The database is the basis of e-commerce, finance, and ERP systems, usually saved important business partners and customer information. Most enterprises, organizations, and government departments are saved in various databases, they use these databases to save some personal information, such as employee salary, personal information, etc. The database server also masters sensitive financial data. Including transaction records, business matters, accounts, strategic or professional information, such as patents and engineering data, and even market plans, etc. should protect the information to prevent competitors and other illegal people. Data integrity and legal access are subject to a lot of security threats, including password policies, system latte, database operations, and security schemes. However, the database usually does not have emphasizable in security as an operating system and network. Microsoft's SQL Server is a widely used database, many e-commerce websites, enterprise internal information platforms, etc. Based on SQL Server, the security of the database has not been more systematic, and most management The staff believes that all the applications are safe as long as the security of the network and the security system is safe. Most system administrators are unfamiliar with the database and the database administrator has too small security issues, and some security companies also ignore database security, which makes the database security issues more serious. The security vulnerabilities and improper configurations present in the database system usually cause serious consequences, and it is difficult to find. Database applications are usually closely related to the highest administrator of the operating system. The extensive SQL Server database is a "port" database, which means that anyone can use the analysis tool to try to connect to the database, thus bypass the security mechanism of the operating system, and break into the system, destroy and steal data. Even destroying the entire system. Here, we mainly talk about the security configuration of the SQL Server2000 database and some related security and use issues. Before performing the security configuration of the SQL Server 2000 database, you must first secure the operating system to ensure your operating system is safe. Then, the necessary security audit you want to use, such as the scripts such as ASP, PHP, this is a safe riscriminally imposed security hazard based on the database-based web application, and the script is mainly a filter problem, it needs to filter Some similar, '; @ / and other characters to prevent destroyers from constructing malicious SQL statements. Next, please put on patch SP1 and the latest SP2 after installing SQL Server 2000. The download address is: http://www.microsoft.com/sql/downloads/2000/sp1.asp and http://www.microsoft.com/sql/downloads/2000/sp2.asp is doing the above three-step basis After that, let's discuss the security configuration of SQL Server. 1. Use a secure password policy We put the password policy to all security configurations. Please note that many database accounts are too simple, which is too simple to follow the system password. For SA, you should pay more, do not let the SA account password written in the application or script. The robust password is the first step! When SQL Server2000 is installed, if you use a mixed mode, you need to enter the password of the SA, unless you confirm that you must use an empty password. This has been improved than previous versions. At the same time, develop a good habit of regularly modify the password. Database administrators should regularly check if there is an account that does not meet the password requirements. For example, use the following SQL statement:
Use master
Select Name, Password from syslogins where password is null
2. Use a secure account policy. Since SQL Server does not change the SA user name, we cannot delete this super user, so we must make the strongest protection for this account, of course, including using a very strong password, it is best not to use the SA account in the database application, SA is only used if there is no other method to log in to the SQL Server instance (for example, when other system administrators are not available or forgotten). It is recommended that the database administrator has newly established a super user with the SA-like authority to manage the database. A secure account policy also includes not to let the accounts of the administrator privilege. SQL Server's authentication mode has two types of Windows authentication and mixed identity authentication. If the database administrator does not want the operating system administrator to contact the database through the operating system, you can delete the system account "Builtin / Administrators" in the account management. However, the result of this is that once the SA account forgot the password, there is no way to recover. Many hosts use database applications just to do simple features such as queries, modifications, and assign accounts according to actual needs, and give only privileges that can meet application requirements and needs. For example, as long as the query function, you can use a simple public account to select it. 3, strengthen the record of the database log. Review the "failure and success" of the database login event, select "Security" in the instance properties, select the audit level as all, so in the database system and the operating system log, all account login events have been recorded in detail. . Figure: Please check the SQL Server log check whether there is a suspicious login event, or use the dos command.
FINDSTR / C: "Login" D: / Microsoft SQL Server / MSSQL / LOG / *.
4. Manage the expansion stored procedure for large surgery for the stored procedure, and the permission to extend the extension stored procedure on the account is cautious. In fact, how many system stored processes are not used in most applications, and so many system stored procedures for SQL Server are only used to adapt to the user needs, so please delete unnecessary stored procedures, because some system stored processes can be very It is easy to use to improve permissions or destruction. If you don't need to extend the stored procedure xp_cmdshell, please remove it. Use this SQL statement:
Use master
sp_dropextendedProc 'XP_cmdshell'
XP_cmdshell is the best shortcut to enter the operating system
It is a large back door for the database to leave the operating system.
If you need this stored procedure, please use this statement to recover.
sp_addextendedProc 'XP_cmdshell', 'XPSQL70.DLL'
If you don't need to discard the OLE auto stored procedure (which can cause certain features in the manager), these processes include the following:
SP_OACREATE SP_OADESTROY SP_OAGETERRORINFO SP_OAGETPROPERTY
SP_OAMETHOD SP_OASETPROPERTY SP_OASTOP
Remove the stored procedures for unwanted registry access, the registry stored procedure can even read the password of the operating system administrator, as follows:
XP_REGADDMULTISTRING XP_REGDELETEKEY XP_REGDELETEVALUE
XP_REGENUMVALUES XP_REGREAD XP_REGREMOVEMULTISTRING XP_REGWRITE
There are some other extension stored procedures, you also check the inspection. When processing stored procedures, please make sure to avoid harm to databases or applications.
