Last night we spent a decent amount of time discussing the database level of a database server as well as the operating system level of a database server. Why do you think we spent so much time discussing this? What are the two main levels of security that affect a database server? (Hint: there are tables within the database itself, but these tables all boil down to files in a folder in Windows.) How do we ensure both levels are secured?
Comments
Heiang Cheung says
As future IT auditors, we need to know how databases work because we need to know how and where the information is being pulled from. Also, this could be an access control: who is allowed to create a table in the database.
Zhixin Wei says
All versions of SQL Server use role-based security, which allows you to assign permissions to a role, or group of users, instead of to individual users.
Patrick J. Wasson says
Exactly! We also want to make sure we give the least amount of permissions required for each user. If a user does not need to write to a database then they should not have write permissions!
Chenhui Lai says
Vulnerabilities exploited by SQL injection include:
1. Poor input validation in your Web applications
2. Unsafe, dynamically constructed SQL commands
3. Over-privileged application logins to the database
4. Weak permissions that fail to restrict the application’s login to the database
To counter SQL injection attacks:
1. Your application should constrain and sanitize input data before using it in SQL queries.
2. Use type-safe SQL parameters for data access. These can be used with stored procedures or dynamically constructed SQL command strings. Using SQL parameters ensures that input data is subject to type and length checks and also that injected code is treated as literal data, not as executable statements in the database.
3. Use a SQL Server login that has restricted permissions in the database. Ideally, you should grant execute permissions only to selected stored procedures in the database and provide no direct table access.
Patrick J. Wasson says
Great response Chenhui!
Linlan Chen says
Because the database server plays an important role in the system, from the database server an IT auditor can know where the data or information comes from.
Xinteng Chen says
The security of the database is important, because there is customer information on the database. The largest risk is that the database is attacked by hackers. It causes information leakage. To ensure the security of the database, organizations should have a strong firewall to control the access rights.
Hanqing Zhou says
To easily manage the permissions in your databases, SQL Server provides several roles which are security principals that group other principals. They are like groups in the Microsoft Windows operating system. Database-level roles are database-wide in their permissions scope.
SQL Server provides server-level roles to help you manage the permissions on a server. These roles are security principals that group other principals. Server-level roles are server-wide in their permissions scope. (Roles are like groups in the Windows operating system.)
It is important for an auditor to know because both database servers relate to SQL, and SQL is an important part of our future work.
Andres Galarza says
The two things that I think you’re referring to:
System privileges and object privileges. System privileges allow a user to perform administrative actions in a database. These include privileges (as found in SQL Server) such as: create database, create procedure, create view, backup database, create table, create trigger, and execute.
Object privileges allow for the use of certain operations on database objects as authorized by another user. Examples include: usage, select, insert, update, and references.
Above per Wikipedia (https://en.wikipedia.org/wiki/Database_security#Privileges).
Unless both are secure, the database is vulnerable.
Somayeh Keshtkar says
This was an important topic to discuss because not only does a database require privileges and permission levels at its core, or database server level, but it also requires securing the data that is stored in directories in the host operating system. We should ensure that users have secured access to the database by controlling users and roles in the user table of the database, and also make sure that the root access of the database is secured. On the other hand, the data files on host operating systems (such as Windows or Linux) should have permissions on them to make sure unauthorized users cannot read or write the data in directories that MySQL stores its data to. Additionally, any app (web-based or OS-based) that uses the database as its back-end storage should be protected against SQL injection.
Karabo Ntokwane says
According to Davis 2011, a database is implemented as a software system, and as such, it comprises a core set of operating system files. These files include the executable files that will run the database management system. It also may contain other non-executable program files. As an auditor, the important takeaway was that the database also needs to have controls in place to prevent authorized access, modification and availability, and that users are given only the privileges that they need to perform their daily functions and not more than that.
Yijiang Li says
Both privilege and permission are important in affecting the security of a database server. In other words, only protecting the database itself is definitely not enough; however, protecting your operating system is more essential. If a person doesn’t even have permission to log in to your operating system, it is quite difficult to affect your database server.
As an IT auditor, when you perform the audit work for a database server, please remember to audit both the database itself and its operating system and then define some risk areas for them separately, so it would be helpful for the client to make any changes accurately.
Marsha Billups says
Both database server and operating system security affect a database server. You want to ensure that users don’t have excessive data to either your OS or db server to reduce risk.
Dongjie Wang says
I think both the database level of a database server and the operating system level of a database server are critical for helping us to better understand the risks of databases. The two efficient ways to secure a database are least privilege and encryption. Least privilege can limit the access rights, so only the group that needs the data is permitted to use it. Encryption can protect the data in the database even if hackers get into the database.
Raisa Ahmed says
Database servers and operating systems affect a database server. Therefore, both must be managed and secured. SQL Server utilizes role-based security, allowing an individual to assign permissions to a role or a group of users, instead of to an individual user. It is important for an auditor to know this because both database servers relate to SQL. Also, the database needs to have controls in place to prevent authorized access, modification, and availability.
Fraser G says
Last night we spent a decent amount of time discussing the database level of a database server as well as the operating system level of a database server. Why do you think we spent so much time discussing this? What are two main levels of security that affect a database server (hint: there are tables within the db itself, but these tables all boil down to files in a folder in windows) How do we ensure both levels are secured?
SQL is such a ubiquitous database in corporate IT that understanding the basics can go a long way. Chances are high we will work with and around systems that incorporate it.
It’s important to understand SQL Security in terms of Roles and Privileges. Roles allow you to assign privileges. Roles are essentially packages of permissions – allowing you to interact with SQL and data in certain ways. One role may be view only, another role may be view and modify. For example, Amazon SELLERS should be able to modify PRICE in a database, while Amazon CONSUMERS should only be able to view the price. The seller and consumer are different roles, with different privileges.
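The seller/consumer split described in this comment, written out in T-SQL for SQL Server as an added example that is not part of the original post. The table, role and user names are constructed for illustration; the last two queries show the catalog views an auditor can read to confirm who holds which permission.

```sql
-- Added example; all object names are constructed for illustration.
CREATE TABLE dbo.Products (
    ProductId INT           NOT NULL PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    Price     DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Products (ProductId, Name, Price) VALUES (1, N'Widget', 9.99);

-- Permissions are granted to roles, never to individual users.
CREATE ROLE seller_role;
CREATE ROLE consumer_role;
GRANT SELECT ON dbo.Products TO consumer_role;          -- view only
GRANT SELECT ON dbo.Products TO seller_role;
GRANT UPDATE ON dbo.Products (Price) TO seller_role;    -- modify PRICE only

-- Users receive privileges solely through role membership.
CREATE USER seller_user   WITHOUT LOGIN;
CREATE USER consumer_user WITHOUT LOGIN;
ALTER ROLE seller_role   ADD MEMBER seller_user;
ALTER ROLE consumer_role ADD MEMBER consumer_user;

-- Check the consumer role: reading works, changing the price is denied.
EXECUTE AS USER = 'consumer_user';
SELECT Name, Price FROM dbo.Products WHERE ProductId = 1;
UPDATE dbo.Products SET Price = 0.01 WHERE ProductId = 1;  -- permission denied
REVERT;

-- Audit view 1: permissions held on the table (column_name is NULL for table-wide grants).
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID(N'dbo.Products');

-- Audit view 2: who is a member of each role.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'seller_role', N'consumer_role');
```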
Folake Stella Alabede says
We spent so much time discussing the database level of a database server as well as the operating system level of a database server probably because database security is an important part of any company; and database security includes hardware, software, data etc.
Operating system level of a database server.
Operating system security is a very important characteristic in database administration. Some dominant features of database systems will possibly be a crack for the underlying operating system. Thus, the responsible person should very thoroughly scan the relations between a feature of the database and its operating system.
As the database system is at the service and application layer, it exists above the operating system layer. If the weaknesses of the operating system platforms are identified, then those weaknesses may lead to illegal database access or manipulation. Database configuration files and scripts are server-level resources and they should be sheltered severely to ensure the reliability of the database environment. In many database environments, membership in an operating system group is authorized full power of control over the database. Role-based security should be adopted. To keep away from mistreatment and exploitation of the membership, those users’ membership and access to the database should be checked and audited frequently.
Security that can affect a database server is Database injection attacks, and the two major types of database injection attacks are SQL injections that target traditional database systems and NoSQL injections that target big data platforms. “A crucial point to realize here is that, although it is technically true that big data solutions are impervious to SQL injection attacks because they don’t actually use any SQL-based technology, they are, in fact, still susceptible to the same fundamental class of attack,” Gerhart said. “In both types, a successful input injection attack can give an attacker unrestricted access to an entire database.” (Wikipedia)
With a SQL injection attack, the attacker exploits vulnerabilities in the application’s input validation and data access code to run arbitrary commands in the database using the security context of the Web application. The best ways to protect against these threats are to
- Protect web-facing databases with firewalls and test input variables for SQL injection during development.
- The application should constrain and sanitize input data before using it in SQL queries.
- Use type-safe SQL parameters for data access. These can be used with stored procedures or dynamically constructed SQL command strings. Using SQL parameters ensures that input data is subject to type and length checks and also that injected code is treated as literal data, not as executable statements in the database.
- Use a SQL Server login that has restricted permissions in the database. Ideally, you should grant execute permissions only to selected stored procedures in the database and provide no direct table access.
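The countermeasures listed in this comment and in Chenhui Lai's comment above, shown in T-SQL as an added example that is not part of either post: a concatenated dynamic statement beside its parameterized form, then a user limited to EXECUTE on one stored procedure. The table, procedure, user and input value are constructed for illustration; `GO` is the batch separator used by sqlcmd and SSMS.

```sql
-- Added example; all object names and the input value are constructed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Name       NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, Email)
VALUES (N'alice', N'alice@example.com'), (N'bob', N'bob@example.com');
GO
-- Input as it might arrive from a web form.
DECLARE @input NVARCHAR(50) = N'x'' OR 1=1 --';

-- Unsafe: the input is concatenated into the statement text and parsed as SQL.
DECLARE @unsafe NVARCHAR(400) =
    N'SELECT Name, Email FROM dbo.Customers WHERE Name = ''' + @input + N'''';
EXEC (@unsafe);                       -- returns every row

-- Safe: the same dynamic statement with the input bound as a typed,
-- length-limited parameter, so it is compared as a literal name.
EXEC sp_executesql
    N'SELECT Name, Email FROM dbo.Customers WHERE Name = @name',
    N'@name NVARCHAR(50)',
    @name = @input;                   -- returns no rows
GO
-- Data access wrapped in a stored procedure with a typed parameter.
CREATE PROCEDURE dbo.GetCustomerByName
    @name NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Name, Email FROM dbo.Customers WHERE Name = @name;
END;
GO
-- Restricted application principal: EXECUTE on the procedure, no table grants.
CREATE USER app_user WITHOUT LOGIN;
GRANT EXECUTE ON dbo.GetCustomerByName TO app_user;

EXECUTE AS USER = 'app_user';
EXEC dbo.GetCustomerByName @name = N'alice';  -- allowed (same-owner ownership chaining)
SELECT Name, Email FROM dbo.Customers;        -- denied: no SELECT permission on the table
REVERT;
```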
Yingyan Wang says
Databases play an important role in the system, so the database level of a database server is critical and significant, as well as the operating system level of a database server. Least privilege and encryption are two efficient ways to secure our database. Least privilege is a tool of access control, which only permits the authorized group of users to access. Encryption is a tool to protect data stored in the database so as to reduce the negative impact if the database is unfortunately hacked.