How to get more security from MSSQL

**Chakradev** · 13-02-2010

Hi all,

SQL currently testing intensified the attacks, many large websites and forums have been filled. I am using sites are mostly commonly used SQL SERVER database, precisely because of this, many people begin to doubt the security of SQL SERVER. In fact, SQL SERVER 2000 has already passed the U.S. government's C2-level security certification - which is the industry's highest certification level can have, so use the SQL SERVER is still quite safe. Of course, and ORCAL, DB2, etc. there are still gaps, but the SQL SERVER, or the ease of use and breadth to be the reason that we continue to be used. Then how can make the settings SQL SERVER assured people to more secure. Please advice.

**kelfro** · 13-02-2010

Marked with SQL SERVER with the latest security patches. The second step is to modify the default 1433 port, and will hide the SQL SERVER. That this will attempt to enumerate the network against an existing SQL Server client issued by the broadcast respond. In addition, the need TCP / IP filtering port 1433 will be masked, the hidden as much as possible for your SQL SERVER database. Check and reply.

**MindSpace** · 13-02-2010

Use the Query Analyzer to carry out a remote login the attack. Solely from the ASP, PHP and other pages, then construct a malicious statement, there is need to check the return value of the problem, not as a direct query analyzer is more clear-cut. Therefore, we must first be injected even let other people do not allow an attacker to do Soon as the next step. Modification method: Enterprise Manager - "your data sets -" attribute - "General -" network configuration -> TCP / IP -> Properties, here will change your default port, and SQL SERVER hidden. Check and reply.

**Modifier** · 13-02-2010

MSSQL often generate WEB CODE. But as a system administrator or database administrator, can not always see every piece of code in. Even though often look at the code, we can not guarantee that we neglect in the above. The role you have to start from the database, so that the database user's permissions to the lowest point of division. The default permissions for SQL SERVER people are really a headache, so large that very high authority, powers and what little can be done, SYSADMIN and db_owner people really love-hate relationship. Best of luck.

**Praetor** · 13-02-2010

Attacker has a Web site but confirmed that there is SQL INJECTION loopholes, there must be a step steps is to test the site with a little SQL SERVER user permissions. Usually with SELECT IS_SRVROLEMEMBER ( 'sysadmin'), or SELECT IS_MEMBER ( 'db_owner'), then or use user = 0 and other statements to be tested. If the site's database user permission to use the SA, together with confirmed WEB situated in the absolute path, then your website declared OVER. db_owner rights, too, if confirmed by the absolute path, then a 50% chance to give your machine the way on the WEB Trojan. Best of luck.

**Reegan** · 13-02-2010

You can also create SQL Server database role. For this follow the steps:
1. Expand the server group, and then expand the server.
2. Expand "database" folder, and then expand the role in which you want to create the database.
3. Right-click the "role", and then click "New Database Role" command.
4. In the "Name" box, enter the new role name.
5. Click the "Add" to add members to the "standard role" in the list, and then click to add one or multiple users.