10 Steps to Help Secure SQL Server 2000

Install the latest service pack.
One of the most effective ways to improve the security of your server is to upgrade to SQL Server 2000 Service Pack 3a (SP3a). To download SP3a, visit the SQL Server 2000 SP3a page.

You should also install every security update that has been released. To subscribe to notifications of new security updates, visit the product security notification page.

Use the Microsoft Baseline Security Analyzer (MBSA) to assess the security of your server.
MBSA is a tool that scans several Microsoft products, including SQL Server and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), for insecure configurations. It can be run locally or across the network. The tool tests SQL Server installations for the following problems:

Too many members of the sysadmin fixed server role.
The right to create CmdExec jobs granted to roles other than sysadmin.
Empty or simple passwords.
Weak authentication mode.
Too many rights granted to the Administrators group.
Incorrect access control lists (ACLs) on the SQL Server data directories.
The sa password left in plain-text setup files.
Too many rights granted to the guest account.
SQL Server running on a system that is also a domain controller.
The Everyone group incorrectly configured with access to specific registry keys.
SQL Server service accounts that are not configured correctly.
Service packs and security updates that have not been installed.
MBSA is available from Microsoft as a free download. For the MBSA documentation and the latest version, visit the MBSA page.
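Several of the items in the list above can be checked directly from the server's own catalog. The following T-SQL script is an added example, not code from the original article and not part of MBSA; it assumes a SQL Server 2000 instance, a connection made by a member of the sysadmin role, and the SQL Server 2000 layout of the sysxlogins and sysusers tables. It only reads configuration and never changes it.

```sql
-- Added example (not part of the original article, and not MBSA code): a
-- read-only T-SQL script that checks a SQL Server 2000 instance for several
-- of the misconfigurations MBSA reports on. Run it from Query Analyzer as a
-- member of the sysadmin role. Only the catalog and server properties are read.
SET NOCOUNT ON

-- 1. Service pack level and authentication mode.
--    ProductLevel is 'RTM' or 'SPn' (SP3a reports 'SP3', since it shares the
--    SP3 build number); IsIntegratedSecurityOnly is 1 for Windows only,
--    0 for mixed mode.
SELECT  SERVERPROPERTY('ProductVersion')           AS product_version,
        SERVERPROPERTY('ProductLevel')             AS service_pack,
        SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only

-- 2. Members of the sysadmin fixed server role. Every login or Windows group
--    listed here has full control of the server; the list should be short.
EXEC master..sp_helpsrvrolemember 'sysadmin'

-- 3. Standard SQL Server logins with an empty password or a password equal
--    to the login name. A blank password is stored as NULL; PWDCOMPARE()
--    hashes the candidate string with the salt stored in sysxlogins and
--    returns 1 on a match, so the stored hash itself is never decoded.
SELECT  name,
        CASE WHEN password IS NULL               THEN 'empty password'
             WHEN PWDCOMPARE(name, password) = 1 THEN 'password equals login name'
        END AS finding
FROM    master..sysxlogins
WHERE   isntname = 0        -- SQL logins only; Windows logins carry no password here
AND     (password IS NULL OR PWDCOMPARE(name, password) = 1)

-- 4. Databases in which the guest user has access. master, tempdb and msdb
--    need guest; any other database listed here deserves a second look.
CREATE TABLE #guest_dbs (db_name sysname)
EXEC master..sp_MSforeachdb
    'IF EXISTS (SELECT 1 FROM [?]..sysusers WHERE name = ''guest'' AND hasdbaccess = 1)
         INSERT #guest_dbs VALUES (''?'')'
SELECT  db_name AS guest_has_access FROM #guest_dbs
DROP TABLE #guest_dbs

-- 5. Login auditing currently in force for the running service. xp_loginconfig
--    reports none, success, failure or all; anything below failure means
--    failed connection attempts are not being recorded.
EXEC master..xp_loginconfig 'audit level'
```

Each result set maps to one MBSA finding: the first to the service pack and authentication mode checks, the second to the sysadmin membership check, the third to empty or simple passwords, the fourth to guest account rights, and the last to whether failed connections are being audited at all.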

Use Windows authentication mode.
Wherever possible, you should require Windows authentication mode for connections to SQL Server. This protects SQL Server from most Internet-based attacks by restricting access to Microsoft Windows® user and domain user accounts. Your server will also benefit from the Windows security mechanisms, such as stronger authentication protocols and mandatory password complexity and expiration. In addition, credential delegation (the ability to pass credentials across multiple servers) is only available in Windows authentication mode. On the client side, Windows authentication mode removes the need to store passwords, and stored passwords are one of the major vulnerabilities of applications that use standard SQL Server logins.

To set Windows authentication mode in SQL Server Enterprise Manager, follow these steps:

Expand the server group.
Right-click the server, and then click Properties.
On the Security tab, under Authentication, click Windows only.
For more information, see "Authentication Modes" in SQL Server Books Online or on MSDN.

Isolate your server and back it up regularly.
Physical and logical isolation form the foundation of SQL Server security. Machines that host databases should be physically protected, ideally in a locked room equipped with flood detection and fire detection and suppression systems. Databases should be installed in a secure zone of the internal network and never connected directly to the Internet. Back up all data regularly and keep a copy in a secure location off site. For backup procedures and other operational best practices, see the SQL Server 2000 Operations Guide.

Assign a strong sa password.
The sa account should always have a strong password, even on servers configured to require Windows authentication. This ensures that no blank or weak sa password is exposed if the server is later reconfigured for mixed mode authentication.

To assign the sa password, follow these steps:

Expand the server group, and then expand the server.
Expand Security, and then click Logins.
In the details pane, right-click SA, and then click Properties.
In the Password box, type the new password.
For more information, see "System Administrator (sa) Login" in SQL Server Books Online or on MSDN.
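The two Enterprise Manager procedures given so far, setting the sa password and switching the server to Windows authentication only, can also be carried out in T-SQL, which is useful when hardening several servers from a script. The block below is an added example, not code from the original article; it assumes a SQL Server 2000 instance, a sysadmin connection, and the standard LoginMode registry value (1 = Windows only, 2 = mixed). The password shown is a placeholder.

```sql
-- Added example (not part of the original article): the T-SQL equivalent of
-- the two Enterprise Manager procedures above, for a SQL Server 2000 instance.
-- Run as a member of sysadmin. 'Replace-With-A-Strong-Passphrase' is a
-- placeholder value and must be replaced before use.

-- 1. Give sa a strong password even though the server will use Windows
--    authentication. The old-password argument is NULL because a sysadmin
--    may set another login's password without supplying the current one.
EXEC master..sp_password NULL, 'Replace-With-A-Strong-Passphrase', 'sa'

-- 2. Switch the server to Windows authentication only. The setting lives in
--    the LoginMode registry value (1 = Windows only, 2 = mixed mode);
--    xp_instance_regwrite resolves the key for whichever default or named
--    instance this session is connected to.
EXEC master..xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'LoginMode',
    REG_DWORD,
    1

-- 3. Read back the mode the running service is using. The registry value is
--    read only at startup, so this still reports mixed mode until the
--    SQL Server service is restarted.
EXEC master..xp_loginconfig 'login mode'
```

Doing step 1 before step 2 matters: once the server is in Windows-only mode the sa login can no longer be used to connect, but its password is still stored, and a later switch back to mixed mode would expose whatever value was left there.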

Limit the privileges of the SQL Server services.
SQL Server 2000 and SQL Server Agent run as Windows services. Each service must be associated with a Windows account, from which it derives its security context. SQL Server allows the sa login (and sometimes other users) to access operating system features. These operating system calls are made in the security context of the account that owns the server process. If the server is compromised, these operating system calls can be used to extend the attack to any other resource that the owning process (the SQL Server service account) can reach. It is therefore very important to grant the SQL Server services only the permissions they need.

We recommend the following settings:
SQL Server Engine / MSSQLServer
If you have named instances, they appear as MSSQL$InstanceName. Run the service as a Windows domain user account with regular user privileges. Do not run it as the Local System, local Administrator, or domain Administrator account.
SQL Server Agent service / SQLServerAgent
Disable this service if your environment does not need it; otherwise, run it as a Windows domain user account with regular user privileges. Do not run it as the Local System, local Administrator, or domain Administrator account.

Important: SQL Server Agent will require local Windows administrator privileges if any of the following conditions applies:

SQL Server Agent connects to SQL Server using standard SQL Server authentication (not recommended).
SQL Server Agent uses a multiserver administration master server (MSX) account that connects using standard SQL Server authentication.
SQL Server Agent runs Microsoft ActiveX® script or CmdExec jobs owned by users who are not members of the sysadmin fixed server role.
If you need to change the account associated with a SQL Server service, use SQL Server Enterprise Manager. Enterprise Manager sets the appropriate permissions on the registry keys and files that SQL Server uses. Do not use the Services snap-in of Microsoft Management Console (in Control Panel) to change these accounts, because doing so requires many manual adjustments to registry keys, NTFS file system permissions, and Microsoft Windows user rights.

For more information, see the Microsoft Knowledge Base article on changing the SQL Server 2000 service account without using Enterprise Manager.

Account changes take effect the next time the service is started. If you need to change the accounts associated with both SQL Server and SQL Server Agent, you must make the change for each of the two services separately in Enterprise Manager.

Disable the SQL Server ports on your firewall.
A default SQL Server installation listens on TCP port 1433 and UDP port 1434. Configure your firewall to filter out packets addressed to these ports. In addition, any other ports associated with named instances should also be blocked at the firewall.

Use a secure file system.
NTFS is the file system best suited to SQL Server installations. It is more stable and more easily recovered than FAT file systems, and it also provides security options such as file and directory ACLs and file encryption (EFS). If NTFS is detected during installation, SQL Server sets the appropriate ACLs on its registry keys and files. These permissions should not be changed.

With EFS, database files are encrypted under the identity of the account that runs SQL Server. Only this account can decrypt the files. If you need to change the account that runs SQL Server, you must first decrypt the files under the old account and then re-encrypt them under the new account.

Delete or secure old setup files.
SQL Server setup files may contain plain-text or weakly encrypted credentials and other sensitive configuration information recorded during installation. Where these log files are kept depends on the version of SQL Server installed. In SQL Server 2000, the following files may be affected: for a default installation, sqlstp.log, sqlsp.log and setup.iss in the Program Files\Microsoft SQL Server\MSSQL\Install folder on the system drive; for named instances, the same files in the Program Files\Microsoft SQL Server\MSSQL$InstanceName\Install folder.

If the current system was upgraded from SQL Server 7.0, you should also check the following files: setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.

Microsoft has released a free utility, Killpwd, that finds and removes these passwords from your system. To learn more about this free download, see the Microsoft Knowledge Base article on service pack installation possibly saving the standard security password in a file.

Audit connections to SQL Server.
SQL Server can log events for review by the system administrator. At a minimum, you should log failed connection attempts to SQL Server and review the logs regularly. Where possible, do not store these logs on the same hard disk as the data files.

To audit failed connections in SQL Server Enterprise Manager, follow these steps:

Expand the server group.
Right-click the server, and then click Properties.
On the Security tab, under Audit level, click Failure.
For this setting to take effect, you must stop and restart the server.

For more information, see "SQL Server 2000 Auditing" on Microsoft TechNet, and "Using the Audit Log" in SQL Server Books Online or on MSDN.
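The audit level can also be set from T-SQL, and once failed logins are being recorded the error log is the place to review them. The block below is an added example, not code from the original article; it assumes a SQL Server 2000 instance, a sysadmin connection, the standard AuditLevel registry value (0 = none, 1 = success, 2 = failure, 3 = all), and the two-column result set that xp_readerrorlog returns on SQL Server 2000.

```sql
-- Added example (not part of the original article): set the login audit
-- level without Enterprise Manager, then review failed logins from the
-- current error log. Run as a member of sysadmin on SQL Server 2000.

-- 1. AuditLevel registry value: 0 = none, 1 = successful logins,
--    2 = failed logins, 3 = both. Failure (2) is the minimum recommended
--    above; 3 produces more log volume but also shows who connects successfully.
EXEC master..xp_instance_regwrite
    N'HKEY_LOCAL_MACHINE',
    N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    REG_DWORD,
    2

-- 2. Confirm what the running service is using. As with the login mode,
--    the new value is only picked up when the service is restarted.
EXEC master..xp_loginconfig 'audit level'

-- 3. Capture the current error log into a temp table so it can be filtered.
--    Assumption: on SQL Server 2000 xp_readerrorlog returns two columns,
--    the log line and a continuation-row flag. The identity column keeps
--    the original line order.
CREATE TABLE #errorlog (
    id               int IDENTITY(1, 1),
    logline          nvarchar(4000),
    continuation_row int
)
INSERT #errorlog (logline, continuation_row) EXEC master..xp_readerrorlog

-- 4. Every failed login, in the order it was logged. Each line carries the
--    timestamp, so a burst of failures against one login stands out.
SELECT  logline
FROM    #errorlog
WHERE   logline LIKE '%Login failed%'
ORDER BY id

-- 5. The same failures grouped by message text, most frequent first. The
--    message names the login that was tried, so this shows which accounts
--    are being targeted and which applications have stale credentials.
SELECT  SUBSTRING(logline, CHARINDEX('Login failed', logline), 200) AS message,
        COUNT(*) AS occurrences
FROM    #errorlog
WHERE   logline LIKE '%Login failed%'
GROUP BY SUBSTRING(logline, CHARINDEX('Login failed', logline), 200)
ORDER BY occurrences DESC

DROP TABLE #errorlog
```

Because the error log is recycled each time the service restarts, a review that runs on a schedule should be paired with archiving of the older log files (errorlog.1, errorlog.2 and so on) so that failures recorded before a restart are not lost.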
