CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)       9  3.5  Security Baselines            9  3.5.3  Application Hardening                 9  3.5.3.9  Data Repositories

3.5.3.9.1  Directory Services 1 2 3 3.6  Summary

A database is a collection of information – about a company’s products, its customers, its financial records, etc. Databases are quite useful tools from a hacker’s perspective. For one thing, they contain data that the company considers valuable enough to retain for some reason or another.

As with hardening a web server, hardening a database server tends to be a multi-step process, in which you harden the database server software itself, and then any custom applications/databases your organization’s staff has set up. Don’t overlook the step of checking for security updates for your database server software. While database servers are not as visible on the Internet as web servers are, they’re often not completely invisible either (particularly if a cracker has broken into your web server), and the potential value of their contents makes them an interesting target.

The most straightforward issue with databases is simply configuration of the database for appropriate levels of data privacy and integrity. Your database administrator should be responsible for maintaining the necessary security on the sets of data stored in the database. Each data table can often be assigned its own permissions, which may for example allow web users to just read, or just add to a table. If you need to apply different rules to different users, many databases can be configured to accept individual user logins as well as general connections without authentication, and then match the user login with access rules for the data in the database, to determine what kind of access (delete records, add new records, change records, read only) the user has to each type of data in the database.

Not only can databases contain valuable data, but also they’re often a handy portal into command line access to the OS – sometimes with system administrator privileges – due to programming errors in the database software itself, or in applications written by others, attached to the database server. Some databases feature the concept of a “stored procedure” – small programs stored within the database server to do a series of things (like, often, run certain command line commands) when they are invoked by database users.

The stored procedures often take user-provided data as parameters, to determine exactly what the stored procedure will do. As with CGI script exploits and buffer overflows, it’s sometimes possible to creatively manipulate this data to do something other than what you might expect.

3.5.3.9.1  Directory Services 1 2 3 3.6  Summary