Avoiding Database Security Problems - 10 Feb 2000
Let's not blame the computer when our ignorance or our lack of diligence causes a security hole. You can avoid many database security problems, but only if you know about them.
February 9, 2000
Imagine that you're tasked with guarding the Hope Diamond. You wouldn't place it in the world’s most impregnable safe, then leave the lock combination on a yellow sticky note on the door to the vault, would you? That's essentially what happens when you become obsessed with one part of the e-commerce security puzzle, but ignore security of key ingredients such as the database.
I've been thinking about e-commerce security during the past few weeks since MSNBC posted a story explaining how correspondents managed to view nearly 2500 credit-card numbers stored by seven small e-commerce sites within just a few minutes. In this case, MSNBC found a surprisingly large number of Web sites running a SQL Server machine connected directly to the Internet with no firewall protection. Even worse, the administrators of these sites never bothered to change the default sa password to something other than NULL. This isn't a case of the e-commerce building blocks being insecure, but rather a good example of what happens when intellectually challenged people do a job they're not qualified to handle or when a really smart person just gets lazy.
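The misconfiguration in that story, an `sa` login with no password, is easy to audit for. The following T-SQL is an added example, not part of the original column, and it assumes SQL Server 2005 or later, where `sys.sql_logins` and the documented `PWDCOMPARE` function exist (neither was available in this form on the SQL Server 7.0 installations the story describes). The remediation password is a labelled placeholder.

```sql
-- Added example (not from the column): audit SQL Server logins for blank
-- passwords, the misconfiguration the MSNBC story found on the sa login.
-- Assumes SQL Server 2005 or later; run as a sysadmin.

-- Any row returned here is a login whose stored hash matches the empty string,
-- i.e. a login that can be used with no password at all.
SELECT name,
       is_disabled,
       is_policy_checked,       -- 0 means Windows password policy is not enforced
       is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Logins whose password is the same as the login name are a second common
-- default worth flagging in the same audit.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- Remediation for a blank sa password: set a strong password, enforce the
-- Windows password policy on the login, and disable sa so day-to-day
-- administration goes through a named sysadmin login instead.
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
ALTER LOGIN sa DISABLE;
```

Run the two SELECTs on a schedule and treat any returned row as a finding; fixing the password alone does not address the other half of the story, a database server reachable from the Internet with no firewall in front of it, which has to be corrected at the network layer.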
Are Microsoft server and database platforms 100 percent invulnerable? Are any computer systems? The database is a key ingredient to almost any modern business computer solution, including e-commerce solutions, and it never ceases to amaze me how often network administrators with little understanding of the database platform are charged with securing the entire solution, often with a disastrous result.
Hackers and security holes will always plague IT systems, so DBAs need to stay educated on the current threats. Education and preparedness will help us avoid many security threats that lurk in cyberspace. But let's not blame the computer when our lack of diligence causes the security hole.
If you're new to SQL Server security, check out a Microsoft article about deploying SQL Server-based solutions. You'll also want to review two SQL Server security holes that might affect your systems, described in the articles "SQL 7.0 SA Password Attack" and "SQL 7.0 Denial of Server". Also, you'll find an article about e-commerce-based security.
Do you have a good information source about SQL Server security? Send me your favorite security-related Web sites or other resources that you'd like me to mention in a future edition of SQL Server Magazine UPDATE. You can avoid many database security problems, but only if you know about them.