Security Best Practices Checklist

Physical security

• Ensure the physical security of your server.

Isolation of services

• Isolate services to reduce the risk that a compromised service could be used to compromise others.

• Never install SQL Server on a domain controller.

• Run separate SQL Server services under separate Windows accounts.

• In a multi-tier environment, run Web logic and business logic on separate computers.

File System

• Use NTFS.

• Use RAID for critical data files.

Latest version and service pack

• Always install the latest service packs and security patches.

Authentication mode

• Require Windows Authentication for connections to SQL Server.

Delete or secure old setup files

• Delete or archive the following files after installation: sqlstp.log, sqlsp.log, and setup.iss in the <systemdrive>:\Program Files\Microsoft SQL Server\MSSQL\Install folder for a default installation, and the <systemdrive>:\Program Files\Microsoft SQL Server\ MSSQL$<Instance Name>\Install folder for named instances.

• If the current system is an upgrade from SQL Server 7.0, delete the following files: setup.iss in the %Windir% folder, and sqlsp.log in the Windows Temp folder.

Set login auditing level

• Set login auditing level to failure or all.

Secure sa even in Windows Authentication Mode

• Assign a strong password to the sa account, even on servers that are configured to require Windows Authentication.

Security model

• Learn to work with the SQL Server security model.

Surface and feature reduction

• Reduce the surface area of your system that is exposed to attack by running only those services and features needed in your environment.

Strong passwords

• Ensure that you use complex passwords for all SQL Server accounts.

Xp_cmdshell

• By default, only members of the sysadmin role can execute xp_cmdshell. You should not change this default.

• Do not grant execute permission on xp_cmdshell to users who are not members of the sysadmin role.

Roles and groups

• Collect users into SQL Server roles or Windows groups to simplify permissions administration.

Distributed queries

• When setting up SQL Server in an environment that supports distributed queries, use linked servers rather than remote servers.

• Allow linked server access only to those logins that need it.

• Disable ad hoc data access on all providers except SQL OLE DB, for all users except members of the sysadmin fixed server role.

• Allow ad hoc data access only on trusted providers.

Service accounts

• If you need to change the account associated with a SQL Server service, use SQL Server Enterprise Manager.

• If you change multiple services, you must apply the changes to each service separately using Enterprise Manager.

Microsoft Baseline Security Analyzer

• Add MBSA to your weekly maintenance schedule, and follow up on any security recommendations that it makes.

Enumerate fixed role membership

• Periodically scan fixed server and database roles to ensure that membership is only granted to trusted individuals.

Login-to-user mapping

• Ensure that the mapping between database users and logins at the server level is correct.

• Run sp_change_users_login with the report option regularly to ensure that the mapping is as expected.

Cross database ownership chaining

• Use sp_dboption to enumerate and validate databases for which cross database ownership chaining has been enabled.

Instance detection and enumeration

• Keep an inventory of all versions, editions, and languages of SQL Server for which you are responsible.

• Include instances of MSDE in your inventory.

• Use SQL Scan and SQL Check, available from the Microsoft Web site, to scan for instances of SQL Server within your domain.

Patch application

• Maintain test systems that match the configuration of you production systems, and are readily available for testing new patches.

• Test patches carefully before applying them to production systems.

• Consider patching development systems with relatively little testing.

Use ownership chaining effectively

• Use ownership chaining within a single database to simplify permissions management.

• Avoid using cross database ownership chaining when possible.

• If you must use cross database ownership chaining, ensure that the two databases are always deployed as a single administrative unit.

Turn on encryption (SSL or IPSEC)

• Enable encrypted connections to your server, and consider allowing only encrypted connections.

• When allowing SQL Server Authentication, you are strongly urged to encrypt either the network layer with IPSec or the session with SSL.

Prevent SQL injection

• Defend against SQL injection by validating all user input before transmitting it to the server.

• Limit the scope of possible damage by permitting only minimally privileged accounts to send user input to the server.

• Run SQL Server itself with the least necessary privileges.

Same/trusted domain (complete Windows Authentication)

If the application server and the database server are within the same domain, or within trusted domains, you should use Windows Authentication and configure for "full provisioning" in which all client contexts are tunneled to SQL Server. This makes it possible to audit all users who access SQL Server, enables Windows security policy enforcement, and makes it unnecessary to store credentials in the middle tier. In this scenario, the client connects to the application server, which in turn impersonates the client and connects to SQL Server.

• Every user on the application server must have a valid Windows login on the database server and delegation must be enabled.

• All systems interacting in this scenario, including the Domain Controller, must run Windows 2000 or higher.

• The account the application is running under must be trusted for delegation (that is, the Active Directory option Account is trusted for delegation must be turned on for this account).

• The client account must be able to be delegated (ensure that the Active Directory user account option Account is trusted and cannot be delegated is unchecked).

• The application service must have a valid Service Principal Name (SPN).

  Note: Full provisioning is not recommended in cross-enterprise or Internet-scale installations, when your security plan calls for minimizing user access to the database server, or in enterprises with policies prohibiting delegation.

Different non-trusted domains or no domains (no Windows Authentication)

When Windows Authentication between tiers is not possible, you should require SSL encryption of the login sequence. Encrypting the entire session is preferable.

• You should also use DPAPI to encrypt credentials that must be stored.

• You should store encrypted credentials in a registry key protected with an ACL.

Understanding various security issues

• Ensure that members of your development team understand major security issues: current threats, security trends, changing security environments, and attack scenarios.

• Require relevant security training for all developers and testers.

• Increase the awareness of issues like cross-site scripting, buffer overflows, SQL injection, and dangerous APIs.

• Identify specific categories of threats that apply to your product — for example, denial of service, escalation of privileges, spoofing, data tampering, information disclosure and repudiation.

• Analyze security threats to your product, component-by-component.

• Create a security threat checklist based on your product.

• Add security reviews to all stages (from design to testing) of your product development cycle.