Database Security Checklist V5R1, December 2002
Field Security Operations, Section 3B: MS SQL Server Checklist Procedures
Defense Information Systems Agency
UNCLASSIFIED

3B DATABASE CHECKLIST AND PROCEDURES FOR MICROSOFT SQL SERVER

This section details the procedures needed to perform a security readiness review (SRR) of a Microsoft SQL Server RDBMS installed in a Windows NT or Windows 2000 host operating system environment. This checklist will become effective on January 24, 2003.

Contents
1 Reviewer Notes ... 3
2 Reviewer Interfaces ... 4
3 Process Notes ... 8
4 PDI Numbering Scheme ... 8
5 RDBMS Version Specific Checks ... 8
6 Script and Manual Checks ... 8
DM1459 Blank sa password found on Microsoft SQL Server ... 9
DM5145 Temporary Stored Procedures (version 7 only) ... 10
DM5408 Incomplete Argument Validation (version 7 only) ... 11
DM1758 xp_cmdshell Procedure Has Not Been Removed ... 12
DM1703 Auditing Level ... 13
DM1709 Guest User IDs ... 14
DM3763 CmdExec Jobs ... 15
DM3566 Login Mode ... 16
DM2119 Registry Procedure Permissions ... 17
DM1761 Startup Stored Procedures ... 18
DM2095 OLE Automation Procedure Permissions ... 19
DM1759 Unauthorized Object Owners ... 20
DM1760 Statement Permissions ... 21
DM1803 Encrypted Stored Procedures ... 23
DM1715 Group Permissions ... 24
DM1757 Allow Updates to System Tables ... 25
DM5144 With Grant Option ... 26
DM1714 User Permissions ... 27
DM2142 Allow Remote Access ... 28
DM1749 System Table Permissions ... 29
DM1762 Extended Stored Procedures ... 30
DM1769 Microsoft SQL Server Service Packs ... 31
DM5432 Auditing of Security Events (version 8 only) ... 32
DM5268 Trace Status (version 8 only) ... 34
DM5267 Trace File Rollover (version 8 only) ... 35
DM2133 Replication ... 36
DM0500 SYSADMIN Fixed Server Role ... 37
DM0550 Dedicated Database Datafiles ... 38
DM0510 C2 AUDIT MODE (version 8 only) ... 39
DM0590 MS SQL Server Version ... 40
DM0630 Active Application Object Owner Account ... 41
DM0530 Fixed Server and Database Roles ... 42
DM0690 Application Administrator and Application User Roles ... 43
DM0660 Database Instance Names (version 8 only) ... 44
DG0010 COTS Software Modification ... 45
DG0030 Audit Trail Maintenance ... 46
DG0060 Shared Database Accounts ... 47
DG0070 Valid User Accounts ... 48
DM0710 SQL Server Text Formatting Functions Contain Unchecked Buffers ... 49
DM0900 SQL Mail is enabled ... 50
DM0901 SQLServerAgent email is not documented with the ISSO ... 51

1 Reviewer Notes

The review procedures and utilities listed are intended to be run from a Windows client workstation. An individual server may provide RDBMS services to several different RDBMS systems; in such cases each RDBMS system requires a separate SRR. If the RDBMS systems are not found via network communications using default TCP/IP address and port assignments, the reviewer must query the Database Administrator (DBA) or SA and adjust accordingly.

The focus of this procedures checklist is to ensure the operation of a secure RDBMS service. This includes forms of security and security vulnerabilities such as retrieving unauthorized information, making malicious alterations to data, unauthorized alterations of the server configuration, relayed attacks, and denial of service attacks.

Note: Windows conventions used in this document. "Start, Programs" means click on the Start button in the Windows task bar and then select the icon entitled Programs.

2 Reviewer Interfaces

The entire review may be run from the reviewer's workstation if the information provided by the SA/DBA is correct and the reviewer logs on with an account that has Administrator privileges on the host system and SYSADMIN privileges on the RDBMS. The reviewer workstation requires installation of the MS SQL Server client components, including Management tools and Client connectivity. The review utilizes the following applications:
- SQL Server Client Network Utility
- Enterprise Manager (Microsoft Management Console with SQL Server plug-ins)
- Query Analyzer

SQL Server Client Network Utility

The reviewer must first use this utility to configure the network connection to the SQL Server instance; Enterprise Manager uses the connection definition. To access the utility (NT): Start, Programs, Microsoft SQL Server, Client Network Utility.

To configure a TCP/IP connection:
1. Select the General tab. Confirm or add the network protocol used by the SQL Server host system (see Server Network Utility) to Enabled Protocols.
2. Select the Alias tab and click the Add button.
3. Enter a name in the Server alias text box that is meaningful to you, the reviewer.
4. Enter the name or TCP/IP address of the host server in the Server name text box.
5. De-select "dynamically configure port" if more than one SQL Server instance is running on the host server, and enter the port number in the text box if the port is not the default port of 1433.

To determine the port setting for an instance of SQL Server:
1. At the host system console, select Start, Programs, Microsoft SQL Server, Server Network Utility.
2. Select the instance to review from the pull-down menu.
3. Highlight TCP/IP in the Enabled Protocols list.
4. Click on the Properties button.
5. Note the default port listed.
Click OK to save.

The Client Network Utility Alias tab screen is shown below. (Screenshot not reproduced in this copy.) The example shows connections defined for two instances on the same host server. The alias name is defined by the reviewer; it is connected to the specific instance by use of the host name or IP address and the port number for TCP/IP connections.

Enterprise Manager

To access Enterprise Manager for SQL Server: Start, Programs, Microsoft SQL Server, Enterprise Manager. Expand the SQL Server group and select the SQL Server just scanned. Below is a picture of Enterprise Manager with the selected SQL Servers expanded. (Screenshot not reproduced in this copy.)

Query Analyzer

To access Query Analyzer: Start, Programs, Microsoft SQL Server, Query Analyzer. Or, from within Enterprise Manager, select Tools from the menu bar, then select Query Analyzer from the drop-down menu. Below is a picture of the Query Analyzer GUI with a SQL statement and its results displayed. (Screenshot not reproduced in this copy.)

Host Review

The review may also be performed directly on the SQL Server host using an account with Administrator privileges on the host and SYSADMIN privileges within the RDBMS.

Script Process

Execute the batch command dbsrr_SQL_SRR.bat. This script will ask the reviewer if integrated security is being used. If integrated security is not being used, the script will prompt for a SQL user ID and password that is a member of the sysadmin role. The script will then ask if the review is being performed on the local host; if it is not, it will prompt the user for the server and instance name of the SQL Server to be reviewed. The output will be a single file. The first part of the file will be a list of all potential findings that are open, require validation, or were not reviewed. The second part of the file is the input file to be used as input into VMS (Vulnerability Management System). The output file will be stored in the C:\temp\srr directory and will be named dbsrr_sql_output.txt. Subsequent executions of the script will overwrite the existing file.

3 Process Notes

Information Assurance Vulnerability Management (IAVM): IAVM alerts, bulletins, and advisories were instituted to provide positive control of vulnerability notification and corresponding corrective action within DoD. All DoD program managers and system administrators and/or other personnel responsible for system networks shall comply with the IAVM process.

Definitions for Category of Findings:
Category I findings are any vulnerabilities that provide an attacker immediate access into a machine, allow superuser access, or bypass a firewall.
Category II findings are any vulnerabilities that provide information that has a high potential of giving access to an intruder.
Category III findings are any vulnerabilities that provide information that potentially could lead to compromise.
Category IV vulnerabilities, when resolved, will prevent the possibility of degraded security.

4 PDI Numbering Scheme

Database PDI numbers begin with the letter D (for Database), followed by either O, M, or G, indicating an Oracle-specific check, a Microsoft SQL Server-specific check, or a General check, respectively.

5 RDBMS Version Specific Checks

Checks that apply only to a specific version of the RDBMS are so noted. Other versions to which the check does not apply should be marked N/A for that check.

6 Script and Manual Checks

Manual validation checks are required for any checks that are listed with a status of Validate.

MS SQL Server Checks and Procedures

DM1459 Blank sa password found on Microsoft SQL Server

Description: By default the sa account password is blank. If the sa account is left without password protection, anyone can act as administrator on the SQL server. Once an unauthorized user gains access to the sa account, it is easy to gain access to admin privileges on the Windows NT Server by using commands such as xp_cmdshell.
Script Output: If the status for this check is Open, then this is a Finding.
Manual Check: From Query Analyzer, connect to the database and enter in the query window:
    select name from sysxlogins where password is null and name = 'sa'
Press F5 to execute. If an sa record is returned, then this is a Finding.
Category I
PDI: DM1459 Blank sa password found on Microsoft SQL Server
Reference: Database STIG D3.6
Script Check: 5604

DM5145 Temporary Stored Procedures (version 7 only)

Description: Permission checking in temporary stored procedures may be bypassed, allowing any user to execute a stored procedure from within a temporary stored procedure. When a temporary stored procedure calls another stored procedure in a database whose owner is sa, normal permission checking is bypassed. Since any user can create a temporary stored procedure and the master database is owned by sa, this vulnerability allows any user to execute most system stored procedures, including extended procedures such as xp_cmdshell. Depending on the context under which xp_cmdshell runs, this could allow any user to gain administrative access to the server.
Script Output: Check Status "Temporary Stored Procedures". If the status for this check is Open, then this is a Finding.
Manual Check: From Enterprise Manager, right-click on the SQL server name, select the General tab, and review Product version. The build number for Version 7.0 with Service Pack 3 reads 7.00.961. If the version is not at least 7.00.961, then this is a Finding.
Note: This vulnerability was reported in MS Security Bulletin MS00-048 and corrected in Service Pack 3; it is discussed in MS Knowledge Base article Q266766.
Category I
PDI: DM5145 No permission checking detected in temporary stored procedures
Reference: Database STIG D1
Script Check: 5663

DM5408 Incomplete Argument Validation (version 7 only)

Description: SQL Server 7.0 performs incomplete argument validation on certain types of SQL statements. If a user submits a certain type of query, that user can gain access to the underlying operating system because permissions to execute the query arguments are not properly checked. This type of query takes advantage of the fact that remote data can be accessed through an OLE DB data source; the user can then pass a query to the provider. The query itself is not checked for proper permissions.
Script Output: Check Status "Incomplete Argument Validation". If the status for this check is Open, then this is a Finding.
Manual Check: From Enterprise Manager, right-click on the SQL server name, select the General tab, and review Product version. The build number for Version 7.0 with Service Pack 3 reads 7.00.961. If the version is not at least 7.00.961, then this is a Finding.
Note: This vulnerability was reported in MS Security Bulletin MS00-014 and corrected in Service Pack 2; it is discussed in MS Knowledge Base article Q256052.
Category I
PDI: DM5408 Server is vulnerable to incomplete query validation on certain types of queries
Reference: Database STIG D1
Script Check: 5667

DM1758 xp_cmdshell Procedure Has Not Been Removed

Description: The xp_cmdshell procedure allows a user to execute operating system commands from Microsoft SQL Server as if at a command line prompt. Logins with sa or the sysadmin server role execute the commands in the security context of the MSSQLServer service's account. In SQL Server 6.5, a configuration option determines whether non-sa logins execute xp_cmdshell in the context of the SQLExecutiveCmdExec Windows NT account; in SQL Server 7.0 this account is SQLAgentCmdExec. Users who are not in the sysadmin server role run under this account without having to change any configuration option. Depending on your security requirements, this procedure should be restricted to users with sa or the sysadmin role. Care should be taken in granting access to this account to non-sa logins.
Script Output: Check Status "xp_cmdshell Procedure Permissions". If the status for this check is Validate, then ensure the ISSO has documentation allowing the use of this procedure. If there is no documentation, this is a Finding.
Manual Check: From Enterprise Manager, connect, open the SQL server, expand Databases, expand the master database, and expand Extended Stored Procedures. Scroll through the list to see if xp_cmdshell is listed. If it is listed, then ensure the ISSO has documentation allowing the use of this procedure. If there is no documentation, this is a Finding.
Category I
PDI: DM1758 Extended stored procedure xp_cmdshell has not been removed
Reference: Database STIG D10
Script Check: 5625

DM1703 Auditing Level

Description: Microsoft SQL Server can be configured to provide an audit trail of successful or failed logins. The information in the error logs includes which login ID attempted to log in, whether they succeeded or failed, if the connection was standard or trusted, the time, and the date. Proper configuration of the auditing level is critical in detecting stale logins, login attacks, and logon hours violations.
Script Output: Check Status "Auditing Level". If the status for this check is Open, then this is a Finding.
Manual Check: From Enterprise Manager, right-click on the SQL server and select Properties. Select the Security tab and review the Security Audit level selection. If Both or Failure is not selected, then this is a Finding.
Category II
PDI: DM1703 Microsoft SQL Server is not configured to audit failed logins
Reference: Database STIG D4
Script Check: 5609

DM1709 Guest User IDs

Description: Found guest user IDs. The guest user ID in a database allows access by all login IDs. If the user ID guest exists in the database, all logins not mapped or aliased to a user ID are allowed access to the database as guest. The guest account cannot be removed from the master or tempdb database. The use of the guest user ID in other databases should be limited.
Script Output: Check Status "Guest User Ids". If the status of the check is Open, then this is a Finding.
Manual Check: From Enterprise Manager, connect, expand the SQL Server, expand Databases, expand each database, select Users, and scroll to the user guest. Repeat for each database except master and tempdb. Each guest user listed is a Finding.
Category II
PDI: DM1709 Microsoft SQL Server guest user IDs found
Reference: Database STIG D3.9
Script Check: 5615

DM3763 CmdExec Jobs

Description: SQL Server Agent allows users to create and schedule jobs that execute commands on the selected subsystem, depending on the job type. Jobs of type TSQL run SQL statements against the server, while CmdExec jobs can run commands or execute programs just as if you were at an operating system prompt. Jobs that execute under the CmdExec or ActiveScripting subsystems can execute operating system commands. This condition poses a security risk and should be restricted. The SQL Server Agent should be configured so that only users with the sysadmin role can run these types of jobs.
Script Output: None
Manual Check From Enterprise Manager c
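The manual checks for DM1459, DM1758, DM1703 and DM1709 above can each be run as a query from Query Analyzer instead of being walked through Enterprise Manager. The following T-SQL is an added example, not part of the DISA checklist or its dbsrr script; it assumes the SQL Server 7.0/2000 system tables (sysxlogins, sysobjects, sysdatabases, sysusers) and the xp_loginconfig procedure, and it widens the DM1459 query from sa alone to every login stored with a NULL password.

```sql
-- Added reviewer script (not the checklist's own): runs the manual checks for
-- DM1459, DM1758, DM1703 and DM1709 as queries against SQL Server 7.0 / 2000
-- system tables. Run from Query Analyzer as a sysadmin; every row returned is
-- a candidate finding that still needs the checklist's documentation review.

-- DM1459: the checklist looks at sa only; this reports every login whose
-- stored password is NULL, which is how a blank password is recorded.
SELECT 'DM1459' AS pdi, name AS login_name
FROM master..sysxlogins
WHERE password IS NULL

-- DM1758: xp_cmdshell still registered in master (xtype 'X' = extended proc).
SELECT 'DM1758' AS pdi, name AS object_name
FROM master..sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell'

-- DM1703: read the login audit level through xp_loginconfig into a temp
-- table. It reports none / success / failure / all; 'all' is what Enterprise
-- Manager shows as "Both", so anything other than failure or all is a finding.
CREATE TABLE #cfg (name nvarchar(128), config_value nvarchar(128))
INSERT #cfg EXEC master..xp_loginconfig 'audit level'
SELECT 'DM1703' AS pdi, config_value AS audit_level
FROM #cfg
WHERE name = 'audit level' AND config_value NOT IN ('failure', 'all')
DROP TABLE #cfg

-- DM1709: guest enabled in any database other than master and tempdb.
-- A cursor over sysdatabases builds one query per database; names are
-- bracket-quoted. Offline or suspect databases will raise an error here.
CREATE TABLE #guest (db_name sysname, user_name sysname)
DECLARE @db sysname
DECLARE dbs CURSOR FOR
    SELECT name FROM master..sysdatabases
    WHERE name NOT IN ('master', 'tempdb')
OPEN dbs
FETCH NEXT FROM dbs INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    INSERT #guest
    EXEC('SELECT ''' + @db + ''', name FROM [' + @db + ']..sysusers '
       + 'WHERE name = ''guest'' AND hasdbaccess = 1')
    FETCH NEXT FROM dbs INTO @db
END
CLOSE dbs
DEALLOCATE dbs
SELECT 'DM1709' AS pdi, db_name, user_name FROM #guest
DROP TABLE #guest

-- DM5145 / DM5408: the checklist compares the product build against 7.00.961
-- (7.0 SP3); @@VERSION carries the build number for the reviewer to compare.
SELECT 'DM5145/DM5408' AS pdi, @@VERSION AS version_banner
```

An empty result set for a PDI means that query found nothing; for DM1758 a returned row is a Finding only if the ISSO has no documentation allowing xp_cmdshell, as the checklist states.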