Hi All, I was wondering if anyone could help with the task of hardening a SQL 2008 instance. I have a basic understanding of the audit and policy definition features of SQL 2008, but I was wondering if anyone knew of a guide that I could follow. I think I can manage through it, but I would love a reference to check against, in the spirit of leaving no stone unturned. I have been all over MS TechNet and SQLPASS, and haven't found anything. Am I just missing it? Thanks, Chris
A guide which was used by the operations guys at my last employer when hardening for PCI DSS can be found here. I'm not sure though if they did anything on top of what was mentioned in there in order to pass PCI, however.
Is this an excerpt from the book by Ross Mistry? I just read the whole chapter... thanks!
Apr 08 '10 at 03:14 PM
DaniSQL
@DaniSQL - yes it is...
Apr 09 '10 at 05:40 AM
Matt Whitfield ♦♦
Google has a lot to give you: http://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=hardening+sql+server+2008 Hopefully these will get you started and undoubtedly lead you to other sources and references.
+1 for the sqlbits link.
Apr 08 '10 at 03:15 PM
DaniSQL
I am currently working with the infrastructure team to become PCI compliant by July 2010. I started auditing by reading articles about SQL Server Security Audit from sql-performance.com. Especially try to read the first three-part article on server, database and OS security. Document your findings and discuss with your team and management and then take ACTION!! Although the majority of my servers are 2005, it may apply to 2008. Since your environment is SQL 2008, I suggest you read about Policy-Based Management and take advantage of it. Please post here if you find a better resource while working on hardening SQL Server. Hope this helps! Good luck!


I posted this question on other boards and to other SQL-smart people I have encountered. One of them did pass back a link to a MS-authored security document:
http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx.
I will pull information from all available resources, but I really like having something from the software vendor as a baseline.
Thanks to everyone that has responded so far...