{"id":3239,"date":"2015-07-25T17:45:25","date_gmt":"2015-07-25T16:45:25","guid":{"rendered":"http:\/\/andreas-wolter.com\/sicherheitsfixe-fuer-sql-server-und-warum-sicherheits-best-practices-wichtig-sind\/"},"modified":"2017-10-18T11:08:20","modified_gmt":"2017-10-18T10:08:20","slug":"security-fixes-for-sql-server-and-why-security-best-practices-matter","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/security-fixes-for-sql-server-and-why-security-best-practices-matter\/","title":{"rendered":"Security-Fixes for SQL Server and why Security Best Practices Matter"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_heading-23a11e535e8cdd836ee3935657cde093\">\n#top .av-special-heading.av-av_heading-23a11e535e8cdd836ee3935657cde093{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-av_heading-23a11e535e8cdd836ee3935657cde093 .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-av_heading-23a11e535e8cdd836ee3935657cde093 .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-av_heading-23a11e535e8cdd836ee3935657cde093 av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >Security-Fixes for SQL Server and why Security Best Practices Matter<\/h3><div class='av-subheading av-subheading_below'><p>(MS15-058 SQL Server Security Bulletin)<\/p>\n<\/div><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>On 14 July 2015, almost exactly one year after the first security bugs in five years had to be fixed, we have been given a new 
reason to test one\u2019s security patching policy.<\/p>\n<p>&#8211; Provided that you have such a policy for SQL Server.<!--more--><\/p>\n<p>This is not meant to point the finger at anybody: we have simply been spoiled by the lack of security-related fixes in SQL Server. Security bugs (at least those that became public) have essentially not occurred since SQL Server 2000.<\/p>\n<p>&#8211; There is a range of statistics and papers on this, such as those by the American security expert David Litchfield (<a href=\"http:\/\/www.davidlitchfield.com\/security.htm\" target=\"_blank\" rel=\"noopener\">www.davidlitchfield.com\/security.htm<\/a>), the 2010 ITIC report <a href=\"http:\/\/itic-corp.com\/blog\/2010\/09\/sql-server-most-secure-database-oracle-least-secure-database-since-2002\/\" target=\"_blank\" rel=\"noopener\">SQL Server Most Secure Database; Oracle Least Secure Database Since 2002<\/a>, and the 2013 statistics by <a href=\"https:\/\/web.nvd.nist.gov\/\" target=\"_blank\" rel=\"noopener\">NIST<\/a> (National Institute of Standards and Technology), on which the following graph is based:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-a9bd751e8ab0412c8fed22a40bea5f1d\">\n.avia-image-container.av-av_image-a9bd751e8ab0412c8fed22a40bea5f1d img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-a9bd751e8ab0412c8fed22a40bea5f1d .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-a9bd751e8ab0412c8fed22a40bea5f1d av-styling- avia-align-center  avia-builder-el-2  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3235 avia-img-lazy-loading-not-3235 avia_image ' 
src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1507_Database_vulnerabilities_by_NIST_2013.png\" alt='Database vulnerabilities by NIST, 2013' title='1507_Database_vulnerabilities_by_NIST_2013'  height=\"214\" width=\"605\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1507_Database_vulnerabilities_by_NIST_2013.png 605w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1507_Database_vulnerabilities_by_NIST_2013-600x212.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1507_Database_vulnerabilities_by_NIST_2013-300x106.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1507_Database_vulnerabilities_by_NIST_2013-450x159.png 450w\" sizes=\"(max-width: 605px) 100vw, 605px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Since SQL Server has, according to the NIST data, been the most secure database system five years in a row, it may indeed have slipped out of administrators\u2019 focus when it comes to security patching.<\/p>\n<p>The Security Bulletin from July 2015:<\/p>\n<p><strong>Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718)<\/strong><\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/MS15-058\" target=\"_blank\" rel=\"noopener\">https:\/\/technet.microsoft.com\/en-us\/library\/security\/MS15-058<\/a><\/p>\n<p>Three security vulnerabilities are described there:<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><ul>\n<li><a 
href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-1761\" target=\"_blank\" rel=\"noopener\"><strong>SQL Server Elevation of Privilege Vulnerability &#8211; CVE-2015-1761<\/strong><\/a><\/li>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-1762\" target=\"_blank\" rel=\"noopener\"><strong>SQL Server Remote Code Execution Vulnerability &#8211; CVE-2015-1762<\/strong><\/a><\/li>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-1763\" target=\"_blank\" rel=\"noopener\"><strong>SQL Server Remote Code Execution Vulnerability &#8211; CVE-2015-1763<\/strong><\/a><\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>Which SQL Server versions are affected?<\/strong><\/p>\n<p>The list, starting with <strong>SQL Server 2008 Service Pack 3<\/strong> and ending with <strong>SQL Server 2014<\/strong>, can be found in the bulletin.<\/p>\n<p>A more precise lookup by the build number of the respective SQL Engine is possible in this blog article by Microsoft:<\/p>\n<p><a href=\"http:\/\/blogs.msdn.com\/b\/sqlreleaseservices\/archive\/2015\/07\/14\/ms15-058-sql-server-security-bulletin-released.aspx\" target=\"_blank\" rel=\"noopener\">http:\/\/blogs.msdn.com\/b\/sqlreleaseservices\/archive\/2015\/07\/14\/ms15-058-sql-server-security-bulletin-released.aspx<\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>Under what circumstances can a system be attacked due to these bugs?<\/strong><\/p>\n<p>The preconditions for the three security bugs differ, of course, and are 
(on purpose) not described down to the last detail.<\/p>\n<p>What can be read from it, however, is that those who have assigned permissions in a fine-grained and deliberate way are significantly less exposed, since in some cases schema-alteration permissions within the database are a prerequisite.<\/p>\n<p>Therefore, I would like to reiterate that one is well advised to grant only the permissions that are actually needed and to treat schemas as security boundaries. Membership in <em>db_owner<\/em>, for example, should be off-limits for application users.<\/p>\n<p>Those who have followed such rules so far can continue to feel fairly safe, since the opportunity to abuse these vulnerabilities is thus greatly reduced. Reduced exposure is no substitute for the patch, though: the fixes should still be installed.<\/p>\n<p>For this reason, one should always take <strong>security best practices<\/strong> to heart.<\/p>\n<p>A <em>vulnerability<\/em> does not yet make an <em>exploit<\/em>.<\/p>\n<p>Here are a couple of links related to security matters in SQL Server:<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/bb283235.aspx\" target=\"_blank\" rel=\"noopener\">Securing SQL Server<\/a><\/p>\n<p><a href=\"http:\/\/blogs.msdn.com\/b\/sqlsecurity\/\" target=\"_blank\" rel=\"noopener\">SQL Server Security Blog<\/a><\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dd283095%28SQL.100%29.aspx\" target=\"_blank\" rel=\"noopener\">SQL Server Best Practices \u2013 Implementation of Database Object Schemas<\/a><\/p>\n<p><a href=\"http:\/\/download.microsoft.com\/download\/8\/F\/A\/8FABACD7-803E-40FC-ADF8-355E7D218F4C\/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx\" target=\"_blank\" rel=\"noopener\">SQL Server 2012 Security Best Practices \u2013 Operational and 
Administrative Tasks<\/a><\/p>\n<p>SQL Server 2012 <a href=\"http:\/\/sqlserverlst.codeplex.com\/\" target=\"_blank\" rel=\"noopener\">Label Security Toolkit and white paper<\/a><\/p>\n<p><a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2014\/06\/sql-server-database-ownership-survey-results-recommendations\" target=\"_blank\" rel=\"noopener\">SQL Server Database Ownership: recommendations<\/a><\/p>\n<p><a href=\"http:\/\/blogs.msdn.com\/b\/sqlsecurity\/archive\/2010\/09\/24\/guest-account-in-user-databases.aspx\" target=\"_blank\" rel=\"noopener\">Guest account in User Databases<\/a><\/p>\n<p><a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2016\/02\/schema-design-for-sql-server-recommendations-for-schema-design-with-security-in-mind\" target=\"_blank\" rel=\"noopener\">Schema-design for SQL Server: recommendations for Schema design with security in mind<\/a><\/p>\n<p><br class=\"clear\" \/>Happy patching<\/p>\n<p>Andreas<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_one_full-97c650ae075063b375f558a776c570f8\">\n#top .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n.flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n.responsive #top #wrap_all .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n<\/style>\n<div  class='flex_column av-av_one_full-97c650ae075063b375f558a776c570f8 av_one_full  avia-builder-el-8  el_after_av_textblock  el_before_av_hr  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" 
><\/div><\/section><\/div>\r\n\r\n<div  class='hr av-av_hr-0ff602b3e980a3377077ff3c1c834df6 hr-default  avia-builder-el-10  el_after_av_one_full  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_hr-4474f20d2389e2e5ecf918a02da5132e\">\n#top .hr.hr-invisible.av-av_hr-4474f20d2389e2e5ecf918a02da5132e{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-av_hr-4474f20d2389e2e5ecf918a02da5132e hr-invisible  avia-builder-el-12  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n","protected":false},"excerpt":{"rendered":"On 14 July 2015, almost exactly one year after the first security bugs in five years had to be fixed, we have been given a new reason to test one\u2019s security patching policy. 
&#8211; Provided that you have such a policy for SQL Server.","protected":false},"author":4,"featured_media":3235,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[128,57],"tags":[216,27],"class_list":["post-3239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-patching","category-security-en","tag-patching-en","tag-security-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3239"}],"version-history":[{"count":4,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3239\/revisions"}],"predecessor-version":[{"id":3727,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3239\/revisions\/3727"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3235"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
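The recommendation in the post above (grant only the permissions an application actually needs, treat schemas as security boundaries, keep application users out of db_owner) carried through as an added T-SQL example. This is not code from the original post or from Microsoft; the database AppDb, the schema app, the role app_rw, the user app_svc and the login CORP\svc_app are hypothetical names. The audit at the end goes one step further than the text: besides db_owner members it also lists principals holding ALTER or CONTROL at schema or database level, or owning a schema, since schema-alteration rights are what the post names as a precondition for some of the MS15-058 bugs.

```sql
-- Added example, not from the original post or from Microsoft.
-- Database, schema, role, user and login names are hypothetical.
USE [AppDb];
GO

-- 0. Build number, to compare with the fixed builds Microsoft lists for MS15-058.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;
GO

-- 1. A dedicated schema owned by dbo: the application user gets rights ON the
--    schema, never ownership of it, so it cannot ALTER the schema or take over
--    objects inside it.
IF SCHEMA_ID(N'app') IS NULL
    EXEC (N'CREATE SCHEMA app AUTHORIZATION dbo;');
GO

-- 2. A role carrying only what the application needs: DML on the app schema
--    and EXECUTE on its procedures. No ALTER, CONTROL or TAKE OWNERSHIP.
IF DATABASE_PRINCIPAL_ID(N'app_rw') IS NULL
    CREATE ROLE app_rw AUTHORIZATION dbo;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO app_rw;
GRANT EXECUTE ON SCHEMA::app TO app_rw;
GO

-- 3. The application user is a member of that role only. Default schema = app
--    so unqualified names resolve there and nobody is tempted to create in dbo.
IF DATABASE_PRINCIPAL_ID(N'app_svc') IS NULL
    CREATE USER app_svc FOR LOGIN [CORP\svc_app] WITH DEFAULT_SCHEMA = app;
ALTER ROLE app_rw ADD MEMBER app_svc;
-- Undo the classic shortcut of an earlier setup that put the user into db_owner.
IF IS_ROLEMEMBER(N'db_owner', N'app_svc') = 1
    ALTER ROLE db_owner DROP MEMBER app_svc;
GO

-- 4. Audit: who in this database is a db_owner member, holds ALTER/CONTROL at
--    schema or database level, or owns a schema? Run per user database;
--    every row that is not dbo is something to justify or remove.
SELECT 'db_owner member'   AS finding,
       m.name              AS principal_name,
       m.type_desc         AS principal_type,
       CAST(NULL AS sysname) AS schema_or_scope
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
  AND m.name <> N'dbo'
UNION ALL
SELECT 'ALTER/CONTROL on schema or database',
       p.name, p.type_desc,
       CASE dp.class_desc
            WHEN 'SCHEMA'   THEN SCHEMA_NAME(dp.major_id)
            WHEN 'DATABASE' THEN DB_NAME()
       END
FROM sys.database_permissions dp
JOIN sys.database_principals p ON p.principal_id = dp.grantee_principal_id
WHERE dp.state IN ('G', 'W')          -- GRANT / GRANT WITH GRANT OPTION
  AND dp.class_desc IN ('SCHEMA', 'DATABASE')
  AND dp.permission_name IN (N'ALTER', N'CONTROL', N'ALTER ANY SCHEMA', N'TAKE OWNERSHIP')
  AND p.name <> N'dbo'
UNION ALL
SELECT 'owns a schema',
       p.name, p.type_desc, s.name
FROM sys.schemas s
JOIN sys.database_principals p ON p.principal_id = s.principal_id
WHERE p.name NOT IN (N'dbo', N'sys', N'INFORMATION_SCHEMA', N'guest')
  AND NOT (p.type = 'R' AND p.is_fixed_role = 1)   -- skip db_owner & co. owning their own schemas
ORDER BY finding, principal_name;
```

ALTER ROLE ... ADD MEMBER / DROP MEMBER and IS_ROLEMEMBER require SQL Server 2012 or later; on SQL Server 2008 / 2008 R2, which the bulletin also covers, use sp_addrolemember, sp_droprolemember and sp_helprolemember instead. The audit is the part worth scheduling: an application user that shows up in it has exactly the kind of broad rights the post describes as the precondition an attacker would need.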