KEMBAR78
MS SQL server audit | PPTX
Portcullis Computer Security, profile picture
Uploaded byPortcullis Computer Security
PPTX, PDF303 views

MS SQL server audit

The document provides an overview of extended stored procedures in SQL Server, highlighting that they call functions from dynamic-link library (DLL) files but are deprecated in SQL Server 2012. It emphasizes the importance of disabling these procedures and understanding table privileges to prevent unauthorized data modification, following guidelines from the Centre for Internet Security (CIS). Additionally, it includes methods for identifying and assessing permissions on extended stored procedures and other database objects.

Download to read offline
Portcullis Computer Security MS SQL SERVER AUDIT : EXTENDED STORED PROCEDURES/ TABLE PRIVILEGES
(if you excuse the pun) Everyone has a different view on Extended Stored Procedures  Some might say they are stored procedures with extra functionality  Some might say they can cause problems to a database if misused  Some simply say they are stored procedures with a prefix of xp_  This post will hopefully give a better understanding of what Extended Stored Procedures are, how to identify them and how to restrict public access to them. Also this post will look at identifying permissions upon tables, views and functions to ensure it is not possible for users to directly modify data.
Assessing XP stored procedures  Extended Stored Procedures are stored procedures that call functions from Dynamic-Link Library (DLL) files. However these features are deprecated in SQL Server 2012 and may not be supported in future versions of SQL Server. CLR integration should be installed instead if required. In the CIS benchmarks for SQL Server 2008R2 and SQL Server 2012, item 2.2 CLR Integration should be disabled with CLR enabled configuration setting set to 0.  In general, Extended Stored Procedures should not be enabled as good practice. In Centre for Internet Security (CIS) Benchmark for SQL Server 2008r2 and 2012, for the Extended Stored Procedures listed, the recommendation is for those stored procedures to be disabled.  Extended Stored Procedures can be observed using SQL Server Management Studio. Within the Object Explorer, navigate to the SQL Server Instance and expand the path following:
Locate any of the Extended Stored Procedures and look at their properties. The CIS benchmark for SQL server 2008R2 and SQL server 2012 identifies the following:  3.1 xp_availablemedia  3.2 xp_cmdshell  3.3 xp_dirtree  3.4 xp_enumgroups  3.5 xp_fixeddrives  3.6 xp_servicecontrol  3.7 xp_subdirs  3.8 xp_regaddmultistring  3.9 xp_regdeletekey  3.10 xp_regdeletevalue  3.11 xp_regenumvalue  3.12 xp_regremovemultistring  3.13 xp_regwrite  3.14 xp_regread
For Example, to look at xp_dirtree: 1. Locate xp_dirtree (labelled sys.xp_dirtree) in the object explorer, right click and select Properties 2. Select the Permissions tab. 3. Look in the Users or Roles listing, If the public entry does not exist, then it complies with the CIS Benchmark (and you can skip further steps). 4. If public entry does exist, select the it within the Users or Roles listing. 5. If the Grant checkbox for the Execute permission is checked, the Public role has Execute permission on the procedure. You should remove the public entry. ( Image on next slide)
A useful query can be constructed that gathers the permissions granted to public for all XP stored procedures. The query looks at the database permissions table and identifies the associated objects that are extended stored procedures (XP) with it assigned permission which applies to PUBLIC
Table and View Privileges  In CIS Benchmark for SQL Server 2008R2 and SQL Server 2012, there is a recommendation to sanitise the database and application user input. To help to perform this, a good idea is to gather all the permissions for tables, views, stored procedures and functions including the columns for each of these object types. Note for each user with the permissions to access these object types, the aim is to eliminate any permissions to INSERT, DELETE or UPDATE to non-administrative users (i.e. user that do not require these permissions).  The following query gathers all objects of the above type and their columns and identifies which users can access them with what permission for each database.
Summary In this article, we have looked Extended Stored Procedures and how to identify them. In general, Extended Stored Procedures are not required for the running of a SQL Server and should be disabled from use. Good practices from Microsoft and CIS support this. We also looked at constructing a query that can evaluate what permissions are assigned to users for objects that can be applied to sensitive data, such as tables, views, stored procedures and functions.
Request to be added to the Portcullis Labs Newsletter SIGN UP HERE

