This post is part of our SQL Server security blog series, 30 SQL Server Security Checks in 30 Days. We’re publishing a new security check every day in the month of June. Visit our sp_CheckSecurity page to learn about our free SQL Server tool you can download and run to check your own server.
Thanks for tuning into our posts for the 30 SQL Server security checks in 30 days series this month. I want to recap the entire month of posts with a few homework assignments to get you started today.
Assignment #1 – Change your mindset.
We’ve talked about a lot of the checks in our sp_CheckSecurity tool here. That community-available tool covers a large subset of the checks we do in our SQL Server security health checks. And we’ve talked about a lot of those checks this month.
I’m going to suggest some homework below, but first I want to say that securing your SQL Server environment is more than just running sp_CheckSecurity. It’s even more than doing a comprehensive SQL Server security health check with Straight Path. It’s a mindset shift. And it goes beyond the databases and SQL Server instances you secure.
Security needs to become your and your team’s primary mindset. You need to look at the e-mails and texts you receive at home and the office with that mindset. You need to look at the decisions you make and the tools you use with a security-first mindset. We have seen companies go under because of attacks. We’ve seen companies spend an entire annual budget on remediation and recovery from attacks. The attackers are sophisticated. They are smart. They have teams of developers. They have the power of AI and automation. They are not stopping.
I hate it when folks say things like “it’s a matter of when not if,” but I’m about to be one of them – Your mindset needs to be a matter of “when” not “if”. You need to assume an attack can happen, will happen, or may be happening right now. And then you need to ask the questions and review the environments with an eye to minimizing that damage.
SQL Server Security is More than just SQL Server Security
Be paranoid. You need to be, here. Do the homework below. Make sure your entire organization follows suit. Make sure the folks responsible for networking, security, and overall IT and tech in your organization are aligned here. If they aren’t – be the champion of security… When, not if.
Assignment #2 – Consider the Human Element
The posts this month and the checks in the tools look at settings, configurations, and areas to lock down and tighten controls and access. But remember, your security is only as strong as the people enforcing it. It’s only as effective as the policies and training backing operational processes in your organization.
I once had a job as a full-time DBA, and I implemented some best practices for group-based login security. I cleaned up the sysadmin role in SQL Server and made access via AD groups only. I loved our developers – great folks – but I got them out of the sysadmin (and setupadmin and securityadmin) roles on our prod servers. But then I saw one in the system again, making “helpful” sys.configurations changes that weren’t approved by the DBA team. I talked to the developer – puzzled at how they got back in with the changes I made. They were honest, at least: “Oh. I called the helpdesk and asked if they could add my login to the Prd_DBA_US group so I could do my job and they did…” OOPS. I forgot about the humans.
Your security is only as good as the people with access to it, and the policies and auditing you do to ensure compliance with the policies.
Think through the policies you need to set to make sure that all of the work you are doing based on the posts this month and running the sp_CheckSecurity proc isn’t undone by a lack of clear policies, documentation, training, and auditing of those policies. (When not if…)
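The auditing piece of that assignment can be scripted. The T-SQL below is an added example, not part of the original post or of sp_CheckSecurity: it lists the direct members of the sysadmin, securityadmin and setupadmin roles, expands any Windows group members with xp_logininfo (so a login quietly added to a group like the Prd_DBA_US one in the story shows up), and flags anything not on an approved list the DBA team maintains. The approved names (sa, CONTOSO\svc_sqlagent, CONTOSO\Prd_DBA_US) are constructed sample values.

```sql
-- Added example (not part of the original post or sp_CheckSecurity):
-- audit high-privilege server role membership, expanding Windows groups,
-- and flag members that are not on the DBA team's approved list.
SET NOCOUNT ON;

-- Approved principals (constructed sample values; replace with your own list)
DECLARE @Approved TABLE (principal_name sysname);
INSERT INTO @Approved VALUES (N'sa'), (N'CONTOSO\svc_sqlagent'), (N'CONTOSO\Prd_DBA_US');

-- Direct members of the roles we care about (disabled logins excluded)
DECLARE @Members TABLE (role_name sysname, member_name sysname, member_type nvarchar(60));
INSERT INTO @Members
SELECT r.name, m.name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'setupadmin')
  AND m.is_disabled = 0;

-- Expand Windows groups: xp_logininfo ... 'members' returns one row per direct member,
-- with the group name in the "permission path" column.
DECLARE @Expanded TABLE (
    account_name sysname, [type] varchar(8), privilege varchar(9),
    mapped_login_name sysname, permission_path sysname NULL);
DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT DISTINCT member_name FROM @Members WHERE member_type = N'WINDOWS_GROUP';
OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        INSERT INTO @Expanded EXEC master..xp_logininfo @acctname = @grp, @option = 'members';
    END TRY
    BEGIN CATCH
        -- Group could not be resolved (orphaned SID, domain unreachable): report it for review
        INSERT INTO @Expanded (account_name, [type], privilege, mapped_login_name, permission_path)
        VALUES (N'<unresolvable: ' + @grp + N'>', 'unknown', 'unknown', @grp, @grp);
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur; DEALLOCATE grp_cur;

-- Report: direct members plus expanded group members, each with an approval flag
SELECT m.role_name, m.member_name, m.member_type,
       CASE WHEN a.principal_name IS NULL THEN 'REVIEW' ELSE 'approved' END AS status
FROM @Members m
LEFT JOIN @Approved a ON a.principal_name = m.member_name
UNION ALL
SELECT m.role_name, e.account_name, N'via group ' + e.permission_path,
       CASE WHEN a.principal_name IS NULL THEN 'REVIEW' ELSE 'approved' END
FROM @Expanded e
JOIN @Members m ON m.member_name = e.permission_path
LEFT JOIN @Approved a ON a.principal_name = e.account_name
ORDER BY role_name, status, member_name;
```

Schedule it (an Agent job that e-mails any REVIEW rows works fine) rather than running it once, because the whole point of the story is that group membership changes outside the DBA team's view. Note that xp_logininfo with 'members' lists only direct members, so a nested group shows up as a row of type 'group' and needs its own expansion if you want every individual account.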
Assignment #3 – Download sp_CheckSecurity
It’s pretty simple.
Start securing your SQL Server environment today. Download the free tool, check your own SQL Servers, read the “more” links in the URLs in the output. Follow the links to the posts in this month of security posts here on the blog and secure your environment today.
While we are a consulting company that offers DBA as a Service and sells SQL Server and SQL Server security health checks – we’re also community members who care about you securing your environment. You can certainly leave a comment or send us an e-mail at info@straightpathsql.com with a quick follow-up question. We’re not going to engage in a free statement of work via e-mail, but we’ll answer a quick question related to these posts or the scripts. You should be able to take that tool, these posts, and your training as a DBA and start securing your SQL Server environment today.
So that’s the assignment – Get paranoid. Assume it’s a matter of when, not if. Review the posts from this month. Download the community tool and start securing your SQL Server environment right now. Become the champion of security within your company if no one has that role yet, and lead your organization into a secure future. (When, not if…)
Download sp_checksecurity