This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Improving Web Application Security: Threats and Countermeasures
J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
See the Landing Page for the starting point and a complete overview of Improving Web Application Security: Threats and Countermeasures.
Contents
How to Use This Checklist Installation Considerations for Production Servers Patches and Updates Services Protocols Accounts Files and Directories Shares Ports Registry Auditing and Logging SQL Server Security SQL Server Logins, Users, and Roles SQL Server Database Objects Additional Considerations Staying Secure
How to Use This Checklist
This checklist is a companion to Chapter 18, "Securing Your Database Server." Use it to help you secure a database server and also as a snapshot of the corresponding chapter.
Installation Considerations for Production Servers
Check
Description
Upgrade tools, debug symbols, replication support, books online, and development tools are not installed on the production server.
Microsoft ® SQL Server® is not installed on a domain controller.
SQL Server Agent is not installed if it is not being used by any application.
SQL Server is installed on a dedicated database server.
SQL Server is installed on an NTFS partition.
Windows Authentication mode is selected unless SQL Server Authentication is specifically required, in which case Mixed Mode is selected.
A strong password is applied for the sa account or any other member of the sysadmin role. (Use strong passwords for all accounts.)
Unnecessary Microsoft Windows® services are disabled on the database server.
All optional services, including Microsoft Search Service, MSSQLServerADHelper, and SQLServerAgent, are disabled if not used by any applications.
The Microsoft Distributed Transaction Coordinator (MS DTC) is disabled if it is not being used by any applications.
A least-privileged local/domain account is used to run the various SQL Server services, for example, back up and replication.
Protocols
Check
Description
All protocols except TCP/IP are disabled within SQL Server. Check this using the Server Network Utility.
The TCP/IP stack is hardened on the database server.
Accounts
Check
Description
SQL Server is running using a least-privileged local account (or optionally, a least-privileged domain account if network services are required).
Unused accounts are removed from Windows and SQL Server.
The Windows guest account is disabled.
The administrator account is renamed and has a strong password.
Strong password policy is enforced.
Remote logons are restricted.
Null sessions (anonymous logons) are restricted.
Approval is required for account delegation.
Shared accounts are not used.
Membership of the local administrators group is restricted (ideally, no more than two administration accounts).
Files and Directories
Check
Description
Restrictive permissions are configured on SQL Server installation directories (per the guide).
The Everyone group does not have permission to access SQL Server installation directories.
Setup log files are secured.
Tools, utilities, and SDKs are removed or secured.
Sensitive data files are encrypted using EFS (This is an optional step. If implemented, use EFS only to encrypt MDF files, not LDF log files).
Shares
Check
Description
All unnecessary shares are removed from the server.
Access to required shares is restricted (the Everyone group doesn't have access).
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
Ports
Check
Description
Restrict access to all ports on the server except the ports configured for SQL Server and database instances (TCP 1433 and UDP 1434 by default).
Named instances are configured to listen on the same port.
Port 3389 is secured using IPSec if it is left open for remote Terminal Services administration
The firewall is configured to support DTC traffic (if required by the application).
The Hide server option is selected in the Server Network Utility (optional).
Registry
Check
Description
SQL Server registry keys are secured with restricted permissions.
The SAM is secured (standalone servers only).
Auditing and Logging
Check
Description
All failed Windows login attempts are logged.
All failed actions are logged across the file system.
SQL Server login auditing is enabled.
Log files are relocated from the default location and secured with access control lists.
Log files are configured with an appropriate size depending on the application security requirement.
Where the database contents are highly sensitive or vital, Windows is set to Shut Down mode on overflow of the security logs.
SQL Server Security
Check
Description
SQL Server authentication is set to Windows only (if supported by the application).
The SQL Server audit level is set to Failure or All.
SQL Server runs using a least-privileged account.
SQL Server Logins, Users, and Roles
Check
Description
A strong sa password is used (for all accounts).
SQL Server guest user accounts are removed.
BUILTIN\Administrators server login is removed.
Permissions are not granted for the public role.
Members of sysadmin fixed server role are limited (ideally, no more than two users).
Restricted database permissions are granted. Use of built-in roles, such as db_datareader and db_datawriter, are avoided because they provide limited authorization granularity.
Default permissions that are applied to SQL Server objects are not altered.
SQL Server Database Objects
Check
Description
Sample databases (including Pubs and Northwind) are removed.
Stored procedures and extended stored procedures are secured.
Access to cmdExec is restricted to members of the sysadmin role.
Additional Considerations
Check
Description
A certificate is installed on the database server to support SSL communication and the automatic encryption of SQL account credentials (optional).
NTLM version 2 is enabled by setting LMCompatibilityLevel to 5.
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
.png "patterns & practices Developer Center")
.gif "Ff648235.z02bthcm01(en-us,PandP.10).gif")