More Related Content

PDF
OER- Unit 3 Authorization-DB security
byGirija Muscut
 
PPTX
Sql server ___________data control language
byEhtisham Ali
 
PPTX
Sql basics 2
byRaghu nath
 
PPT
4 trigger
byTrần Thanh
 
PPT
System health session
byAmit Banerjee
 
PPT
NUS exam 70-432_MVP Choirul Amri
byQuek Lilian
 
PDF
Chapter6 database connectivity
byKV(AFS) Utarlai, Barmer (Rajasthan)
 
PPT
Database security
byJaved Khan
 
OER- Unit 3 Authorization-DB security
byGirija Muscut
 
Sql server ___________data control language
byEhtisham Ali
 
Sql basics 2
byRaghu nath
 
4 trigger
byTrần Thanh
 
System health session
byAmit Banerjee
 
NUS exam 70-432_MVP Choirul Amri
byQuek Lilian
 
Chapter6 database connectivity
byKV(AFS) Utarlai, Barmer (Rajasthan)
 
Database security
byJaved Khan
 

What's hot

PDF
DTecH IT Education- Best Oracle dba training institute in bangalore
byDTecH It Education
 
PDF
Create user database management security
byGirija Muscut
 
PPTX
Ebook12
bykaashiv1
 
PDF
Datamigration
byBattlecruiser Vodanh
 
PPTX
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
PDF
Struts by l n rao
byUrs'Truly V'Nayak
 
PDF
Oracle Database Courses
byArmin Valadkhani
 
PDF
Kp.3 pengaturan sistem dan user
byDesty Yani
 
PDF
Hibernate an introduction
byjoseluismms
 
PDF
Hibernate by l n rao
byUrs'Truly V'Nayak
 
PDF
Protocol oriented programming
byArif Huda
 
PDF
Apps session wait_tables
byAnil Pandey
 
PPTX
SQL Server Blocking Analysis
byHậu Võ Tấn
 
PDF
You Oracle Technical Interview
byHossam El-Faxe
 
PPTX
Struts 2 – Architecture
byDucat India
 
ODP
an implementation of repository pattern for mobile application
byArif Huda
 
PDF
security-checklist-database
byMohsen B
 
PDF
Android App Development 05 : Saving Data
byAnuchit Chalothorn
 
PPT
DB2 LUW Auditing
byDB2Locksmith
 
DTecH IT Education- Best Oracle dba training institute in bangalore
byDTecH It Education
 
Create user database management security
byGirija Muscut
 
Ebook12
bykaashiv1
 
Datamigration
byBattlecruiser Vodanh
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
Struts by l n rao
byUrs'Truly V'Nayak
 
Oracle Database Courses
byArmin Valadkhani
 
Kp.3 pengaturan sistem dan user
byDesty Yani
 
Hibernate an introduction
byjoseluismms
 
Hibernate by l n rao
byUrs'Truly V'Nayak
 
Protocol oriented programming
byArif Huda
 
Apps session wait_tables
byAnil Pandey
 
SQL Server Blocking Analysis
byHậu Võ Tấn
 
You Oracle Technical Interview
byHossam El-Faxe
 
Struts 2 – Architecture
byDucat India
 
an implementation of repository pattern for mobile application
byArif Huda
 
security-checklist-database
byMohsen B
 
Android App Development 05 : Saving Data
byAnuchit Chalothorn
 
DB2 LUW Auditing
byDB2Locksmith
 

Viewers also liked

PPTX
Third street aleworks
bythirdstreetalework
 
PPTX
Venom vulnerability
byPortcullis Computer Security
 
PPT
Alcool 2011
byCherif Ghrab
 
PPTX
Detecting Windows horizontal password guessing attacks in near real-time
byPortcullis Computer Security
 
