How to prevent SQL Server and Internet Explorer hack attacks


Davey Winder, Contributor

This tip is part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.

Given the sheer number of SQL Server installations out there and the number of exploits that attempt to compromise them (SQL Slammer, anyone?), it would be stupid not to look at the ways to secure SQL Server, since it is considered 'data central' for many Windows users. The same argument goes for Internet Explorer. In this article, we'll cover the basics of how to best secure both of those Microsoft technologies.

Securing Microsoft SQL Server
Use Microsoft's own SQL Scan tool to discover every SQL Server instance on the network. SQL Server's own Server Network Utility lets you set the TCP port for each instance manually; don't assume they will all be left at the default TCP 1433. Then block access to whichever ports are actually in use at the firewall, so that untrusted clients cannot reach them.

With SQL, more than any other Windows technology (Internet Explorer excepted), vendor patches are a critical component in the security process, so use them, and do so in a timely fashion. Equally, assign the strongest passwords possible to the server administration account, including on servers running in 'Windows Only' authentication mode. Otherwise the server will be immediately vulnerable if that mode is ever changed in the future. Furthermore, 'Windows Only' authentication should be the default configuration for every new installation. Finally, starting with SQL Server 2005, the software comes with a native data encryption infrastructure. Use it!
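As an added example (not code from the article), here is a PowerShell audit of the local host that complements a network-wide SQL Scan sweep: it lists every installed instance, the TCP port it actually listens on, and whether it runs in 'Windows Only' authentication mode. It assumes the registry layout used by SQL Server 2005 and later and should be run elevated on the database server itself.

```powershell
# Added example: audit locally installed SQL Server instances for the two points the
# article raises, the real TCP port (so the firewall rule matches reality) and the
# authentication mode. Assumes the SQL Server 2005+ registry layout; run elevated.
$base  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$names = Get-ItemProperty -Path "$base\Instance Names\SQL" -ErrorAction SilentlyContinue
if (-not $names) { Write-Warning 'No SQL Server instances registered on this host'; return }

foreach ($prop in $names.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
    $instance = $prop.Name          # e.g. MSSQLSERVER or SQLEXPRESS
    $id       = $prop.Value         # e.g. MSSQL.1 (2005) or MSSQL10.MSSQLSERVER (2008)
    $engine   = "$base\$id\MSSQLServer"

    # LoginMode 1 = Windows authentication only, 2 = mixed (SQL + Windows) authentication
    $loginMode = (Get-ItemProperty -Path $engine -Name LoginMode -ErrorAction SilentlyContinue).LoginMode
    $authText  = if ($loginMode -eq 1) { 'Windows Only (OK)' }
                 else { "Mixed mode (LoginMode=$loginMode) - review sa password strength" }

    # IPAll holds what the listener really uses. A non-empty TcpDynamicPorts means the port
    # can change at every restart, which a static firewall rule will silently stop matching.
    $tcp  = Get-ItemProperty -Path "$engine\SuperSocketNetLib\Tcp\IPAll" -ErrorAction SilentlyContinue
    $port = if ($tcp.TcpPort) { $tcp.TcpPort }
            elseif ($tcp.TcpDynamicPorts) { "dynamic ($($tcp.TcpDynamicPorts))" }
            else { 'unknown (TCP may be disabled)' }
    $portNote = if ($tcp.TcpPort -eq '1433') { 'default 1433' }
                elseif ($tcp.TcpPort) { 'non-default; firewall rule must match this port' }
                else { 'no static port; pin one so the firewall rule can be exact' }

    [pscustomobject]@{
        Instance       = $instance
        Authentication = $authText
        TcpPort        = $port
        PortNote       = $portNote
    }
}
```

Compare the output with the firewall rules in front of the server: a port other than 1433, or a dynamic port, is exactly the case the article warns about.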

Securing Microsoft Internet Explorer
For the best in Microsoft-driven Web browser security, run Internet Explorer 7 on Windows Vista in Protected Mode. Always use Internet Explorer's security zones and configure them properly. Set the defaults to 'high', switch into 'custom level' mode and disable ActiveX controls and plug-ins, scripting of the IE Web browser control, and meta refresh. Finally, set the launching of programs inside an IFRAME to 'prompt'.

Further Internet Explorer hardening can be achieved by dealing with ActiveX issues. In short, don't allow ActiveX controls to control Windows security.

If you are using an older version of Internet Explorer, simply disable ActiveX through the IE security zones option for the best protection. Better still, upgrade to Internet Explorer 7 and make use of the ActiveX opt-in functionality it introduced. This disables most ActiveX controls by default and prompts before enabling one when a page requests it. Such prompts follow a more intuitive set of ActiveX best-practice rules that take most of the guesswork out of the user's decision. Ensure that you disable the ability to 'Script ActiveX controls marked safe for scripting', because this can otherwise be exploited by malicious controls and drive-by-download websites.
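As an added example (not code from the article), this PowerShell function checks the current user's Internet zone (zone 3) against the specific settings the two paragraphs above call for, and can apply them with a switch. It assumes the IE 6/7-era registry layout, where the value IDs follow Microsoft's documented zone registry entries (KB182569) and 0 = Enable, 1 = Prompt, 3 = Disable; a Group Policy setting in HKLM can override what is shown here.

```powershell
# Added example: audit (and optionally fix) the Internet zone settings named in the article.
# Assumes the documented zone registry layout (KB182569): 0 = Enable, 1 = Prompt, 3 = Disable.
function Test-IeInternetZone {
    param([switch]$Fix)
    $zone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $wanted = @(
        @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';                 Value = 3 }
        @{ Id = '1405'; Name = 'Script ActiveX controls marked safe for scripting'; Value = 3 }
        @{ Id = '1206'; Name = 'Allow scripting of IE Web browser control';         Value = 3 }
        @{ Id = '1608'; Name = 'Allow META REFRESH';                                Value = 3 }
        @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';         Value = 1 }
    )
    $props = Get-ItemProperty -Path $zone -ErrorAction Stop
    foreach ($w in $wanted) {
        $current = $props.($w.Id)           # $null when the value has never been written
        $ok = ($current -eq $w.Value)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $zone -Name $w.Id -Value $w.Value -Type DWord
        }
        [pscustomobject]@{
            Setting  = $w.Name
            Current  = if ($null -eq $current) { 'not set (template default)' } else { $current }
            Expected = $w.Value
            Status   = if ($ok) { 'OK' } elseif ($Fix) { 'fixed' } else { 'REVIEW' }
        }
    }
}

# Report only; add -Fix to write the recommended values.
Test-IeInternetZone | Format-Table -AutoSize
```

The 'high' template the article tells you to select first changes many more values than these five; this check only covers the ones the text names explicitly.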

Internet Explorer Security: A religious experience
Do not be tempted by false idols, such as the many well-publicised workarounds to disable the Vista User Account Control (UAC) system. While disabling this can make installing applications less annoying, running with it greatly hardens Internet Explorer 7 security.

Likewise, do not avoid worshiping at the altar of "Patch Tuesday." Install IE 7 patches with a religious fervour. Talking of religion, for increased security over IE 7, consider switching to a more secure Web browser such as Firefox 3 (it's too early to recommend Google Chrome from a security perspective). Sure, Firefox has security problems of its own, but the much smaller user base makes it less attractive to hackers, and so the majority of exploits are still targeted squarely at Internet Explorer.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Copyright 2008 - 2010, TechTarget. All Rights Reserved.