Lockdown.sql - 18 Dec 2006

Plug SQL Server 2000 holes from the start by setting a secure baseline configuration

Kevin Kline, SolarWinds

December 17, 2006

4 Min Read
ITPro Today logo in a gray background | ITPro Today

SQL


Server enthusiast and security architect Chip Andrews was frustrated by theneed to repeatedly button up the security holes he found at client installations. Because Enterprise Manager can be cumbersome for modifying the configurationof multiple servers—and Chip typically worked with large numbers of servers—hewanted to ensure a fast, effective way to reduce the security risks of a straight SQLServer 2000 installation. Chip’s Web site (http://www.sqlsecurity.com) hosts a variety offree SQL Server security utilities and links to other recommended Windows securityutilities. But the most useful utility on the site isn’t an executable; it’s the simple, tinyLockdown.sql T-SQL script.

Functionality


Lockdown.sql configures a SQL Server 2000 instance to the most secure baselineconfiguration possible. From this point, the DBA can simply enable the functionalityneeded for that instance. When using this script, a DBA’s security mindset requires theapplication of a bit of reverse psychology. The average DBA is used to locking downsecurity holes as they emerge. In contrast, Lockdown.sql secures all vulnerabilities andrequires you to open up functionality that might not automatically be available becauseit introduces a security risk.

The latest release of Lockdown.sql supports named instances, doesn’t break futureservice pack and hotfix installations, and locks down rarely used functionality but strivesnot to break common application features. You can easily invoke the utility from thecommand prompt for mass distribution.

What Does Lockdown.sql Secure?


Although Lockdown.sql is a simple T-SQL script, it changes many default configuration settings on a SQL Server 2000 instance. When you execute it, the scriptautomatically

  • determines whether the SQL Server service account for LocalSystem Authority is allowed.

  • confirms the latest service packs and hotfixes.

  • enables Windows Authentication as the only login method.

  • sets a strong sa account password consisting of two concatenated unique identifiers.

  • enables full logon auditing to monitor successful and failed SQL Server access.

  • disables SQL Server Agent, Microsoft Distributed Transaction Coordinator (MSDTC), and MSSEARCH services.

  • disables ad hoc queries for all data providers in accordance with the “minimal surface area” best practice.

  • removes the Pubs and Northwind sample databases.

  • tightens permissions on many system stored procedures and extended stored procedures, including SQL Server Agent job system stored procedures, Web tasks, table permissions, DTS package table permissions, and extended stored procedures.

  • revokes permissions of the guest account to MSDB.

  • disables remote access.

  • ensures that system tables can’t be accessed.

  • increases the SQL Server log history capacity for better auditing and reporting.

  • removes lingering SQL Server setup files.

Some of these lockdown measures mightat first seem too strong, but the scriptdoesn’t break most applications. If youwant to enable any of the features thatLockdown.sql disables, you can simplyadd the functionality back by removing or commenting out the lines of code that you don’t want, if your application requires it.

Note that although some best practices documents have encouraged DBAsto remove unnecessary extended storedprocedures, Lockdown.sql doesn’t do this.Instead, the utility disables extended storedprocedure permissions that represent a security risk. Chip took this approach for severalreasons. First, removing extended storedprocedures can cause problems with servicepacks and hotfixes during installation andcan cause problems with useful tools suchas Enterprise Manager. Preventing accessby non-sysadmin users is more effectivelyand easily achieved by dropping executepermissions than by removing extendedstored procedures. In addition, hackers canadd back the files of dropped extendedstored procedures, but they can’t alter permissions when those permissions have beenexplicitly denied. And DBAs can easily addprivileges back, making it unnecessary to drop extended stored procedures that mightlater be needed for a one-off job.

How to Execute the Script—PlusSome Cautions


Executing Lockdown.sql couldn’t be easier because it’s a simple T-SQL script. I recommend that you read the entire script, which will only take a few minutes, to ensure that it’s not disabling any functions you want on your instance of SQL Server 2000. In addition, be aware that the script as written might cause errors in a case-sensitive installation. You might want to standardize the case before using the script. To execute thescript from the command prompt, type:

osql -S (servername) -E -ilockdown.sql

Note that the script doesn’t currently support SQL Server 2005 because the newestversion of SQL Server has more robustsecurity and automatically disables manyof the same security vulnerabilities thatLockdown.sql does. However, Chip has saidhe’d like to update his script if user interestis strong enough. Chip’s Web site, whichisn’t affiliated with Microsoft, offers otherfree SQL Server security tools and has adiscussion forum that focuses exclusivelyon SQL Server security. I encourage you todrop Chip a note in his discussion forumor contact him directly at [email protected] if you’d like to see a new SQL Server2005 version of the script. And be sure tovisit the Tool Time forum online to comment on this column and post your owntool recommendations!

About the Author

Kevin Kline, SolarWinds

Kevin Kline, SolarWinds

See more from Kevin Kline, SolarWinds
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a stressed employee at their laptop and collaboration icons gone amok
Unified Communications
Microsoft Teams Is Acting Up. What Can We Do?Microsoft Teams Is Acting Up. What Can We Do?
byBrien Posey
Sep 12, 2024
4 Min Read
person placing a block between two columns of blocks
IT Management
Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?Data Skills Gap Is Hampering Productivity; Is Upskilling the Answer?
byNathan Eddy
Sep 7, 2024
7 Min Read
data privacy quiz sample question above a desk
Data Privacy
Data Privacy Quiz: 20 Questions To Test Your KnowledgeData Privacy Quiz: 20 Questions To Test Your Knowledge
byIan Horowitz
Aug 30, 2024
1 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

tablet with "cloud computing" on the screen on top of financial documents and calculator
Cloud Computing
Guide to Cloud Computing ETFsGuide to Cloud Computing ETFs
A cartoon of a person sitting at a computer, with speech bubbles—one from the person saying Hello and one from the computer responding with Hello
PowerShell
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesPowerShell Speech Recognition: Set up Voice Commands and Responses
Migrating From VMware Guide cover
VMWare
Migrating From VMware: Guide to a Successful TransitionMigrating From VMware: Guide to a Successful Transition
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained
ITPro Today's tech careers quick reference guide cover
Career Management
Tech Careers: Quick Reference Guide to IT Job TitlesTech Careers: Quick Reference Guide to IT Job Titles