SQL Server Database Security Audit

The document summarizes a SQL Server security audit workshop where students: 1. Restored the AdventureWorld2019 database to their SQL Server and performed an audit to scan for vulnerabilities. 2. After correcting an error, they ran the audit again and exported the results to Excel. 3. They also audited the master database and a database called "BIBLIOTECA" they created in a previous class, resolving any errors found.

Uploaded by

Javii

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

153 views6 pages

SQL Server Database Security Audit

Uploaded by

Javii

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Escuela Tecnológica Instituto Técnico Central

Tecnólogo en Desarrollo de Software

Asignatura: Bases de Datos II
Estudiantes: Javier Sánchez / José Reinoso

TALLER DE SEGURIDAD SQL SERVER

Restauramos la base de datos AdventureWorld2019 en nuestro SQL Server.

Hacemos auditoría a la base de datos, escaneamos las vulnerabilidades.

Luego de corregir un error, pasamos nuevamente la auditoría.

Exportación de la auditoría realizada a Excel.

Hacemos auditoría a la base de datos master

Ahora, realizamos la auditoría con una base de datos creada en clases pasadas,
en este caso será “BIBLIOTECA”

Una vez solucionados los errores presentados en la auditoría, la realizamos

nuevamente. Observando que, no se encontraron “failing check”
Anexos
Scripts sugeridos y usados para la corrección de los errores presentados en la
primera auditoría.
Scripts completos:

IF((SELECT count(*) from sys.database_principals WHERE principal_id >= 5 AND

principal_id < 16384 ) > 0) SELECT 0 AS [Violation] 1
ELSE SELECT 1 AS [Violation]

SELECT CASE WHEN EXISTS

( SELECT *
FROM [Link]
WHERE name = db_name() 2
AND is_encrypted = 0)
THEN 1
ELSE 0
END AS [Violation]

SELECT permission_name AS [Permission]

,schema_name AS [Schema]
,object_name AS [Object]
FROM (
3
SELECT [Link] COLLATE database_default AS object_type
,schema_name(schema_id) COLLATE database_default AS schema_name
,[Link] COLLATE database_default AS object_name
,user_name(grantor_principal_id) COLLATE database_default AS
grantor_principal_name
,permission_name COLLATE database_default AS permission_name
,[Link] COLLATE database_default AS TYPE
,STATE COLLATE database_default AS STATE
FROM sys.database_permissions AS perms
INNER JOIN [Link] AS objs
ON objs.object_id = perms.major_id
WHERE [Link] = 1 -- objects or columns. Other cases are handled by VA1095
which has different remediation syntax
AND grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
AND [state] IN (
'G'
,'W'
)
AND NOT (
-- These permissions are granted by default to public
permission_name = 'EXECUTE'
AND schema_name(schema_id) = 'dbo'
AND STATE = 'G'
AND [Link] IN (
'fn_sysdac_is_dac_creator'
,'fn_sysdac_is_currentuser_sa'
,'fn_sysdac_is_login_creator'
,'fn_sysdac_get_username'
,'sp_sysdac_ensure_dac_creator'
,'sp_sysdac_add_instance'
,'sp_sysdac_add_history_entry'
,'sp_sysdac_delete_instance'
,'sp_sysdac_upgrade_instance'
,'sp_sysdac_drop_database'
,'sp_sysdac_rename_database'
,'sp_sysdac_setreadonly_database'
,'sp_sysdac_rollback_committed_step'
,'sp_sysdac_update_history_entry'
,'sp_sysdac_resolve_pending_entry'
,'sp_sysdac_rollback_pending_object'
,'sp_sysdac_rollback_all_pending_objects'
,'fn_sysdac_get_currentusername'
)
OR permission_name = 'SELECT'
AND schema_name(schema_id) = 'sys'
AND STATE = 'G'
AND [Link] IN (
'firewall_rules'
,'database_firewall_rules'
,'ipv6_database_firewall_rules'
,'bandwidth_usage'
,'database_usage'
,'external_library_setup_errors'
,'sql_feature_restrictions'
,'resource_stats'
,'elastic_pool_resource_stats'
,'dm_database_copies'
,'geo_replication_links'
,'database_error_stats'
,'event_log'
,'database_connection_stats'
)
OR permission_name = 'SELECT'
AND schema_name(schema_id) = 'dbo'
AND STATE = 'G'
AND [Link] IN (
'sysdac_instances_internal'
,'sysdac_history_internal'
,'sysdac_instances'
)
)

