SQL 2008 Hardening Advice

Hi All,

I was wondering if anyone could help with the task of hardening a SQL 2008 instance. I have a basic understanding of the audit and policy definition features of SQL 2008, but I was wondering if anyone knew of a guide that I could follow. I think I can manage through it, but I would love a reference to check against, in the spirit of leaving no stone unturned.

I have been all over MS TechNet and SQLPASS, and haven't found anything. Am I just missing it?

Thanks,

Chris

asked Apr 08 '10 at 11:17 AM in Default

Chris 4

I posted this question on other boards and to other SQL-smart people I have encountered. One of them did pass back a link to a MS-authored security document:

http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx.

I will pull information from all available resources, but I really like having something from the software vendor as a baseline.

Thanks to everyone that has responded so far...
Apr 09 '10 at 09:43 AM Chris 4

3 answers

A guide which was used by the operations guys at my last employer when hardening for PCI DSS can be found here. I'm not sure though if they did anything on top of what was mentioned in there in order to pass PCI, however.

answered Apr 08 '10 at 11:48 AM

Matt Whitfield ♦♦

Is this an excerpt from the book by Ross Mistry? I just read the whole chapter...thanks!
Apr 08 '10 at 03:14 PM DaniSQL
@DaniSQL - yes it is...
Apr 09 '10 at 05:40 AM Matt Whitfield ♦♦

Google has a lot to give you: http://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=hardening+sql+server+2008
and then there is Books Online http://msdn.microsoft.com/en-us/library/ms130214.aspx
and SQLBits IV had a session on it that was recorded http://sqlbits.com/Agenda/event4/Securing_and_Hardening_a_SQL_Server_Implementation_-_Notes_from_the_Field/default.aspx
and a SQL Server security specialist is K. Brian Kelley and his site http://www.truthsolutions.com/

Hopefully these will get you started and undoubtedly lead you to other sources and references.

answered Apr 08 '10 at 11:49 AM

Fatherjack ♦♦

+1 for the sqlbits link.
Apr 08 '10 at 03:15 PM DaniSQL

I am currently working with the infrastructure team to become PCI compliant by July 2010. I started auditing by reading articles about SQL Server Security Audit from sql-performance.com. Especially try to read the first three-part article on server, database and OS security. Document your findings, discuss them with your team and management, and then take ACTION!!

Although the majority of my servers are 2005, it may apply to 2008. Since your environment is SQL 2008, I suggest you read about Policy-Based Management and take advantage of it.

Please post here if you find a better resource while working on hardening SQL Server.

Hope this helps!

Good Luck!

answered Apr 08 '10 at 03:11 PM

DaniSQL

asked: Apr 08 '10 at 11:17 AM

Seen: 3406 times

Last Updated: Apr 08 '10 at 11:17 AM