Security defense program for MS SQL Server | From: Hoky.org

xiaoxiao, 2021-03-06

I will divide the entire defense program into two parts: a solution for defending the MS SQL Server service itself, and a solution for preventing SQL injection script attacks.

1) Solution for defending against vulnerabilities in the MS SQL Server service itself

1 Use a network firewall to filter non-local service requests to MS SQL Server.

The easiest way is to add the following rule group on the MS SQL Server host itself.

Rule 1: Allow this machine to access its own local TCP 1433 and UDP 1434 ports

Rule 2: Block all addresses from accessing TCP 1433 and UDP 1434 ports on this machine

Note: Rule 1 must have a higher priority than Rule 2, so that the local allow rule is evaluated before the blanket block rule.

That's it.

2 Regularly use MBSA to scan the MS SQL Server host and make sure that the MS SQL Server patch level is the latest version.

-------------------------------------------------- --------------------------------------------

Appendix: For instructions on using MBSA, see:

http://demonalex.nease.net/mbsa/index.html

-------------------------------------------------- --------------------------------------------

3 Check whether there is a weak password problem.

2) Solution for preventing SQL injection script attacks

1 Change the default path setting of the IIS web directory.

2 Use SecureIIS to filter special characters / strings.

-------------------------------------------------- --------------------------------------------

Appendix: Special characters / strings include:

SQL statement keywords that are likely to be used by an attacker:

Select, Having, Group, From, Where, Update, INSERT, CREATE, EXEC, EXECUTE

Extended stored procedure prefixes that are likely to be used:

XP_, SP_

Some special symbols:

@, %, ;, ', ", !, -, 1=1

-------------------------------------------------- --------------------------------------------
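As an added example that is not part of the original article (and not SecureIIS's own logic), the following Python function implements the appendix's keyword, procedure-prefix and special-symbol filter and runs it over two constructed sets of request parameters; the whole-word matching and whitespace normalization are my assumptions about how such a filter should be applied.

```python
import re

# Filter rules taken from the appendix above (assumption: they are matched
# case-insensitively against the already URL-decoded parameter values).
SQL_KEYWORDS = ["select", "having", "group", "from", "where",
                "update", "insert", "create", "exec", "execute"]
PROC_PREFIXES = ["xp_", "sp_"]
SPECIAL_TOKENS = ["@", "%", ";", "'", '"', "!", "-", "1=1"]

# Keywords are matched as whole words so that e.g. "groups" or "information"
# does not trip the "group" / "from" rules; procedure prefixes are matched at
# a word boundary and the rest of the procedure name is captured for the report.
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.I)
_PROC_RE = re.compile(r"\b(" + "|".join(PROC_PREFIXES) + r")\w*", re.I)


def find_violations(value: str) -> list[str]:
    """Return every rule hit found in one decoded parameter value."""
    hits = []
    # Collapse whitespace so that "1 = 1" is caught by the "1=1" rule.
    normalized = re.sub(r"\s+", "", value)
    hits += [m.group(0).lower() for m in _KEYWORD_RE.finditer(value)]
    hits += [m.group(0).lower() for m in _PROC_RE.finditer(value)]
    hits += [tok for tok in SPECIAL_TOKENS if tok in normalized]
    return hits


def should_block(params: dict[str, str]) -> tuple[bool, dict[str, list[str]]]:
    """Evaluate all parameters of one request; block if any parameter hits a rule.

    Returns (blocked, report) where report maps offending parameter names to hits.
    """
    report = {name: find_violations(val) for name, val in params.items()}
    report = {name: hits for name, hits in report.items() if hits}
    return (len(report) > 0, report)


# Constructed sample requests (not taken from the original page).
BENIGN = {"id": "1024", "q": "information about groups"}
SUSPECT = {"id": "1' or 1 = 1 --", "q": "x'; exec xp_sample"}  # xp_sample is a made-up name

if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        blocked, report = should_block(req)
        print("BLOCK" if blocked else "ALLOW", report)
```

Expect false positives from the "-" and "%" rules, since both characters occur in ordinary user input, so review blocked requests in the log rather than treating every hit as an attack.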

3 Configure custom error messages in IIS so that attackers cannot obtain any of the information they are looking for from error pages.

-------------------------------------------------- --------------------------------------------

Appendix: The specific operation is as follows:

Open the site's "Properties" - "Properties" - the "Configuration..." button - the "Application Debugging" tab - select "Send text error message to client" - "OK".

-------------------------------------------------- --------------------------------------------

4 Avoid using the database owner (DBO) or the SA account as far as possible when the scripts connect to the database, to reduce the risk of intrusion.

5 Keep the script source code used by the website confidential.

6 Make the administrator entry path harder to guess.

Please cite the original source when reposting: https://www.9cbs.com/read-90608.html