May 18, 2003, 4:05 PM — Attackers continue to target and exploit our database assets. SQL vulnerabilities continue to be a major source for compromise in many environments. With so much riding on these important systems, what steps can be taken to better protect them from harm?
First, the SQL Server should be isolated from web infrastructures and from direct Internet access. If there is an absolute requirement for SQL access across the Internet, it should only be available via a proxy system that enforces strict rules and scrubs out data streams that could compromise or damage the system or the data it contains. Further, all indirect access via web sites, online applications and the like should include appropriate bounds checking and input validation. All forms of SQL delimiters must be stripped from input prior to passing it to the database system. Values for SQL access should always be contained and managed only on the server side of the application, as client manipulation of any client-side value is likely and dangerous.
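The bounds checking, delimiter handling and server-side control of values described above, as an added example that is not from the original article: a query built by string concatenation beside a hardened form that validates the value on the server and binds it as a parameter. Parameter binding is a supplement to the delimiter rejection the text calls for, and the in-memory SQLite table, account names and username pattern are constructed stand-ins for a real SQL Server deployment.

```python
import re
import sqlite3

# Constructed sample table standing in for the production database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
conn.executemany(
    "INSERT INTO accounts VALUES (?, ?)",
    [("alice", "user"), ("bob", "user"), ("dba_admin", "admin")],
)

# Server-side bounds check (assumed policy): usernames are short and drawn
# from a fixed alphabet, so any SQL delimiter (quotes, semicolons, comment
# markers) is rejected before the value gets anywhere near the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by input validation")
    return value


def lookup_unsafe(username: str) -> list:
    # The 'before' form: client-supplied text is spliced into the statement,
    # so delimiters in the input change the meaning of the query.
    sql = "SELECT username, role FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    # The hardened form: validate first, then bind the value as a parameter
    # so the driver treats it strictly as data whatever it contains.
    username = validate_username(username)
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    crafted = "' OR '1'='1"  # constructed input carrying SQL delimiters
    print(lookup_unsafe(crafted))  # the concatenated query returns every row
    try:
        lookup_safe(crafted)
    except ValueError as exc:
        print(exc)  # the hardened path refuses the value outright
```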
Next, appropriate steps must be taken to be sure that all SQL servers are up to date on patch levels. That includes both the underlying operating system and the SQL applications themselves. Most SQL platforms have a history of exploitation through buffer overflows and input validation attacks against faulty modules and procedures. For this reason, it is imperative that application-level patches be applied on a consistent basis.
Authentication mechanisms must also be hardened. Ownership of databases and access to stored procedures should be a highly guarded set of processes. Changing default login account names and using strong passwords is extremely important. Tools exist to brute force SQL database logins with every word in the English dictionary in just less than two minutes! Obviously, accounts with administrative privileges should use long passwords, with mixed-case and special-character rules applied as well. Careful review of access and application logs should also be performed on a regular basis.
By paying close attention to the exposure and configurations of your database systems, you can protect them and the data they hold. Remaining vigilant against new vulnerabilities and emerging SQL threats will also allow you added confidence in the performance and security of these core devices. By following these steps you can keep your data your own.