PPTX
Detecting windows horizontal password blog
byPortcullis Computer Security
 
DOCX
AKSHAY BOGS CV
byAKSHAY M
 
PPTX
Permanent building
byVisionBuildings
 
PPTX
Permanent-building
byVisionBuildings
 
PPTX
5th grade finance (career lesson)
byjessied85
 
PDF
NELP
byJacklyn McGlothlin
 
PDF
Finance
byjessied85
 
PPTX
Transfer pricing
byKapil Jain
 
PDF
How to set ASL (Access, Stair, Ladder) standard for pdms 12 in Module Design ...
byAliakbar Nouri
 
PDF
Steps to prepare MTO (Material Take Off) in PDMS
byAliakbar Nouri
 
Third street aleworks
bythirdstreetalework
 
Venom vulnerability
byPortcullis Computer Security
 
Alcool 2011
byCherif Ghrab
 
Detecting Windows horizontal password guessing attacks in near real-time
byPortcullis Computer Security
 
Detecting windows horizontal password blog
byPortcullis Computer Security
 
AKSHAY BOGS CV
byAKSHAY M
 
Permanent building
byVisionBuildings
 
Permanent-building
byVisionBuildings
 
5th grade finance (career lesson)
byjessied85
 
NELP
byJacklyn McGlothlin
 
Finance
byjessied85
 
Transfer pricing
byKapil Jain
 
How to set ASL (Access, Stair, Ladder) standard for pdms 12 in Module Design ...
byAliakbar Nouri
 
Steps to prepare MTO (Material Take Off) in PDMS
byAliakbar Nouri
 

Similar to MS SQL server audit

PPTX
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
PPTX
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
byNetSPI
 
PPTX
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
PPTX
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
PDF
Ce hv6 module 42 hacking database servers
byVi Tính Hoàng Nam
 
PDF
Microsoft sql server_2017_and_azure_sql_database_permissions_infographic
byNatt Suthamsmai
 
PPTX
Oracle Database Security For Developers
bySzymon Skorupinski
 
PDF
Dynamics of Leading Legacy Databases
byCognizant
 
PDF
Does Your IBM i Security Meet the Bar for GDPR?
byPrecisely
 
PDF
Winning performance challenges in oracle standard editions
byPini Dibask
 
PDF
2008 Collaborate IOUG Presentation
byBiju Thomas
 
PPT
DB2UDB_the_Basics Day 3
byPranav Prakash
 
PPT
SQL Server Basics Hello world iam here.ppt
bynanisaketh
 
PPTX
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
byMichael Rosenblum
 
PPTX
DBA Commands and Concepts That Every Developer Should Know - Part 2
byAlex Zaballa
 
PPTX
DBA Commands and Concepts That Every Developer Should Know - Part 2
byAlex Zaballa
 
PPTX
Oracle database 12.2 new features
byAlfredo Krieg
 
PDF
DB2 10 Security Enhancements
byLaura Hood
 
PPTX
12_more_idea_things_about_oracle_12c.pptx
byankitmodidba
 
PPT
DB2 UDB for z/OS Version 7 - An Overview
byCraig Mullins
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
byNetSPI
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
Ce hv6 module 42 hacking database servers
byVi Tính Hoàng Nam
 
Microsoft sql server_2017_and_azure_sql_database_permissions_infographic
byNatt Suthamsmai
 
Oracle Database Security For Developers
bySzymon Skorupinski
 
Dynamics of Leading Legacy Databases
byCognizant
 
Does Your IBM i Security Meet the Bar for GDPR?
byPrecisely
 
Winning performance challenges in oracle standard editions
byPini Dibask
 
2008 Collaborate IOUG Presentation
byBiju Thomas
 
DB2UDB_the_Basics Day 3
byPranav Prakash
 
SQL Server Basics Hello world iam here.ppt
bynanisaketh
 
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...
byMichael Rosenblum
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
byAlex Zaballa
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
byAlex Zaballa
 
Oracle database 12.2 new features
byAlfredo Krieg
 
DB2 10 Security Enhancements
byLaura Hood
 
12_more_idea_things_about_oracle_12c.pptx
byankitmodidba
 
DB2 UDB for z/OS Version 7 - An Overview
byCraig Mullins
 

Recently uploaded

PDF
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
PPTX
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 
PPTX
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
PDF
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
PDF
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
PPTX
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
PDF
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 
PPTX
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
PPTX
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
PPTX
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
PDF
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
PDF
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
PPTX
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
PPTX
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
PPTX
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
PPTX
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
PDF
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
PDF
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 

