Hacking into web servers and replacing home pages with pictures of scantily clad
females and clever, self-ingratiating quips is all fine and dandy, but what can we
do about hackers intent on doing more than defacing a few pages? Sooner or later
you’ll be up against an opponent intent on taking your most valuable assets either for
spite or profit. What could be more valuable than the information locked deep in the
bowels of your database? Employee records, customer accounts, passwords, credit card
information—it’s all there for the taking.
For companies built on Microsoft technologies, a popular data store is Microsoft's SQL Server relational database, along with the MSDE (Microsoft Data Engine) variants that ship bundled with more than 220 known software packages. MSDE has become ubiquitous thanks to its price (free) and its power. However, because users are usually unaware that MSDE has been installed alongside some other product, it is rare to find a well-secured MSDE instance: nobody patches, hardens, or even inventories a database they do not know they have.
Unfortunately, despite all of the concerns about scalability and reliability that most
companies have when planning and implementing SQL Server, they often overlook a key
ingredient in any stable SQL Server deployment—security. It’s a common tragedy that
many companies spend a great deal of time and effort protecting the castle gates and
leave the royal vault wide open.
Also, as the SQL Slammer worm taught us, neglecting SQL Server security has repercussions well beyond the organization that owns the server. Slammer exploited a buffer overflow in the SQL Server Resolution Service (UDP port 1434) that Microsoft had patched in MS02-039 roughly six months earlier, and it hit both full SQL Server and the bundled MSDE instances. When a six-month-old SQL Server vulnerability can nearly bring the Internet to its knees, two things become obvious: there are a lot of SQL Server installations out there, and no one seems to be keeping them properly secured.
In this chapter, we outline how attackers footprint, attack, and compromise SQL Server, and then present solutions for mitigating each of these threats. We begin with a case study illustrating common attack methodologies, followed by a more in-depth discussion of SQL Server security concepts, SQL hacking tools and techniques, and their countermeasures. From there, we detail the technologies, tools, and tips for making SQL Server secure.
Download: Hacking_Exp_c11.pdf (458.5 KB)
Enjoy!