smv939
SQL Server Database hacked through ASP pages in internet.

Hi All,
I am working in a small company and I am handling SQL Server (meaning I am the administrator) in our company, and I am also the programmer who published the ASP pages on the internet. My database got hacked from outside last week and all the tables were corrupted. Now our company has removed all the ASP pages from the internet.

This is what our company came up with to secure the website.
1. Encrypt the SQL Server login.
2. Create stored procedures even for simple 'SELECT' statements. Only 'SELECT' statements are not in stored procedures.
3. Create audit tables for our records.

Please share information on how we can secure SQL Server data through ASP pages on the internet.
I am using Visual InterDev 6.0 Service Pack 5 for ASP.
What type of encryption is good on the internet? Is XML OK, or is there another method? Will XML encryption work in Visual InterDev 6.0?

Please help.
SMV
dqmq

Obviously, the more you know about the method of attack, the better. SQL injection is very different from hijacking a logon, for example.  Each requires different solutions.  Also, do not assume your attack came from outside.  That is the exception rather than the rule.  The most common source of corruption is accidental and the second is from the inside.

As a baseline, though, you should also consider:

Encrypting traffic between your ASP server and the SQL Server at the TCP level.

Put SQL Server behind a firewall--do not expose it to the internet

Implement a robust security scheme on SQL Server itself.  For example, since data access will be exclusively through SP's, then restrict all data access except by SP's.
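The "restrict all data access except by SP's" point above, as an added T-SQL example (this is not code from the thread or from dqmq). Every name in it is a placeholder: MyAppDb, WebAppLogin, WebAppUser, WebAppRole, dbo.Orders and dbo.GetOrdersForCustomer. It uses SQL Server 2005+ syntax; on SQL Server 2000 (the era of Visual InterDev 6) the equivalents are sp_addlogin, sp_grantdbaccess and sp_addrole, and the EXECUTE AS check at the end is not available.

```sql
-- Added example (not code from the thread): least-privilege layout for an
-- ASP application's login on SQL Server, so that the only way to reach the
-- data is through stored procedures. All names below are placeholders.
USE MyAppDb;
GO

-- 1. A dedicated, unprivileged login for the ASP pages: never 'sa', and a
--    member of no server role. The password is a placeholder.
CREATE LOGIN WebAppLogin WITH PASSWORD = '<strong-placeholder-password>';
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO

-- 2. A database role holding exactly the rights the pages need.
CREATE ROLE WebAppRole;
EXEC sp_addrolemember 'WebAppRole', 'WebAppUser';
GO

-- 3. The procedure is the only path to the table. Its parameter is typed,
--    so the caller's value is compared, never spliced into SQL text.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- 4. EXECUTE on the procedure, nothing on the table. The DENY is belt and
--    braces: it stops a later "GRANT SELECT ... TO public" from reopening
--    direct access. The procedure still works because dbo owns both objects
--    (ownership chaining), so table permissions are not checked when it runs.
--    Dynamic SQL inside the procedure would break that chain, and the DENY
--    would then block it, which is the behaviour you want.
GRANT EXECUTE ON dbo.GetOrdersForCustomer TO WebAppRole;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO WebAppRole;
GO

-- 5. Check the scheme from the web user's point of view.
EXECUTE AS USER = 'WebAppUser';
SELECT * FROM dbo.Orders;                        -- fails: permission denied
EXEC dbo.GetOrdersForCustomer @CustomerId = 42;  -- succeeds
REVERT;
GO
```

The ASP pages then connect as WebAppLogin only. If that login is ever leaked or abused through the pages, the damage is bounded by what the procedures expose, which is the point of the scheme; the step 5 check is worth repeating after every permissions change.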
Stored procedures are a good idea on the DB end to avoid possible injection hacks. You can even avoid using SPs if you are careful to scrub the input data at the ASP page. As mentioned, SQL injection is a slight possibility if you haven't scrubbed the input and querystrings well and the culprit was able to attach UNION statements to querystrings or input fields. These should always be protected from receiving any invalid entries (especially those containing code that can be interpreted by SQL). Careful coding practices can protect you from outside hackers, but as dqmq said, it is more likely something internal has happened to corrupt the data.
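A caveat a practitioner would add to the two posts above: a stored procedure only removes the injection risk when the input stays a parameter value inside it. The added T-SQL example below (not code from the thread) shows the same search written three ways; dbo.Products, dbo.SearchProducts_Dynamic, dbo.SearchProducts and dbo.SearchProductsSorted are placeholder names.

```sql
-- Added example (not code from the thread). All object names are placeholders.

-- What a stored procedure does NOT protect against: rebuilding the statement
-- text from its parameter. The input is executed as SQL, so any characters the
-- ASP page failed to scrub become code. Ownership chaining also does not apply
-- to the EXEC'd string, so the web user would need table rights for it to run.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT ProductId, Name, Price FROM dbo.Products '
             + N'WHERE Name LIKE ''%' + @Name + N'%''';
    EXEC (@sql);   -- @Name is now part of the statement, not a value
END;
GO

-- Safe form: the parameter stays a value. The concatenation here builds the
-- LIKE pattern as data; nothing in @Name can change the statement's shape.
CREATE PROCEDURE dbo.SearchProducts
    @Name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price
    FROM dbo.Products
    WHERE Name LIKE N'%' + @Name + N'%';
END;
GO

-- When dynamic SQL is genuinely needed (a caller-chosen sort column), keep the
-- data bound through sp_executesql and accept only whitelisted identifiers.
CREATE PROCEDURE dbo.SearchProductsSorted
    @Name   NVARCHAR(100),
    @SortBy SYSNAME
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortBy NOT IN (N'Name', N'Price')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(500), @pattern NVARCHAR(102);
    SET @pattern = N'%' + @Name + N'%';
    SET @sql = N'SELECT ProductId, Name, Price FROM dbo.Products '
             + N'WHERE Name LIKE @p ORDER BY ' + QUOTENAME(@SortBy);
    EXEC sp_executesql @sql, N'@p NVARCHAR(102)', @p = @pattern;
END;
GO
```

On the classic ASP side the same rule applies: pass request values to the procedure through ADODB.Command parameters (CommandType adCmdStoredProc) rather than concatenating them into the CommandText, so "scrubbing" becomes a type and length check rather than a hunt for every character SQL might interpret.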
smv939

ASKER

Dear dqmq,

Our company's network security guy is useless, and SQL Server is already behind the firewall.
He says it is from the outside.
>Encrypting traffic between your ASP server and the SQL Server at the TCP level.
   How do we do this at the TCP level? I want to implement everything possible rather than rely on our network group.
>Implement a robust security scheme on SQL Server itself.  For example, since data access will be exclusively through SP's, then restrict all data access except by SP's.
   Could you please explain this in more detail? How do we do this in SQL Server? I am new to this field. This is the first time I have faced a hacking issue in my life.

Thanks,
SMV
How is he sure that it is from the outside? Did he capture the query that corrupted the data? Did he correlate access times with users? Again, if it is from the outside stored procs and scrubbing data is all you need to do to make it safe (assuming there isn't some kind of admin portal that could be hacked).
ASKER CERTIFIED SOLUTION
dqmq

smv939

ASKER

Thanks dqmq. I will work on the SP access level.