8.12 Database Services Countermeasures

  • Ensure that database user passwords (sa and probe accounts found in Microsoft SQL Server, root under MySQL, etc.) are adequately strong.

  • Filter and control public Internet-based access to database service ports, in particular to prevent determined attackers from launching brute-force password-grinding attacks. In the case of Oracle and its TNS Listener, this point is extremely important.

  • Don't run publicly accessible remote maintenance services on database servers; this deters creation of a .rhosts file for the Oracle TNS Listener user and other types of grappling-hook attacks. If remote access is required, restrict it to specific staging hosts and, if possible, use two-factor authentication, for example SSH with public keys.

  • If SQL services are accessible from the Internet or other untrusted networks, ensure they are patched with the latest service packs and security hotfixes so that they are resilient against buffer overflows and other types of remote attack.
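As an added example (not from the book), the following Python check supports the second countermeasure: it reads `ss -ltn`-style output and flags database listeners (SQL Server 1433, Oracle TNS 1521, MySQL 3306) bound to a wildcard or to an address outside the internal networks. The sample socket listing and the 10.0.0.0/8 internal range are constructed for illustration.

```python
"""Flag database service ports bound where untrusted networks can reach them."""
import ipaddress
from dataclasses import dataclass

# Default ports of the database services mentioned in the countermeasures.
DB_PORTS = {1433: "Microsoft SQL Server", 1521: "Oracle TNS Listener", 3306: "MySQL"}

# Constructed sample in the layout of `ss -ltn` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     0.0.0.0:1521        0.0.0.0:*
LISTEN  0       128     10.0.5.20:1433      0.0.0.0:*
LISTEN  0       128     [::]:1521           [::]:*
"""


@dataclass
class Finding:
    address: str
    port: int
    service: str


def parse_local_sockets(text):
    """Yield (address, port) for each LISTEN row; handles IPv4 and bracketed IPv6."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # split on the last ':' only
        yield addr.strip("[]"), int(port)


def is_exposed(addr, internal_nets):
    """True if the bind address is a wildcard or lies outside the internal networks."""
    if addr in ("0.0.0.0", "::", "*"):
        return True
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return False
    return not any(ip in net for net in internal_nets)


def exposed_db_listeners(text, internal_cidrs=("10.0.0.0/8",)):
    """Return Findings for database ports reachable beyond loopback/internal ranges."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    return [Finding(a, p, DB_PORTS[p]) for a, p in parse_local_sockets(text)
            if p in DB_PORTS and is_exposed(a, nets)]


if __name__ == "__main__":
    for f in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.service} listening on {f.address}:{f.port} is externally reachable")
```

Run it against real `ss -ltn` output (or an equivalent listing) and adjust the internal CIDR list to match the network that the application tier actually uses.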