Snapshot of a Secure Database Server


A snapshot view of the attributes of a secured SQL Server database server lets you quickly compare those settings with your own server. The settings shown in Table 18.5 are based on an analysis of SQL Server database servers that have proven resilient to attack and that demonstrate sound security practices.

Table 18.5: Snapshot of a Secure Database Server

Component / Characteristics

Patches and Updates
  - Latest service packs and patches are applied for Windows 2000 and SQL Server.

Services
  - Nonessential services are disabled.
  - The MSDTC is disabled if not used.
  - The MSSearch service is disabled if not required.
  - The SQLServerAgent service is disabled if not required.
  - The MSSQLServerADHelper service is disabled if not required.

Protocols
  - Unnecessary protocols are removed or disabled.
  - The following protocols are not enabled on the server: NetBIOS and SMB.
  - The TCP/IP stack is hardened.

Accounts
  - The SQL Server service account is secured (least privileged).
  - Unnecessary Windows accounts are deleted or disabled.
  - The Windows guest account is disabled.
  - A new administrator account is created.
  - A strong password policy is enforced.
  - Remote logons are restricted.
  - Null sessions (anonymous logons) are disabled.
  - Approval is required for account delegation.
  - Shared accounts are not used.
  - Membership of the local Administrators group is limited (ideally, no more than two members).
  - The administrator account is limited to interactive logins (or a secure remote administration solution is provided).
  - NTLMv2 authentication is enabled and enforced (LMCompatibilityLevel is set to 5).

Files and Directories
  - Volumes are formatted with NTFS.
  - The Everyone group has no rights to system or tools directories.
  - Samples directories, Help directories, and unused admin directories are removed from the server.
  - Permissions are hardened on the SQL Server installation folder.
  - Passwords are removed from Service Pack 1 and Service Pack 2 setup log files.
  - Tools, utilities, and SDKs are removed.
  - Unused applications are removed.
  - Sensitive data files are encrypted using EFS. (This is optional for database files (.mdf), but not for log files (.ldf).)

Shares
  - Unnecessary shares are removed from the server.
  - Access is restricted to required shares.
  - Shares are not accessible by Everyone, unless necessary.
  - Administration shares (C$, Admin$) are removed if they are not required.

Ports
  - All ports except the SQL Server listening port (default 1433) are blocked.
  - Named instances are configured to listen on the same port.
  - A non-standard SQL Server port (not TCP 1433) is used as an additional layer of defense.
  - The hide server option is used as an additional layer of defense (optional).
  - The firewall is configured to support DTC traffic (if necessary).
  - A firewall is used to separate users from the SQL TCP/IP port.

Registry
  - The Everyone group is removed from SQL Server registry keys.
  - SAM is secured (stand-alone servers only).

Auditing and Logging
  - Failed Windows logon attempts are logged.
  - Failed actions across the file system are logged.
  - SQL Server login auditing is enabled.

SQL Server Settings

  SQL Server Security
    - The authentication setting for SQL Server is Windows Only if possible.
    - The SQL Server audit level is set to Failure or All.
    - The SQL Server Startup Service account is a least privileged account.

  SQL Server Logins, Users and Roles
    - The sa account has a strong password.
    - SQL Server guest accounts are removed from non-system databases.
    - The BUILTIN\Administrators group is removed from the SQL Server logins.
    - The sysadmin role does not contain the BUILTIN\Administrators group.
    - Permissions are not granted for the public role.
    - The sysadmin role contains no more than two users.
    - Restricted (granular) database permissions are granted (built-in, non-granular roles such as db_datareader and db_datawriter are avoided).
    - Default permissions for SQL Server objects are not changed.

  SQL Server Database Objects
    - All sample databases are removed from the server.
    - Stored procedures are secured.
    - Extended stored procedures are secured.
    - cmdExec is restricted to the sysadmin role only.
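The "SQL Server Settings" rows of the table can be checked mechanically rather than by eye. The following T-SQL audit script is an added example, not code from the book or from Microsoft; it reads the SQL Server 2000 system tables the chapter targets (the compatibility views keep it working on later versions) and reports PASS/FAIL/REVIEW per item. It assumes the registry meanings of LoginMode (1 = Windows only, 2 = mixed) and AuditLevel (0 = none, 1 = success, 2 = failure, 3 = all), that the sysprotects codes 224 (EXECUTE) and 204/205 (GRANT) are as documented for SQL Server 2000, and it picks xp_cmdshell as the extended stored procedure to check against the "extended stored procedures are secured" row. It must run as a sysadmin and only reads; it changes nothing.

```sql
SET NOCOUNT ON

-- Collected results; one row per checked item (constructed scratch table).
CREATE TABLE #findings (item sysname, result varchar(80))

-- 1. Authentication mode and login audit level. SQL Server reads both from the
--    registry at startup; xp_instance_regread resolves the key for this instance.
--    LoginMode 1 = Windows only, 2 = mixed. AuditLevel 0 none, 1 success, 2 failure, 3 all.
DECLARE @loginMode int, @auditLevel int
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', @loginMode OUTPUT
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', @auditLevel OUTPUT
INSERT #findings VALUES ('Authentication mode',
    CASE WHEN @loginMode = 1 THEN 'PASS (Windows only)' ELSE 'REVIEW (mixed mode)' END)
INSERT #findings VALUES ('Login audit level',
    CASE WHEN @auditLevel IN (2, 3) THEN 'PASS' ELSE 'FAIL (failed logins not audited)' END)

-- 2. Server logins: BUILTIN\Administrators must not be a login, and the
--    sysadmin role (syslogins.sysadmin = 1) must hold no more than two members.
INSERT #findings VALUES ('BUILTIN\Administrators login',
    CASE WHEN EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = 'BUILTIN\Administrators')
         THEN 'FAIL (login present)' ELSE 'PASS' END)
INSERT #findings VALUES ('sysadmin membership',
    CASE WHEN (SELECT COUNT(*) FROM master.dbo.syslogins WHERE sysadmin = 1) > 2
         THEN 'FAIL (more than two members)' ELSE 'PASS' END)

-- 3. xp_cmdshell: no explicit EXECUTE grant to anyone (sysadmin members need none).
--    sysprotects: action 224 = EXECUTE, protecttype 204 = GRANT WITH GRANT, 205 = GRANT.
INSERT #findings
SELECT 'xp_cmdshell granted to ' + u.name, 'FAIL (explicit grant)'
FROM master.dbo.sysprotects p
JOIN master.dbo.sysusers u ON u.uid = p.uid
WHERE p.id = OBJECT_ID('master.dbo.xp_cmdshell')
  AND p.action = 224 AND p.protecttype IN (204, 205)

-- 4. Per-database checks on every non-system database (dbid > 4 skips master,
--    tempdb, model and msdb): guest must have no access, and public (uid 0) must
--    hold no explicit grants on user-created objects. The USE inside the dynamic
--    batch makes sysusers/sysprotects/OBJECTPROPERTY resolve in that database.
DECLARE @db sysname, @dbq nvarchar(256), @sql nvarchar(2000)
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases WHERE dbid > 4
OPEN dbs
FETCH NEXT FROM dbs INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @dbq = REPLACE(@db, N'''', N'''''')   -- safe to embed in a string literal
    SET @sql = N'USE ' + QUOTENAME(@db) + N'; '
        + N'INSERT #findings SELECT ''guest in ' + @dbq + N''', ''FAIL (guest has access)'' '
        + N'FROM dbo.sysusers WHERE name = ''guest'' AND hasdbaccess = 1; '
        + N'INSERT #findings SELECT ''public grants in ' + @dbq + N''', '
        + N'''REVIEW ('' + CAST(COUNT(*) AS varchar(10)) + '' explicit grants)'' '
        + N'FROM dbo.sysprotects p JOIN dbo.sysobjects o ON o.id = p.id '
        + N'WHERE p.uid = 0 AND p.protecttype IN (204, 205) '
        + N'AND o.xtype IN (''U'', ''V'', ''P'', ''FN'', ''TF'', ''IF'') '
        + N'AND OBJECTPROPERTY(o.id, ''IsMSShipped'') = 0 HAVING COUNT(*) > 0'
    EXEC (@sql)
    FETCH NEXT FROM dbs INTO @db
END
CLOSE dbs
DEALLOCATE dbs

-- Report: anything other than PASS is a deviation from the snapshot.
SELECT item, result FROM #findings ORDER BY item
DROP TABLE #findings
```

The script deliberately does not flag the default permissions that public holds on system objects (IsMSShipped = 1), because the table says those defaults should be left alone; only grants on user-created objects are counted. The sa password strength and the service account's privilege level cannot be read from the system tables and still have to be verified by hand.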

Source: Improving Web Application Security: Threats and Countermeasures (ISBN 0735618429, 2003, 613 pages).