
Tools that can help to secure SQL server security within web environment

Published 21 October 08 12:47 AM | SQL Master 

When SQL Server is exposed to the internet, you have to take the utmost care to ensure that no row in any table is compromised and that no unexpected activity takes place.

The rise in SQL injection attacks has been a reminder of the best practices and rules for securing the database and web environment, given the escalation in a class of attacks targeting Web sites that use ASP and ASP.NET technologies. I don't need to say that these SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

When faced with such a threat, users will naturally look for an advisory from the product vendor or search the web for best practices to deploy on their side. This is an important aspect that every DBA and system administrator must follow: identifying and correcting vulnerable ASP and ASP.NET Web application code that does not follow best practices for secure Web application development.

You may have secured access to the tables, but what if the attacker can get hold of a user password? This is where you need a validation process: failure to properly validate user input can allow an attacker to inject SQL commands into input fields, which may then execute against a data source, leading to database corruption or code execution on the server. In recent times we have asked our Microsoft TAM many times to provide such an advisory to avoid any sort of mishap within the data environment.

This is the information we have been given about several tools that are available to secure the platform. Between them, these tools cover detection, defense, and identification of code which may be exploited by an attacker.

Detection – HP Scrawlr

Hewlett-Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.

Detailed description:
The tool is a black-box analysis tool (i.e. no source code is required). The user inputs a starting URL, and the tool will:

Recursively crawl that URL for hyperlinks in order to build up a site tree.

Test all discovered links for verbose SQL injection by sending HTTP requests containing SQL injection attack strings in querystring parameters.

Examine the HTTP responses from the server for SQL error messages that would indicate a SQL injection vulnerability.

Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.

Defense – UrlScan version 3.0 Beta

UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.

Detailed Description:
UrlScan version 3.0 is a tool that will allow you to implement many different rules to better protect Web applications on servers from SQL injection attacks. These features include:

The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.

A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking the un-escaped version of the query string as well.

The ability to use escape sequences in the deny rules, so that CRLF and other non-printable character sequences can be denied from the configuration.

Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).

Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.

Enhanced logging to give descriptive configuration errors.
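To make the un-escaped query string option above concrete, here is an added example (not from the post and not UrlScan's own code) that models DenyQueryString-style matching and runs it over a few constructed IIS log lines. The rule list and the log lines are assumptions made up for the demonstration.

```python
# Added example: a small model of UrlScan 3.0-style [DenyQueryString] matching,
# run over constructed IIS log lines, to show why the un-escaped query string
# must be checked as well as the raw one. Not UrlScan's own code.
from urllib.parse import unquote

# Assumed deny rules in the style of a [DenyQueryString] section; escape
# sequences such as %0d%0a stand for CRLF, as the post describes.
DENY_QUERY_STRING = ["'", "--", "%0d%0a", "xp_", "declare"]

def violated_rule(query, rules=DENY_QUERY_STRING, unescape=True):
    """Return the first deny rule found in the query string, else None.
    Matching is case-insensitive. With unescape=True the URL-decoded
    query is checked too, so an encoded %27 is caught by the quote rule."""
    forms = [query.lower()]
    if unescape:
        forms.append(unquote(query).lower())
    for rule in rules:
        # a rule matches either as written or in its decoded form
        needles = {rule.lower(), unquote(rule).lower()}
        if any(n in f for n in needles for f in forms):
            return rule
    return None

# Constructed W3C-format log lines: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2008-10-21 00:47:12 192.0.2.10 GET /products.asp id=42 200
2008-10-21 00:47:13 192.0.2.10 GET /products.asp id=42%27%20or%201%3d1%2d%2d 500
2008-10-21 00:47:14 192.0.2.11 GET /login.asp user=admin'-- 200
2008-10-21 00:47:15 192.0.2.12 GET /search.asp q=declare%20%40s%20varchar 500
2008-10-21 00:47:16 192.0.2.13 GET /search.asp q=cast%20iron%20skillet 200
"""

def scan_log(text, unescape=True):
    """Return (uri-stem, query, rule) for every log line a deny rule would block."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        stem, query = fields[4], fields[5]
        rule = violated_rule(query, unescape=unescape)
        if rule is not None:
            hits.append((stem, query, rule))
    return hits

if __name__ == "__main__":
    for unescape in (False, True):
        print(f"unescape={unescape}:")
        for stem, query, rule in scan_log(SAMPLE_LOG, unescape):
            print(f"  {stem}?{query}  blocked by rule {rule!r}")
```

With raw matching only, the fully URL-encoded request on /products.asp slips past the quote rule; keyword rules such as declare will also block legitimate query strings containing that word, so tune the list against the site's real traffic before enabling it.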

Identifying – Microsoft Source Code Analyzer for SQL Injection

Microsoft has developed a SQL source code analysis tool. It can be used to detect ASP code susceptible to SQL injection attacks, and can be found in Microsoft Knowledge Base Article 954476.

Detailed Description:

The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:

Scans ASP source code for code that can lead to SQL Injection vulnerabilities.

Generates an output that displays the coding issue.

This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code.

Additional Information

Microsoft has additional resources to assist administrators with identifying and correcting issues related to this class of attack.

Links to other documentation on SQL injection and coding best practices:

SQL Server Injection Protection

Preventing SQL Injections in ASP

How To: Protect from SQL Injection in ASP.NET

Coding Techniques for protecting against SQL Injection in ASP.NET

Filtering SQL Injection from Classic ASP

Security Vulnerability Research & Defense Blog on SQL Injection Attack

Make sure to test these tools before deploying them fully on the production environment; this is another 'must' best practice.

Comments

# Other SQL Server Blogs around the Web said on October 21, 2008 1:01 AM:

When the SQL Server is faced to the internet then you have to take utmost care to ensure that the each

# SQL Server Security, Performance & Tuning (SSQA.net) : Tools that can help to secure SQL server security within web environment said on October 21, 2008 2:21 AM:

PingBack from http://sqlserver-qa.net/blogs/perftune/archive/2008/10/21/5001.aspx

# Log Buffer #120: a Carnival of the Vanities for DBAs said on October 24, 2008 9:25 AM:

PingBack from http://www.pythian.com/blogs/1307/log-buffer-120-a-carnival-of-the-vanities-for-dbas

# SQL Server Transact-SQL (SSQA.net) said on January 5, 2009 3:29 AM:

Here it is first post in the year 2009, still I would like to visit the good old advice of securing your


About SQL Master

SQL Server MVP, Sr. DBA & industry expert. - Knowledge is of two kinds. We know a subject ourselves or we know where we can find information on it. It is also a power and you will gain by sharing it.
