SQL Server Risk Assessment – The PMP Way

Posted in: Technical Track

Recently I had a chance to speak with my friend and colleague, Ashish Sharma. We were discussing Project Management topics (he recently passed PMP and ACP). Our discussion ended on a very interesting topic – Risk Assessment.

Definition: According to PMBOK, projects can have unforeseen events or activities that can impact the project’s progress, result, or outcome in a negative or positive way. Further, a risk can be assessed using two factors – impact and probability. Determining the quantitative or qualitative value of risk related to a specific situation or recognized threat is known as Risk Assessment.

So, coming to my point, how do we apply a risk assessment framework for database systems, especially SQL Server?

I myself have never created or used a Risk Register for SQL Server, so I decided to do a little more research on the subject. I found absolutely nothing on this particular topic. However, while searching for SQL Server security, I found an article I wrote in 2009 that provides tips on protecting data.

After spending some time researching, I found a good sample Risk Register that we can use. You can download it here.

Now, this is what we have for a Risk Register. What about threats?

Below, I have identified all of the threats I can think of:

Possible Threats and Risk Mitigation

Threat: Virus Attack
Mitigation: Install AV on the DB server; however, do not forget to exclude SQL Server files.

Threat: Unauthorized Logins
Mitigation: Always audit failed login attempts (C2, Windows, SQL auditing or both) and analyze them regularly. Always rename the SA / Admin account and use a strong password mechanism on all servers. If possible, always use domain-authenticated accounts.

Threat: MiM Attack
Mitigation: To mitigate a MiM attack do the following:

  1. Isolate the database server from the Application / IIS server
  2. Configure SQL Server to use a non-default port
  3. Use encryption / SSL
  4. Use firewall inbound / outbound rules

Threat: Root Access
Mitigation: To avoid someone getting root access do the following:

  1. Disable / rename the built-in Admin account
  2. Grant the least access needed to the Service Account
  3. Use strong / random passwords

Threat: SQL Injection
Mitigation: Do the following:

  1. Avoid using dynamic SQL when you can
  2. Use parameterized queries / stored procedures
  3. Always validate the value at form level be
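As an added example (not from the original post), the following T-SQL applies the Unauthorized Logins and Root Access mitigations from the table and then reports on the failed-login audit trail the first of them produces. The replacement login name, the alert threshold and the exact error-log message layout are assumptions; run it as sysadmin on a test instance first.

```sql
-- Added example (not from the original post): hardening and detection for the
-- "Unauthorized Logins" and "Root Access" rows above. The replacement login
-- name and the alert threshold are placeholders; run as sysadmin.

-- 1. Audit failed logins (AuditLevel 2 = failed only, 3 = both); takes effect
--    after the instance restarts.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2;

-- 2. Rename, then disable, the built-in sa login (it always has sid 0x01) and
--    enforce the Windows password policy on it.
DECLARE @sa sysname = (SELECT name FROM sys.sql_logins WHERE sid = 0x01);
IF @sa = N'sa'
BEGIN
    ALTER LOGIN [sa] WITH NAME = [break_glass_admin];  -- placeholder name
    SET @sa = N'break_glass_admin';
END;
EXEC (N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE;');
EXEC (N'ALTER LOGIN ' + QUOTENAME(@sa) + N' WITH CHECK_POLICY = ON;');
-- Verify: expect is_disabled = 1 and is_policy_checked = 1
SELECT name, is_disabled, is_policy_checked FROM sys.sql_logins WHERE sid = 0x01;

-- 3. Analyse the audit trail: failed logins in the current error log, grouped
--    by login and client address so noisy sources stand out for review.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), LogText nvarchar(max));
INSERT INTO #errlog EXEC xp_readerrorlog 0, 1, N'Login failed';

WITH parsed AS (
    -- Assumed error-log text layout:
    -- Login failed for user 'x'. Reason: ... [CLIENT: 10.0.0.5]
    SELECT LogDate,
           SUBSTRING(LogText, CHARINDEX('''', LogText) + 1,
               CHARINDEX('''', LogText, CHARINDEX('''', LogText) + 1)
               - CHARINDEX('''', LogText) - 1) AS login_name,
           SUBSTRING(LogText, CHARINDEX('[CLIENT: ', LogText) + 9,
               CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
               - CHARINDEX('[CLIENT: ', LogText) - 9) AS client_addr
    FROM #errlog
    WHERE LogText LIKE 'Login failed for user ''%'
      AND LogText LIKE '%[[]CLIENT: %]%'
)
SELECT login_name, client_addr, COUNT(*) AS attempts,
       MIN(LogDate) AS first_seen, MAX(LogDate) AS last_seen
FROM parsed
GROUP BY login_name, client_addr
HAVING COUNT(*) >= 10   -- placeholder threshold; tune per environment
ORDER BY attempts DESC;
DROP TABLE #errlog;
```

Step 3 reads only the current error log (first argument 0); pass 1, 2, ... to xp_readerrorlog to cover archived logs, or point the same grouping at a SQL Audit file for a longer retention window.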


About the Author

Lead Database Consultant
I am a Database Administrator by profession, and a student of a university called life by heart. I am passionate about SQL Server, photography, reading and sharing. Currently, I'm Lead Database Consultant @Pythian. I have been a Microsoft SQL Server MVP for four years, and a published author of the book SQL Server 2008 High Availability. Keep in touch with me on twitter @ghemant
