Security: Best Practices for SQL or MSDE Security
Intro
This guide is intended to serve as an outline of best practices for users on MSDE or SQL server. It is written for the Power User or Network Administrator and is by no means inclusive. It should be used as a starting point to help maintain a smooth running network and to keep your MSDE/SQL databases in a healthy state.
The information provided in the SOAPware, Inc. Knowledge Base Articles is provided “as is” without warranty of any kind. SOAPware, Inc. disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall SOAPware, Inc. or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if SOAPware, Inc. or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
In order to be prepared for the worst, it is very important that you take precautions to prevent issues before they arise. You can do this by:
· Hiring a competent Network Administrator to install, configure, and maintain your network.
· Keeping abreast of the latest security information and patches.
· Securing hardware and educating personnel on “smart computing practices”.
· Securing Internet access if used at your site.
· Installing and configuring a firewall.
· Installing and configuring antivirus software.
· Using appropriate backup and recovery practices.
· Regularly performing database maintenance.
This section outlines how to keep your network and MSDE/SQL Server running smoothly. These recommendations are based on our years of experience at SOAPware, Inc. and will help you create a smooth running environment.
One of the best network decisions that you can make is to hire a Network Administrator. We recommend that the Network Administrator have Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Database Administrator (MCDBA), or similar industry-standard certifications and two years of experience in the field. They should be available on call or on a scheduled appointment basis as needed. If a problem with your network should arise, a competent Network Administrator should be able to help out.
Security Information and Patches
In order to keep your MSDE or SQL Server updated or secure, it is important that you stay abreast of current security issues or threats and keep your system(s) up to date with the latest patches and service packs.
To obtain the latest security information, SOAPware, Inc. recommends that you subscribe to several security-related newsletters and check some of the main MSDE/SQL security websites for news and information. Links to these sites are included at the end of this guide. On occasion a security-related issue, virus, or worm is hazardous enough to make it into the mainstream media. If you notice something like this being reported in the news, it is recommended that you do the appropriate research and take precautions against it.
In addition to security-related patches, we also recommend that you keep your software up to date with the latest patches. www.windowsupdate.microsoft.com is a great starting place for operating system updates. You can find the latest software downloads for MSDE and SQL at http://www.microsoft.com/sql/downloads/default.asp.
It is also recommended that you stay current in your equipment and personnel practices. Check to make sure that all hardware is secure and doesn’t have the potential to “walk out” of the office. Also make sure that your personnel are using smart computing practices, that they are using strong passwords, and that they are not bringing floppy disks or software from home to install on the network. Make sure that everyone in the office understands the importance of patient data and security.
If your site does not require access to the Internet, then we highly suggest that you cut off access to it, or limit your access to one computer that is not connected to your network and is not used to run SOAPware. This is the easiest step in helping secure your MSDE or SQL Server setup. Simply put, if you do not have access out, then hackers do not have access in.
We also recommend that you install and configure a firewall if your site has Internet access. A firewall is a piece of hardware or software that can protect your system from unauthorized access from the internet. Note, if your network (or any of the computers on your network) is not connected to the internet you do not need to install a firewall.
There are several types of firewalls available, but they can all be divided into two categories: software and hardware firewalls. Software firewalls run from free to fairly inexpensive and can provide adequate system protection. Hardware firewalls are boxes – much like a small computer – that offer the best system protection available and are more configurable.
Regardless of the type of firewall you choose to install, it is very important that it is properly configured and maintained. Just like antivirus programs, firewall companies constantly release updates and patches.
If you are running MSDE or SQL and you DO NOT need access to the server from a remote location, we highly recommend that you configure your firewall to block ports 1433 and 1434. These are the ports that SQL Server runs on. If these two ports are blocked, your SQL Server should be inaccessible to anyone outside of your network.
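The following is an added example (not SOAPware's own configuration) of applying the two block rules recommended above on the Windows host firewall, in case the perimeter firewall is not the only place you want them. It assumes Windows Firewall with Advanced Security on Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist) and an elevated PowerShell session; the rule names are made up here.

```powershell
# Added example, not SOAPware's own configuration: block inbound SQL Server ports on the
# host firewall when no remote access to the server is needed. Assumes the NetSecurity
# cmdlets (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

$SqlPortRules = @(
    @{ Name = 'Block SQL Server TCP 1433';  Protocol = 'TCP'; Port = 1433 }  # default instance listener
    @{ Name = 'Block SQL Browser UDP 1434'; Protocol = 'UDP'; Port = 1434 }  # instance resolution service
)

foreach ($rule in $SqlPortRules) {
    $existing = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Block rules take precedence over allow rules in Windows Firewall, so this overrides
        # any "SQL Server" allow rule that an installer may have created earlier.
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Block `
            -Protocol $rule.Protocol -LocalPort $rule.Port -Profile Any | Out-Null
        Write-Host "Created rule: $($rule.Name)"
    } else {
        Write-Host "Rule already present: $($rule.Name)"
    }
}

# Verify: both rules should show Enabled=True, Direction=Inbound, Action=Block.
# Anything else here means the configuration did not take and the ports are still reachable.
Get-NetFirewallRule -DisplayName 'Block SQL*' |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

One caveat worth knowing: TCP 1433 is only the default listening port. A named instance can be assigned a dynamic port, so after blocking these two ports, check the instance's actual TCP port in the SQL Server network configuration and block (or simply do not expose) that one as well. Blocking UDP 1434 stops the service that would otherwise tell a remote client which port a named instance is using.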
Even if you are not connected to the internet, it is highly recommended that you install, configure and maintain an antivirus software program such as Norton Antivirus Corporate Edition http://www.symantec.com/ or McAfee Security http://mcafee.com/.
It is recommended that you back up all of your databases at least once per day. Some sites go as far as making a backup in the middle of the day, say at lunch, and then they make another backup at the end of the day. It’s up to your site to determine your backup frequency. SOAPware, Inc. does not recommend less than one backup per day. Remember that if disaster should strike, rolling back to your last backup might be your only option, so it’s important to keep your backup set current.
For a more comprehensive guide to backups, please see the SOAPware, Inc. Backup Guide.
It is important that you perform regular database maintenance. You can do this by creating a scheduled maintenance task through the SOAPware, Inc. MSDE Manager or by creating a maintenance plan through SQL Server that runs a DBCC on your databases. It is recommended that you perform database maintenance daily right after a backup, and make a backup of your databases before and after the maintenance. For more information regarding setting up maintenance plans, with the MSDE Manager, please see the MSDE Manager Users’ Guide.
You can easily help prevent a disaster from happening by following the guidelines in this guide. At the bare minimum you should block ports 1433 and 1434 with your firewall and install and update antivirus software and security patches for your Operating System (OS).
You can plan for what to do in a database disaster by testing your backups and knowing how to restore them if needed. It might be helpful to educate two members of your office staff in this area and create a data disaster outline - preparedness is the key here.
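As an added example (not SOAPware's script, and not a replacement for the MSDE Manager or a SQL Server maintenance plan), the following PowerShell script carries out the backup, maintenance, and restore-test steps described in the three sections above in the order the guide recommends: a backup before maintenance, a DBCC consistency check, a backup after maintenance, and a verification that each backup is readable, with a restore routine for drills or actual recovery. It assumes a local default instance, Windows authentication, the sqlcmd command-line tool (osql on MSDE/SQL Server 2000 takes the same switches), and a backup folder the SQL Server service account can write to; the database name and folder are placeholders.

```powershell
# Added example, not SOAPware's own script: daily backup, DBCC CHECKDB, post-maintenance
# backup, and a restore drill. Assumptions: local default instance, Windows authentication,
# sqlcmd (or osql on MSDE / SQL Server 2000), and a writable backup folder. Names are placeholders.

$SqlTool   = 'sqlcmd'            # use 'osql' on MSDE / SQL Server 2000; same switches apply
$Instance  = '.'                 # local default instance
$Database  = 'SOAPwareDB'        # placeholder database name
$BackupDir = 'D:\SQLBackups'     # placeholder backup folder
$Stamp     = Get-Date -Format 'yyyyMMdd_HHmm'

function Invoke-Tsql([string]$Query) {
    # -E: Windows authentication; -b: return a non-zero exit code when a T-SQL error occurs,
    # so a failed backup or a corrupt database stops the script instead of being silently skipped
    & $SqlTool -S $Instance -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "T-SQL failed (exit $LASTEXITCODE): $Query" }
}

function Backup-Db([string]$Label) {
    $file = Join-Path $BackupDir "${Database}_${Label}_${Stamp}.bak"
    Invoke-Tsql "BACKUP DATABASE [$Database] TO DISK = N'$file' WITH INIT"
    # Confirm the backup set is complete and readable before trusting it
    Invoke-Tsql "RESTORE VERIFYONLY FROM DISK = N'$file'"
    return $file
}

function Restore-Db([string]$File) {
    # Disaster-recovery step: put the database back from a verified backup file.
    # WITH REPLACE overwrites the existing database, so run this only on the recovery
    # target or on a separate test server when practising the restore.
    Invoke-Tsql "RESTORE DATABASE [$Database] FROM DISK = N'$File' WITH REPLACE"
}

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

$before = Backup-Db 'pre-maint'                              # backup before maintenance
Invoke-Tsql "DBCC CHECKDB ('$Database') WITH NO_INFOMSGS"    # consistency check; any error halts the run
$after  = Backup-Db 'post-maint'                             # backup after maintenance

Write-Host "Backups written and verified: $before ; $after"
# Restore drill on a test server: Restore-Db $after
```

Save the script and schedule it once a day with Task Scheduler (for example, schtasks /Create /SC DAILY with a run time after the end-of-day backup), running it under an account that has backup rights on the instance. Keep the backup folder on a different disk or machine from the database files, since a backup that dies with the same drive as the database does not help in a recovery.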
If something should go wrong, the disaster recovery should happen in a timely manner in order to get the clinic up and running again. Below is an outline of what should happen:
§ Determine the cause of the disaster. Was it a hacker, virus, etc.? Note, in case of a hack attack, please contact your Network Administrator or local authorities before continuing.
§ Resolve the issue. Secure the network, disinfect hard drives, etc.
§ Restore a backup of the databases.
§ Reconnect systems to the databases if needed.
For more information regarding MSDE/SQL, SOAPware, Inc. recommends the following resources:
Admin911: SQL Server 2000 by Brian Knight
SQL Server Backup and Recovery: Tools and Techniques by Frank McBath
http://www.sqlsecurity.com/DesktopDefault.aspx
The site for SQL security.
http://www.microsoft.com/security/
The Microsoft Security & Privacy center.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sql/default.asp
The Microsoft SQL Server TechNet center.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
The Microsoft Security Tools and Checklists.
http://securityresponse.symantec.com/
The security response section of the Symantec website
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/Security/tools/tools/MBSAHome.ASP
The Microsoft Baseline Security Analyzer
http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=ONGXRHYTINMHDKDCWLL
Free online security checks from Symantec.
A great source for free internet security downloads and an online port scanner.
http://www.trusecure.com/knowledge/curricula/
Training and presentation information collected from TruSecure.
http://www.trusecure.com/knowledge/whitepapers/
Whitepapers collected from TruSecure; complete with a HIPAA regulatory section.
http://www.microsoft.com/security/security_bulletins/decision.asp
Microsoft Security Update – for home users and users with less technical experience.
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp
Microsoft Product Security Notification Service – for IT professionals and other users with a strong understanding of technical issues.
http://securityresponse.symantec.com/avcenter/newsletter_regions/en.html
Symantec Security Response Newsletter – a monthly newsletter covering the latest virus threats, worms, and software vulnerabilities.
| Published | J03//03/2003 | Issue Type: Security | |
| Last Modified | 05/09/2007 12:50:45 | ||
| Keywords | Security, SQL, MSDE, IT | ||