WebApp Sec mailing list archives

Re: How to secure database server and others


From: Ben Timby <asp () webexc com>
Date: Mon, 09 Aug 2004 15:53:51 -0500

Annie, I am not sure what another hacker would do, but I would search the web application code to retrieve database connection information. This information I would then use to connect to the database server, and leech any data I thought was interesting. I would then proceed to elevate my privileges (if I even needed to, which in my experience I would not) on the SQL server to gain access to other databases. If I could elevate my privileges, I would then utilize eXtended Procedures, and other SQL trickery to try and own the SQL server behind the firewall. So, the potential pitfalls are:

1. Exposing connection information to attackers. Use Microsoft best practices to hide this information as best you can. Unfortunately, in most cases this will not prevent an attacker from connecting to your database, but can prevent them from retrieving the actual username and password. This might limit what they can do in terms of attacks.

2. Putting more data than necessary to run the application into SQL server. You could set up an additional server, or just another instance on the same hardware to host unrelated data.

3. Place the SQL server in a DMZ or untrusted network. You definitely want a firewall between it and any other internal servers.

4. Lock down the server in accordance with MS best practices to minimize the chances that an attacker can elevate their privileges and "own" the database server.

5. You mentioned encryption; this is a good idea. However, you have to put a lot of thought into the implementation. There are many pitfalls that can render your encryption worthless. One example is the common mistake of including the decryption routine and key as part of the web application. Hackers will find this information, and write their own attack tools (or use yours) to decrypt your data.

I hope this information is useful.

Leung, Annie LDB:EX wrote:
Here is a scenario. Any input on threats and security is welcome.

The web/application is run by an ISP (outsider). The database supporting
the web application is in a database server (not a SQL server) running
in-house. The traffic between the web/application server and database server
is bypassing the firewall. There may be ACL rules in the router allowing
traffic between the web server and database server. There are other
databases in this database server. Internally, there is another client
program that accesses another database (in another server) that has a database
link to this web application database.

What could a hacker do if the web/application server was intruded and/or
hijacked? Would it be typical that the hacker will probe the next system
in the network (i.e. the database server)? If not much valuable information
(such as connection passwords to legacy systems are encrypted), would the
hacker simply launch a DoS attack to the database server? What else would
the hacker do? Or, what else can the hacker do?

Would it be better off to have a database server just for the web
application with no other databases on it?

I know that this is a poor scenario. But I believe this would be a common
pattern for some small firms who start their web applications without too
much thought about Internet threats.

Thanks in advance,
Annie
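
An added example, not part of the original thread: a small audit script a defender can run over their own web application source to find the exposure described in pitfall 1 of the reply, connection strings with an embedded password or a sysadmin login. It assumes ADO/ODBC-style `key=value;` connection strings in double-quoted literals; the sample pages, host name and finding labels are constructed for illustration.

```python
import re
# Keyword aliases used by ADO / ODBC / SqlClient connection strings.
USER_KEYS = {"user id", "uid"}
PASS_KEYS = {"password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
PRIVILEGED_LOGINS = {"sa"}  # built-in SQL Server sysadmin login

# A double-quoted literal containing at least one "key=value;" pair.
LITERAL = re.compile(r'"([^"\n]*=[^"\n]*;[^"\n]*)"')

def parse_conn_string(text):
    """Split 'k=v;k=v' into a dict with lower-cased, trimmed keys."""
    pairs = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_source(name, source):
    """Return (file, line, finding) tuples for connection strings in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in LITERAL.finditer(line):
            kv = parse_conn_string(match.group(1))
            if not (kv.keys() & (USER_KEYS | PASS_KEYS | TRUSTED_KEYS)):
                continue  # literal is not a connection string
            user = next((kv[k] for k in USER_KEYS if k in kv), "")
            if any(kv.get(k) for k in PASS_KEYS):
                findings.append((name, lineno, "embedded-password"))
            if user.lower() in PRIVILEGED_LOGINS:
                findings.append((name, lineno, "privileged-login"))
    return findings

# Constructed sample: classic ASP page with a hard-coded SQL login.
SAMPLE_ASP = '''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=shop;User ID=sa;Password=EXAMPLE-ONLY;"
%>'''

# Constructed sample: same connection using Windows integrated authentication.
SAMPLE_TRUSTED = '''<%
conn.Open "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=shop;Integrated Security=SSPI;"
%>'''

if __name__ == "__main__":
    for finding in audit_source("default.asp", SAMPLE_ASP):
        print(finding)
```

A clean result only means no credentials sit in string literals; the account the application connects as still needs the minimal database rights covered in pitfalls 2 and 4.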

