Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

NESQL User Group meeting recap

Friday, November 11, 2005


I spoke to the New England SQL Server User Group last night in Waltham, MA on SQL Server Security. The group was a good mix of DBAs, wanna-be DBAs, developers forced at times to be DBAs, and developers. I covered the problems with trying to secure SQL Server (various types of attacks, etc.) as well as ways to secure SQL Server 2000 and the newest features available in SQL Server 2005. As you can imagine, when I asked how many were still using and supporting SQL Server 2000, nearly every hand went up, compared to a minimal number of those running anything on SQL Server 2005.

One method I mentioned to help secure SQL Server (both versions) is to use a least-privileged service account upon installation or change your default LocalSystem account to use a least-privileged account. I typically use a normal user, and restrict certain logon rights and apply other restrictions. Yesterday, I found a couple of interesting webcasts that discuss these same techniques:

Jesper Johansson's What Nobody Told You About Protecting SQL Server 2000 (here, he shows how you can also use a guest account to further restrict the service account for SQL Server 2000 plus other methods to lock down the product).

Chip Andrews' Minimizing SQL Server service, login, and user accounts (you will have to register to hear the webcast).

I placed my slides and code from last night's talk on my own site for download.