) t

SQL Server DB Permissions Script
No ratings yet
SQL Server DB Permissions Script
4 pages
Comprehensive Database Permissions Script
No ratings yet
Comprehensive Database Permissions Script
4 pages
SQL User and Permission Scripts
No ratings yet
SQL User and Permission Scripts
2 pages
SQL Server Login and Permission Scripts
No ratings yet
SQL Server Login and Permission Scripts
3 pages
Adgrants
No ratings yet
Adgrants
13 pages
SQL Script for Database Permissions Report
No ratings yet
SQL Script for Database Permissions Report
6 pages
MSSQL Injection Cheat Sheet
No ratings yet
MSSQL Injection Cheat Sheet
2 pages
Database User Permission Script
No ratings yet
Database User Permission Script
4 pages
Oracle Database Compliance Checklist
No ratings yet
Oracle Database Compliance Checklist
54 pages
Advanced SQL Scripts To Assure The Utmost DB Security
No ratings yet
Advanced SQL Scripts To Assure The Utmost DB Security
17 pages
SQL Server Audit and Backup Queries
No ratings yet
SQL Server Audit and Backup Queries
4 pages
Must-Have SQL Security Scripts For ProDBA
No ratings yet
Must-Have SQL Security Scripts For ProDBA
15 pages
DCL Commands (Oracle)
No ratings yet
DCL Commands (Oracle)
14 pages
AG-Refresh Orion Database Job Script
No ratings yet
AG-Refresh Orion Database Job Script
9 pages
Granting Privileges in Oracle SQL
No ratings yet
Granting Privileges in Oracle SQL
1 page
Oracle SQL Injection Cheat Sheet - W
No ratings yet
Oracle SQL Injection Cheat Sheet - W
1 page
SQL Server DB Refresh Article-DBAChamps
No ratings yet
SQL Server DB Refresh Article-DBAChamps
4 pages
Pentestmonkey
No ratings yet
Pentestmonkey
5 pages
Transfer Logins and Passwords Between Instances of SQL Server
No ratings yet
Transfer Logins and Passwords Between Instances of SQL Server
7 pages
Oracle SQL Scripts for DBAs
No ratings yet
Oracle SQL Scripts for DBAs
8 pages
DB Refresh KB Article - Praveen Madupu
No ratings yet
DB Refresh KB Article - Praveen Madupu
4 pages
SQL Server Database Context Queries
No ratings yet
SQL Server Database Context Queries
5 pages
SQL Server Logins and Roles Script
No ratings yet
SQL Server Logins and Roles Script
9 pages
Informatica Repository Queries - Part I
No ratings yet
Informatica Repository Queries - Part I
21 pages
MSSQL Injection Cheat Sheet
No ratings yet
MSSQL Injection Cheat Sheet
5 pages
SQL User Privilege Management Guide
No ratings yet
SQL User Privilege Management Guide
13 pages
Database Management and Recovery Steps
0% (1)
Database Management and Recovery Steps
8 pages
Oracle Database Queries Overview
No ratings yet
Oracle Database Queries Overview
4 pages
MS SQL - User List Query
No ratings yet
MS SQL - User List Query
3 pages
Oracle Permissions for cdc_user
No ratings yet
Oracle Permissions for cdc_user
3 pages
Chapter 2
No ratings yet
Chapter 2
15 pages
PEL Installation and Database Setup Guide
No ratings yet
PEL Installation and Database Setup Guide
4 pages
Cours BD2
No ratings yet
Cours BD2
192 pages
Teradata System Access Rights List
No ratings yet
Teradata System Access Rights List
4 pages
Cours Complet 2
No ratings yet
Cours Complet 2
183 pages
jbrofuzz SQL Injection Statements
No ratings yet
jbrofuzz SQL Injection Statements
3 pages
Table Space Info
No ratings yet
Table Space Info
2 pages
Interview Questions and Answers
No ratings yet
Interview Questions and Answers
23 pages
Tuning
No ratings yet
Tuning
12 pages
SQL Server Login Transfer Guide
No ratings yet
SQL Server Login Transfer Guide
6 pages
Maintenance Solution
No ratings yet
Maintenance Solution
192 pages
Issue Details
No ratings yet
Issue Details
211 pages
Oracle Database Security Commands Guide
No ratings yet
Oracle Database Security Commands Guide
2 pages
Oracle User Management Guide
No ratings yet
Oracle User Management Guide
3 pages
Wa0002
No ratings yet
Wa0002
31 pages
Oracle Hardening
No ratings yet
Oracle Hardening
13 pages
Module Ivppt
No ratings yet
Module Ivppt
24 pages
Login Scriptout
No ratings yet
Login Scriptout
2 pages
User Creation and Access Management SQL
No ratings yet
User Creation and Access Management SQL
4 pages
Basededados
No ratings yet
Basededados
6 pages
SP - Help - Revlogin Script For Logins
No ratings yet
SP - Help - Revlogin Script For Logins
5 pages
Database Security Exam Questions
No ratings yet
Database Security Exam Questions
5 pages
Informatica Repository Tables
No ratings yet
Informatica Repository Tables
33 pages
Oracle Database Control Guide
No ratings yet
Oracle Database Control Guide
2 pages
(Fin - Semestre) TD Sur L'administration Oracle Avancee
No ratings yet
(Fin - Semestre) TD Sur L'administration Oracle Avancee
5 pages
Transac SQL
No ratings yet
Transac SQL
1,663 pages
SQL Server Database Backup and Restore Guide
No ratings yet
SQL Server Database Backup and Restore Guide
9 pages
Oracle Cheat Sheet
100% (1)
Oracle Cheat Sheet
6 pages

SQL Server Database Security Audit

Uploaded by

SQL Server Database Security Audit

Uploaded by

Escuela Tecnológica Instituto Técnico Central

Tecnólogo en Desarrollo de Software

TALLER DE SEGURIDAD SQL SERVER

Restauramos la base de datos AdventureWorld2019 en nuestro SQL Server.

Hacemos auditoría a la base de datos, escaneamos las vulnerabilidades.

Exportación de la auditoría realizada a Excel.

Una vez solucionados los errores presentados en la auditoría, la realizamos

IF((SELECT count(*) from sys.database_principals WHERE principal_id >= 5 AND

SELECT CASE WHEN EXISTS

SELECT permission_name AS [Permission]

You might also like