Some suggestions for improving SQL Server Security (1)

Source: Internet
Author: User
Tags: strong password, Microsoft Baseline Security Analyzer

1. Install the latest service package

To improve SQL Server security, the most effective method is to upgrade to SQL Server 2000 Service Pack 3a (SP3a ). To download SP3a, visit the SQL Server 2000 SP3a page. In addition, you should install all released security updates. To subscribe to notifications of new security updates, visit the product security notification page.

2. Use Microsoft Baseline Security Analyzer (MBSA) to evaluate server security

MBSA is a tool that scans for insecure configurations in several Microsoft products, including SQL Server and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). It can be run locally or over the network. The tool checks SQL Server installations for the following issues:

◆ Too many members in the sysadmin fixed server role.

◆ Roles other than sysadmin are allowed to create CmdExec jobs.

◆ Blank or simple passwords.

◆ Weak authentication mode.

◆ Excessive permissions granted to the Administrators group.

◆ Incorrect access control lists (ACLs) on the SQL Server data directory.

◆ The sa password stored in plain text in the setup files.

◆ Excessive permissions granted to the guest account.

◆ SQL Server running on a system that is also a domain controller.

◆ The Everyone group incorrectly configured with access to specific registry keys.

◆ The SQL Server service account incorrectly configured.

◆ Required service packs and security updates not installed.

3. Use Windows Authentication Mode

Whenever possible, you should require Windows Authentication Mode for connections to SQL Server. It restricts connections to Windows user and domain user accounts, which protects SQL Server from most Internet-based attack tools. Your server also benefits from Windows security enhancements, such as stronger authentication protocols and enforced password complexity and expiration. In addition, credential delegation (the ability to pass credentials across multiple servers) is available only in Windows Authentication Mode. On the client side, Windows Authentication Mode no longer requires a stored password; password storage is one of the major vulnerabilities in applications that use standard SQL Server logins. To enable Windows Authentication Mode in SQL Server Enterprise Manager, follow these steps:

◆ Expand the server group.

◆ Right-click the server and click Properties.

◆ On the Security tab, under Authentication, click Windows only.

4. Isolate your server and regularly back up

Physical and logical isolation form the foundation of SQL Server security. The machine hosting the database should be physically protected, preferably in a locked data center equipped with flood detection and fire detection/suppression systems. The database should be installed in a secure zone of the enterprise intranet and never connected directly to the Internet. Back up all data regularly and store copies off-site. For guidance on backup procedures and other operational best practices, see the SQL Server 2000 Operations Guide.

5. Assign a strong sa password

The sa account should always have a strong password, even on servers configured to require Windows Authentication. This ensures that no blank or weak sa password is exposed if the server is later reconfigured for mixed mode authentication.

To assign a sa password, follow these steps:

◆ Expand the server group, and then expand the server.

◆ Expand Security, and then click Logins.

◆ In the details pane, right-click sa, and then click Properties.

◆ In the Password box, enter the new password.
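The following T-SQL audit script is an added example, not part of the original article: run from Query Analyzer as a member of sysadmin, it checks several of the MBSA findings listed in section 2 (sysadmin membership, authentication mode, blank passwords, guest access, patch level) and performs the sa password change from section 5. The password value and the use of the undocumented sp_MSforeachdb procedure are assumptions for illustration.

```sql
-- Added audit script for SQL Server 2000 (not from the original article).
-- Run as sysadmin from Query Analyzer; adjust the placeholder password below.

-- Section 2: members of the sysadmin fixed server role (keep this list short).
EXEC sp_helpsrvrolemember 'sysadmin';

-- Section 3: authentication mode. 1 = Windows only, 0 = Mixed (SQL Server and Windows).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
EXEC xp_loginconfig 'login mode';   -- same information from the login configuration

-- Section 2: SQL Server logins with a blank password.
-- isntname = 0 excludes Windows logins, which have no password stored here.
SELECT name
FROM master.dbo.sysxlogins
WHERE isntname = 0
  AND name IS NOT NULL
  AND password IS NULL;

-- Section 2: guest access in user databases (master and tempdb legitimately keep guest).
-- sp_MSforeachdb is undocumented; the pattern is an assumption, not an MBSA rule.
EXEC sp_MSforeachdb
  'USE [?];
   IF DB_NAME() NOT IN (''master'', ''tempdb'')
     SELECT DB_NAME() AS db_name, name AS guest_user
     FROM sysusers
     WHERE name = ''guest'' AND hasdbaccess = 1';

-- Section 1: installed service pack level, to compare with the intended SP3a baseline.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;

-- Section 5: assign a strong sa password. @old may be NULL when run by sysadmin.
-- Replace the placeholder with a long, complex password from your password policy.
EXEC sp_password @old = NULL,
                 @new = 'REPLACE-WITH-STRONG-PASSWORD',
                 @loginame = 'sa';

-- Section 3: Enterprise Manager writes the authentication mode to this registry value;
-- setting LoginMode to 1 enforces Windows only (2 = Mixed). A service restart is required.
EXEC master.dbo.xp_instance_regwrite
  N'HKEY_LOCAL_MACHINE',
  N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
  N'LoginMode', REG_DWORD, 1;
```

Review the result sets before applying the last two statements: the blank-password query should return no rows, and the sysadmin list should contain only the accounts you expect.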

