?
Solved

How to stop rogue SQL servers?

Posted on 2005-05-01
7
Medium Priority
?
157 Views
Last Modified: 2013-12-04
I need some creative and as bullet-proof as possible ideas on how to stop rogue SQL servers from being installed and running on my internal network.
Scope:
- Any SQL Server 2000 or MSDE on Windows 2000, XP or 2003 (servers and workstations).
- Limited to options only available to work in a pure native mode Windows 2000 domain.
- Ideas involving hardware devices such as firewalls, IDS systems, router/switch/port controls, etc. are really not an option on this solution, but side suggestions are always welcome.
- Any effective control mechanisms for allowing/disallowing it in an easily manageable way and consideration of known apps that require MSDE are helpful.
- One tough issue is that there are developers that have local Admin rights and that should be considered.
- Any solution that involves controlling the SQL services in Group Policy 'may' only get partial points as this has some limitations and workarounds. BUT if you have a really creative or bullet-proof method that goes along with it, then you could ring in all the points.

I'm eagerly awaiting a security guru to answer this!
0
Comment
Question by:BuzzbeeMe
  • 3
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13906851
So, what about port scanning? Is that out? What about turning on more event auditing, and using Snare to alert you of these types of things as well as lert you to other problems on your lan through the event logs? http://sourceforge.net/projects/snare/ It can be considered IDS to some degree, but that's not all it does.

Stoppage is really a 3 parter, First, acceptable usage policy, should state that users/developers are not to install unapproved software such as this... second, you need to monitor to be sure that the acceptable usage is being followed, snare is great, and 3rd you may have to disallow certain exe's through AD.
Acceptable use: (and many many more great policies)
http://www.sans.org/resources/policies/
Software restriction GP's
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/d24bc8c8-27cc-47ba-9b02-78d9d801e937.mspx
-rich
0
 
LVL 2

Author Comment

by:BuzzbeeMe
ID: 13907917
Thanks richrumble for the reply.

We use port scanning for 1433, but that only identifies them, not stops them before they install it. However, I will investigate Snare further.
Event logs are problematic as we are a VERY large environment. We are in the process of getting an event log consolidation/monitoring system in place, but at present, its just not there yet. Also, it would be an 'after the fact' catch, not 'stopping' them.
We do have a paper policy in place and is about to be enforced at the absolute highest level to all employees, which, hence, is where the actual stopping and enforing starts to come in.
Group Policies...significant limitations so far..
- Software restrictions: Only works on XP/2003. We are going to use it, but we are vastly Win2k, which does not support this option.
- Resticting an .exe: This option is a user policy, not a computer policy. Even using a loopback policy to make it a computer policy, the problem is that it is expecting a user to launch it, not the 'Local System'. If SQL is using the 'Local System' to startup, the policy does nothing. It only works if the user actually attempts to run the exe, which normally, they wouldn't as it is a service.
As you can see there are some intracacies in doing this and I have some limitations of what works and what I can do.
Thanks for the suggestions and pease keep the ideas coming.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13909058
We are also very large, 5000+ users, 600+ servers. And snare was great for our purposes, but we've moved to GFI's SELM, which is far more expensive, but works just as well.
http://www.gfi.com/lanselm/

Programs like DeepFreeze are able to allow/disallow you to install program by using process locking, similar to what ZoneAlarm does when a new program want's access to the nic or to act as a server. http://www.faronics.com/ 
-rich

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:BuzzbeeMe
ID: 13964802
I ended up using a few GPO's that disabled all SQL services and set the service permissions to only 'Domain Admins'. This ensured not even developers with Administrator rights could start the services.
For application servers, which have thier own OU, a 'Master' policy was created as noted above. For servers that were actually approved to run it, a lower-level policy was used to enable the services and set the correct permissions.
For workstations, which are in several OU's, a 'Master' policy was created at each level with the settings noted above. For those that were approved, we used a group filter from an approval list.
This all worked really well.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13964984
Glad to hear you worked out the solution.
-rich
0
 
LVL 1

Accepted Solution

by:
GhostMod earned 0 total points
ID: 14000464
PAQd, 500 points refunded.

GhostMod
Community Support Moderator
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses
Course of the Month14 days, 9 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question