The importance of server access control policies

Any server, security and performance are two timeless themes. As the information security personnel of the enterprise, the main task is how to improve the security of the server under the premise of guaranteeing the server performance. To do this, the server's access control strategy is undoubtedly one of the important links. The author of the Enterprise recently on a new database server, I designed for him some authority control means. Although these methods do not guarantee the security of the database server, these are still the essential factors in the database server security policy. He has an indelible effect on improving the security of the database server.

In fact, these control strategies are not only effective to the database server, but still have reference value to other application servers.

Give the user the minimum permissions they need

Do not provide database users with more permissions than they need. In other words, just give the user the permissions they really need to do the job efficiently and succinctly. The truth is easy to understand. It's like preventing professional corruption. If you only give an employee a fee that is necessary to get the job done, where is the corruption?

such as from the database server perspective to consider this issue, which requires the database administrator to set user access rights, attention to the following issues.

One is to limit the number of database administrator users. In any server, the administrator has the highest privileges. To keep the database running properly, you must configure the database administrator account. Otherwise, when the database fails, there is no suitable user to maintain it. However, the number of this administrator account should be strictly limited. Not for the sake of convenience, the individual users are set to become administrators. such as the author enterprise, in a database server running two instances, but, only one database administrator responsible for the day-to-day maintenance of the database. So, there's only one admin account.

Second, select the appropriate account to connect to the database. Access to a general database can be controlled in two ways. One is through the foreground application. That is, the connection to the database is a unified account, such as an administrator account, but a number of checkpoints are set up in the foreground application to control the user's access rights. This approach can reduce the amount of work that the foreground program develops, but it is bad for the security of the database server. The second is in the foreground program, directly using the account of the employee login to the database system. Although this approach can improve the security of the database, the workload of its foreground configuration is more cumbersome. And the author often uses the compromise method. There are two types of accounts in the database, one is the administrator account, only the foreground system administrator can use this kind of account to log into the database system. The other is a common account, which can access all the non-system objects in the database, but they are not able to modify the database system's operating parameters. Then access to the specific data object is controlled by the foreground application. In this way, the front Office application staff only need to connect to the database system through the same account. If the system administrator needs to do system maintenance, such as database system backup and restore, you can connect to the database system through the database administrator account. It facilitates the configuration efficiency of the foreground application and improves the security of the database server. In conclusion, our goal is to limit the number of users who are connected to the database as a database administrator.

In other application servers, there are also administrator accounts and regular accounts. When assigning permissions, it is also a good idea to give users only the minimum permissions they need to secure the database server.

Second, do not need to cancel the default account permissions

When creating an account, the server tends to give it some default permissions. As in the database, public is the default role granted to each user. Any user can grant permissions to the public group as long as no specific roles are specified. This includes the ability to execute various SQL statements. In this way, it is possible for users to exploit this management vulnerability to access packages that are not allowed to be accessed directly. Because of this default permission, it is very useful for those who need them and need to configure and use them properly, so the system is not prohibited by default. However, these packages may not be suitable for use with other applications. Therefore, unless absolutely necessary, it should be removed from the default defect.

That is, usually the default permissions for an account, which is relatively large. For databases, the default permissions for their accounts are access to all of the non-system object tables. Database design, the main purpose is to consider the convenience of new users. Also, when you create a new user, the database does not recognize which user objects the user has access to. However, it is not safe for an enterprise application system to have such a large access to each employee by default.

The author's practice is that the application system's default user rights are set to the minimum, and some even the default user rights are all canceled. This forces the server administrator to assign an administrator a predetermined role to the account when setting up the account. This can effectively prevent administrators from "lazy". When creating an account, you do not specify a role.