OWASP Backend Security Project SQLServer Hardening

= Overview = In this section there are some best practices concerning the security of SQL Server 2005. The operating system under SQL Server is Windows Server 2003.

= Description =

Installation of the Engine
The prerequisites for the installation are:
 * .NET Framework 2.0
 * Microsoft SQL Native Client
 * Microsoft SQL Server 2005 Setup Support Files.

The installation consist of a large amount of services that are shortly descripted: During the installation the thing to remind is that from a security point of view, only what is strictly needed must be installed. To install a tipycal minimal configuration, the SQL Server Database Services and some Client Components (Connectivity components and Management Tools) can be installed.
 * SQL Server Database Services (install SQL Server database engine and tools for managing relational and XML data, replication and full text search)
 * Analysis Services (install analysis services and tools used to support online analytical procession OLAP and data mining. Install also Integration Services)
 * Notification Services (installs notification services a platform for developing and deploying applications that send personalized, timely notifications to a variety of devices or applications)
 * Integration Services (install a set of tools and programmable objects for creating and managing packages that extract, transofrm and load data, as well perform task)
 * Client Components (install management tools, development tools and legacy components)
 * Documentation, samples and sample databases (installs books online documentation, sample databases and sample applications for all sql 2005 components)

Services
In SQL Server every service can run under a particular Windows account. The choices for the service's accounts are:


 * Local user that is not a Windows administrator
 * Domain user that is not a Windows administrator
 * Local Service account
 * Network Service account
 * Local System account
 * Local user that is a Windows administrator
 * Domain user that is a Windows administrator

There is not only a solution to configure the service's account, but there are two rules to follow that enforce to behave in certain way: Follow this, probably an administrator account (local or domain) has much more privileges than needed, indipendently of the service. The Local System account has to many privileges and it's not indicated for a service's account On the other hand Local Service and Network Service have not much privileges, but they are used for more Windows services, so there is no account isolation.
 * minimum privileges
 * account isolation

So the more secure solution for the Sql Server Service's Account is to use Local User or Domain User not Administrators. For example imagine that are installed the trhee main services: The task is to create three Windows Local User Account, belonging to User Group, protected with password, and assign them to the services. In this manner there are exactly two concepts: minimum privileges and account isolation.
 * Sql Server
 * Sql Server Agent
 * Sql Server Browser

Authentication Mode
Sql Server provides two kinds of authentication: SQL Server Authentication and Windows Authentication. During the installation is possible to enable both (Mixed Mode) or only the Windows Authentication (Windows Mode)

If there is an homogeneous Windows environment, the more secure solution is to enable the Windows mode Authentication, because the administration of the logins is made in the Windows Server and the credentials are not passed through the network, because Windows Authentication uses NTLM or Kerberos Protocols. If there is an heterogeneous environment, for example no domain controller or there are some legacy applications that have to connect to Sql Server, only the Mixed Mode solution is possible. In this second case the administration of the logins is made inside SQL Server and the credentials are necessarily passed through the network.

Is important to say that in a Windows Mode Authentication, the "sa" user (system administrator) is not enabled. In a mixed mode is enabled. So in an environment with Mixed Mode Authentication, to avoid the attacks against "sa" user, is better to:
 * rename "sa" with another name
 * use a strong password for the renamed "sa"

Processes
Every services that is installed in Sql Server could be administrated through the tool "Sql Server Configuration Manager" that is possible to install, enabling the client component of Sql Server. With this tool is possible to realize the two best practices for the account's services, assigning to every service a specific account protected with password, that authenticates against Windows. Every service could be started or stopped in a manual or automatic manner, like other Windows Services.

Surface Area Reduction (services and connections)
The Surface Area Reduction is a powerful tool provided with Sql Server 2005 to configure:
 * Services & Connections

Services

Every Service installed could be rapidly managed. It's posssible in every moment to:
 * Manage the status of the service with the possibilities: Start/Stop & Pause/Resume
 * Manage the action of the operating system on startup for that service: Automatic, Manual, Disabled.

The concept is to configure automatic start only for those services that are immediately needed, disabling or manually starting others services that are not necessary.

Connections

For every instance of SQL Server is possible to allow: In a distributed environment probably it's necessary to allow both the connection's type, but it's easy to understand that allowing remote connections expose the server more easily. So for the remote connections Sql Server could allow two kind of protocols: For the normal use the better thing is to configure only TCP/IP, because Named Pipes need more open port to work. Additionally there are others two kinds of connections to the server: VIA (Virtual Interface Adapter protocol ) works with VIA hardware. Shared Memory is a protocol that is possible to use only by local connections. Using the Sql Server Configuration Manager the best solution is enable TCP/IP for remote connections and Shared Memory for the local connections.
 * Only local connection to the server
 * Local and remote connections to the server
 * TCP/IP
 * Named Piped
 * VIA
 * Shared Memory

Surface Area Reduction (features)
This is a series of interfaces for enabling or disabling many Database Engine, Analysis Services, and Reporting Services features. The most important are the features of the Database Engine:


 * Ad hoc distributed queries
 * Common language runtime (CLR) integration
 * Dedicated administrator connection (DAC)
 * Database Mail
 * Native XML Web services
 * OLE Automation stored procedures
 * Service Broker
 * SQL Mail
 * Web Assistant stored procedures
 * xp_cmdshell

Ad hoc distributed queries (default is disabled)

This feature enable the OPENROWSET and OPENDATASOURCE calls, to connect to an OLE DB data source. The reconfiguration to use this feature is:

EXEC sp_configure 'show advanced options',1 reconfigure EXEC sp_configure 'Ad Hoc Distributed Queries',1 reconfigure

It's recommended to disable this feature, because in a case of Sql Injection, an attacker could use OPENROWSET to connect to a database.

Common language runtime (CLR) integration (default is disabled)

This feature give the possibility to write stored procedures, triggers, user defined functions using a .NET Framework language. So if the server is not used with this aim, or if all the databases object are written with T-SQL, there's no reason to enable this. To configure this use:

EXEC sp_configure 'show advanced options',1 reconfigure EXEC sp_configure 'clr enabled',1 reconfigure

Dedicated administrator connection (DAC) (default is disabled)

This feature eneable the possibility to execute diagnostic queries and troubleshoot problems when there are some problems to connect with standard mode to the server. The uses are tipically:
 * Querying some dynamic management views of SQL Server to obtain informations about the "status health"
 * Basic DBCC commands (for example DBCC SHRINKDATABASE to cut the log file)
 * Kill the PID of processes

Asymmetric with certificate
= References =