MS SQL Server Security Overview presented at BlackHatWindows 2001

by Chip Andrews,

Summary : As organizations get better at configuring firewalls and intrusion detection systems, what may be left out of the security equation is database server security. As Microsoft's flagship relational database product and with chart-topping TPC benchmarks, SQL Server is poised to serve as the backbone of many corporate and eCommerce infrastructures. With all of these SQL Server installations around, who is going to secure them? How SQL Server security conscious are the people developing the products? How can SQL Server be transformed from a vessel of your corporate jewels into an injection vector for exploits, rootkits, and other shenanigans?
The SQL Server security presentation will begin with an overview and evolution of the SQL Server security model. Discussion will include the differences between users and logins, database and server roles, SQL Server service security contexts, and the security of the various net-libs. There will also be some discussion of the scope of SQL Server's enterprise presence as it has found its way into numerous commercial products that may exist in multiple locations of many shops.
The following section will describe typical SQL Server fingerprinting, information gathering, account acquisition, and privilege escalation techniques used by attackers. There will be some discussion of the various tools available to the general community to both attack and defend SQL Server installations. Finally, there will be a clear suggestion for how SQL Server administrators and developers can defend against these attacks including doing some intrusion detection on SQL Server itself.
The final section will discuss the growing problem of SQL-injection attacks and how they affect SQL Server specifically. There will be a demonstration of exactly how attackers inject SQL code into applications and the tricks they use to bypass even the most vigilant input validation. Best practice development techniques will be demonstrated and how even ad-hoc queries might be better constructed as to not let attackers inject trojan SQL code into your applications.
Chip Andrews (MCDBA, MCSE+I) has been a programmer (currently VB/SQL/Java/C++) and an independent computer security consultant for more than 16 years and specializes in applying the skills obtained through security consulting to every aspect of product development. Chip maintains the web site that focuses on SQL Server security issues. He currently works as a Software Security Architect for Clarus Corporation (, a leader in B2B e-Commerce software applications.
Their Presentation! (PowerPoint 239k) SQLPing tool (Zip 19k)