SQL DB Hardening (Gmail print, 25/06/2015)
1. Install the Latest SQL Server Service Packs and Hotfixes

SQL Server patches contain program updates that fix security and product functionality issues found in the software. A patch is delivered as a hotfix (a single patch), a cumulative update (a small group of patches) or a service pack (a large collection of patches). The SQL Server version and patch level should be the most recent that is compatible with the organization's operational needs.

Audit:
    SELECT SERVERPROPERTY('ProductLevel')   AS SP_installed,
           SERVERPROPERTY('ProductVersion') AS Version;

ProductLevel reports the service pack ('RTM', 'SP1', ...); ProductVersion is the full build number, which is what identifies the cumulative update. Compare both against the current builds Microsoft publishes for that major version.

2. Set the 'Ad Hoc Distributed Queries' Server Configuration Option to 0

Ad Hoc Distributed Queries allow users to query data and execute statements on external data sources (OPENROWSET and OPENDATASOURCE against arbitrary providers, without a linked server). This functionality should be disabled. The checklist gives no audit query for this item; the option is read from sys.configurations in the same way as the options that follow, with name = 'Ad Hoc Distributed Queries'.

3. Set the 'CLR Enabled' Server Configuration Option to 0

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'clr enabled';

For this and every sys.configurations check below, both value_configured and value_in_use must equal the recommended value; a configured value that differs from the value in use means the change has not yet been applied with RECONFIGURE.

4. Set the 'Database Mail XPs' Server Configuration Option to 0

Enables the generation and transmission of email messages from SQL Server.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'Database Mail XPs';

5. Set the 'Ole Automation Procedures' Server Configuration Option to 0

Extended stored procedures (sp_OACreate and its companions) that allow SQL Server users to execute functions external to SQL Server by instantiating COM objects.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'Ole Automation Procedures';

6. Set the 'Remote Access' Server Configuration Option to 0

Enables the execution of local stored procedures on remote servers or remote stored procedures on the local server (the legacy remote-server mechanism set up with sp_addserver; linked servers are not governed by this option).

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'remote access';

7. Set the 'Remote Admin Connections' Server Configuration Option to 0

This option defines whether the Dedicated Admin Connection (DAC) is listening on localhost only (0) or on the SQL Server IP address (1). The DAC is the emergency channel a sysadmin uses when the instance is otherwise unresponsive; exposing it on the network widens the attack surface. Leave it at 0 on stand-alone instances. On a failover cluster instance it must be 1, because the DAC is only reachable over the network there.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'remote admin connections';

8. Set the 'Scan For Startup Procs' Server Configuration Option to 0

This option causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup. Before disabling it, list the procedures in master that are flagged as auto-executed (is_auto_executed in sys.procedures): replication and some monitoring traces depend on startup procedures and will stop working.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'scan for startup procs';

9. Set the 'SQL Mail XPs' Server Configuration Option to 0

SQL Mail provides a mechanism to send, receive, delete, and process email messages using SQL Server. SQL Mail was discontinued in SQL Server 2012; if the query returns no row, the feature is not present on the instance.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'SQL Mail XPs';
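The checklist repeats the same sys.configurations lookup once per option. The script below is an added example, not part of the original checklist: it audits every sp_configure option the checklist pins (items 2 to 10 and 15 want 0, item 35 wants 1) in a single pass, adjusts the expectation for the one option that legitimately differs on a failover cluster, and can optionally apply the fixes. The target values are the checklist's own; the @expected table, the column names and the @apply switch are this example's assumptions. Running the remediation part requires the ALTER SETTINGS permission (in practice, sysadmin).

```sql
-- Added example (not from the original checklist): one-pass audit and
-- optional remediation of the server configuration options the checklist
-- requires. @expected, the result column and @apply are this example's own.
SET NOCOUNT ON;
DECLARE @apply bit = 0;   -- 0 = report only, 1 = also run sp_configure

DECLARE @expected TABLE (option_name sysname PRIMARY KEY, expected_value int NOT NULL);
INSERT INTO @expected (option_name, expected_value) VALUES
    ('Ad Hoc Distributed Queries',  0),
    ('clr enabled',                 0),
    ('Database Mail XPs',           0),
    ('Ole Automation Procedures',   0),
    ('remote access',               0),
    ('remote admin connections',    0),
    ('scan for startup procs',      0),
    ('SQL Mail XPs',                0),   -- absent on SQL Server 2012 and later
    ('cross db ownership chaining', 0),
    ('xp_cmdshell',                 0),
    ('default trace enabled',       1);

-- On a failover cluster instance the DAC must be reachable over the network,
-- so the expected value for 'remote admin connections' is 1 there.
UPDATE @expected
SET expected_value = 1
WHERE option_name = 'remote admin connections'
  AND CAST(SERVERPROPERTY('IsClustered') AS int) = 1;

-- value is the configured value, value_in_use the running one. Both must
-- match: a configured value that is not yet in use is a pending RECONFIGURE.
SELECT e.option_name,
       e.expected_value,
       CAST(c.value AS int)        AS value_configured,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE
           WHEN c.name IS NULL                                  THEN 'N/A (option not on this version)'
           WHEN CAST(c.value_in_use AS int) <> e.expected_value THEN 'FAIL'
           WHEN CAST(c.value AS int) <> e.expected_value        THEN 'FAIL (pending RECONFIGURE)'
           ELSE 'PASS'
       END AS result
FROM @expected AS e
LEFT JOIN sys.configurations AS c ON c.name = e.option_name
ORDER BY e.option_name;

IF @apply = 1
BEGIN
    DECLARE @name sysname, @value int;
    DECLARE fix CURSOR LOCAL FAST_FORWARD FOR
        SELECT e.option_name, e.expected_value
        FROM @expected AS e
        JOIN sys.configurations AS c ON c.name = e.option_name
        WHERE CAST(c.value AS int) <> e.expected_value
           OR CAST(c.value_in_use AS int) <> e.expected_value;

    -- Most of these are advanced options, invisible to sp_configure until
    -- 'show advanced options' is 1; the checklist's own xp_cmdshell
    -- remediation (item 15) does the same thing.
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;

    OPEN fix;
    FETCH NEXT FROM fix INTO @name, @value;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sp_configure @configname = @name, @configvalue = @value;
        FETCH NEXT FROM fix INTO @name, @value;
    END
    CLOSE fix;
    DEALLOCATE fix;

    RECONFIGURE WITH OVERRIDE;   -- makes the new values the values in use
END
```

Run it with @apply = 0 first and read the result column; options that are missing on the instance (SQL Mail on newer versions) are reported as N/A rather than as failures, and the cluster adjustment keeps the script from cutting off the DAC on a failover cluster instance.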
10. Set the 'Cross DB Ownership Chaining' Server Configuration Option to 0

This option allows controlling cross-database ownership chaining across all databases. With chaining on, a user who can access a view or procedure in one database can reach objects in another database through an ownership chain without ever being granted permission on them. Setting the server option to 0 does not switch off chaining that has been enabled per database (the DB_CHAINING database option, visible as is_db_chaining_on in sys.databases); check that as well.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'cross db ownership chaining';

11. Set the 'Trustworthy' Database Property to Off

The TRUSTWORTHY option allows database objects to access objects in other databases under certain circumstances. The security concern is escalation: when a database marked TRUSTWORTHY is owned by a sysadmin login (sa is the usual default), members of its db_owner role can run code as the owner and therefore as sysadmin. Anything that genuinely needs cross-database access should use module signing instead.

Audit:
    SELECT name
    FROM sys.databases
    WHERE is_trustworthy_on = 1
      AND name != 'msdb'
      AND state = 0;

msdb is excluded because it is TRUSTWORTHY by design; state = 0 restricts the check to online databases. Any row returned is a finding.

12. Configure SQL Server to use non-standard ports

If enabled, the default SQL Server instance will be assigned a default port of TCP 1433 for TCP/IP communication. Administrators can also configure named instances to use TCP 1433 for communication. TCP 1433 is a widely known SQL Server port and this port assignment should be changed. This is obscurity, not access control: the SQL Server Browser service (UDP 1434) will still tell clients which port a named instance uses, and a port scan will find the listener, so the change must be backed by firewall rules.

Audit (PowerShell, on the server):
    PS C:\> netstat -ano | select-string "1433.+listening"

13. Disable the 'sa' Login Account

The sa account is a widely known and often widely used SQL Server account with sysadmin privileges.

Audit:
    SELECT name, is_disabled
    FROM sys.server_principals
    WHERE sid = 0x01;

Matching on sid = 0x01 rather than on the name finds the account even if it has been renamed; is_disabled = 1 is the compliant result. In Windows Authentication mode sa cannot connect at all, but disable it anyway in case mixed mode is turned on later.

Extended Stored Procedures

14. Revoke Execute on 'xp_availablemedia' to PUBLIC

Lists all available storage devices that may be written to.

The following steps can be used to audit using SQL Server Management Studio:
1. In Object Explorer, navigate to the SQL Server instance and expand the path: Databases\System Databases\master\Programmability\Extended Stored Procedures\System Extended Stored Procedures
2. Locate xp_availablemedia, right-click and select Properties
3. Select the Permissions tab
4. If the 'public' entry does not exist within the Users or Roles listing, the server is in compliance with the recommendation and you can halt further steps. If the 'public' entry does exist, proceed to step 5
5. Select the 'public' entry within the Users or Roles listing
6. If the Grant checkbox for the Execute permission is checked, the public role maintains Execute permission on the procedure and the listed remediation procedure should be followed.

Audit (run in master, where the extended stored procedures live; grantee_principal_id 0 is the public role, so any row returned is a finding):
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_availablemedia')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;
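The TRUSTWORTHY audit in item 11 lists the databases with the property on, but not the two facts that decide how bad a finding is: who owns the database and whether that owner is a sysadmin. The script below is an added example, not part of the original checklist; it extends the item 11 query with that information, ranks each finding, and can optionally switch the property off. The risk labels, column aliases and @apply switch are this example's own assumptions; it needs sysadmin to alter the databases.

```sql
-- Added example (not from the original checklist): TRUSTWORTHY audit with
-- owner and sysadmin context, plus optional remediation. Aliases and the
-- risk wording are this example's own.
SET NOCOUNT ON;
DECLARE @apply bit = 0;   -- 1 = also switch TRUSTWORTHY OFF on the flagged databases

-- A TRUSTWORTHY database owned by a sysadmin lets any db_owner member run
-- code as that owner (EXECUTE AS OWNER) and so act as sysadmin on the whole
-- instance. SUSER_SNAME returns NULL when the owner SID no longer maps to a
-- login; IS_SRVROLEMEMBER then returns NULL and the row falls to MEDIUM.
SELECT d.name                                                   AS database_name,
       d.state_desc,
       SUSER_SNAME(d.owner_sid)                                 AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))   AS owner_is_sysadmin,
       CASE
           WHEN IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
               THEN 'HIGH: db_owner members can escalate to sysadmin'
           ELSE 'MEDIUM: cross-database access with owner rights'
       END                                                      AS risk
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'          -- msdb is TRUSTWORTHY by design
  AND d.state = 0;              -- ONLINE only; other states cannot be altered here

IF @apply = 1
BEGIN
    DECLARE @db sysname, @sql nvarchar(max);
    DECLARE fix CURSOR LOCAL FAST_FORWARD FOR
        SELECT name
        FROM sys.databases
        WHERE is_trustworthy_on = 1 AND name <> 'msdb' AND state = 0;
    OPEN fix;
    FETCH NEXT FROM fix INTO @db;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME protects the dynamic statement from database names that
        -- contain ] or other characters that would otherwise break it.
        SET @sql = N'ALTER DATABASE ' + QUOTENAME(@db) + N' SET TRUSTWORTHY OFF;';
        EXEC sys.sp_executesql @sql;
        FETCH NEXT FROM fix INTO @db;
    END
    CLOSE fix;
    DEALLOCATE fix;
END
```

If an application breaks after TRUSTWORTHY is turned off, the supported replacement is to sign the modules that need cross-database or server-level access with a certificate and grant the certificate-mapped login only what it needs, rather than turning the property back on.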
15. Set the 'xp_cmdshell' option to disabled

The xp_cmdshell procedure allows an authenticated SQL Server user to execute operating system command shell commands and return results as rows within the SQL client. The commands run under the SQL Server service account (or the proxy account configured for non-sysadmin callers), so a compromised login with this right becomes a foothold on the host. Disabling the option does not stop a sysadmin, who can re-enable it with sp_configure at any time; it removes the capability from lower-privileged logins and from injection payloads that do not already run as sysadmin.

Audit:
    EXECUTE sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;
    EXECUTE sp_configure 'xp_cmdshell';

Remediation:
    EXECUTE sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;
    EXECUTE sp_configure 'xp_cmdshell', 0;
    RECONFIGURE WITH OVERRIDE;

16. Revoke Execute on 'xp_dirtree' to PUBLIC

Returns a result set of the directory tree for a given directory path. It accepts UNC paths, so a login that can execute it can make the SQL Server service account authenticate to an attacker-controlled SMB share, a well-known way to capture that account's NTLM credentials.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_dirtree')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

17. Revoke Execute on 'xp_enumgroups' to PUBLIC

This procedure provides a list of local Microsoft Windows groups or a list of global groups that are defined on a specified Windows machine.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_enumgroups')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

18. Revoke Execute on 'xp_fixeddrives' to PUBLIC

Returns a list of all hard drives on the machine and the free space in megabytes for each drive.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_fixeddrives')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

19. Revoke Execute on 'xp_servicecontrol' to PUBLIC

Can be used to start and stop Windows services running on the SQL Server machine.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_servicecontrol')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;
20. Revoke Execute on 'xp_subdirs' to PUBLIC

Lists all subdirectories for a given folder path.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_subdirs')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

The registry procedures in items 21 to 27 run with the rights of the SQL Server service account. Write access through xp_regwrite, xp_regdeletekey or xp_regdeletevalue therefore reaches any key that account can modify, including the instance's own configuration under HKLM, and xp_regread exposes whatever that account can read.

21. Revoke Execute on 'xp_regaddmultistring' to PUBLIC

Adds multiple strings to the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regaddmultistring')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

22. Revoke Execute on 'xp_regdeletekey' to PUBLIC

Deletes registry keys from the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regdeletekey')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

23. Revoke Execute on 'xp_regdeletevalue' to PUBLIC

Deletes values from the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regdeletevalue')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

24. Revoke Execute on 'xp_regenumvalues' to PUBLIC

Enumerates a set of values from a provided registry path.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regenumvalues')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

25. Revoke Execute on 'xp_regremovemultistring' to PUBLIC

Removes multiple strings from the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regremovemultistring')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

26. Revoke Execute on 'xp_regwrite' to PUBLIC

Writes key values to the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regwrite')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

27. Revoke Execute on 'xp_regread' to PUBLIC

Reads key values from the server's registry.

Audit:
    SELECT OBJECT_NAME(major_id) AS 'extended_procedure',
           permission_name,
           'PUBLIC' AS 'to_principal'
    FROM sys.database_permissions
    WHERE major_id = OBJECT_ID('xp_regread')
      AND [type] = 'EX'
      AND grantee_principal_id = 0;

Authentication and Authorization

28. Set the 'Server Authentication' Property to Windows Authentication mode

Uses Windows Authentication to validate attempted connections. In Windows Authentication mode SQL logins (sa included) cannot connect, so password handling, lockout and logon auditing are delegated to Windows or Active Directory.

Audit:
    EXEC xp_loginconfig 'login mode';

The expected config_value is 'Windows NT Authentication'; 'Mixed' means SQL logins are accepted as well.
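Items 14 to 27 run the same sys.database_permissions lookup once per extended stored procedure. The script below is an added example, not part of the original checklist: it runs that lookup over the whole list in one query, distinguishes a GRANT to public (a finding) from a DENY row (not a finding, which the per-procedure queries above do not do), generates the matching REVOKE for each finding and can optionally execute it. The @xps list, column aliases and @apply switch are this example's own assumptions; it runs in master because that is where the extended stored procedures are defined, and revoking needs CONTROL on the procedures (in practice, sysadmin).

```sql
-- Added example (not from the original checklist): one-pass audit of EXECUTE
-- granted to public on the checklist's extended stored procedures, with
-- generated and optionally executed REVOKE statements. @xps and @apply are
-- this example's own.
USE master;
SET NOCOUNT ON;
DECLARE @apply bit = 0;   -- 1 = execute the generated REVOKE statements

DECLARE @xps TABLE (proc_name sysname PRIMARY KEY);
INSERT INTO @xps (proc_name) VALUES
    ('xp_availablemedia'), ('xp_dirtree'), ('xp_enumgroups'),
    ('xp_fixeddrives'), ('xp_servicecontrol'), ('xp_subdirs'),
    ('xp_regaddmultistring'), ('xp_regdeletekey'), ('xp_regdeletevalue'),
    ('xp_regenumvalues'), ('xp_regremovemultistring'), ('xp_regwrite'),
    ('xp_regread');

-- grantee_principal_id 0 is the public role and type 'EX' is EXECUTE, exactly
-- as in the checklist's queries. state 'G' (GRANT) and 'W' (GRANT WITH GRANT
-- OPTION) are findings; a 'D' (DENY) row is not.
SELECT x.proc_name,
       p.state_desc,
       CASE
           WHEN o.object_id IS NULL        THEN 'N/A (procedure not present)'
           WHEN p.state IN ('G', 'W')      THEN 'FAIL'
           ELSE 'PASS'
       END AS result,
       CASE WHEN p.state IN ('G', 'W')
            THEN N'REVOKE EXECUTE ON ' + QUOTENAME(OBJECT_SCHEMA_NAME(o.object_id))
                 + N'.' + QUOTENAME(x.proc_name) + N' FROM PUBLIC;'
       END AS remediation
FROM @xps AS x
LEFT JOIN sys.all_objects AS o
       ON o.name = x.proc_name AND o.type = 'X'   -- X = extended stored procedure
LEFT JOIN sys.database_permissions AS p
       ON p.major_id = o.object_id
      AND p.[type] = 'EX'
      AND p.grantee_principal_id = 0
ORDER BY x.proc_name;

IF @apply = 1
BEGIN
    DECLARE @stmt nvarchar(300);
    DECLARE fix CURSOR LOCAL FAST_FORWARD FOR
        SELECT N'REVOKE EXECUTE ON ' + QUOTENAME(OBJECT_SCHEMA_NAME(o.object_id))
               + N'.' + QUOTENAME(x.proc_name) + N' FROM PUBLIC;'
        FROM @xps AS x
        JOIN sys.all_objects AS o ON o.name = x.proc_name AND o.type = 'X'
        JOIN sys.database_permissions AS p
          ON p.major_id = o.object_id AND p.[type] = 'EX'
         AND p.grantee_principal_id = 0 AND p.state IN ('G', 'W');
    OPEN fix;
    FETCH NEXT FROM fix INTO @stmt;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        EXEC sys.sp_executesql @stmt;
        FETCH NEXT FROM fix INTO @stmt;
    END
    CLOSE fix;
    DEALLOCATE fix;
END
```

Revoking from public does not block a sysadmin, and some third-party monitoring tools call xp_fixeddrives or xp_regread through ordinary logins; check the remediation column against what those logins actually need and grant EXECUTE to a dedicated role rather than restoring it to public.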
29. Revoke CONNECT permissions on the 'guest user' within all SQL Server databases excluding the master, msdb and tempdb

Removes the right of guest users to connect to SQL Server user databases. Any login that can reach the instance maps to guest in a database where it has no user of its own; with CONNECT granted to guest, it can enter that database.

Audit (run in each user database):
    SELECT DB_NAME(), name
    FROM sys.database_principals
    WHERE name = 'guest';

The guest principal exists in every database, so this query only confirms it is present; what decides compliance is whether CONNECT is granted to it, which is recorded in sys.database_permissions. Do not revoke guest's CONNECT in master, msdb or tempdb: the engine depends on it there.

30. Drop Orphaned Users From SQL Server Databases

A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance; it is referred to as orphaned and should be removed.

Audit (run in each database):
    EXEC sp_change_users_login @Action = 'Report';

sp_change_users_login is deprecated and reports only users of SQL-authenticated logins; comparing sys.database_principals with sys.server_principals on the sid column covers Windows users as well.

Password Policies

31. Set the 'MUST_CHANGE' Option to ON for All SQL Authenticated Logins

SQL Server will prompt for an updated password the first time the altered login is used.

1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Logins tab in Object Explorer and expand. Right-click on the desired login and select Properties.
4. Verify the "User must change password at next login" checkbox is checked.

MUST_CHANGE can only be set together with CHECK_EXPIRATION and CHECK_POLICY, and it applies at the moment a password is created or reset; it is a property of new passwords rather than a standing setting.

32. Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role

Applies the same password expiration policy used in Windows to passwords used inside SQL Server. The recommendation is limited to sysadmin members because expiring the password of a login used by an application or service causes an outage when nobody rotates it.

Audit:
    SELECT SQLLoginName = sp.name,
           PasswordExpirationEnforced = CAST(sl.is_expiration_checked AS BIT)
    FROM sys.server_principals AS sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN';

As written, the query lists every SQL login; judge compliance only for those that are members of the sysadmin role.

33. Set the 'CHECK_POLICY' Option to ON for All SQL Authenticated Logins

Applies the same password complexity policy used in Windows to passwords used inside SQL Server, including account lockout after repeated failures where the Windows policy defines it.

Audit:
    SELECT SQLLoginName = sp.name,
           PasswordPolicyEnforced = CAST(sl.is_policy_checked AS BIT)
    FROM sys.server_principals AS sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN';

Auditing and Logging

34. Set the 'Maximum number of error log files' setting to greater than or equal to 12

SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten. The log is recycled at every service restart and each time sp_cycle_errorlog runs, so the default retention of 6 files can lose evidence after a handful of restarts.

1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Management tab in Object Explorer and expand. Right-click on the SQL Server Logs file and select Configure.
4. Verify the "Limit the number of error log files before they are recycled" checkbox is checked.
5. Verify the "Maximum number of error log files" is greater than or equal to 12.

35. Set the 'Default Trace Enabled' Server Configuration Option to 1

The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands. It is a rolling set of five 20 MB files, so it is a short-term record: copy the files off the server, or use SQL Server Audit or Extended Events, when the events must be retained.

Audit:
    SELECT name,
           CAST(value AS int)        AS value_configured,
           CAST(value_in_use AS int) AS value_in_use
    FROM sys.configurations
    WHERE name = 'default trace enabled';

36. Set 'Login Auditing' to Both failed and successful logins

Setting logs both successful and failed SQL Server login authentication attempts.

Audit:
    EXEC xp_loginconfig 'audit level';

The expected config_value is 'all'; 'failure' logs only failed attempts and 'none' disables login auditing. The entries are written to the SQL Server error log, which is why the retention in item 34 matters.
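The login-side checks in items 28, 31 to 33 and 36 are each a separate query, and the guest CONNECT check in item 29 has to be repeated in every user database by hand. The script below is an added example, not part of the original checklist: it reports the authentication mode and login audit level, evaluates every SQL login against the policy items in one result set (reading MUST_CHANGE through LOGINPROPERTY, since it is not a column of sys.sql_logins, and applying the expiration requirement only to sysadmin members), and then runs the correct guest CONNECT test across all online user databases with dynamic SQL. Column aliases, the #guest temp table and the result wording are this example's own assumptions; it needs VIEW ANY DEFINITION on the server and access to each user database (in practice, sysadmin).

```sql
-- Added example (not from the original checklist): login and guest checks in
-- one pass. Aliases, #guest and the result strings are this example's own.
SET NOCOUNT ON;

-- Items 28 and 36. IsIntegratedSecurityOnly = 1 is Windows Authentication
-- mode (the documented equivalent of xp_loginconfig 'login mode');
-- audit level 'all' means both failed and successful logins are logged.
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS windows_auth_only;
EXEC xp_loginconfig 'audit level';

-- Items 31 to 33, one row per SQL login. '##'-prefixed logins are the
-- engine's certificate-based system logins and are skipped.
SELECT sl.name                                              AS sql_login,
       sl.is_disabled,
       CAST(LOGINPROPERTY(sl.name, 'IsMustChange') AS int) AS must_change,
       sl.is_policy_checked                                 AS policy_enforced,
       sl.is_expiration_checked                             AS expiration_enforced,
       IS_SRVROLEMEMBER('sysadmin', sl.name)                AS is_sysadmin,
       CASE
           WHEN sl.is_policy_checked = 0 THEN 'FAIL: CHECK_POLICY off'
           WHEN IS_SRVROLEMEMBER('sysadmin', sl.name) = 1
            AND sl.is_expiration_checked = 0 THEN 'FAIL: sysadmin without CHECK_EXPIRATION'
           ELSE 'PASS'
       END                                                  AS result
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'
ORDER BY sl.name;

-- Item 29. The guest principal exists in every database, so its presence
-- proves nothing; the finding is a GRANT of CONNECT to it. master, msdb and
-- tempdb are excluded, as the item requires, because the engine needs guest
-- there.
IF OBJECT_ID('tempdb..#guest') IS NOT NULL DROP TABLE #guest;
CREATE TABLE #guest (database_name sysname, permission_name nvarchar(128), state_desc nvarchar(60));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE name NOT IN ('master', 'msdb', 'tempdb') AND state = 0;   -- ONLINE only
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch switches context for that batch only;
    -- the temp table created above stays visible to it.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #guest (database_name, permission_name, state_desc)
        SELECT DB_NAME(), permission_name, state_desc
        FROM sys.database_permissions
        WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(''guest'')
          AND permission_name = ''CONNECT''
          AND state_desc = ''GRANT'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Every row here is a finding; fix it inside that database with
-- REVOKE CONNECT FROM guest.
SELECT database_name, permission_name, state_desc
FROM #guest
ORDER BY database_name;
```

An empty #guest result with windows_auth_only = 1, audit level 'all' and no FAIL rows in the login set is the compliant state for these items. Logins that are disabled still appear in the login set on purpose: a disabled login with CHECK_POLICY off becomes a weak credential the moment someone re-enables it.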