Chris 4 asked

SQL 2008 Hardening Advice

Hi All,

I was wondering if anyone could help with the task of hardening a SQL 2008 instance. I have a basic understanding of the audit and policy definition features of SQL 2008, but I was wondering if anyone knew of a guide that I could follow. I think I can manage through it, but I would love a reference to check against, in the spirit of leaving no stone unturned.

I have been all over MS TechNet and SQLPASS, and haven't found anything. Am I just missing it?

Thanks,

Chris

sql-server-2008 security
1 comment

Chris 4 commented ·
I posted this question on other boards and to other SQL-smart people I have encountered. One of them did pass back a link to a MS-authored security document: http://www.microsoft.com/sqlserver/2008/en/us/wp-sql-2008-security.aspx. I will pull information from all available resources, but I really like having something from the software vendor as a baseline. Thanks to everyone that has responded so far...
Matt Whitfield answered

A guide which was used by the operations guys at my last employer when hardening for PCI DSS can be found here. I'm not sure though if they did anything on top of what was mentioned in there in order to pass PCI, however.

2 comments

DaniSQL commented ·
Is this an excerpt from the book by Ross Mistry? I just read the whole chapter...thanks!
Matt Whitfield ♦♦ commented ·
@DaniSQL - yes it is...
Fatherjack answered

Google has a lot to give you: http://www.google.co.uk/search?sourceid=chrome&ie=UTF-8&q=hardening+sql+server+2008
and then there is Books Online http://msdn.microsoft.com/en-us/library/ms130214.aspx
and SQLBits IV had a session on it that was recorded http://sqlbits.com/Agenda/event4/Securing_and_Hardening_a_SQL_Server_Implementation_-_Notes_from_the_Field/default.aspx
and a SQL Server security specialist is K. Brian Kelley and his site http://www.truthsolutions.com/

Hopefully these will get you started and undoubtedly lead you to other sources and references.

1 comment

DaniSQL commented ·
+1 for the sqlbits link.
DaniSQL answered

I am currently working with the infrastructure team on becoming PCI compliant by July 2010. I started auditing by reading articles about SQL Server Security Audit from sql-performance.com. Especially try to read the first three-part article on server, database and OS security. Document your findings and discuss with your team and management and then take ACTION!!

Although the majority of my servers are 2005, it may apply to 2008. Since your environment is SQL 2008, I suggest you read about Policy-Based Management and take advantage of it.

Please post here if you find a better resource while working on hardening SQL Server.

Hope this helps!

Good Luck!
