Step 8. Registry


When you install SQL Server, it creates a number of registry entries and subentries that maintain vital system configuration settings. It is important to secure these settings to prevent an attacker from changing them to compromise the security of your SQL Server installation.

When you install SQL Server, it creates the following registry entries and subentries:

  • For a default instance:

     HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MSSQLSERVER

  • For a named instance:

     HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\MICROSOFT SQL SERVER\INSTANCENAME

  • For the SQL service:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER

In this step, you:

  • Verify permissions for the SQL Server registry keys.

  • Secure the SAM (stand-alone servers only).

Verify Permissions for the SQL Server Registry Keys

Use Regedt32.exe to verify that the Everyone group has no permissions on the SQL Server registry keys listed above. The following controls are in place by default:

  • Administrators: Full Control

  • SQL Server service account: Full Control

Note

The Microsoft Baseline Security Analyzer will verify the registry permissions. Use the tool as an alternative to manually verifying the permissions with Regedt32.exe.
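The same check, scripted so it can be run on every SQL Server host instead of clicking through Regedt32.exe. This is an added example, not code from the book: it assumes an elevated PowerShell session on the SQL Server host, uses INSTANCENAME as a placeholder for the named instance, and identifies Everyone by its well-known SID (S-1-1-0) rather than by display name.

```powershell
# Added example (not from the book): report any ACE for the Everyone group on the
# SQL Server registry keys listed in this step, and optionally remove explicit ones.
# Assumptions: run in an elevated PowerShell session on the SQL Server host;
# INSTANCENAME is a placeholder for the named instance, if any.

function Test-SqlRegistryAcl {
    [CmdletBinding()]
    param(
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\MSSQLServer',                       # default instance
            'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\INSTANCENAME', # named instance (placeholder)
            'HKLM:\SYSTEM\CurrentControlSet\Services\MSSQLSERVER'         # SQL service
        ),
        [switch]$RemoveEveryone   # remove explicit (non-inherited) Everyone ACEs
    )

    # Compare by SID rather than display name: S-1-1-0 is the well-known
    # "Everyone" SID on every locale and Windows version.
    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Key not present, skipping: $key"
            continue
        }

        $acl = Get-Acl -Path $key
        $changed = $false

        # Snapshot the ACE list because RemoveAccessRuleAll modifies it.
        foreach ($ace in @($acl.Access)) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

            # Emit one record per ACE so the whole permission set is visible next to
            # the finding; Administrators and the service account are expected to
            # show Full Control here by default.
            [pscustomobject]@{
                Key       = $key
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Finding   = ($sid -eq $everyoneSid)
            }

            if (($sid -eq $everyoneSid) -and $RemoveEveryone) {
                if ($ace.IsInherited) {
                    # An inherited ACE comes from the parent key; it has to be fixed
                    # there (or inheritance broken on this key) rather than removed here.
                    Write-Warning "Everyone ACE on $key is inherited; fix the parent key or break inheritance."
                }
                else {
                    $acl.RemoveAccessRuleAll($ace) | Out-Null
                    $changed = $true
                }
            }
        }

        if ($changed) {
            Set-Acl -Path $key -AclObject $acl
            Write-Verbose "Removed explicit Everyone ACE(s) from $key"
        }
    }
}

# Report only. Pipe through Where-Object { $_.Finding } to see just the Everyone
# entries, and add -RemoveEveryone to remediate the explicit ones.
Test-SqlRegistryAcl | Format-Table -AutoSize
```

Reading the SID instead of the account name avoids a false pass on localized systems, where the group is not called "Everyone", and the `Inherited` column tells you whether a finding has to be fixed on the parent key rather than on the SQL Server key itself.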

Secure the SAM (Stand-alone Servers Only)

Stand-alone servers store account names and one-way password hashes (LMHash) in the local SAM database, which is part of the registry. Generally, only members of the Administrators group have access to the account information.

Although the passwords themselves are not stored in the SAM and the password hashes are not reversible, an attacker who obtains a copy of the SAM database can use brute-force password cracking techniques to recover valid credentials.

Restrict LMHash storage in the SAM by creating the key (not value) NoLMHash in the registry as shown below.

 HKLM\System\CurrentControlSet\Control\LSA\NoLMHash 

For more information, see Microsoft Knowledge Base article 299656, "New Registry Key to Remove LM Hashes from Active Directory and Security Account Manager."
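The registry change above, as an added example that is not part of the book. KB 299656 describes two forms: the one this step gives, for Windows 2000, is a subkey named NoLMHash under the LSA key; on Windows XP and Windows Server 2003 and later the same article uses a REG_DWORD value named NoLMHash set to 1 on the LSA key instead. The function below applies either form and reads the setting back; it assumes an elevated session on a stand-alone SQL Server host.

```powershell
# Added example (not from the book): stop the local SAM from storing LM hashes.
# KB 299656 gives two forms: a NoLMHash subkey under the LSA key (Windows 2000,
# the form this step describes) or a NoLMHash = 1 DWORD value on the LSA key
# (Windows XP / Windows Server 2003 and later).
# Assumption: run in an elevated PowerShell session on a stand-alone host.

function Set-NoLMHash {
    [CmdletBinding()]
    param(
        [ValidateSet('Subkey', 'Value')]
        [string]$Form = 'Value'   # 'Subkey' for Windows 2000, 'Value' for XP/2003 and later
    )

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    if ($Form -eq 'Subkey') {
        # Windows 2000: the mere presence of the subkey disables LM hash storage.
        $subkey = Join-Path -Path $lsa -ChildPath 'NoLMHash'
        if (-not (Test-Path -Path $subkey)) {
            New-Item -Path $subkey | Out-Null
        }
        $applied = Test-Path -Path $subkey
    }
    else {
        # Windows XP / Server 2003 and later: a REG_DWORD value on the LSA key.
        # -Force overwrites an existing value of any other content or type.
        New-ItemProperty -Path $lsa -Name 'NoLMHash' -Value 1 -PropertyType DWord -Force | Out-Null

        # Test-Path only sees keys, so read the value back with Get-ItemProperty.
        $current = (Get-ItemProperty -Path $lsa -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
        $applied = ($current -eq 1)
    }

    [pscustomobject]@{ Form = $Form; Path = $lsa; Applied = $applied }
}

Set-NoLMHash -Form Value
```

The setting only affects hashes written after it is in place: each local account's existing LM hash stays in the SAM until that account's password is next changed, so follow the change with a password reset for the local accounts.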

Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613