Baseline verificationSQLSERVER(MSSQL)
The following related paths have only been tested on MSSQL2000
Shared account verification
Use sql statement: select name from syslogins group by name having count(name)>1 Check whether there is a shared account
Reference configuration: Create roles and authorize roles, assign roles to different users or modify roles and permissions in user attributes. To achieve safety regulations
Check whether there is an account that is not related to database work or maintenance
Use the sql statement: select from syslogins a left outer join sysusers b on = where is null and is not null Check whether it exists in the database work and maintenance of irrelevant accounts
Reference configuration: SQL SERVER Enterprise Manager-> Security-> Delete irrelevant accounts while logging in or SQL SERVER Enterprise Manager-> Database-> Corresponding database-> Delete irrelevant accounts for users
3. Verify whether the MSSQL database is configured according to the user's business needs and the minimum permissions required by it.
Use stored procedure: EXEC sp_helpuser to view all users of the database and their corresponding permissions
Reference configuration: Change database properties and cancel server roles that are not required for business database accounts;
Change database properties and cancel unwanted roles in "Database Access" and "Allowed in Database Roles" that are not required by business database accounts.
Server role corresponding permissions:
sysadmin performs any activity in SQLSERVER, and the permissions of that role span other fixed server roles. Generally, sa and Buildin/Administrator belong to this role
serveradmin Configure server-wide settings
setupadmin Add and delete linked servers and execute certain system stored procedures
securityadmin management server login
processadmin Manage processes running in SQLSERVER instances
dbcreator Create and change databases
diskadmin Manage disk files
bulkadmin Execute BULK INSERT statement
Change database properties and cancel unwanted roles in "Database Access" and "Allowed in Database Roles" that are not required by business database accounts.
Server role corresponding permissions:
sysadmin performs any activity in SQLSERVER, and the permissions of that role span other fixed server roles. Generally, sa and Buildin/Administrator belong to this role
serveradmin Configure server-wide settings
setupadmin Add and delete linked servers and execute certain system stored procedures
securityadmin management server login
processadmin Manage processes running in SQLSERVER instances
dbcreator Create and change databases
diskadmin Manage disk files
bulkadmin Execute BULK INSERT statement
Use database roles to manage permissions of objects
Use sql statement: select count(*) from sysusers where issqlrole=1 Check whether the result value is greater than 10. If it is less than or equal to 10, it does not meet the safety baseline standard.
Reference configuration: Check the permissions of the corresponding role in the role in the database and check whether it contains objects that do not need to be accessed.
View permissions in object properties such as tables, stored procedures, etc. in the database, and check whether there are unnecessary accounts or roles to access the object
Create a new role in Enterprise Manager->Database->Related Database->Role--Create new role;
Adjust the permissions in the role attributes and give the role the select, insert, update, delete, exec, and dri permissions corresponding to the object in the role
Adjust the permissions in the role attributes and give the role the select, insert, update, delete, exec, and dri permissions corresponding to the object in the role
Check whether there is a user with empty password
Use the sql statement: select name from syslogins where sid in(select sid from sysusers where issqluser=1) and password is null Check whether there is a user with a null password
Reference configuration: Check whether created and updated are determined in table syslogins.
Check whether the password field is null in table syslogins
Check whether the password field is null in table syslogins
If there is a user with a password of null, it is recommended to delete it.
Check for unnecessary stored procedures
Use the sql statement to see if the following stored procedures exist. If they exist, please delete them unless necessary: xp_cmdshell Sp_OACreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty Sp_OAMethod Sp_OASetProperty Sp_OAStop Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumvalues Xp_regremovemultistring xp_sdidebug xp_availablemedia xp_cmdshell xp_deletemail xp_dirtree xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin xp_logevent xp_loginconfig xp_logininfo xp_makewebtask xp_msver xp_perfend xp_perfmonitor xp_perfsample xp_perfstart xp_readerrorlog xp_revokelogin xp_runwebtask xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister xp_sqltrace xp_sscanf xp_startmail xp_stopmail xp_subdirs xp_unc_to_drive xp_dirrtree
See Configuration: Deactivate unnecessary stored procedures and delete some stored procedures that will not be used.
Methods for deleting stored procedures:
use master
sp_dropextendedproc 'Stored Proc';
for example:
use master
sp_dropextendedproc 'xp_cmdshell'
Methods for deleting stored procedures:
use master
sp_dropextendedproc 'Stored Proc';
for example:
use master
sp_dropextendedproc 'xp_cmdshell'
Does the database record user login information
Use sql statement: master..xp_instance_regread N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\MSSQLServer\Setup', N'SQLPath' to view the MSSQL installation path, process the path, view the log file, and whether there is user login information, including login time, login status, etc. (Under Windows 7 conditions, you can use: wmic process get name,executablepath | findstr "" to view the MSSQL service path)
Reference configuration: Open database properties, select Security, adjust the audit level in security to "All", and adjust the authentication to "SQL Server and Windows"
Whether the database records security events related to the database
Detection method is the same as above 7
Is the database encrypted using a mandatory protocol?
Enter in the terminal: reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer | type Check whether the returned information exists for Encrypt, if it does not exist, it does not use the encrypted protocol.
Reference configuration: Start the server network configuration tool and select "Forced protocol encryption" in "General"
Determine whether the system packages the latest patch package
Use sql statement: select @@version to view the current version
Reference configuration: Go to the official website of SQLSERVER to check whether the current version is the latest patch package. If not, please download the latest patch package for installation. Please refer to the readme file in it for details.
Determine whether to set the maximum number of concurrent connections
Use sql statement: select value from where [config]=103 Check the maximum number of concurrent connections
Reference configuration: Reference configuration operation Start Microsoft SQL Server Management Studio->Login the server as administrator, left Object Explorer->Select the target server->Right-click the server properties->Connection->Set "Maximum number of concurrent connections (0 = unlimited) (M)" to the evaluated value
12. Enable C2 audit trail
Use stored procedure: EXEC sp_configure 'c2 audit mode' to view C2 status
Reference configuration: Reference configuration operation Start Microsoft SQL Server Management Studio->Left Object Explorer->Select Target Server->Right-click Server Properties->Security->Tick "Enable C2 Audit Tracking".