Hiding SQL Server from External Crackers

Published Mar 23 2019 12:57 PM
Microsoft
First published on TECHNET on Oct 15, 2012

We harden SQL Server to minimize the threats to SQL Server from rogues/hackers and crackers, but it may be equally important to harden systems other than SQL Server to protect our data. For example, coders and DBAs need to ensure that calls to SQL Server are protected from SQL Injection attacks. Another valuable tactic is to prevent bad guys from finding the servers with SQL Server on them, and we can help guard against that by disabling NetBIOS and Server Message Block (SMB) on Internet-connected servers that don't need them.


The Database STIG makes clear that any unnecessary network protocols should be disabled on the server hosting an instance of SQL Server, but what I'm pointing out in this post is that network protocols on other servers may also need to be secured to provide maximum security for SQL Server.


If you have a web server or DNS server exposed to the Internet, as is very common, it normally doesn't need NetBIOS or SMB. If those protocols are enabled and a cracker compromises one of these servers, the cracker may be able to use them to find instances of SQL Server. The MSDN article "Security Considerations for a SQL Server Installation" ( http://msdn.microsoft.com/en-us/library/ms144228(v=sql.105).aspx ) covers this issue, among others.


If you want to harden your web servers and DNS servers, here are links to articles describing how to disable NetBIOS and SMB. Note that in Device Manager, you may have an entry of "NETBT" instead of "NetBios over TCP/IP" (both represent netbt.sys).


How to Disable NetBIOS (Netbt.sys)
http://msdn.microsoft.com/en-us/library/ms143696(v=SQL.90).aspx


How to Disable SMB
http://msdn.microsoft.com/en-US/library/ms143455(v=sql.90).aspx
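
To confirm the result after following those articles, here is a read-only audit for an Internet-facing web or DNS server. It is an added example, not code from the original post or the linked articles; it assumes Windows Server 2012 or later, and the function names `New-Finding` and `Get-NetbiosSmbExposure` are hypothetical.

```powershell
# Added example: read-only audit of NetBIOS and SMB exposure on the local server.
# Assumes Windows Server 2012 or later (CIM and NetTCPIP cmdlets available).
# Function names are hypothetical; nothing on the system is changed.

function New-Finding($Check, $Item, $Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

function Get-NetbiosSmbExposure {
    # NetBIOS over TCP/IP per IP-enabled adapter.
    # TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object {
            New-Finding 'NetBIOS over TCP/IP' $_.Description "TcpipNetbiosOptions=$($_.TcpipNetbiosOptions)"
        }

    # The NetBT driver (netbt.sys), listed in Device Manager as NETBT
    # or NetBios over TCP/IP.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'NetBT'" |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { New-Finding 'NetBT driver' $_.Name "State=$($_.State), StartMode=$($_.StartMode)" }

    # The Server service (LanmanServer) answers inbound SMB requests.
    Get-Service -Name LanmanServer -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { New-Finding 'SMB server service' $_.Name "Status=$($_.Status)" }

    # Listening sockets: TCP 139 (NetBIOS session) and TCP 445 (SMB over TCP).
    Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'TCP listener' "$($_.LocalAddress):$($_.LocalPort)" "PID $($_.OwningProcess)" }

    # Bound UDP endpoints: 137 (NetBIOS name service) and 138 (NetBIOS datagram).
    Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'UDP endpoint' "$($_.LocalAddress):$($_.LocalPort)" "PID $($_.OwningProcess)" }
}

$results = @(Get-NetbiosSmbExposure)
if ($results.Count -eq 0) {
    'No NetBIOS or SMB exposure found on this server.'
} else {
    $results | Format-Table -AutoSize
}
```

An empty result means no adapter has NetBIOS over TCP/IP left enabled, the NetBT driver and Server service are not running, and nothing is bound to ports 137-139 or 445.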
