Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

SQL Injection

Fuel injection is generally considered to be a good thing for cars, while IT professionals consider SQL injection to be a bad thing.  The technique does not exploit a weakness in the database engine itself, but the way an application builds its queries: when input from a web form or URL is pasted straight into the SQL text, an attacker can supply input that changes the meaning of the query and runs statements of their own choosing against the database.  In the Microsoft world a lot of work has been done on this, based on the following principles from its Trustworthy Computing Initiative:

  • Secure by Design.  All the Microsoft product teams go to a lot of trouble to make each new version secure, and SQL Server and Windows Server are no exceptions. By the same token the bespoke applications you develop should follow the same principle, and part of that is ensuring that there are no flaws in your code (such as queries built up by string concatenation) that a SQL injection attack could exploit.  Help is at hand here in the shape of a special tool, available here, that does that analysis of your code for you.
  • Secure by Default.  All new Microsoft products are shipped with what James T Kirk and James O’Neill refer to as shields up: the security features are turned on and the connectivity features are turned off. You then have to explicitly turn on features, open ports etc. to get started, and you should only turn on what you actually need.   To get advice on what to configure, check this blog post on SQL injection attacks from the Microsoft Security Vulnerability & Defense Team.
  • Secure in Deployment.  Keeping all of the installed products patched and up to date so that they stand up to new threats as they arise.
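As an added illustration (this is not code from the original post), here is the pattern the "Secure by Design" point warns about, shown inside SQL Server itself: a stored procedure that builds its query by string concatenation, beside one that passes the same value through sp_executesql as a typed parameter. The table, procedure names, rows and the hostile input are all made up for this example.

```sql
-- Added example, not from the original post. Table, procedures and data are invented.
CREATE TABLE dbo.Products
(
    ProductId   int           NOT NULL PRIMARY KEY,
    ProductName nvarchar(50)  NOT NULL,
    Price       money         NOT NULL,
    IsPublished bit           NOT NULL   -- 0 = should never be shown on the public site
);
INSERT INTO dbo.Products (ProductId, ProductName, Price, IsPublished)
VALUES (1, N'Widget', 9.99, 1),
       (2, N'Gadget', 19.99, 1),
       (3, N'Secret Prototype', 0, 0);
GO

-- VULNERABLE: the caller's input is pasted straight into the query text.
-- Whatever quotes and keywords the input contains become part of the statement.
CREATE PROCEDURE dbo.FindProduct_Vulnerable @name nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, ProductName FROM dbo.Products '
      + N'WHERE IsPublished = 1 AND ProductName = ''' + @name + N'''';
    EXEC (@sql);
END
GO

-- FIXED: the query text is a constant; the value travels separately as a typed
-- parameter, so it can never be parsed as SQL, whatever it contains.
CREATE PROCEDURE dbo.FindProduct_Safe @name nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, ProductName FROM dbo.Products '
      + N'WHERE IsPublished = 1 AND ProductName = @name';
    EXEC sys.sp_executesql @sql, N'@name nvarchar(50)', @name = @name;
END
GO

-- Ordinary input: both procedures look up the product called Widget.
EXEC dbo.FindProduct_Vulnerable @name = N'Widget';
EXEC dbo.FindProduct_Safe       @name = N'Widget';

-- Hostile input (constructed for the example): closes the string literal,
-- ORs in a tautology and comments out the trailing quote.
DECLARE @payload nvarchar(50) = N'x'' OR 1=1 --';

-- The vulnerable procedure now executes
--   ... WHERE IsPublished = 1 AND ProductName = 'x' OR 1=1 --'
-- so the OR 1=1 makes the WHERE clause true for every row and the
-- IsPublished filter is bypassed, exposing the unpublished row.
EXEC dbo.FindProduct_Vulnerable @name = @payload;

-- The safe procedure still executes the constant text
--   ... WHERE IsPublished = 1 AND ProductName = @name
-- and simply looks for a product literally named  x' OR 1=1 --
EXEC dbo.FindProduct_Safe       @name = @payload;
GO
```

Run it in a scratch database. The same distinction applies in the web tier: a SqlCommand whose values are supplied as SqlParameter objects (or a parameterised ADO Command in classic ASP) sends the value separately from the query text, whereas a string concatenated into CommandText is exactly the vulnerable version above. Hand-escaping quotes or checking that input "looks safe" is not a substitute; with a parameter the value never becomes part of the parsed statement at all.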

Stating the obvious here, but Microsoft applies this guidance internally to all of its own sites, including MSDN and TechNet, which run on IIS and SQL Server. If those sites were compromised the story would be all over the cloud in seconds, so the advice evidently works; please use it as well.