Detailed steps and methods for MSSQL Security Settings

Source: Internet
Author: User

Step 1: install the latest security patches (service pack and hotfixes) for SQL Server. Do not go on to the later steps until this is done; nothing below compensates for an unpatched server.

Step 2: change the default port 1433 and hide the SQL Server. Hiding the instance stops it from answering the broadcasts that attempt to enumerate SQL Server instances on the network. In addition, block port 1433 in TCP/IP filtering so that the server is as hard to find as possible. The point is this: even if an attacker obtains a SQL Server account through injection, they cannot connect remotely with Query Analyzer and move straight on to the next stage of the attack. Malicious statements sent through pages such as ASP and PHP still have to get their results back through the page, which is nothing like as convenient as a direct Query Analyzer session. So the first thing to make sure of is that, even if the site is injected, the attacker cannot take the next step. How to change it: Enterprise Manager > your server group > your server > Properties > General > Network Configuration > TCP/IP > Properties. Change the default port there and tick "Hide server". Two caveats: on SQL Server 2000, ticking "Hide server" also forces the instance onto port 2433, and a changed port is only obscurity; the firewall or TCP/IP filtering rule is what actually keeps remote Query Analyzer sessions out.
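As an added example (not code from the original article), the following T-SQL reads back the port and "Hide server" setting so the change in step 2 can be verified from Query Analyzer. The registry path is an assumption that holds for a SQL Server 2000 default instance (named instances store these values under a different key), and it relies on xp_regread, so run it from a sysadmin connection before step 4 drops that procedure.

```sql
-- Added example, not from the original article: verify the Step 2 settings.
-- Assumes a SQL Server 2000 default instance; named instances keep these
-- values under a different key. Requires sysadmin, and xp_regread must still exist.
DECLARE @key   varchar(200),
        @port  varchar(20),   -- TcpPort is stored as a string
        @hide  int            -- TcpHideFlag is a DWORD: 1 = "Hide server" ticked

SET @key = 'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp'

-- xp_regread returns an error and leaves the variable NULL if the value is absent,
-- which for TcpHideFlag simply means the box was never ticked.
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', @key, 'TcpPort',     @port OUTPUT
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', @key, 'TcpHideFlag', @hide OUTPUT

SELECT @port AS TcpPort,
       @hide AS TcpHideFlag,
       CASE WHEN @port = '1433' THEN 'still on the default port'
            ELSE 'non-default port' END AS port_status,
       CASE WHEN @hide = 1 THEN 'hidden (SQL Server 2000 then listens on 2433)'
            ELSE 'NOT hidden' END AS hide_status
```

The two status columns are what to check after restarting the service: the port must not be 1433 and hide_status must read hidden. The same xp_regread call is, of course, exactly what an attacker with a high-privilege injection point would use to find the port, which is one more reason step 4 removes it.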

Step 3 is the important one. SQL injection usually originates in web code, and as a system or database administrator you cannot review every piece of code all the time; even if you do, you cannot guarantee that nothing slips through. So what should you do? Start from the database role and cut the database user's permissions down to the minimum. The default permissions in SQL Server are a real headache: they are far too high, and with low permissions nothing works. sysadmin and db_owner are the worst offenders. Once an attacker confirms that the site has a SQL injection vulnerability, the next step is to test the permissions of the site's SQL Server user. Typical probes are Select IS_SRVROLEMEMBER('sysadmin'), Select IS_MEMBER('db_owner'), or a deliberate type mismatch such as and user=0, which makes SQL Server raise a conversion error whose message leaks the current user name. There are other techniques, which I will not go into here. As things stand, if the site's database user runs with sa permissions and the attacker confirms the absolute path of the web root, the site is over. db_owner is just as bad: once the absolute path is confirmed there is about a 50% chance of planting a web-based Trojan such as Haiyang on your machine. So we must create our own role carrying only the permissions the site needs, so that an attacker finds nothing to work with. Here is the relevant material from the SQL Server online help:

How to create a SQL Server database role (Enterprise Manager)
To create a SQL Server database role:
1. Expand a server group, then expand a server.
2. Expand the Databases folder, then expand the database in which you want to create the role.
3. Right-click Roles, then click New Database Role.
4. Enter the name of the new role in the Name box.
5. (Optional) Click Add to add members to the Standard role list, then click one or more users to add.
Only users in the selected database can be added to the role.
Object permissions
Object permissions are the category of permissions that apply when working with data or executing procedures:
· SELECT, INSERT, UPDATE and DELETE statement permissions, which can be applied to an entire table or view.
· SELECT and UPDATE permissions, which can be selectively applied to individual columns of a table or view.
· SELECT permissions, which can be applied to user-defined functions.
· INSERT and DELETE statement permissions, which affect whole rows and therefore apply only to tables and views, not to individual columns.
· EXECUTE statement permissions, which apply to stored procedures and functions.
Statement permissions
Activities that create a database or an item in a database (such as a table or stored procedure) require another class of permission, called statement permissions. For example, a user who must be able to create tables in a database should be granted the CREATE TABLE statement permission. Statement permissions (such as CREATE DATABASE) apply to the statement itself rather than to a specific object defined in the database.
Statement permissions:
· BACKUP DATABASE
· BACKUP LOG
· CREATE DATABASE
· CREATE DEFAULT
· CREATE FUNCTION
· CREATE PROCEDURE
· CREATE RULE
· CREATE TABLE
· CREATE VIEW
Implicit permissions
Implicit permissions control activities that can only be performed by members of predefined system roles or by the owners of database objects. For example, members of the sysadmin fixed server role automatically inherit permission to do or see anything in the SQL Server installation.
Database object owners likewise have implicit permission to perform all activities on the objects they own. For example, the owner of a table can view, add or delete data, alter the table definition, or control the permissions that allow other users to work with the table.
db_owner has all permissions in the database.
db_accessadmin can add or remove user IDs.
db_securityadmin can manage all permissions, object ownership, roles and role membership.
db_ddladmin can issue all DDL statements, but cannot issue GRANT, REVOKE or DENY statements.
db_backupoperator can issue DBCC, CHECKPOINT and BACKUP statements.
db_datareader can select all data from any user table in the database.
db_datawriter can change all data in any user table in the database.
db_denydatareader cannot select any data from any user table in the database.
db_denydatawriter cannot change any data in any user table in the database.
Configure the permissions of the newly created database role: only the tables, views and stored procedures the site actually uses. Then remove the site's user from db_owner, db_securityadmin and db_backupoperator so that an attacker never gets the chance to BACKUP DATABASE or CREATE TABLE; with either of those two permissions your site is still in a very dangerous state. Also, do not assign any server role to the login you create for the website.
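The whole of step 3 as one Query Analyzer script, added here as an example and not taken from the original article or the SQL Server help: it creates a dedicated login, maps it to a database user in a custom role, grants object permissions only, and then runs the same probes an attacker would inject to confirm what they would see. The database, login, user, role, tables and procedure names (MyWebDb, WebAppLogin, WebAppUser, WebAppRole, dbo.Articles, dbo.Comments, dbo.usp_GetArticle) are placeholders, and the schema is a constructed stand-in for the site's real tables. Run it as sysadmin on SQL Server 2000.

```sql
-- Added example, not from the original article: build a least-privilege
-- account for a website on SQL Server 2000 and check what injected probes see.
-- Placeholder names: MyWebDb, WebAppLogin, WebAppUser, WebAppRole,
-- dbo.Articles, dbo.Comments, dbo.usp_GetArticle. Run as sysadmin.
USE master
GO
IF DB_ID('MyWebDb') IS NULL CREATE DATABASE MyWebDb
GO
-- A dedicated SQL login for the site: not sa, in no server role, strong password.
EXEC sp_addlogin 'WebAppLogin', 'replace-with-a-long-random-password', 'MyWebDb'
GO
USE MyWebDb
GO
-- Constructed sample schema standing in for the site's real tables.
CREATE TABLE dbo.Articles (id int PRIMARY KEY, title nvarchar(200), body ntext)
CREATE TABLE dbo.Comments (id int IDENTITY PRIMARY KEY, article_id int, body nvarchar(1000))
GO
CREATE PROCEDURE dbo.usp_GetArticle @id int AS
    SELECT id, title, body FROM dbo.Articles WHERE id = @id
GO
-- Database user mapped to the login, placed in a custom role rather than db_owner.
EXEC sp_grantdbaccess 'WebAppLogin', 'WebAppUser'
EXEC sp_addrole 'WebAppRole'
EXEC sp_addrolemember 'WebAppRole', 'WebAppUser'
GO
-- Object permissions only, and only on what the pages use. No statement
-- permissions (CREATE TABLE, BACKUP DATABASE) are granted at all.
GRANT SELECT ON dbo.Articles TO WebAppRole
GRANT SELECT, INSERT ON dbo.Comments TO WebAppRole
GRANT EXECUTE ON dbo.usp_GetArticle TO WebAppRole
GO
-- Server-level check: the login must be in no fixed server role. Expected: 0.
SELECT IS_SRVROLEMEMBER('sysadmin', 'WebAppLogin') AS login_is_sysadmin
GO
-- Database-level check: impersonate the web user (SETUSER is available to
-- sysadmin and db_owner) and run the probes an attacker would inject.
-- Expected: is_db_owner = 0, is_webapprole = 1.
SETUSER 'WebAppUser'
SELECT IS_MEMBER('db_owner')   AS is_db_owner,
       IS_MEMBER('WebAppRole') AS is_webapprole
-- Each of these must fail with a permission error while impersonating WebAppUser:
--   CREATE TABLE dbo.t (x int)
--   BACKUP DATABASE MyWebDb TO DISK = 'c:\x.bak'
--   EXEC master..xp_cmdshell 'dir c:\'
SETUSER
GO
```

The two SELECTs are the attacker's own probes from the step above turned into an acceptance test: if either returns 1 for the site's account, the role setup is not finished. The trailing SETUSER with no argument ends the impersonation; leave it out and every later statement in the session runs as the web user.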
Step 4: deal with the built-in extended stored procedures. SQL Server ships with a batch of dangerous extended stored procedures for installation and other purposes: they can read the registry, write the registry, read disk and share information, and so on. You may be thinking: my site's code is not Query Analyzer, it does not print query results, so even with the permission to call these the attacker still cannot see the output. That is a serious mistake. If the attacker has CREATE TABLE permission, they can create a temporary table, INSERT the procedure's output into it, SELECT from the table and compare a row with a number so that SQL Server raises a conversion error, and the error message hands them the result, one row at a time. So this has to be dealt with as well.
First, the dangerous extended stored procedures:
xp_cmdshell
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
OLE Automation procedures:
sp_OACreate
sp_OADestroy
sp_OAMethod
sp_OAGetProperty
sp_OASetProperty
sp_OAGetErrorInfo
sp_OAStop
Dropping the procedures that carry a security risk is the thorough fix. Script to drop them:
Exec sp_dropextendedproc 'xp_cmdshell' [dropping it does not affect remote connections; record its DLL first so it can be restored if a maintenance job turns out to need it]
Exec sp_dropextendedproc 'xp_dirtree' [Enterprise Manager's create-database and attach-database dialogs use it to browse the file system, so they will not work after it is dropped]
Exec sp_dropextendedproc 'xp_enumgroups'
Exec sp_dropextendedproc 'xp_fixeddrives'
Exec sp_dropextendedproc 'xp_loginconfig'
Exec sp_dropextendedproc 'xp_regaddmultistring'
Exec sp_dropextendedproc 'xp_regdeletekey'
Exec sp_dropextendedproc 'xp_regdeletevalue'
Exec sp_dropextendedproc 'xp_regread'
Exec sp_dropextendedproc 'xp_regremovemultistring'
Exec sp_dropextendedproc 'xp_regwrite'
Exec sp_dropextendedproc 'xp_enumerrorlogs'
Exec sp_dropextendedproc 'xp_getfiledetails'
Exec sp_dropextendedproc 'xp_regenumvalues'
To restore the extended stored procedures:
Exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
Exec sp_addextendedproc 'xp_dirtree', 'xpstar.dll'
Exec sp_addextendedproc 'xp_enumgroups', 'xplog70.dll'
Exec sp_addextendedproc 'xp_fixeddrives', 'xpstar.dll'
Exec sp_addextendedproc 'xp_loginconfig', 'xplog70.dll'
Exec sp_addextendedproc 'xp_regaddmultistring', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regdeletekey', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regdeletevalue', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regread', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regremovemultistring', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regwrite', 'xpstar.dll'
Exec sp_addextendedproc 'xp_enumerrorlogs', 'xpstar.dll'
Exec sp_addextendedproc 'xp_getfiledetails', 'xpstar.dll'
Exec sp_addextendedproc 'xp_regenumvalues', 'xpstar.dll'
Copy the whole drop script into SQL Query Analyzer and choose Query > Execute from the menu to drop the risky procedures. (The scripts above come from 7i24 technical support for its licensed users.)
Change the default blank sa password. Do not use the sa account for the site's database connections; create a separate account for each database and grant it only public plus the rights it needs (7i24's original advice was public plus db_owner, but step 3 explains why db_owner is too much for a web account).
Do not place the database files in the default location.
Do not install SQL Server under the Program Files directory.
In this example the way to block xp_cmdshell is sp_dropextendedproc 'xp_cmdshell'; if it is needed again, use sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'. If you do not know which .dll file xp_cmdshell uses, run sp_helpextendedproc 'xp_cmdshell' to see which dynamic-link library it is loaded from. In addition, after xp_cmdshell is dropped, rename the xplog70.dll file as well so that an attacker cannot simply re-register the procedure with sp_addextendedproc; note that xp_enumgroups and xp_loginconfig are loaded from the same DLL and will stop working too. On SQL Server 2005 and later, xp_cmdshell is disabled by default and is switched with sp_configure 'xp_cmdshell' rather than by dropping it.
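An audit script for step 4, added here as an example and not part of the original article or the 7i24 scripts: it lists which of the procedures named above still exist in master, prints the DLL each surviving one is loaded from (so the restore list stays accurate and you know which file to rename), and shows which of them public can execute, since anything public can run, the website's account can run too. The watch list is constructed from the lists in this article; the sysobjects/sysprotects columns used are those of SQL Server 2000. Run it as sysadmin.

```sql
-- Added example, not from the original article: audit the risky extended stored
-- procedures in master on SQL Server 2000. Shows which still exist, which DLL
-- each surviving one is loaded from, and which of them public can execute.
USE master
GO
-- Watch list constructed from the lists given earlier in this article.
CREATE TABLE #risky (name sysname)
INSERT #risky SELECT 'xp_cmdshell'
UNION ALL SELECT 'xp_dirtree'              UNION ALL SELECT 'xp_enumgroups'
UNION ALL SELECT 'xp_fixeddrives'          UNION ALL SELECT 'xp_loginconfig'
UNION ALL SELECT 'xp_regaddmultistring'    UNION ALL SELECT 'xp_regdeletekey'
UNION ALL SELECT 'xp_regdeletevalue'       UNION ALL SELECT 'xp_regenumkeys'
UNION ALL SELECT 'xp_regenumvalues'        UNION ALL SELECT 'xp_regread'
UNION ALL SELECT 'xp_regremovemultistring' UNION ALL SELECT 'xp_regwrite'
UNION ALL SELECT 'xp_enumerrorlogs'        UNION ALL SELECT 'xp_getfiledetails'
UNION ALL SELECT 'sp_OACreate'             UNION ALL SELECT 'sp_OADestroy'
UNION ALL SELECT 'sp_OAMethod'             UNION ALL SELECT 'sp_OAGetProperty'
UNION ALL SELECT 'sp_OASetProperty'        UNION ALL SELECT 'sp_OAGetErrorInfo'
UNION ALL SELECT 'sp_OAStop'
GO
-- 1. Existence: xtype 'X' marks an extended stored procedure in sysobjects.
SELECT r.name,
       CASE WHEN o.id IS NULL THEN 'dropped' ELSE 'PRESENT' END AS status
FROM #risky r
LEFT JOIN sysobjects o ON o.name = r.name AND o.xtype = 'X'
ORDER BY status, r.name
GO
-- 2. DLL for every procedure still present: needed for sp_addextendedproc later
--    and to know which file to rename after dropping.
DECLARE @name sysname
DECLARE c CURSOR FOR
    SELECT r.name FROM #risky r
    JOIN sysobjects o ON o.name = r.name AND o.xtype = 'X'
OPEN c
FETCH NEXT FROM c INTO @name
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_helpextendedproc @name   -- one result set per procedure: name, dll
    FETCH NEXT FROM c INTO @name
END
CLOSE c
DEALLOCATE c
GO
-- 3. EXECUTE (action 224) granted (protecttype 204/205) to public (uid 0) on a
--    watch-listed procedure: every row here is reachable from the site's account
--    and must be revoked or dropped.
SELECT o.name
FROM sysprotects p
JOIN sysobjects o ON o.id = p.id
JOIN #risky r      ON r.name = o.name
WHERE o.xtype = 'X' AND p.uid = 0 AND p.action = 224 AND p.protecttype IN (204, 205)
GO
DROP TABLE #risky
```

Run the first query again after the drop script: every watch-listed name should read dropped. The third query is the one most people skip; a procedure that is still present but executable only by sysadmin is a far smaller problem than one public can call from an injected query.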
At this point your SQL Server is basically safe. Information can still leak, however: you cannot revoke SELECT unless the site is pure HTML. Preventing SQL injection ultimately requires the attention of the programmers; that is the real cure.
