SQL Server Security – Additional Resources


The intellectual property (IP) stored on SQL Server in your PLM may be your firm’s greatest asset. It is worth more than credit card records (a lost credit card can be cancelled; lost IP can’t). It is the equivalent of a state secret for your firm. The logical solution is not to re-invent security standards, but to implement existing best practices. Below are some resources you should review beyond those provided by the SQL Server Best Practices Analyzer, which I covered in a prior post.

Payment Card Industry Security Standards Council

The PCI SSC DSS is a mature standard with auditor certifications and regular reviews of security. The council has a Self-Assessment Questionnaire that is well worth doing, and there is a nice collection of related documents in its standards library. A little translation is needed: wherever you see “card”, substitute “IP”. I have already posted on how to implement some of these requirements on SQL Server.

NIST Security Automation Agenda

The National Institute of Standards and Technology has been active with the industry in developing security standards and components because it is very much in the national interest. The agenda deals with vulnerability and configuration issues across a wide range of products.

Checklists

NIST maintains a checklist at https://web.nvd.nist.gov/view/ncp/repository on best configuration practices. For SQL Server you will find the following documents:

Of course, you need to secure the Server and you will find the following documents:

Many firms provide certified tools that check (and in some cases fix) the above items; see the Security Content Automation Protocol (SCAP) Validation Program.

National Vulnerability Database

The Department of Homeland Security National Cyber Security Division/US-CERT maintains a database of known software vulnerabilities that Microsoft and others contribute to. The unfortunate reality is that not all vulnerabilities are fixed the day after they are discovered. For an example, see "Apple Safari, Microsoft IE 8 Hijacked by Hackers at Pwn2Own Contest". Most vulnerabilities can be mitigated, for example by turning off or uninstalling a feature that is not used, by moving machines to isolated networks, or by changing firewall settings. This database is at https://nvd.nist.gov/.

Software: Microsoft Security Compliance Manager

The Microsoft Security Compliance Manager may be used with some of the above to examine the security of your PLM system. The Microsoft Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility. This free product may be downloaded here.

Software: Firewall, Virus and other products

These items do not need to be explained in detail. One problematic scenario occurs if the server running SQL Server is isolated from the internet (good idea!) and the virus detection program gets its updates from the internet. In this scenario, the latest virus detection updates may not reach the program, resulting in a security exposure. You may wish to explicitly confirm that this is not the case with your server.

User Community

There are several websites that have good user content worth reviewing (as always, no responsibility for bad content or side effects). Always evaluate any advice on a test system because there may be conflicts with how your PLM does things. A few websites are:

Books

There are several books available dealing with SQL Server security, including:

Unfortunately, there is no comprehensive book dealing with security for SQL Server 2008 R2.