CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.3  Application Hardening                 9  3.5.3.9  Data Repositories

3.5.3.9.1  Directory Services 1 2 3 3.6  Summary

Concentric Rings of Security

If your tables are well protected and your database software is patched with the latest security fixes, why care about this? It’s all about providing concentric rings of security – defense in depth. For example, locking down your tables and keeping up to date with patches does not necessarily protect you from a zero-day exploit that misuses vulnerability in the database server software. Once there, an attacker can attempt to brute force the DBA’s database password, look at other databases on the server which might not be as well-protected as the one accessed from the web, etc.

One final note: Remember default passwords? Some databases have them, too. Make sure you change the password of any account installed with your database installation (or use a method of authentication that verifies identity other than by password). EVERYONE knows the default account and password for older versions of SQL Server (no, we won’t add to the problem by repeating it here); surprisingly few people change it. Combine this with a network configuration that allows the database server to be accessed from the Internet, and a tool such as sqlpoke that allows a cracker to search for SQL Servers out on the Internet that use the default account and password³⁸⁴, and it’s not a pretty sight. (As Scambray and McClure say about this, “sleep tight!”)

And now that we’ve wrapped up our discussion of infrastructure security, it’s on to the next chapter, which fittingly (now that we’ve just talked about passwords for databases) concerns the topic of Cryptography.

3.5.3.9.1  Directory Services 1 2 3 3.6  Summary