technical
issues that arise.
Its also crucial that businesses actively check both the Microsoft and NIST sites regularly for
any new reported security vulnerabilities, and stay up-to-date on patches. Customers should also
contact their OEM and third-party hardware and application ISVs, systems integrators and
consultants and familiarize themselves with Windows Server and SQL Server security and
overall systems requirements. Organizations should also prevail upon these vendors to disclose
any known Windows Server and SQL Server issues or incompatibilities and, if any exist, when
they expect to issue patches.
Page 26
Appendices
Below is a detailed list and links to the flaws and security vulnerabilities of each major database
platform as logged and reported in the National Institute of Standards and Technologys
Common Vulnerabilities and Exposure (NIST CVE). All database security vulnerability statistics
ITIC analysts cited in this report are directly sourced from the NIST CVE. Statistics on database
security vulnerabilities referenced in Exhibit 1 are current through December 2010.
Microsoft
Report Site: http://web.nvd.nist.gov/view/vuln/search-advanced?cid=2
Parameters: Vulnerability Criteria: Software Flaws
CPE Name, Vendor: Microsoft Corporation
CPE Name, Product: sql_server, sql_server, sql_server_desktop_engine,
sql_server_express_edition, sql_server_reporting services, sql_srvsql_srv_desktop_engine
Published Date Range: Start Date: January [Year], End Date: December [Year]
Last Modified Date Range: Unspecified (no entry)
Oracle
CPE Name, Vendor: Oracle
CPE Name, Product: Any [Evaluate each CVE individually to determine if the Vulnerable
software and versions section lists a configuration containing database product(s)]
IBM DB2
CPE Name, Vendor: IBM
CPE Name, Product: db2, db2_content_manager, db2_content_manager_toolkit, db2_server,
db2_universal_database
MySQL
CPE Name, Vendor: mysql, mysql-ocaml, mysql_auction, mysql_eventum, mysql_quick_admin,
mysqldumper, mysqlnewsengine
CPE Name, Product: Any
Page 27
Links
This list contains several of the best online sites devoted to SQL Server security, including NIST.
It also contains links to more general information SQL Server sites. They are organized
according to affiliation (for example, government sites, Microsoft sites and third-party sites).
Government Sites with SQL Server-Related Content

National Institute of Standards and Technology (NIST)
http://www.nist.gov/
Part of the U.S. Commerce Department, NIST is the government agency responsible for
setting standards and measurements on a wide variety of biological, scientific and hightechnology topics. It also provides access to NISTs Computer Security Divisions
National Vulnerability Database (NVD).
NIST NVD
http://nvd.nist.gov/
Provides the public with one of the most comprehensive lists of known computer and
software vulnerabilities, arranged by date, year and type. It currently contains information
on more than 42,000 known security vulnerabilities.
The U.S. Computer Emergency Readiness Team (US-CERT)
http://www.us-cert.gov/cas/techalerts/
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the
Department of Homeland Security (DHS) in Washington, D.C. This site is an invaluable
resource for anyone searching for detailed information on current security issues,
vulnerabilities and exploits involving high-technology vendors and products.
Common Vulnerabilities and Exposure (CVE)
http://cve.mitre.org/about/
The Common Vulnerabilities and Exposure (CVE) site provides a listing of common
names for all known security vulnerabilities. CVE is a global community effort and
receives input from a multiplicity of computer security organizations worldwide. NISTs
NVD site is synchronized with, and based on, the CVE list.
Microsoft SQL Server Sites

Microsoft Security
www.microsoft.com/security
This Microsoft site provides customers with the latest information on security news,
alerts, products, tools and available updates.
Page 28
Microsoft TechNet Magazine: Overview of Security Features in SQL Server 2008

http://technet.microsoft.com/en-us/magazine/2008.04.sqlsecurity.aspx
This Microsoft TechNet article provides a detailed overview of the security
enhancements in SQL Server 2008.
Microsofts Security Developer site
msdn.microsoft.com/en-us/security
Microsofts Security Developer site provides information and tools to developers to assist
them in writing secure code.
Microsoft TechNet Security Bulletin Search
www.microsoft.com/technet/security/current.asp
At this Microsoft hosted site, customers will find a comprehensive list of the latest
Microsoft product security bulletins. Users can search the site by product, technology and
TechNet Knowledge Base (KB) article.
MSDN SQL Server Forum
http://social.msdn.microsoft.com/Forums/en-US/category/sqlserver
The MSDN SQL Server Forum is a useful tool for helping others grow in their
knowledge, and to find answers if you are stuck.
Third-Party SQL Server Sites

