Building an aplication that use SQL Server means that we give the SQL Server an authority to store and manage the data. In order to make sure that the data always available and secure, we need to take care the configuration that will help the development team to make sure the system and secure and available. Let’s start the tips
Tips 1. Physical Security
Put the server on a room with sufficient security (locked), secure from power surge, and of course have a backup power. Limit the access with external pheriperals such as external hard drive, usb and others. If you want to backup consider to use backup tape, secure external hard rive, or even cloud storage. Please appendix about recommended hard drive to store the application.
Tips 2. Operating System Security
We need to configure our system for SQL Server cimmunication such as TCP / IP Communication and Maintenance plan.
Tips 3. SQL Server Security
SQL server has a lot features that related security. I recommends you to do several installation and configuration below:
- If your application is built for .NET and run on a same network, we recommend you to disable user authenication using user name and password. it means you just need to use Windows Authentication. However, if your application work across domain or even internet, you should activate it.
- Turn the sql browser off. It makes the other client application can’t scan and can’t find your sql server except you give them the server name or the IP.
- Use TCP IP address to access the server. Please consider to never use the named pipe with default name, You should changes the server name and use TCP IP binding for external access.
- Move the default location of the database files when you install the database. It is good idea if you move the database location into the others location.
There are plenty of security features for SQL Server such as authorization, encryption, port access. Furthermore, you can see the detail here
Tips 4. Application Security
In order to make your application and SQL server secure you should consider following actions:
- Validate any inputs on your application to prevent SQL Injection. Using Stored Procedure is recommended.
- Limited access to SQL Server through one account for one application. It’s bad idea to create a lot SQL Server users for one application. Consider use only one users with least previllage.
- Never put server information when your codes is error. Some of developers, give the information about server name or database name when the errors happen. Never put the detail of your server on your screen.
- Use connection string builder, to ensure the sensitive data such as password is not stored on plain text on your web,config. Here are the sample codes
Tips 5. Social Engineering Security
This is the most effective security to make your application bullet proof. the tips are
- Strong password for your SQL Server access.
- Changes password at least two months for server access.
- isolate your server, open the RD access through local lan only.
That’s it, if you have others idea, please put through a comment.