Database Server Security Overview

When it comes to securing database servers, the actual database software usually provides some security features or mechanism which you can implement. A common database is Microsoft SQL Server which you can manage through its Enterprise Manager tool. The Enterprise Manager can be found in the SQL Server program group.

It is recommended that you do not expose your SQL Server databases to public networks such as the Internet. If you do have to connect a SQL Server database to the Internet, a firewall should be in place to protect the SQL Server database.

You can manage and control access to a database server by configuring settings via a data source name (DSN). The Information contained in the DSN is used by programs when connections to the data source needs to be established.Securing Database Servers

The information contained in the DSN includes:

  • Database name.
  • Database server which hosts the database.
  • Directory used for storage.
  • Driver which should be used for the connection.
  • Username and password for establishing a connection to the data source.

It is recommended that you use one of the authentication modes supported in SQL Server if a DNS is being used to establish connections with a SQL Server database.

The following modes of authentication are supported in SQL Server:

  • Windows Authentication Mode: In Windows Authentication Mode, Windows authentication of users forms the basis of granting logon access to users and group. This feature makes it possible for Administrators to use a single sign-on method for users. In addition, Windows security features can be used. Windows Authentication Mode is the default authentication mode used in SQL Server 2000.
  • Mixed Mode: Authentication can occur through either of these methods:

    • Windows authentication
    • SQL Server Authentication.

This basically means that with Mixed Mode, a user can also be authenticated through accounts that contain their user name and password credentials which are created and stored in SQL Server and maintained by SQL Server.

You can also configure permissions which control the activities a user can perform on the actual data within the SQL Server databases.

Permissions can be configured at the following levels:

  • Database server level
  • Application level
  • Table level

If necessary, you might also need to secure a database server using any other server roles which access the specific database.

The SQL Server authorization methods which you can configure are listed here:

  • Object permissions: These permissions are used to control access to databases, tables, and rows and columns. Object permission allows you to control whether a user has the ability to run stored procedures.
  • Statement permissions: These permissions are used to control all administrative activities. This includes creating/deleting a database, and adding/removing database objects. Standard logon accounts do not have statement permissions by default. Database owners and System Administrators only have statement permissions.
  • Implicit permissions: These permissions allow those individuals assigned the permissions to manage and control all aspects of the databases and database objects which are owned by them. Implicit permissions are usually assigned to the owners of databases and database objects.

Another security feature of SQL Server is its ability to be configured to log authentication specific eventsto the Application event log: The different levels of authentication logging which you can configure are listed here:

  • None: Authentication auditing is disabled.
  • Success: Authentication success events are added to the Application event log.
  • Failure: Authentication failure events are added to the Application event log.
  • All: Authentication success and failure events are added to the Application event log.