SQL Server Security – Additional Resources
The intellectual property (IP) stored in SQL Server by your PLM system may be your firm's greatest asset. Its value exceeds that of credit card records (a lost credit card can be cancelled; lost IP cannot). It is the equivalent of a state secret for your firm. The logical approach is not to reinvent security standards but to implement existing best practices. Below are some resources you should review beyond those provided by the SQL Server Best Practices Analyzer, which I covered in a prior post.
Payment Card Industry Security Standards Council
The PCI SSC's Data Security Standard (PCI DSS) is a mature standard with auditor certifications and regular security reviews. They publish a Self-Assessment Questionnaire that is well worth completing, and there is a useful collection of related documents in their standards library. A little translation is needed: wherever you see "card", substitute IP. I have already posted on how to implement some of these requirements on SQL Server.
NIST Security Automation Agenda
The National Institute of Standards and Technology has been active with industry in developing security standards and components, because doing so is very much in the national interest. Its work covers vulnerability and configuration issues across a wide range of products.
Checklists
NIST maintains a checklist repository of best configuration practices at https://web.nvd.nist.gov/view/ncp/repository. For SQL Server you will find the following documents:
- Defense Information Systems Agency, Database Security Checklist for MS SQL Server 2005 (Version 8, Release 1.4)
- Center for Internet Security (CIS), CIS SQL Server 2005 Benchmark (v1.1.1)
Of course, you also need to secure the server itself, and for that you will find the following documents:
- Microsoft Corporation
  - Windows Server 2008 Security Guide (Microsoft-Produced) (1.0)
  - Microsoft Security Compliance Manager - Microsoft Windows Server 2008 R2 (1.0)
  - Microsoft Security Compliance Manager - Windows Server 2008 SP2 (1.0)
  - Microsoft Security Compliance Manager - Windows Server 2003 SP2 (1.0)
  - Windows Server 2003 Security Guide for Member Servers (2.1)
- Center for Internet Security (CIS)
- Defense Information Systems Agency
Many firms provide certified tools that check (and in some cases fix) the above items; see the Security Content Automation Protocol (SCAP) Validation Program.
National Vulnerability Database
The Department of Homeland Security National Cyber Security Division/US-CERT maintains a database of known software vulnerabilities to which Microsoft and others contribute. The unfortunate reality is that not all vulnerabilities are fixed the day after they are discovered; for an example, see "Apple Safari, Microsoft IE 8 Hijacked by Hackers at Pwn2Own Contest". Most vulnerabilities can be mitigated – for example by turning off or uninstalling a feature that is not used, by moving machines to isolated networks, or by changing firewall settings. The database is at https://nvd.nist.gov/.
Software: Microsoft Security Compliance Manager
The Microsoft Security Compliance Manager may be used with some of the resources above to examine the security of your PLM system. It provides centralized security baseline management, a baseline portfolio, customization capabilities, and flexible export of security baselines. This free product may be downloaded here.
Software: Firewall, Virus and other products
These items do not need to be explained in detail. One problematic scenario occurs when the server running SQL Server is isolated from the internet (a good idea!) but the virus detection program expects to fetch its updates from the internet. In that case the latest virus definitions may never reach the program, leaving a security exposure. You may wish to explicitly confirm that this is not the case with your server.
User Community
Several websites have good user content worth reviewing (as always, no responsibility is taken for bad content or side effects). Always evaluate any advice on a test system first, because it may conflict with how your PLM does things. A few websites are:
Books
There are several books available dealing with SQL Server security, including:
- SQL Injection Attacks and Defense, Justin Clarke, Syngress, 2009
- The Database Hacker's Handbook: Defending Database Servers, David Litchfield, Chris Anley, John Heasman, Bill Grindlay, Wiley, 2005
- Implementing Database Security and Auditing: Includes Examples for Oracle, SQL Server, DB2 UDB, Sybase, Ron Ben Natan, Digital Press, 2005
- SQL Server Security Distilled, Morris Lewis, Apress, 2004
- SQL Server Security, David Litchfield, McGraw-Hill Osborne Media, 2003
Unfortunately, there is no comprehensive book dealing with security for SQL Server 2008 R2.