
ppt_SQL server

By Clyde Gibson,2014-05-27 15:17

Welcome to CIW

Lesson 1: Security of Database

Topics:

- Security Policy of Database
- Security Elements of Database
- Hierarchy of Database Security
- Basic Principles
- Overview of Risk

Security Policy of Database

- Physical policy of database
- Logical policy of database
- Data security
- Link security
- Denial of unlawful intrusion
- Division into separate levels

Security Elements of Database

Controlling data security:

- Data integrity
- Data confidentiality
- Non-repudiation
- Flexible and scalable
- Link security (authentication)
- Session security (denial of spoofing)

Hierarchy of Database Security

- Registration and permission
- Access control
- Increasing limits

Basic Principles

- Discretionary Access Controls (DAC)
- User authentication
- Permissions for users/roles/tables/views
- Auditing database security

Overview of Risk

- Software risk
- Management risk
- User action risk
- Back doors / holes in the DBMS

Lesson 2: Introduction and Analyzer

Topics:

- Overview of SQL Server Security
- Security Facilities in SQL Server
- SQL Server Security Modes

Overview of SQL Server Security

- Overview of authentication in SQL Server
- SQL Server security planning issues
- SQL Server security terminology
- Barriers to accessing SQL Server data

Security Facilities in SQL Server

- Multiple authentication and security modes
- Logins, users, object permissions, and roles

SQL Server Security Modes

- User connection types
- Windows NT Server authentication mode
- Mixed Mode
- Configuring Windows NT authentication mode

Lesson 3: Security Management

Topics:

- Creating and Managing Logins
- Database User IDs and Roles
- Using the Create Login Wizard

Creating and Managing Logins

- Creating user logins
- Excluding NT users from SQL Server
- Managing logins for administrators

Database User IDs and Roles

- Creating and managing database user IDs
- Managing SQL Server roles

Using the Create Login Wizard

- About the Create Login Wizard
- Creating standard logins
- Creating logins for NT users
- Creating logins for NT global groups
- Reasons for excluding an NT user
- Excluding NT users

Lesson 4: Attacks and Defense

Topics:

- Confidentiality Attacks and Defense
- Availability Attacks and Defense
- Integrity Attacks and Defense
- Hardening Default Installation

Existing SQL Server Vulnerabilities

- Hole zone
- Confidentiality attacks
- Availability attacks
- Integrity attacks

Hole Zone

Security identity: Account locked; Rename 'sa' password; Old Account Password; Limiting login

SQL Server: No, No, No, No, No, No
Sybase:     No, No, No, No, Yes, No
Oracle 7/8: No/Yes, No, No/Yes, No/Yes, No/Yes, No

Confidentiality Attacks

- Using mixed mode during system patching
- Password retrieval from DTS (Data Transformation Services) packages
- Poor "encryption" of the 'sa' password
- SQL Server 7.0 service pack password vulnerability (%TEMP%\sqlsp.log and %WINNT%\setup.iss)

Availability Attacks

- Malformed TDS (Tabular Data Stream) packet header
- Extended Stored Procedure Parameter Parsing Vulnerability

Integrity Attacks

- SQL query abuse
  - for example: ' or '1'='1  (1234'"&"' or ... where ... or 1=1)
  - Separator: 0xa5; comparison table
- Weak password policy
  - a:0xb3 b:0x83 c:0x93 d:0xe3 e:0xf3 f:0xc3 g:0xd3 h:0x23 i:0x33 j:0x03 k:0x13 l:0x63 m:0x73 n:0x43 o:0x53 p:0xa2 q:0xb2 r:0x82 s:0x92 t:0xe2 u:0xf2 v:0xc2 w:0xd2 x:0x22 y:0x32 z:0x02
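The comparison table above is the whole "encryption" of the stored 'sa' password that the confidentiality slide calls poor. The following Python is an added example, not from the slides: it assumes the 0xa5 value listed on the slide is an XOR constant and checks that every one of the 26 entries is reproduced by a nibble swap followed by that XOR, which makes the stored form a keyless encoding that anyone reading the bytes can undo.

```python
# Added example, not from the slides: the a:0xb3 ... z:0x02 comparison table is
# reproduced exactly by a keyless two-step transform, assuming the 0xa5 on the
# slide is an XOR constant: swap the two nibbles of the ASCII byte, then XOR 0xA5.
# A fixed transform with no secret is an encoding, not encryption: whoever can
# read the stored bytes inverts it, which is the "poor encryption" the slides mean.

SLIDE_TABLE = {  # typed in from the slide
    "a": 0xB3, "b": 0x83, "c": 0x93, "d": 0xE3, "e": 0xF3, "f": 0xC3, "g": 0xD3,
    "h": 0x23, "i": 0x33, "j": 0x03, "k": 0x13, "l": 0x63, "m": 0x73, "n": 0x43,
    "o": 0x53, "p": 0xA2, "q": 0xB2, "r": 0x82, "s": 0x92, "t": 0xE2, "u": 0xF2,
    "v": 0xC2, "w": 0xD2, "x": 0x22, "y": 0x32, "z": 0x02,
}
XOR_CONST = 0xA5  # the "Separator: 0xa5" value on the slide (assumed XOR constant)


def swap_nibbles(b: int) -> int:
    return ((b & 0x0F) << 4) | (b >> 4)


def encode_byte(b: int) -> int:
    """Forward transform: nibble swap, then XOR with the constant."""
    return swap_nibbles(b) ^ XOR_CONST


def decode_byte(v: int) -> int:
    """Inverse: undo the XOR first, then the swap. No key material is involved."""
    return swap_nibbles(v ^ XOR_CONST)


def encode(text: str) -> bytes:
    return bytes(encode_byte(c) for c in text.encode("ascii"))


def decode(data: bytes) -> str:
    return bytes(decode_byte(v) for v in data).decode("ascii")


def table_matches_transform() -> bool:
    """True when all 26 slide entries equal the derived transform."""
    return all(encode_byte(ord(ch)) == val for ch, val in SLIDE_TABLE.items())


if __name__ == "__main__":
    print("slide table reproduced:", table_matches_transform())  # True
    print(encode("sa").hex(), "->", decode(encode("sa")))         # 92b3 -> sa
```

The defensive conclusion is the one the hardening slides draw: a value stored this way (in DTS packages, setup logs or the registry) must be treated as plaintext, so the 'sa' password has to be changed and such files removed after installation.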

Integrity Attacks (continued)

- SQL multiple query
  - for example: ...'delete from user where '1'='1
- SQL Server port 1434
  - D.o.S attack: UDP reply
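The "SQL query abuse" and "SQL multiple query" bullets both come down to user input being pasted into the statement text. This added example (not from the slides) runs the slide's tautology payload against a constructed in-memory SQLite table named `user`, with invented rows, and contrasts the concatenated query with a parameterised one:

```python
import sqlite3

# Constructed sample data (not from the slides): a tiny table named 'user', as in
# the slide's example, with one name/password pair per row.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2"), ("sa", "changed!")])
    return con


def login_concat(con: sqlite3.Connection, name: str, password: str) -> list:
    """The 'SQL query abuse' pattern: input pasted straight into the SQL text."""
    sql = (f"SELECT name FROM user WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in con.execute(sql))


def login_param(con: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterised form: values travel separately from the SQL text, so a quote
    in the input is data, never syntax."""
    sql = "SELECT name FROM user WHERE name = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (name, password)))


# The tautology payload from the slide. Concatenated, the WHERE clause becomes
#   name = 'nobody' AND password = '' or '1'='1'
# which is true for every row. The slide's stacked payload
# (...'delete from user where '1'='1) additionally needs the server to run more
# than one statement per batch, which SQL Server does and Python's sqlite3
# refuses; the parameterised form defeats both payloads the same way.
TAUTOLOGY = "' or '1'='1"


def compare() -> tuple:
    """Returns (rows matched by the concatenated query, rows matched by the
    parameterised query) for the same attacker-controlled input."""
    con = make_db()
    return (login_concat(con, "nobody", TAUTOLOGY),
            login_param(con, "nobody", TAUTOLOGY))


if __name__ == "__main__":
    leaked, safe = compare()
    print("concatenated query matched:", leaked)   # all three users
    print("parameterised query matched:", safe)    # nothing
```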

Hardening Default Installation (1)

- Physical server security
- Underlying OS security
- Install SQL Server on a drive with NTFS
- Run services under a predetermined account
- Change the 'sa' password (!)
- Once installation is complete, apply appropriate service packs
- Remove problematic default accounts and extended stored procedures

Hardening Default Installation (2)

- Drop all sample databases
- Realize who ends up in the database by default
- Choose an appropriate network library
- For the TCP/IP library, change the default port
- Drop problematic stored procedures
- Secure the MSSQL\ directories with NTFS permissions
- Use Windows NT security

Lesson 5: Security Auditing

Topics:

- Overview of Security Auditing in SQL Server
- The Process of Auditing
- Auditing of SQL Server

Overview of Security Auditing

- What is an auditor?
- What does an auditor do?
- Auditor roles and perspectives
- Conducting a SQL Server risk assessment: discovery, penetration and control

The Process of Auditing

- Discovery methods and scans
- Auditing SQL Server penetration and attack techniques
- Security auditing in SQL Server and the control phase
- Auditing and log analysis

Auditing of SQL Server

- Make sure appropriate service packs have been applied
- Check for default databases on the server that may not be desirable
- Check for logins with NULL passwords
- Issue the last set of database backups

Conclusions

- Protect sensitive information
- Difficult to configure
- Basic status in the information system
- Affects other systems
