Malicious crackers love to crash corporate networks via Web servers, but Windows administrators should spend more time locking down the place where they keep the company crown jewels -- the database servers.
From an installation and configuration standpoint, Microsoft SQL Server gives attackers plenty of opportunities to crack the network, said David Litchfield, co-founder and managing director at Next Generation Security Software (NGSS), a London-based consulting firm that also sells security tools.
"If a box is on the Internet, it's easier, but even behind a firewall there are ways to get to some of the SQL Server services to breach security," Litchfield said.
SQL Server is most commonly used as a data warehouse, where many companies store such valuable information as customer mailing lists and financial, inventory and payroll data. Many security-savvy IT executives keep their databases well-protected by keeping a tight lid on who can get in and out.
"The best way to maintain your database is in a fashion that allows programs that you've written [to] access and maintain the database, but don't let a user with a utility get to it," said Mark Resh, chief information officer at SFI, the Palm Beach, Fla., office supply distributor formerly known as Standard Forms Inc.
The way security is devised at Resh's company, "even if a user were to log into a program with ODBC [Open Database Connectivity] access to the database, even if they could get to the driver and had a password, they would be rejected."
But many more IT administrators view these critical servers as back-end systems that are not as vulnerable as Web servers, which are directly exposed to the Internet, said Tim Mullen, a security expert, CIO and chief software architect at AnchorIS, a Charleston, S.C., company that deals in financial accounting software.
The fact is that Internet users can access that database using an insecure Web application. Most database administrators spend their time worrying about performance when they should be thinking about security, Mullen said.
Since summer, Microsoft has provided six patches for SQL Server to fix more than 10 security vulnerabilities. NGSS found more than half of them. For the record, Oracle has also published some patches to fix security holes in its database software, so database security is not something about which only Microsoft customers should be concerned.
"Just a one-character password would have protected them from the attack, but [DBAs were] leaving it blank," Mullen said.
One system integrator advised customers to do more than just ensure that every database is on the LAN side of a firewall. Deepak Thadani, president of SysIntegrators LLC in New York, said that if there is going to be any kind of external access to the database, it's a good idea to keep the Web server in the demilitarized zone (DMZ), put the database server on the LAN, and limit access to the database from the outside to just the Web server.
"Only open up the ports that are required," Thadani said.
From outside the company, users on the public network can reach only the DMZ. Customers are also advised to install a small firewall in front of the database server inside the LAN. Even users on the LAN should have access to the database that is limited to only certain ports, Thadani said.
Some IT administrators should consider putting an extra firewall in front of a database even though it will make access less convenient and more painful. But the less painful it is to access, the easier it is to crack, he said.
Although Resh said that he doesn't see the immediate need to put in additional firewall protection, he does know of several companies that have a second firewall line between end users and the main data center. Those internal firewalls are opened only to the specific services needed to perform a task.
Sheryl Tullis, product manager for SQL Server, said this fall that Microsoft will release a white paper that describes best practices for securing SQL Server. The company is also creating something called an "installer" that will do a better job automating the process of patch installation, she said.
Microsoft recommends that IT administrators use the integrated security mode that comes with Windows security to create a single sign-on for both Windows and SQL Server. If users must use the mixed security mode feature, which allows database access without first logging into Windows, then strong passwords are a must.
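The two conditions the article warns about, mixed-mode authentication and SQL logins left with a blank password, can be checked from T-SQL. This is an added audit query, not code from the article or from Microsoft; it assumes SQL Server 2005 or later (where `sys.sql_logins` and `PWDCOMPARE` exist) and a login holding CONTROL SERVER, which is needed to read `password_hash`.

```sql
-- Added audit query (not from the article): report the server's
-- authentication mode and any SQL login with a blank or trivially weak password.
-- Assumes SQL Server 2005+ and CONTROL SERVER permission to read password_hash.

-- 1 = Windows (integrated) authentication only; 0 = mixed mode,
-- meaning SQL logins are accepted and every one of them needs a strong password.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode: SQL logins accepted, strong passwords required'
       END AS authentication_mode;

-- SQL logins whose stored hash matches an empty password (the blank-password
-- case Mullen describes) or a password identical to the login name.
-- PWDCOMPARE returns 1 when the clear-text candidate matches the stored hash.
SELECT name,
       is_disabled,
       is_policy_checked,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password equals login name'
       END AS weakness
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
ORDER BY name;
```

Any row returned by the second query is a login that should be given a strong password (or disabled, as with an unused `sa`) before the server is reachable from a Web application.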
Yukon, the version of SQL Server due in late 2003, will also include some security enhancements which will give customers more granular control of who gets to access what data on the server.
Of course, one of the big shifts in Windows, as of the release of .NET Server 2003, will be that all software will ship in a locked-down mode. This means that with Yukon and .NET Server 2003, no one will have access to information unless they are granted access, Tullis said.
Microsoft spent three months earlier this year reviewing SQL Server code and checking for vulnerabilities. The company placed one of its lead database architects, James Hamilton, in charge of securing its database software.
Litchfield said that IT administrators should not find the task of securing the database to be difficult. There is a great deal of free help available on the Internet, as well as some advanced security auditing tools from his own company, such as NGSSQuirrel. Litchfield offers his own top five recommendations that all database administrators should follow: