The document discusses the importance of database security, highlighting the risks associated with sensitive data and potential attacks on other systems. It outlines general strategies for hardening databases across Oracle, SQL Server, and MySQL, emphasizing principles such as least privilege, password security, and disabling unnecessary components. Additionally, it provides specific recommendations for securing each database type, including managing default accounts and using encryption for sensitive data traffic.
DATABASE SECURITY

"The more you sweat in training, the less you'll bleed in battle."

Robert Vinson ~ IT Security Analyst
The University of Iowa

OUTLINE
o Why is database security important?
o Our environment
o General Strategies and Tactics for Hardening Databases
o Oracle
o SQL Server
o MySQL

WHY IS DATABASE SECURITY IMPORTANT?
o Databases often store data which is sensitive in nature
o Incorrect data or loss of data could negatively affect business operations
o Databases can be used as bases to attack other systems from

OUR ENVIRONMENT
Database Services* (chart: counts of SQL Server, Oracle and MySQL instances found)

*Figures found by scanning for open ports commonly used by the respective software.

HARDENING DATABASES — GENERAL STRATEGIES AND TACTICS
o Principle of Least Privilege!
o Stay up-to-date on patches
o Remove/disable unneeded default accounts
o Firewalling/Access Control
o Running database processes under a dedicated non-privileged account
o Password Security
o Disable unneeded components
o Stored Procedures and Triggers

PRINCIPLE OF LEAST PRIVILEGE
o If X service doesn't need access to all tables in Y database... then don't give it access to all tables.
  « Example: A web application that reads a list of people from a database and lists them on a website. The database also contains sensitive information about those people. The account used by the web application should not be allowed to read the table that contains sensitive non-public information.
o Do not give accounts privileges that aren't needed
  « Unneeded privileges to accounts allow more opportunity for privilege escalation attacks.

HARDENING DATABASES — FIREWALL/ACCESS CONTROL
o Throttling connections — make it harder for the bad guys to brute-force or guess passwords
  « Use firewall software like iptables
  « xinetd may be useful for throttling
  « It's possible that throttling could deny access to applications which legitimately make a large number of connections.
o Reducing the surface area of attack with firewall rules
  « Don't let the world connect to your database server.

HARDENING DATABASES — PASSWORD SECURITY
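An added example for this slide (not part of the original deck) answering the question it ends with, "How can we enforce password policy?", with one section per product. The Oracle FAILED_LOGIN_ATTEMPTS limit is also the database-side complement to the connection throttling on the previous slide. Profile, account and placeholder passwords are constructed; the MySQL syntax assumes 5.6 or earlier (mysql.user still has a Password column), the Oracle verify_function name assumes $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has been run, and the SQL Server part assumes 2005 or later.

```sql
-- Added example: enforcing password policy at the database layer.
-- All names and passwords below are constructed placeholders.

-------------------------------------------------------------------
-- Oracle (10g/11g): the password policy lives in a PROFILE and is
-- enforced for every user assigned to it. utlpwdmg.sql installs a
-- sample complexity-check function named verify_function (assumed).
-------------------------------------------------------------------
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock the account after 5 bad passwords
  PASSWORD_LOCK_TIME       1/24       -- ... for one hour (value is in days)
  PASSWORD_LIFE_TIME       90         -- force a change every 90 days
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365        -- both REUSE limits must be set to take effect
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER webapp PROFILE app_users;

-- Check: open accounts and the lockout limit their profile actually carries.
SELECT u.username, u.profile, p.limit AS failed_login_attempts
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 WHERE u.account_status = 'OPEN';

-------------------------------------------------------------------
-- MySQL 5.x: no built-in policy engine in this era (the
-- validate_password plugin arrives in 5.6.6), so fix the defaults
-- by hand and verify nothing is left with an empty password.
-------------------------------------------------------------------
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME-long-random');
DELETE FROM mysql.user WHERE User = '';                       -- anonymous accounts
DELETE FROM mysql.user WHERE User = 'root'
   AND Host NOT IN ('localhost', '127.0.0.1');                -- remote root
FLUSH PRIVILEGES;                                             -- needed after direct edits to mysql.*

-- Check: should return no rows.
SELECT User, Host FROM mysql.user WHERE Password = '';

-------------------------------------------------------------------
-- SQL Server 2005+: change and disable sa, and make every remaining
-- SQL login inherit the Windows password policy.
-------------------------------------------------------------------
ALTER LOGIN sa WITH PASSWORD = 'CHANGE-ME-long-random';
ALTER LOGIN sa DISABLE;

-- Check: SQL logins that bypass the Windows policy.
SELECT name FROM sys.sql_logins WHERE is_policy_checked = 0;

-- Remediate each one found (login name is a placeholder).
ALTER LOGIN [legacy_app] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Run each section as an administrator of the respective product; the check queries are the ones worth scheduling, since a new account created without a profile (Oracle) or with CHECK_POLICY = OFF (SQL Server) silently reintroduces the problem.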
o Strong passwords are a must
  « Constant brute-force attacks are happening across campus, especially against SQL Server
o Default passwords are a problem
  « MySQL: root@localhost: (empty password)
  « SQL Server: sa: (empty password; old, but still seen sometimes)
  « Oracle: ...
o Built-in password policy control seems rare
  « How can we enforce password policy?

HARDENING DATABASES — STORED PROCEDURES, TRIGGERS
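An added example for this slide (not part of the original deck, written in T-SQL because the deck's SQL Server references cover dynamic SQL): a stored procedure that turns into a privilege-escalation path, beside the hardened form and the query that finds others like it. Table, procedure and login names are constructed placeholders.

```sql
-- Added example: a procedure as an escalation path, and its safe form.
-- All object and login names are constructed placeholders.

-- The table is readable only through the procedure; the web login gets
-- no direct rights on it.
CREATE TABLE dbo.People (Id int PRIMARY KEY, Name nvarchar(100), Email nvarchar(200));
GO

-- BEFORE: impersonates its owner (dbo) AND builds SQL by concatenation.
-- Ownership chaining does not cover dynamic SQL, so the batch built here
-- runs with dbo's full rights, and the input decides what that batch is.
CREATE PROCEDURE dbo.FindPerson_Unsafe @Name nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name, Email FROM dbo.People WHERE Name = ''' + @Name + '''';
    EXEC (@sql);
END
GO

-- AFTER: static SQL, so the input can only ever be data, and EXECUTE AS
-- CALLER, so the procedure adds no privilege beyond the ownership chain.
CREATE PROCEDURE dbo.FindPerson @Name nvarchar(100)
WITH EXECUTE AS CALLER
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Id, Name, Email FROM dbo.People WHERE Name = @Name;
END
GO

-- If dynamic SQL is genuinely unavoidable, parameterise it instead:
--   EXEC sp_executesql N'SELECT Id FROM dbo.People WHERE Name = @n',
--                      N'@n nvarchar(100)', @n = @Name;

-- Grant the web login only EXECUTE on the safe procedure. Because dbo owns
-- both the procedure and the table, the chain lets it read dbo.People
-- without any direct grant on the table.
GRANT EXECUTE ON dbo.FindPerson TO webapp_user;

-- Check: procedures and triggers that impersonate someone other than the
-- caller. execute_as_principal_id is NULL for EXECUTE AS CALLER and -2 for
-- EXECUTE AS OWNER; review every row for dynamic SQL.
SELECT OBJECT_NAME(object_id) AS module_name, execute_as_principal_id
  FROM sys.sql_modules
 WHERE execute_as_principal_id IS NOT NULL;
```

The same review applies to triggers: a trigger fires with the privileges of its context and on someone else's statement, so one that builds dynamic SQL from row data has the same escalation shape as FindPerson_Unsafe.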
o Stored Procedures and Triggers can lead to privilege escalation and compromise. Be sure to think about the security implications both when creating them and when allowing others to create them.

HARDENING DATABASES — DISABLE UNNEEDED COMPONENTS
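An added example for this slide (not part of the original deck): switching off the Oracle XML DB FTP and HTTP listeners, which are the "XML FTP (Oracle)" component listed here. It assumes Oracle 10g/11g, where DBMS_XDB manages these ports and a port of 0 disables the protocol, and a session with XDBADMIN or SYS rights. Named Pipes on SQL Server has no SQL toggle; it is disabled per protocol in SQL Server Configuration Manager.

```sql
-- Added example: disabling Oracle XML DB's FTP and HTTP endpoints.
-- Assumes 10g/11g (DBMS_XDB port procedures) and XDBADMIN/SYS privileges.

-- Check the current settings first; a non-zero port means the listener
-- is publishing that protocol.
SELECT DBMS_XDB.GETFTPPORT()  AS ftp_port,
       DBMS_XDB.GETHTTPPORT() AS http_port
  FROM dual;

-- Disable both unless an application actually uses XML DB protocols.
BEGIN
  DBMS_XDB.SETFTPPORT(0);
  DBMS_XDB.SETHTTPPORT(0);
END;
/

-- Verify: both values should now be 0, and after the listener re-registers
-- (ALTER SYSTEM REGISTER) the FTP/HTTP presentation endpoints should be
-- gone from lsnrctl status.
ALTER SYSTEM REGISTER;
SELECT DBMS_XDB.GETFTPPORT()  AS ftp_port,
       DBMS_XDB.GETHTTPPORT() AS http_port
  FROM dual;
```

Re-run the check after patching or upgrading: a component that was off can come back on when the product is reinstalled or reconfigured.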
o Just like disabling unneeded services for an operating system is a good idea, disabling unneeded components for databases is a good idea.
  « XML FTP (Oracle)
  « Named Pipes access (SQL Server)

SELECT slides FROM presentation: Oracle

ORACLE'S VULNERABILITY HISTORY
If [the] Oracle could see into the future... the "Unbreakable" marketing campaign may not have been a good idea.
o A search on milw0rm's exploit catalogue returns
  « 27 exploits dated from 11/16/2000 to 07/19/2007

VULNERABILITY HISTORY (CONT.)
Data and quote from The Oracle Hacker's Handbook:

(Chart: Oracle vulnerabilities per year, 1999 to 2002; x-axis 0 to 60.)

"[...] 2003 and beyond [...] the numbers went through the roof [...]"

HARDENING ORACLE - TNS LISTENER
TNS Listener

"The TNS Listener is the hub of all communications in Oracle. [...] When a client wishes to access the database server, the client connects first to the Listener. [...] In versions of Oracle prior to 10g, the TNS Listener could be administered remotely. What makes this particularly dangerous is the fact that by default the Listener is installed without a password [...]"
— The Database Hacker's Handbook

HARDENING ORACLE - TNS LISTENER
o Set a password for TNS Listener administration
  « listener.ora file
    o PASSWORDS_listenername = somepass
  « Use the lsnrctl utility
    o LSNRCTL> change_password

HARDENING ORACLE - DEFAULT ACCOUNTS
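An added example for this slide (not part of the original deck): finding Oracle default accounts that still carry their shipped password, then locking or re-passwording them. It assumes 11g, which ships the DBA_USERS_WITH_DEFPWD view; on 10g the same check is done against a published default-password list. The account list and placeholder password are constructed, and the accounts named are well-known sample and feature schemas, so confirm which features a site uses before locking their owners.

```sql
-- Added example: auditing and locking Oracle default accounts (11g+).
-- The remediation list and password below are constructed placeholders.

-- Check: accounts whose password still matches the vendor default, with
-- their current status so open ones stand out.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY u.account_status, d.username;

-- Remediate: change the password for anything that must stay open
-- (DBSNMP is used by Enterprise Manager, so it often must) ...
ALTER USER dbsnmp IDENTIFIED BY "CHANGE-ME-long-random";

-- ... and lock and expire the rest. The list here is the sample schemas;
-- extend it only after confirming the feature that owns each account
-- is unused.
BEGIN
  FOR r IN (SELECT username
              FROM dba_users_with_defpwd
             WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX')) LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" ACCOUNT LOCK PASSWORD EXPIRE';
  END LOOP;
END;
/

-- Verify: re-running the first query should return only accounts you chose
-- to keep, and the sample schemas should now read EXPIRED & LOCKED.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX', 'DBSNMP');
```

The first query is the one to keep in a periodic review: 10g and later lock many of these at install, as the next bullet says, but an upgrade, a feature install or a well-meaning unlock can reopen them.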
o Decent number of default accounts
  « Be aware of what they are
  « Ensure the passwords do in fact get changed appropriately
o 10g forces the admin to set passwords for many default accounts on install and may lock or expire them.

SELECT slides FROM presentation: SQL Server

HARDENING SQL SERVER — LOCAL ADMINS
o Remove the local BUILTIN\Administrators group from sysadmin
  « If they are an administrator on a system running SQL Server they can get to anything in any database.

HARDENING SQL SERVER - AUTHENTICATION
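An added example for this slide and the previous one (not part of the original deck): confirming Windows-only authentication and removing BUILTIN\Administrators from sysadmin without locking the DBAs out, on SQL Server 2005. The Windows group name is a constructed placeholder.

```sql
-- Added example: SQL Server 2005 authentication mode and sysadmin membership.
-- CAMPUS\SQL-DBAs is a constructed placeholder for the real DBA group.

-- 1. Check the authentication mode. 1 = Windows authentication only (the
--    policy-enforcing mode this slide wants), 0 = mixed mode with SQL
--    logins. Changing it is done in Management Studio and needs a restart.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Give the DBAs their own sysadmin path BEFORE pulling the built-in
--    group, or nobody will be left who can administer the instance.
CREATE LOGIN [CAMPUS\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember 'CAMPUS\SQL-DBAs', 'sysadmin';

-- 3. Remove the local administrators group from sysadmin and drop the login.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
DROP LOGIN [BUILTIN\Administrators];

-- 4. Verify who is left with sysadmin; only the DBA group (and sa, which
--    should be disabled) ought to appear.
SELECT sp.name, sp.type_desc, sp.is_disabled
  FROM sys.server_role_members rm
  JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
  JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
 WHERE r.name = 'sysadmin';
```

This raises the bar rather than removing trust in host administrators: whoever controls the service account, the data files and the registry on the box can still reach the data, which is the point the previous slide makes.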
o If configured to use Windows Authentication, password policy can be enforced!

HARDENING SQL SERVER — XP_CMDSHELL
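An added example for this slide (not part of the original deck): checking whether xp_cmdshell is on and turning it off, on SQL Server 2005, where it ships disabled and is toggled through sp_configure rather than by removing the extended procedure.

```sql
-- Added example: auditing and disabling xp_cmdshell on SQL Server 2005.

-- xp_cmdshell is an "advanced" option; it is invisible to sp_configure
-- until advanced options are shown.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Check: config_value / run_value of 1 means enabled.
EXEC sp_configure 'xp_cmdshell';

-- Disable it (the install default). RECONFIGURE applies the change
-- immediately; no restart is needed.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Hide the advanced options again.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify from the catalog view; value_in_use should be 0.
SELECT name, value, value_in_use
  FROM sys.configurations
 WHERE name = 'xp_cmdshell';
```

Because sp_configure can re-enable it in two statements, the catalog query above is worth running on a schedule, and the Surface Area Configuration tool that ships with 2005 reports the same setting.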
o Do not enable this on install of SQL Server 2005 unless absolutely necessary

SELECT slides FROM presentation: MySQL

HARDENING MYSQL — DISABLING NETWORK ACCESS
o If your database is only accessed by someone/something on the same machine
  « disable network-based access with the --skip-networking option
  « Firewall off the port MySQL is listening on (typically port 3306)

HARDENING MYSQL - ACCOUNT TYPES
o Identity is determined by username AND the location connected from - Coolness
o Scope identities appropriately
  « Allow bob to login from any uiowa.edu hostname
    o GRANT [...] ON somedb.sometable TO BOB@'%.uiowa.edu';
  « Allow bob to login from any campus IP address
    o GRANT [...] ON somedb.sometable TO BOB@'128.255.0.0/255.255.0.0';

HARDENING MYSQL — ENCRYPTING TRAFFIC
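An added example (not part of the original deck) tying together the MySQL slides and the Principle of Least Privilege slide: one web-application account granted only what it needs, from one host, over SSL, next to the human account scoped with the two host forms the account-types slide shows, plus the checks that confirm the posture. It goes one step beyond the deck by using column-level privileges, which MySQL supports alongside the table-level grants the slides describe. Database, table, column, host and account names and all passwords are constructed placeholders; the syntax is MySQL 5.x.

```sql
-- Added example: a least-privilege, host-scoped, SSL-only MySQL account.
-- Every name and password below is a constructed placeholder (MySQL 5.x).

-- 0. Network posture first. skip_networking = ON means no TCP listener at
--    all; otherwise the port shown is the one to firewall (bind_address is
--    also visible here from 5.6 on).
SHOW VARIABLES WHERE Variable_name IN ('skip_networking', 'port');

-- Schema: the public directory and the sensitive data are separate tables,
-- and even within the directory the sensitive column is never granted.
CREATE DATABASE people;
CREATE TABLE people.directory (id INT PRIMARY KEY, name VARCHAR(100),
                               email VARCHAR(200), ssn CHAR(11));
CREATE TABLE people.private   (id INT PRIMARY KEY, salary DECIMAL(10,2), notes TEXT);

-- BEFORE: what a web application far too often gets (do not run this):
--   GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' IDENTIFIED BY 'webapp';

-- AFTER: read-only, on the public columns only, from one host, over SSL.
-- Username AND host form the identity, so 'webapp'@'%' and
-- 'webapp'@'web1.uiowa.edu' would be two different accounts.
GRANT SELECT (id, name, email)
   ON people.directory
   TO 'webapp'@'web1.uiowa.edu'
   IDENTIFIED BY 'CHANGE-ME-webapp-password'
   REQUIRE SSL;

-- A human DBA scoped to campus, using the two host forms from the
-- account-types slide (hostname wildcard, and IP with netmask), and to
-- the one database rather than *.*.
GRANT SELECT, INSERT, UPDATE, DELETE ON people.*
   TO 'bob'@'%.uiowa.edu' IDENTIFIED BY 'CHANGE-ME-bob-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON people.*
   TO 'bob'@'128.255.0.0/255.255.0.0' IDENTIFIED BY 'CHANGE-ME-bob-password';

-- Checks.
SHOW GRANTS FOR 'webapp'@'web1.uiowa.edu';        -- only the column grant and USAGE
SELECT User, Host, ssl_type FROM mysql.user         -- ssl_type = 'ANY' for REQUIRE SSL
 WHERE User = 'webapp';
-- Inside a webapp session: SHOW STATUS LIKE 'Ssl_cipher'; is non-empty
-- when the connection is actually encrypted.

-- What the grant denies: from the webapp account,
--   SELECT ssn FROM people.directory;   -- fails: column permission denied
--   SELECT * FROM people.directory;     -- fails the same way, so * cannot leak ssn
--   SELECT * FROM people.private;       -- fails: no privilege on the table
```

GRANT takes effect immediately; FLUSH PRIVILEGES is only needed after editing the mysql.* tables directly, as the password-security example does. When the client cannot do SSL, REQUIRE SSL simply refuses the login, which is the intended failure mode for an account that handles data required to be encrypted.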
o MySQL supports encrypting traffic with SSL
  « Consider using GRANT ... REQUIRE SSL or similar for an account
    o Useful for accounts that may be accessing sensitive data and/or data that is required to be encrypted by some requirement.

RESOURCES
o D. Litchfield, C. Anley, J. Heasman, B. Grindlay, The Database Hacker's Handbook: Defending Database Servers, Indianapolis: Wiley Publishing Inc., 2005.
  « Available on Books 24x7
o D. Litchfield, The Oracle Hacker's Handbook: Hacking and Defending Oracle, Indianapolis: Wiley Publishing Inc., 2007.
  « Available on Books 24x7
o http://databasesecurity.com
o http://blogs.msdn.com/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx
o http://msdn.microsoft.com/msdnmag/issues/05/06/SQLServerSecurity/default.aspx
o http://www.cgisecurity.com

Questions or Comments?