11.18.03
 By
Leonard Loro
Databases are a goldmine for criminals. Successfully tracking an intrusion
can depend 100% on administering database accesses and permissions.
Unauthorized user actions, as well as possible intruder actions, need
to be tracked and audited in order to maintain the integrity of the
information stored in the database.
The security architecture of the database will depend 100%
on what the administrator is continuously auditing and tracking from
user actions. In addition, granting and providing access to the right
information - not more - is critical to stop possible intrusions.
There are a lot of tools for administering and configuring database
security. Scripts, programs and special resources are included with
vendor products (such as the SQL Server Resource kit), but it's critical
to understand how to utilize these tools. The information in the article
applies to all RDBMSs (Relational Database Management Systems) products
such as SQL Server, Oracle 8i and Sybase Adaptive Server. |
Principles of RDBMSs Security
The goal of the security architecture of a RDBMSs is to protect and
verify that every piece of information that is stored in the database.
Business information needs to be verified, to assure that the no data
has been changed. This goal is divided in the following aspects: only
authorized users should be able to view data stored in the repository,
authorized individuals should feel confident that the data presented
to them is accurate and not improperly modified and users should be
able to access the data they need, when they need it.
Most RDBMSs manage the security information with two users sysadmin
and dbaadmin. The sysadmin - system administrator - normally has authority
over the operating system resources and actions. The dbaadmin - database
administrator - has authority over the RDBMSs subsystem. For example,
in SQL Server the dbaadmin user is called "sa" by default and the
sysadmin is called "Administrator" in Windows 2000.
Users need to be given a specific type of access to utilize the information
stored on the database. When a user tries to access the database,
the RDBMS verifies it's identity using the internal subsystem before
determining or allowing the user to access the information.
For example in our business manager scenario, a business manager might
need to have "Write" access to the company financial information to
change sales information, while the secretary might need to have "Read"
access to read those reports. In that case, the dbaadmin authority
is responsible to give specific access required by the manager and
the secretary.
Those privileges apply only to those specific actions that the dbaadmin
has granted, so if the secretary user tries to write information to
the database, the RDBMS will deny it.
Security for Administration and Management
Like most computer networks and systems, a database needs to be updated
and maintained regularly. Each new user that is added or piece of
information requires several operations; starting and stopping the
RDBMS, administering user accounts and managing database backups.
To perform database maintenance operations, individual users can be
given the rights to perform operations such as database backup, creation
of reports and addition of information. Someone with a higher authority,
such as dbaadmin must grant the user the privilege to perform such
operation over the database.
Normally, only the sysadmin manages upgrades to hardware and software.
Some vendors offer proprietary RDBMS extensions to grant this ability
to non-sysadmin users. Another method to accomplish this is the use
of a non-sysadmin user that can be given the permission to perform
this operations.
Figure 1. SQL Server security properties. To access this menu go
to right click the server that you want to administer, choose Properties
and click the Security tab.
RDBMS Performance Tools
Managing RDBMS performance is about constantly monitoring the system
health and audit any changes. Common performance problems include
operating with higher response times and higher CPU usage. Interpreting
what is the source of the problems is a key part of troubleshooting
and solving performance issues.
Correctly configuring maintenance tasks on your RDBMS is a key to
good performance. Simplifying the process of configuring the RDBMS
is a key part of an operations plan. Several tools exist to create
an automate maintenance plan for your databases. Maintenance actions
can consist of database statements, operating system commands, executable
programs or scripts.
Operating system tools are used to monitor resource usage (such as
disk, CPU and memory). For example, System Monitor can be used to
manage SQL Server disk counters. Alerting capabilities and user feedback
are also key for RDBMS. User feedback can be used to find information
about how fast the end users think that the system is running. Alerts
can be used to perform actions on the RDBMS when a specific system
condition occurs.
* Originally published at 2000Trainers
About the Author:
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business
specialist. His experience includes engaging, managing and implementing
large consulting projects for government agencies and companies like
Microsoft, Nissan as well as other Fortune 500's. Leonard can be reached
at Leonardo.loro@ENresource.com, or visit ENresource.com.
Read this newsletter at: http://www.securitypronews.com/2003/1118.html |
|
| From
the Forum: |
| Networking Security |
... So, for the technology options available,
say ISDN (B and D channel) or broadband, point-point or VPN,
what are the major security headaches and solutions?
|
|
|
