25/06/2015

SQL DB Hardening

1. Install the Latest SQL Server Service Packs and Hotfixes

SQL Server patches contain program updates that fix security and product functionality issues found in the software. These patches can be installed with a hotfix, which is a single patch; a cumulative update, which is a small group of patches; or a service pack, which is a large collection of patches. The SQL Server version and patch levels should be the most recent compatible with the organization's operational needs.

Audit:
    SELECT SERVERPROPERTY('ProductLevel') as SP_installed,
           SERVERPROPERTY('ProductVersion') as Version

2. Set the 'Ad Hoc Distributed Queries' Server Configuration Option to 0

Ad Hoc Distributed Queries allow users to query data and execute statements on external data sources. This functionality should be disabled.

3. Set the 'CLR Enabled' Server Configuration Option to 0

The clr enabled option specifies whether user assemblies can be run by SQL Server.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'clr enabled'

4. Set the 'Database Mail XPs' Server Configuration Option to 0

Enables the generation and transmission of email messages from SQL Server.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Database Mail XPs'

5. Set the 'Ole Automation Procedures' Server Configuration Option to 0

Extended stored procedures that allow SQL Server users to execute functions external to SQL Server.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Ole Automation Procedures'

6. Set the 'Remote Access' Server Configuration Option to 0

Enables the execution of local stored procedures on remote servers or remote stored procedures on the local server.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Remote access'

7. Set the 'Remote Admin Connections' Server Configuration Option to 0

This option defines whether the Dedicated Admin Connection (DAC) is listening on localhost only or on the SQL Server IP address.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Remote admin connections'

8. Set the 'Scan For Startup Procs' Server Configuration Option to 0

This option causes SQL Server to scan for and automatically run all stored procedures that are set to execute upon service startup.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Scan for startup procs'

9. Set the 'SQL Mail XPs' Server Configuration Option to 0

SQL Mail provides a mechanism to send, receive, delete, and process email messages using SQL Server.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'SQL Mail XPs'

10. Set the 'Cross DB Ownership Chaining' Server Configuration Option to 0

This option allows controlling cross database ownership chaining across all databases.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Cross db ownership chaining'

11. Set the 'Trustworthy' Database Property to Off

The TRUSTWORTHY option allows database objects to access objects in other databases under certain circumstances.

Audit:
    SELECT name
    FROM sys.databases
    WHERE is_trustworthy_on = 1
      AND name != 'msdb'
      AND state = 0

12. Configure SQL Server to use non-standard ports

If enabled, the default SQL Server instance will be assigned a default port of TCP:1433 for TCP/IP communication. Administrators can also configure named instances to use TCP:1433 for communication. TCP:1433 is a widely known SQL Server port and this port assignment should be changed.

Audit:
    PS C:\> netstat -ano | select-string "1433.+listening"

13. Disable the 'sa' Login Account

The sa account is a widely known and often widely used SQL Server account with sysadmin privileges.

Audit:
    SELECT name, is_disabled
    FROM sys.server_principals
    WHERE sid = 0x01

Extended Stored Procedures

14. Revoke Execute on 'xp_availablemedia' to PUBLIC

Lists all available storage devices that may be written to.

The following steps can be used to audit using SQL Server Management Studio:
1. In Object Explorer, navigate to the SQL Server instance and expand the path: Databases\System Databases\master\Programmability\Extended Stored Procedures\System Extended Stored Procedures
2. Locate xp_availablemedia, right click and select Properties
3. Select the Permissions tab
4. If the 'public' entry does not exist within the Users or Roles listing, the server is in compliance with the recommendation and you can halt further steps. If the 'public' entry does exist, proceed to step 5
5. Select the 'public' entry within the Users or Roles listing
6. If the Grant checkbox for the Execute permission is checked, the Public role maintains Execute permission on the procedure and the listed remediation procedure should be followed.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_availablemedia') AND [type] = 'EX'
      AND grantee_principal_id = 0
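The per-option audit queries in items 2 to 10 all read the same catalog view, so they can be folded into one pass. The following T-SQL is an added example (not part of the original checklist) that compares every option listed above, plus 'xp_cmdshell' (item 15) and 'default trace enabled' (item 35) from later in the list, against the value the checklist expects; it assumes the caller is allowed to read sys.configurations.

```sql
-- Added example, not part of the original checklist: one pass over
-- sys.configurations for items 2 to 10, plus 'xp_cmdshell' (item 15) and
-- 'default trace enabled' (item 35), each compared with the expected value.
SELECT e.option_name,
       e.expected_value,
       CAST(c.value        AS int) AS value_configured,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE
           WHEN c.name IS NULL THEN 'NOT PRESENT'   -- option removed in this version
           WHEN CAST(c.value        AS int) = e.expected_value
            AND CAST(c.value_in_use AS int) = e.expected_value THEN 'PASS'
           ELSE 'FAIL'                              -- wrong, or a change still pending
       END AS result
FROM (VALUES
        (N'Ad Hoc Distributed Queries',  0),
        (N'clr enabled',                 0),
        (N'Database Mail XPs',           0),
        (N'Ole Automation Procedures',   0),
        (N'remote access',               0),
        (N'remote admin connections',    0),
        (N'scan for startup procs',      0),
        (N'SQL Mail XPs',                0),
        (N'cross db ownership chaining', 0),
        (N'xp_cmdshell',                 0),
        (N'default trace enabled',       1)   -- the one option that must stay on
     ) AS e(option_name, expected_value)
LEFT JOIN sys.configurations AS c
       -- explicit collation avoids a conflict when the current database's
       -- collation differs from the server collation
       ON c.name COLLATE DATABASE_DEFAULT = e.option_name
-- 'FAIL' and 'NOT PRESENT' sort ahead of 'PASS'
ORDER BY result, e.option_name;
```

A row where value_configured and value_in_use disagree means RECONFIGURE has not been run since the option was changed, so the running instance still has the old setting.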

15. Set the 'xp_cmdshell' option to disabled

The xp_cmdshell procedure allows an authenticated SQL Server user to execute operating system command shell commands and return results as rows within the SQL client.

Audit:
    EXECUTE sp_configure 'show advanced options', 1
    RECONFIGURE WITH OVERRIDE
    EXECUTE sp_configure 'xp_cmdshell'

Remediation:
    EXECUTE sp_configure 'show advanced options', 1
    RECONFIGURE WITH OVERRIDE
    EXECUTE sp_configure 'xp_cmdshell', 0
    RECONFIGURE WITH OVERRIDE

16. Revoke Execute on 'xp_dirtree' to PUBLIC

Returns a result set of the directory tree for a given directory path.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_dirtree') AND [type] = 'EX'
      AND grantee_principal_id = 0

17. Revoke Execute on 'xp_enumgroups' to PUBLIC

This procedure provides a list of local Microsoft Windows groups or a list of global groups that are defined in a specified Windows machine.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_enumgroups') AND [type] = 'EX'
      AND grantee_principal_id = 0

18. Revoke Execute on 'xp_fixeddrives' to PUBLIC

Returns a list of all hard drives on the machine and the space free in megabytes for each drive.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_fixeddrives') AND [type] = 'EX'
      AND grantee_principal_id = 0

19. Revoke Execute on 'xp_servicecontrol' to PUBLIC

Can be used to start and stop Windows services running on the SQL Server machine.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_servicecontrol') AND [type] = 'EX'
      AND grantee_principal_id = 0

20. Revoke Execute on 'xp_subdirs' to PUBLIC

Lists all subdirectories listed for a given folder path.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_subdirs') AND [type] = 'EX'
      AND grantee_principal_id = 0

21. Revoke Execute on 'xp_regaddmultistring' to PUBLIC

Adds multiple strings to the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regaddmultistring') AND [type] = 'EX'
      AND grantee_principal_id = 0

22. Revoke Execute on 'xp_regdeletekey' to PUBLIC

Deletes registry keys from the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regdeletekey') AND [type] = 'EX'
      AND grantee_principal_id = 0

23. Revoke Execute on 'xp_regdeletevalue' to PUBLIC

Deletes values from the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regdeletevalue') AND [type] = 'EX'
      AND grantee_principal_id = 0

24. Revoke Execute on 'xp_regenumvalues' to PUBLIC

Enumerates a set of values from a provided registry path.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regenumvalues') AND [type] = 'EX'
      AND grantee_principal_id = 0

25. Revoke Execute on 'xp_regremovemultistring' to PUBLIC

Removes multiple strings from the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regremovemultistring') AND [type] = 'EX'
      AND grantee_principal_id = 0

26. Revoke Execute on 'xp_regwrite' to PUBLIC

Writes key values to the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regwrite') AND [type] = 'EX'
      AND grantee_principal_id = 0

27. Revoke Execute on 'xp_regread' to PUBLIC

Reads key values from the server's registry.

Audit:
    select OBJECT_NAME(major_id) as 'extended_procedure', permission_name,
           'PUBLIC' as 'to_principal'
    from sys.database_permissions
    where major_id = OBJECT_ID('xp_regread') AND [type] = 'EX'
      AND grantee_principal_id = 0

Authentication and Authorization

28. Set the 'Server Authentication' Property to Windows Authentication mode

Uses Windows Authentication to validate attempted connections.

Audit:
    xp_loginconfig 'login mode'
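Items 14 and 16 to 27 each run the same permission query against one extended stored procedure. The following T-SQL is an added example (not part of the original checklist) that audits all thirteen in one query from master, where these procedures live, and returns a ready-to-review REVOKE statement for every one PUBLIC can still execute; it assumes the caller can read master's permission catalog and revokes nothing by itself.

```sql
-- Added example, not part of the original checklist: audits every extended
-- stored procedure from items 14 and 16 to 27 in one query. The procedures
-- are defined in master, so master's permission catalog is the one to check.
USE master;

SELECT p.proc_name,
       CASE WHEN dp.major_id IS NULL THEN 'PASS' ELSE 'FAIL' END AS result,
       -- remediation is returned as text for review, not executed here
       CASE WHEN dp.major_id IS NULL THEN NULL
            ELSE N'REVOKE EXECUTE ON ' + QUOTENAME(p.proc_name) + N' FROM PUBLIC;'
       END AS remediation
FROM (VALUES
        (N'xp_availablemedia'), (N'xp_dirtree'),   (N'xp_enumgroups'),
        (N'xp_fixeddrives'),    (N'xp_servicecontrol'), (N'xp_subdirs'),
        (N'xp_regaddmultistring'), (N'xp_regdeletekey'), (N'xp_regdeletevalue'),
        (N'xp_regenumvalues'),  (N'xp_regremovemultistring'),
        (N'xp_regwrite'),       (N'xp_regread')
     ) AS p(proc_name)
LEFT JOIN sys.database_permissions AS dp
       ON dp.major_id = OBJECT_ID(p.proc_name)       -- same lookup the checklist uses
      AND dp.class = 1                               -- object-level permission
      AND dp.[type] = 'EX'                           -- EXECUTE
      AND dp.state IN ('G', 'W')                     -- GRANT or GRANT WITH GRANT OPTION
      AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')  -- 0, as in the checklist
ORDER BY result, p.proc_name;
```

Filtering on dp.state excludes DENY rows, which the checklist's own query would otherwise report as a grant.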

29. Revoke CONNECT permissions on the 'guest user' within all SQL Server databases excluding the master, msdb and tempdb

Removes the right of guest users to connect to SQL Server user databases.

Audit:
    SELECT DB_NAME(), name
    FROM sys.database_principals
    WHERE name = 'guest'

30. Drop Orphaned Users From SQL Server Databases

A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance, is referred to as orphaned, and should be removed.

Audit:
    EXEC sp_change_users_login @Action = 'Report'

Password Policies

31. Set the 'MUST_CHANGE' Option to ON for All SQL Authenticated Logins

SQL Server will prompt for an updated password the first time the altered login is used.

1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Logins tab in Object Explorer and expand. Right click on the desired login and select Properties.
4. Verify the User must change password at next login checkbox is checked.

32. Set the 'CHECK_EXPIRATION' Option to ON for All SQL Authenticated Logins Within the Sysadmin Role

Applies the same password expiration policy used in Windows to passwords used inside SQL Server.

Audit:
    SELECT SQLLoginName = sp.name,
           PasswordExpirationEnforced = CAST(sl.is_expiration_checked AS BIT)
    FROM sys.server_principals sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN'

33. Set the 'CHECK_POLICY' Option to ON for All SQL Authenticated Logins

Applies the same password complexity policy used in Windows to passwords used inside SQL Server.

Audit:
    SELECT SQLLoginName = sp.name,
           PasswordPolicyEnforced = CAST(sl.is_policy_checked AS BIT)
    FROM sys.server_principals sp
    JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
    WHERE sp.type_desc = 'SQL_LOGIN'

Auditing and Logging

34. Set the 'Maximum number of error log files' setting to greater than or equal to 12

SQL Server error log files must be protected from loss. The log files must be backed up before they are overwritten.

1. Open SQL Server Management Studio.
2. Open Object Explorer and connect to the target instance.
3. Navigate to the Management tab in Object Explorer and expand. Right click on the SQL Server Logs file and select Configure.
4. Verify the Limit the number of error log files before they are recycled checkbox is checked.
5. Verify the Maximum number of error log files is greater than or equal to 12.

35. Set the 'Default Trace Enabled' Server Configuration Option to 1

The default trace provides audit logging of database activity including account creations, privilege elevation and execution of DBCC commands.

Audit:
    SELECT name,
           CAST(value as int) as value_configured,
           CAST(value_in_use as int) as value_in_use
    FROM sys.configurations
    WHERE name = 'Default trace enabled'
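The login checks in items 13, 31, 32 and 33 all come from sys.sql_logins, and the guest check in item 29 has to be evaluated inside each database rather than from the server level. The following T-SQL is an added example (not part of the original checklist) that produces one result set for the login items, with CHECK_EXPIRATION only required of sysadmin members as item 32 states, and a second listing every online user database where guest still holds CONNECT; it assumes a sysadmin login, since it enters every database.

```sql
-- Added example, not part of the original checklist: items 13, 31 to 33
-- (SQL logins) in one result set, then item 29 (guest CONNECT) per database.
SELECT sl.name,
       sl.is_disabled,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       -- MUST_CHANGE clears once the password is changed, so 0 here is
       -- informational only, not by itself a failure of item 31
       LOGINPROPERTY(sl.name, 'IsMustChange') AS is_must_change,
       IS_SRVROLEMEMBER('sysadmin', sl.name) AS is_sysadmin,
       CASE
           WHEN sl.sid = 0x01 AND sl.is_disabled = 0 THEN 'FAIL: sa enabled'
           WHEN sl.is_policy_checked = 0 THEN 'FAIL: CHECK_POLICY off'
           WHEN IS_SRVROLEMEMBER('sysadmin', sl.name) = 1
            AND sl.is_expiration_checked = 0 THEN 'FAIL: sysadmin without CHECK_EXPIRATION'
           ELSE 'PASS'
       END AS result
FROM sys.sql_logins AS sl
ORDER BY result, sl.name;

-- Item 29: guest may keep CONNECT only in master, msdb and tempdb. The
-- permission catalog is per database, so the check is run inside each one.
DECLARE @findings TABLE (database_name sysname, permission_name nvarchar(128),
                         state_desc nvarchar(60));
DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name NOT IN (N'master', N'msdb', N'tempdb') AND state_desc = N'ONLINE';
OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), dp.permission_name, dp.state_desc
        FROM sys.database_permissions AS dp
        JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
        WHERE pr.name = N''guest'' AND dp.permission_name = N''CONNECT''
          AND dp.state_desc = N''GRANT'';';
    INSERT INTO @findings EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END;
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- every row is a user database where guest can still connect (item 29 FAIL)
SELECT * FROM @findings ORDER BY database_name;
```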

36. Set 'Login Auditing' to Both failed and successful logins

This setting logs both successful and failed SQL Server authentication attempts.

Audit:
    XP_loginconfig 'audit level'