Below is a list of popular third-party SQL Server sites. These sites are not sanctioned by nor
affiliated with Microsoft and therefore, Microsoft does not vouch for or validate the accuracy of
the information found on these sites. ITIC lists them here for informational purposes.
SQLServerPedia
http://www.sqlserverpedia.com
An aggregate SQL Server supersite, this contains a plethora of technical information and
blogs by nearly 60 SQL Server experts. This is a question-and-answer system hosted by
SQL Server Central.
SQL-Server-Performance.com
http://www.sql-server-performance.com
SQL-Server-Performance.com is a community Web site that aims to assist users in
achieving optimal SQL Server performance. It includes a wide variety of technical
articles, blogs and forums.
Page 29
Microsoft Windows Server Sites

The Windows Server Catalog
http://www.windowsservercatalog.com/
This is a must-see site for any organization that has deployed or is considering deploying
Windows Server. It contains a definitive listing of all of the compliance status of the
software and hardware devices that are tested and certified for the Windows Server 2008
R2 platform.
The Windows Server Support Site
http://support.microsoft.com/kb/894199
This page is targeted at administrators and contains a cumulative list of content changes
that have been made available for WSUS, Windows Update, and Microsoft Update.
Microsofts Common Engineering Criteria
http://www.microsoft.com/cec/en/us/cec-overview.aspx
This site is the main resource for the CEC program which is designed to reduce the
overall total cost of ownership (TCO) through improved integration, manageability,
security, reliability, and other critical infrastructure attributes.
Third Party Windows Server Sites

Paul Thurotts Windows SuperSite
www.winsupersite.com/
Technical expert Paul Thurotts site is a must-see for any serious Windows user. It is
simply one of the best, most detailed sites for expert advice, articles, documentation,
commentary, news, reviews and blogs on everything pertaining to Windows.
Mark Minasis Windows Site
http://www.minasi.com
Like Paul Thurott, Mark Minasi is a well-known, highly regarded author, columnist and
alpha geek who is quite simply one of the most knowledgeable Windows experts.
Page 30
SQL Server Security Best Practices

Microsofts Comeau advises organizations to abide by companys three basic SQL Server
security tenets. They are:
The Principle of Least Privilege Grant only those privileges necessary to do the job.
The Principle of Economy of Movement Enable only the capabilities the

organization needs.
The Principle of Least Astonishment Microsoft takes responsibility for not putting
its customers in a position of being surprised that a specific feature/function is turned on
by default.
Comeau also detailed specific ways in which IT departments and database administrators can
practically apply the aforementioned principles. They include:
Dont create an administrator for regular activities: Follow the Least-Privileged

Principle. When adding a user to the SQL Server database, for example, only grant them
the access rights and privileges they absolutely need. In many organizations, IT
departments are assailed by requests from power users or knowledge workers who
directly influence the corporate revenue stream (such as doctors, lawyers, engineers,
software developers, and salespersons) to have administrative privileges. In almost all
cases, with rare exceptions, the IT department should deny such requests. In the event a
particular end user is granted administrative privileges, the user should be closely
monitored and must adhere strictly to the companys computer security policies and
procedures or suffer the consequences.
Dont have SQL Server run as a local system or low-level account: This practice is
asking for trouble, since it dilutes the embedded security capabilities of the database,
making it easier prey for internal and external hackers.
Dont grant more privileges than is necessary to do the job: It may be tempting to do
so, because of pleas from an end user, software engineer or even a low-level
administrator. However, indiscriminately bestowing higher level and additional privileges
increases the attack surface and raises the overall risk to the corporation.
Economy of movement: The fewer moving parts to the database, the less opportunity
there is for something to go awry. As Comeau and indeed, all of the DBAs and IT
managers we spoke with noted, the majority of all data loss, as much as 75%, is the result
of human error rather than a technical flaw in the database software.
Pay attention to the SQL Server rules of installation: Always start SQL Server in
default mode, which is the most secure option.
Enable only those functions necessary for your organization: This reduces the attack
surface. If a function is not turned on, theres nothing for a hacker to exploit.
Determine the correct level of security needed for particular applications: SLSs
Sommer, who spent 25 years as both a CIO and CTO, echoes Comeaus advice on
Page 31
limiting privileges to a strictly as-needed basis. He adds that DBAs and IT managers
should solicit and follow the lead of the end users that use the application. Financial
applications, for example, are key to the business, so the chief financial officer should
have control and set the priorities for access; the HR manager should have input into
access privileges for the HR and personnel database and so on, Sommer said.
Physically secure the database Servers: This may seem obvious and indeed it is, but
one of the most common ways to compromise the security of SQL Server or any other
Server-based application is to allow unfettered access to the Server room. The Servers
should always be housed in a physically secure room, with key card access.
Conduct regular data backups and secure data behind the firewalls.
Install SQL Server on its own Server: Do not put SQL Server on the same physical
Server as other Server-based applications, such as Exchange messaging.
Never loan the DBA password unless there is a specific reason to do so: Again, this
should be intuitive, but it isnt always the case. In 1997, a disgruntled former DBA at the
U.S. Coast Guard persuaded a former colleague to loan his password and then proceeded
to hack into the database and alter her own personnel files. The hack exposed weaknesses
in the database, caused the systems to crash and resulted in lost data. The remediation
effort lasted several weeks and cost tens of thousands of dollars.
Use only Microsoft approved, compatible hardware, device drivers and certified
third-party applications with SQL Server: Using non-certified or unapproved
components can result in a rash of security and performance problems ranging from
poorly written installation scripts, which may cause anomalies such as incorrect version
checking, to applications that seemingly work fine in some instances only to crash upon
regular use.
Windows Server Security Best Practices

