Skip navigation
Menu
Security

Assessing Security Threats to SQL Server

When did you last profile your SQL Server 2000 system for potential threats? If you haven't done so, you might want a toolkit and some easy-to-understand guidelines.

 

Next Generation Security Software (NGSSoftware) recently published "Threat Profiling Microsoft SQL Server," which describes in detail tools and procedures that you can use to gauge your exposure to intruders. According to NGSSoftware, the paper has "four main sections. The first section will cover attacks that do not require the attacker to have a user ID and password for the SQL Server, that is, the attacks are unauthenticated. The second section will cover those attacks that do require authentication; to succeed the user must be logged onto the SQL Server. The third section will consider those attacks that can be launched from a compromised server. The final and fourth section will touch briefly upon attacks via the Web using SQL Injection."

   http://www.nextgenss.com/papers/tp-SQL2000.pdf

 

"Threat Profiling Microsoft SQL Server" discusses SQL Monitor port attacks, network-sniffing opportunities, brute-force attacks, file-system attacks, Trojan horses in extended stored procedures, client attacks (e.g., against Enterprise Manager), navigating the database server, password cracking, bypassing access controls, and more. The paper lists a series of tools you need to obtain before you start. Minimally, you'll need various SQL client tools (such as Query Analyzer and ODBCPing), Microsoft Visual C++, SQLPing, NGSSQuirreL, NGSSQLCrack, and NGSSniff. The SQL Server CD-ROM contains SQL client tools. SQLSecurity.com (see the first URL below) offers SQLPing. NGSSoftware offers the latter three tools through the company's Web site (see the second URL below). According to NGSSoftware, NGSSQuirreL is an auditing tool that can find and fix holes in the SQL Server; NGSSQLCrack can crack the passwords of standard SQL logins; and NGSSniff is a network traffic capture and analysis tool. Overall, the paper contains a wealth of information about securing your SQL Server.

   http://www.sqlsecurity.com/desktopdefault.aspx

   http://www.nextgenss.com

 

Other steps you can take toward SQL Server security include keeping up with Microsoft security bulletins and reviewing other resources. Microsoft has issued 11 security bulletins for SQL Server 2000 so far, including a cumulative patch in August 2002 that contains all the other security patches. Be sure you've loaded the ones you might need--or the cumulative patch if you want to load them all. http://www.microsoft.com/technet/security/current.asp?productid=30 

 

SQL Server Magazine and its related Web site often discuss SQL Server security. For example, when you visit the Web site (see the URL below), you'll find Michael Otey's article "Free SQL Server Tools," which discusses his favorite free SQL Server tools, among which are security-related tools. You'll also find Kalen Delaney's article "Safe Transit," which discusses how to ensure that usernames and passwords match up after a database restoration. http://www.sqlmag.com 

 

Regularly reviewing the potential threats to your SQL Server will help keep it secure. I hope the resources mentioned will support that review process.

TAGS: Security SQL
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024
cleaning products
6 Essential Steps for Spring Cleaning Your Website
Mar 21, 2024