Hardening a SQL Server 2008 Implementation

Hardening a SQL Server 2008 ImplementationRoss Mistry, Principal Consultant, Convergent Computing (CCO)Ross Mistry – Bio SummaryRoss Mistry, Principal Consultant & Partner w/ Convergent Computing (CCO)Convergent Computing, CCO is located in the San Francisco Bay Area / Silicon Valley.Specialize in SQL Server Database Administration, High Availability, Active Directory, Exchange, and Operations ManagerLead Author on “SQL Server 2005 Management and Administration” Based on Service Pack 2Co-Author on “Windows Server 2008 Unleashed”Contributing Writer on “Exchange Server 2007 Unleashed” and “SharePoint Server 2007 Unleashed”Technical Editor on “SQL 2005 Unleashed” and “SQL 2005 Changing the Paradigm”Upcoming Books “SQL Server 2008 Management and Administration”Frequent Speaker for PASS, Connections and SQL User GroupsBlog Site: http://www.networkworld.com/community/mistry3Topics Purpose & Challenges General Hardening and Security Techniques Security Configuration Tools Encryption4Purpose of Securing Data and it’s Challenges Data Explosion Hosts Mission Critical Information Repository for Sensitive Data Regulatory Compliance Responsible DBA Job Security  Where do I start?5General Hardening and Security TechniquesPART 1Understanding AuthenticationWindows Authentication• Default Setting• Leverages Active Directory Accounts / Groups• User & Service Accounts are governed by Active Directory Policies• Active Directory Audit Policies are Applied• Multiple Password Policies – W2K8 Enhancement• Domain Level Must be Windows Server 2008• Only one set of passwords can be applied• Kerberos Available with ALL protocols – SQL2K8 Enhancement7Understanding Authentication Cont’dSQL Server Authentication (Mixed Mode)• Leverages AD or SQL Server Accounts• SQL Server continues to offer Password and Lockout Policies based on the following items:Password ComplexityPassword ExpirationAccount LockoutsForce Users to Change Password on Next Logon 8Which Authentication Mode Should I Select?Windows Authentication is Recommended• Additional Level of Protection w\ Kerberos• More Mature and Robust• Best Practice – If possible use Windows AuthenticationMixed Mode may be Required• Need to Support Legacy Applications / Clients• Separation of Duties9SQL Server Account PoliciesScreenshots10