In terms of security best practices, a very useful tool for customer is the Windows Server 2008
R2 Solution Accelerator. The Windows Server 2008 R2 Security Baseline is part of the
Microsoft Security Compliance Manager tool, related to the Solution Accelerator. It is designed
to provide users with an end-to-end solution to help them plan, deploy, and monitor security
baselines for computers running Windows Server 2008 R2 in their environment.
The Solution Accelerator is available here:
http://technet.microsoft.com/en-us/library/gg236605.aspx
Page 32
Methodology
Microsoft commissioned ITIC to research and write a report on the state of SQL Server security
in the summer/fall of 2010. ITIC interviewed Microsoft security experts and also conducted
independent primary research to verify and validate Microsofts claims regarding the inherent
security of the SQL Server database. ITIC obtained information from NISTs National
Vulnerability Database (NVD), which is the U.S. government repository of standards-based
vulnerability management data. This data enables automation of vulnerability management,
security measurement, and compliance. NVD includes databases of security checklists, security
related software flaws, misconfigurations, product names, and impact metrics.
Microsoft then commissioned ITIC to write this updated version of the original paper in
December 2010. This expanded version contains the latest SQL Server security statistics from
NIST. And it also includes new sections on Windows Server security.
ITIC also conducted three separate, independent Web-based surveys. The ITIC 2010 SQL
Server Security survey, referenced in the Executive Summary, focused specifically on
corporate user experience and satisfaction with Microsoft SQL Server 2005 and SQL Server
2008/SQL Server 2008 R2 security. The ITIC 2010 Technology Trends and Deployment
survey polled 800 customers on a variety of technology issues and usage trends including
databases and server operating systems in June 2010. The most recent survey was the ITIC
2010 - 2011 Global Server Hardware and Server OS Reliability survey. Conducted in October
through December 2010, this Web based survey polled 460 C-level executives and IT
administrators in the reliability and security of 18 different Server Operating Systems and over
one dozen Server hardware platforms. Microsoft had no influence or input into the survey
responses, nor did it sponsor any of the surveys. ITIC accepted no vendor sponsorship monies
from any vendors. ITIC employed authentication and tracking mechanisms to prevent
tampering and to prohibit multiple responses by the same parties. None of the respondents
received any remuneration for their participation in this survey.
The three surveys contained multiple-choice questions and essay responses. ITIC analysts
supplemented the Web surveys by conducting two dozen first-person customer interviews. The
ITIC 2010 Database Deployment Survey was conducted during November/December 2009. It
polled C-level executives and IT managers at 450 corporations worldwide, and queried
organizations on a wide variety of database-related topics including their primary database
vendor, the reason(s) they chose a particular vendor, what business and technology factors
influenced their purchasing decisions, and the likelihood of switching database platforms.
In researching this report, ITIC conducted first-person interviews with one dozen SQL Server
corporate customers in a variety of vertical industries. The industries included academic,
banking and finance, government, healthcare, legal, manufacturing and retail. Anecdotal data
obtained from these interviews validates the survey responses and provides deeper insight into
the database security issues challenges confronting businesses in the immediate and long term.
Page 33
Survey Demographics
Companies of all sizes and all vertical markets were represented in both surveys. Respondents
ranged from small and medium businesses (SMBs) with fewer than 100 workers, to large
enterprises with more than 100,000 employees.
Some 35% of the survey respondents hailed from the SMB segment with 1 to 99 employees;
24% of those polled were from midsize companies with 100 to 499 employees; 6% were drawn
from corporations employing 500 to 999 employees; and 38% of respondents worked in large
enterprises with 1,000 to more than 100,000 workers.
All three surveys were truly global in scope. Approximately 84% of respondents came from
North America. The remaining 16% hailed from 18 countries and regions including Europe,
Asia, Australia, New Zealand, South America and Africa.
The three surveys polled organizations from 37 vertical market segments. The top 10 segments
represented 83% of the respondents in the ITIC 2010 SQL Server Security survey. They are:
IT/technology services provider 15%
Consulting 11%
Government 10%
Manufacturing 9%
Legal 8%
Banking and finance 8%
Healthcare 8%
Academic 6%
Insurance 4%
Construction 4%
The ITIC 2010-2011 Global Server Hardware and Server OS Reliability survey also incorporated
segmentation from 37 vertical markets. The top 10 verticals represented 79 percent of the
participants. They are:
IT/technology services provider 20%

