BlackBerry Enterprise Solution - Security Technical Overview, page 35


BlackBerry Enterprise Solution
Configuration option: Shield your Microsoft SQL Server installation from Internet-based attacks
Recommendations:
- Require Windows Authentication Mode for connections to Microsoft SQL Server to restrict connections to Microsoft® Windows® user and domain user accounts and enable credentials delegation. Windows Authentication Mode eliminates the need to store passwords on the client side.
- Use Windows security enforcement mechanisms such as stronger authentication protocols and mandatory password complexity and expiration.

Configuration option: Password-protect the service account
Recommendations:
- Assign a strong password to your sa account, even on servers that require Windows Authentication. A strong password is designed to prevent exposure of a blank or weak sa password if the server is ever reset for Mixed Mode Authentication.

Configuration option: Limit the privilege level of Microsoft SQL Server Windows services
Recommendations:
- Associate each service with a Windows account from which the service derives its security context. Microsoft SQL Server allows a user of the sa login, and in some cases other users, to access operating system features derived from the security context of the account that owns the server process. If the server is not secured, a malicious user might use these operating system calls to extend an attack to any other resource to which the Microsoft SQL Server service account has access.

Configuration option: Use the Microsoft SQL Server Enterprise Manager
Recommendations:
- If your organization must change the account associated with a Microsoft SQL Server service, the system administrator should use the SQL Server Enterprise Manager to do so. The SQL Server Enterprise Manager sets the appropriate permissions on the files and registry keys that the Microsoft SQL Server uses.
- Do not use the Microsoft Management Console Services applet to change the account associated with a Microsoft SQL Server service. Using this Services applet requires the system administrator to manually adjust many registry and NTFS file system permissions and Microsoft Windows user rights.
- For more information, see the Microsoft Knowledge Base article "How to change the SQL Server or SQL Server Agent service account without using SQL Enterprise Manager in SQL Server 2000 or SQL Server Management Studio in SQL Server 2005".

Configuration option: Make the Microsoft SQL Server ports that are monitored by default on your firewall unavailable
Recommendations:
- Set your firewall to filter out packets that are addressed to TCP port 1433, addressed to UDP port 1434, or associated with named instances.

Configuration option: Use a secure file system
Recommendations:
- Use NTFS for the Microsoft SQL Server because it is more stable and recoverable than FAT file systems, and enables security options such as file and directory ACLs and EFS.
- Do not change the permissions that the Microsoft SQL Server sets during installation. The Microsoft SQL Server sets appropriate ACLs on registry keys and files if it detects NTFS.
- If the system administrator must change the account that runs the Microsoft SQL Server, decrypt the files under the old account and re-encrypt them under the new account.

www.blackberry.com
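A read-only T-SQL audit of the authentication mode, sa password, listener port and service account recommendations above, added here as an example and not taken from the BlackBerry manual. It assumes SQL Server 2005 or later (these catalog views do not exist in SQL Server 2000) and a login with CONTROL SERVER permission so that password_hash is visible; the result labels are illustrative.

```sql
-- Added audit example; not part of the original manual. Read-only.

-- 1. Authentication mode: 1 = Windows Authentication only, 0 = Mixed Mode.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'OK: Windows Authentication Mode'
         ELSE 'REVIEW: Mixed Mode Authentication is enabled'
       END AS auth_mode_check;

-- 2. sa login state. The sa account keeps the fixed SID 0x01 even when it
--    has been renamed, so match on the SID rather than the name.
--    PWDCOMPARE returns 1 when the supplied text matches the stored hash.
SELECT name,
       is_disabled,
       is_policy_checked,      -- Windows password complexity enforced
       is_expiration_checked,  -- Windows password expiration enforced
       CASE
         WHEN PWDCOMPARE('', password_hash) = 1
           THEN 'FAIL: blank password'
         WHEN PWDCOMPARE(name, password_hash) = 1
           THEN 'FAIL: password equals login name'
         ELSE 'no blank or trivial password found'
       END AS sa_password_check
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. TCP endpoints that current sessions are connected to. Any port listed
--    here (1433 for a default instance, another port for a named instance)
--    is one the firewall rule has to cover.
SELECT DISTINCT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE net_transport = 'TCP';

-- 4. Windows account behind each SQL Server service.
--    sys.dm_server_services requires SQL Server 2008 R2 SP1 or later;
--    leave this query out on older instances.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;
```

A sa row that reports a blank or trivial password is a finding even when check 1 reports Windows Authentication Mode, because the password becomes reachable as soon as the server is switched to Mixed Mode.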

This manual is also suitable for:

Enterprise server 4.1
