Ransomware is malicious software that blocks access to user files until a ransom is paid. A quite common “locking mechanism” is encrypting all files on a user’s computer, a server or even the entire network. Encryption is the process of scrambling original data using an encryption key. The same key is then required to decrypt the scrambled data back to its original format. Without the original key, the data becomes unusable: all files on our computer, server or even the entire network become a pile of garbage. The only way to decrypt that garbage is to obtain the original encryption key by paying a ransom. Paying encourages attackers to carry on the attacks, and we also never know if we will get the keys or if the decryption will work.

Similarly to any other computer virus, ransomware will spread through phishing emails, infected websites and physical media such as USB drives. If your computer gets infected, it may spread to all network resources to which your account has access. I will ignore any SMB (Windows File Share) vulnerabilities that allow unauthorised access, as this is a different subject.

I was lucky enough to have spent much of my career in enterprise-grade Data Centers with thousands of servers where security was a top priority. Hopefully, you will find my tips helpful.

I often see SQL Servers that have never been patched or updated since the installation – both the SQL Server and the Windows Server. Microsoft spends a lot of money to ensure the best possible security. Patches are released often for a good reason: use them.

Leverage physical or logical (VLAN) network isolation and put your servers in a separate network from your workstations and other devices with internet access. Restrict your server’s ability to connect to the internet. Have “jump servers” bridging your disparate networks – these could be your existing “DBA Management” servers that you will likely already have. Don’t put your database servers in the DMZ. For those serving public applications, a setup with two or more firewalls may be appropriate:

Public |> DMZ ||> Databases <|| Workstations

This way, you are mitigating the exposure of the underlying OS to a public network and only opening SQL ports on the first firewall from the DMZ. Don’t extend your “office” Active Directory forest into the DMZ; create a new, separate and limited forest.

Active Directory authentication has security benefits (Kerberos) and improved account management. If you don’t have AD, you will have to manage potentially lots of accounts across many servers. If you don’t have Active Directory, don’t create the same “local admin” account with the same password on every single server. Consider using a separate AD forest for the production environment to eliminate cross-contamination with desktop accounts. I will write more about the benefits of Kerberos authentication in future posts.

Never give privileged access to the end-users, even for a short time. Although UAC has significantly mitigated this risk, there is still some risk, and it is better to be safe than sorry. Do not use your admin account for browsing the internet etc. This prevents downloaded malware from running under your account with elevated privileges and potentially gaining access to the entire network where admin access is unrestricted. Use a limited user account and a dedicated privileged (admin) account. Do not use the same Active Directory account for your daily desktop activities, like internet browsing and email, and for server access. Use the dedicated account for any server access, and don’t make your SQL Server sysadmin account a local admin account on Windows.
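The post’s network advice (database servers on their own network, no internet access from the server, the SQL port opened only towards the DMZ tier, administration only through a jump server) can also be enforced on the database host itself with the Windows Firewall, as a second layer behind the perimeter firewalls. The script below is an added example, not code from the original post. The application-tier subnet 10.20.0.0/24, the jump server 10.30.0.5 and the domain controller 10.10.0.10 are constructed placeholders; substitute your own addresses.

```powershell
# Added example (PowerShell), not code from the original post. The addresses
# below are constructed placeholders for a DMZ application tier, a DBA jump
# server and the production-forest domain controller.
#Requires -RunAsAdministrator

$AppTierSubnet    = '10.20.0.0/24'   # constructed: DMZ application servers
$JumpServer       = '10.30.0.5'      # constructed: DBA management / jump server
$DomainController = '10.10.0.10'     # constructed: production-forest DC

# Allow rules first, so an administrator connected through the jump server is
# not cut off when the default-deny policy is applied afterwards.

# Inbound: SQL Server (TCP 1433) only from the application tier, RDP only from
# the jump server. Nothing else is reachable once the defaults are set to Block.
New-NetFirewallRule -DisplayName 'SQL Server 1433 from app tier' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AppTierSubnet -Action Allow
New-NetFirewallRule -DisplayName 'RDP from jump server only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $JumpServer -Action Allow

# Outbound: only what the server needs to authenticate against its own AD forest
# (Kerberos, LDAP/LDAPS, SMB for SYSVOL, DNS, NTP). No general internet access.
New-NetFirewallRule -DisplayName 'AD TCP to DC' -Direction Outbound `
    -Protocol TCP -RemotePort 88,389,636,445,53 -RemoteAddress $DomainController -Action Allow
New-NetFirewallRule -DisplayName 'AD UDP to DC' -Direction Outbound `
    -Protocol UDP -RemotePort 88,53,123 -RemoteAddress $DomainController -Action Allow

# Default-deny in both directions on all profiles: the post's "restrict your
# server's ability to connect to the internet", applied on the host.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Audit: enabled inbound Allow rules that open TCP 1433 to *any* remote address,
# i.e. rules that would expose the SQL port beyond the application tier.
function Get-ExposedSqlRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'TCP' -and @($port.LocalPort) -contains '1433' -and
            @($addr.RemoteAddress) -contains 'Any') { $_ }
    }
}

# Expected to return nothing on a correctly configured host.
Get-ExposedSqlRule | Select-Object DisplayName, Profile
```

Run it in an elevated session on the database server; `Get-ExposedSqlRule` is the check worth keeping in a regular audit, since a later installer or administrator can add a broad 1433 rule that silently undoes the isolation.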
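The post’s rule that the SQL Server sysadmin account must not also be a local Windows administrator is easy to check rather than assume. The script below is an added example, not code from the original post: it lists the Windows logins and groups in the sysadmin fixed server role, lists the members of the local Administrators group on the same host, and reports the overlap. It assumes the SqlServer PowerShell module (for Invoke-Sqlcmd) is installed, that it runs on the SQL Server host under an account allowed to read server principals, and that the instance name `localhost` is a placeholder for yours.

```powershell
# Added example (PowerShell + T-SQL), not code from the original post.
# Assumes the SqlServer module (Invoke-Sqlcmd) and that this runs on the
# Windows server hosting the instance. The instance name is a placeholder.
$Instance = 'localhost'   # constructed: default instance on this host

# Windows logins (type U) and Windows groups (type G) that are members of sysadmin.
$query = @"
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND p.type IN ('U', 'G');
"@

function Get-SysadminLocalAdminOverlap {
    param([string]$ServerInstance)

    # Windows-authenticated members of the sysadmin role on the instance.
    $sysadmins = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query |
        ForEach-Object { $_.name })

    # Members of the local Administrators group on this Windows server
    # (names come back as DOMAIN\account or COMPUTER\account).
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name })

    # -contains is case-insensitive, so differently cased names still match.
    $overlap = @($sysadmins | Where-Object { $localAdmins -contains $_ })

    [pscustomobject]@{
        SysadminWindowsLogins    = $sysadmins
        LocalAdministrators      = $localAdmins
        Overlap                  = $overlap
        # If BUILTIN\Administrators itself is sysadmin, every local admin is
        # implicitly sysadmin, which defeats the separation the post asks for.
        BuiltinAdminsAreSysadmin = $sysadmins -contains 'BUILTIN\Administrators'
    }
}

$result = Get-SysadminLocalAdminOverlap -ServerInstance $Instance
$result | Format-List

if ($result.Overlap.Count -gt 0 -or $result.BuiltinAdminsAreSysadmin) {
    Write-Warning 'sysadmin and local Administrators overlap on this host; use separate accounts.'
}
```

The `BuiltinAdminsAreSysadmin` flag matters as much as the explicit overlap: when the local Administrators group is itself a sysadmin login, any account that gains local admin on the Windows server, including a desktop account that was granted it “for a short time”, becomes sysadmin on the instance without appearing in the SQL login list by name.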