MS SQL server audit

  • 1.
    Portcullis Computer Security MSSQL SERVER AUDIT : EXTENDED STORED PROCEDURES/ TABLE PRIVILEGES
  • 2.
    (if you excusethe pun) Everyone has a different view on Extended Stored Procedures  Some might say they are stored procedures with extra functionality  Some might say they can cause problems to a database if misused  Some simply say they are stored procedures with a prefix of xp_  This post will hopefully give a better understanding of what Extended Stored Procedures are, how to identify them and how to restrict public access to them. Also this post will look at identifying permissions upon tables, views and functions to ensure it is not possible for users to directly modify data.
  • 3.
    Assessing XP storedprocedures  Extended Stored Procedures are stored procedures that call functions from Dynamic-Link Library (DLL) files. However these features are deprecated in SQL Server 2012 and may not be supported in future versions of SQL Server. CLR integration should be installed instead if required. In the CIS benchmarks for SQL Server 2008R2 and SQL Server 2012, item 2.2 CLR Integration should be disabled with CLR enabled configuration setting set to 0.  In general, Extended Stored Procedures should not be enabled as good practice. In Centre for Internet Security (CIS) Benchmark for SQL Server 2008r2 and 2012, for the Extended Stored Procedures listed, the recommendation is for those stored procedures to be disabled.  Extended Stored Procedures can be observed using SQL Server Management Studio. Within the Object Explorer, navigate to the SQL Server Instance and expand the path following:
  • 4.
    Locate any ofthe Extended Stored Procedures and look at their properties. The CIS benchmark for SQL server 2008R2 and SQL server 2012 identifies the following:  3.1 xp_availablemedia  3.2 xp_cmdshell  3.3 xp_dirtree  3.4 xp_enumgroups  3.5 xp_fixeddrives  3.6 xp_servicecontrol  3.7 xp_subdirs  3.8 xp_regaddmultistring  3.9 xp_regdeletekey  3.10 xp_regdeletevalue  3.11 xp_regenumvalue  3.12 xp_regremovemultistring  3.13 xp_regwrite  3.14 xp_regread
  • 5.
    For Example, tolook at xp_dirtree: 1. Locate xp_dirtree (labelled sys.xp_dirtree) in the object explorer, right click and select Properties 2. Select the Permissions tab. 3. Look in the Users or Roles listing, If the public entry does not exist, then it complies with the CIS Benchmark (and you can skip further steps). 4. If public entry does exist, select the it within the Users or Roles listing. 5. If the Grant checkbox for the Execute permission is checked, the Public role has Execute permission on the procedure. You should remove the public entry. ( Image on next slide)
  • 7.
    A useful querycan be constructed that gathers the permissions granted to public for all XP stored procedures. The query looks at the database permissions table and identifies the associated objects that are extended stored procedures (XP) with it assigned permission which applies to PUBLIC
  • 8.
    Table and ViewPrivileges  In CIS Benchmark for SQL Server 2008R2 and SQL Server 2012, there is a recommendation to sanitise the database and application user input. To help to perform this, a good idea is to gather all the permissions for tables, views, stored procedures and functions including the columns for each of these object types. Note for each user with the permissions to access these object types, the aim is to eliminate any permissions to INSERT, DELETE or UPDATE to non-administrative users (i.e. user that do not require these permissions).  The following query gathers all objects of the above type and their columns and identifies which users can access them with what permission for each database.
  • 9.
    Summary In this article,we have looked Extended Stored Procedures and how to identify them. In general, Extended Stored Procedures are not required for the running of a SQL Server and should be disabled from use. Good practices from Microsoft and CIS support this. We also looked at constructing a query that can evaluate what permissions are assigned to users for objects that can be applied to sensitive data, such as tables, views, stored procedures and functions.
  • 10.
    Request to beadded to the Portcullis Labs Newsletter SIGN UP HERE