Consulting 11%
Government 10%
Manufacturing 9%
Legal 8%
Banking and finance 9%
Healthcare 8%
Media and Entertainment 6%
Academic 5%
Insurance 4%
Page 34

ITIC Microsoft SQL Server Windows Server Security Paper Final Version

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

ITIC Microsoft SQL Server Windows Server Security Paper Final Version

Hochgeladen von

Copyright:

Verfügbare Formate

INFORMATION TECHNOLOGY

SQL Server 2008 R2 and

NIST Statistics Show SQL Server Records the Least Number

* SQL Server recorded zero

Source: NIST 2010

Statistics as of the end of December 2010

Source: ITIC 2010, All Rights Reserved

Source: NIST 2010

Exhibit 2. Windows Server 2008 R2 Delivers Rock Solid Security

Rate the security of Windows Server 2008 R2

Source: ITIC 2011, All Rights Reserved

Source: ITIC 2010 Copyright All Rights Reserved

New slide 4 (8-25-10)

Exhibit 3. What is Your Experience with SQL Server Security?

Sample size: N = 417

As seen in Exhibit 3 above, Microsofts nearly decade-long Trustworthy Computing Initiative

Exhibit 4. NIST Common Vulnerabilities and Exposures (CVE) Cumulative

NIST Common Vulnerabilities and Exposures (CVE)

Source: ITIC 2010, All Rights Reserved

Source: ITIC 2010 Copyright All Rights Reserved

Data & Analysis

Windows Server Security Steps Up

The latest survey data indicates:

Estimate the impact (or perceived impact) that server

Extremely crucial security and reliability are

Source: ITIC 2011 Copyright All Rights Reserved

Exhibit 6. Estimate how the security of Windows Server 2008

Estimate how the security of Windows Server 2008 R2

NOTE: None of the 468 respondents said

Source: ITIC 2010, All Rights Reserved

Source: ITIC 2011 Copyright All Rights Reserved

Exhibit 7. Rate the Security of your Server Operating Systems

Rate the security of your server operating system(s)

Windows Server 2008

Red Hat Ent. Linux 5

SuSE Linux Ent. 11

IBM AIX 5.3

Apple Mac OS X 10.x

SuSE Linux Enter.10

Windows Server 2008 R2

Red Hat Ent. Linux 5.5

Source: ITIC 2010, All Rights Reserved

Source: ITIC 2011 Copyright All Rights Reserved

Security Intelligence Report (SIR)

Featured intelligence on specific threats and how to combat them

Tips for managing risk

A Reference Guide for discussion points

SQL Server Security Step-by-Step

SQL Server Security Enhancements

Context-switching or impersonation capabilities that enable DBAs to grant users only

Granular permission sets, which is a more flexible, user-friendly way to assign

Transparent data encryption (TDE), which allows an entire database to be encrypted to

All of these security enhancements ensure and support:

Optimal levels of productivity for users, administrators and developers

The overall security and reliability of the SQL Server platform

Stronger Security = Lower TCO, Faster ROI

Tier 1: $37 (based on a duration of up to 30 minutes remediation performed by a single

Tier 3: $360 to $1,800 (based on a duration of four to 10 hours and conservatively

SQL Server Security: Define Your Business Goals

Exhibit 8: Has Your Organization Experienced any SQL

Sample size: N = 417

SQL Server Security: Users Weigh In

Government Sites with SQL Server-Related Content

Microsoft SQL Server Sites