MsSql

关注公众号 jb51net

关闭
首页 > 数据库 > MsSql > SQL Server安全配置检查与优化

SQL Server安全配置全面检查与优化方案

作者:施嘉伟

本文介绍了SQLServer数据库安全配置检查与优化方案,覆盖不同系统和数据库版本,通过多条SQL脚本检测密码策略、加密、备份等关键安全项,帮助管理员发现并修复安全隐患,提高数据库安全性,需要的朋友可以参考下

一、说明

1.1 覆盖操作系统和数据库版本

1.2 查询最小权限要求

例如创建的shijw用户,授权如下:

ALTER SERVER ROLE [diskadmin] ADD MEMBER [shijw];
ALTER SERVER ROLE [processadmin] ADD MEMBER [shijw];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [shijw];
ALTER SERVER ROLE [setupadmin] ADD MEMBER [shijw];

二、SQL语句

2.1 数据库用户密码复杂度认证

SELECT name, is_policy_checked FROM sys.sql_logins;

SQL返回结果:

2.2 数据库用户密码有效期策略

SELECT name, is_policy_checked FROM sys.sql_logins;

SQL返回结果:

2.3 连接会话限制

SELECT CONVERT(Numeric(18,2), CONVERT(Numeric(18,2), c.value_in_use) / CONVERT(Numeric(18,2), maximum) * 100) AS user_count
FROM sys.configurations c
WHERE c.name = 'user connections';

SQL返回结果:

2.4 连接数据库进程数限制

SELECT CONVERT(Decimal(18,0), (SUM(s.current_workers_count) * 1.0 / i.max_workers_count) * 100) AS CPU线程使用率
FROM sys.dm_os_sys_info i, sys.dm_os_schedulers s
GROUP BY i.max_workers_count;

SQL返回结果:

2.5 物理备份

SELECT bs.database_name, 
       BACKUPTYPE = CASE
           WHEN bs.type = 'D' AND bs.is_copy_only = 0 THEN 'Full Database'
           WHEN bs.type = 'D' AND bs.is_copy_only = 1 THEN 'Full Copy-Only Database'
           WHEN bs.type = 'I' THEN 'Differential database backup'
           WHEN bs.type = 'L' THEN 'Transaction Log'
           WHEN bs.type = 'F' THEN 'File or filegroup'
           WHEN bs.type = 'G' THEN 'Differential file'
           WHEN bs.type = 'P' THEN 'Partial'
           WHEN bs.type = 'Q' THEN 'Differential partial' END + ' Backup',
       CASE bf.device_type 
           WHEN 2 THEN 'Disk'
           WHEN 5 THEN 'Tape'
           WHEN 7 THEN 'Virtual device'
           WHEN 9 THEN 'Azure Storage'
           WHEN 105 THEN 'A permanent backup device'
           ELSE 'Other Device' END AS DeviceType,
       bs.Backup_Start_Date, 
       BackupFinishDate = bs.Backup_Finish_Date,
       [BackupStatus] = CASE bs.Backup_Start_Date WHEN NULL THEN '备份失败' ELSE '成功' END,
       LatestBackupLocation = bf.physical_device_name
FROM msdb.dbo.backupset bs
LEFT JOIN msdb.dbo.backupmediafamily bf ON bs.[media_set_id] = bf.[media_set_id]
WHERE bs.backup_start_date > DATEADD(MONTH, - 2, sysdatetime())
ORDER BY bs.database_name ASC, bs.Backup_Start_Date DESC;

SQL返回结果:

2.6 网络传输加密

SELECT DISTINCT (encrypt_option) FROM sys.dm_exec_connections;

SQL返回结果:

2.7 数据库存储加密

SELECT D.name AS 'Database Name',
       CASE
           WHEN E.encryption_state = 3 THEN 'Encrypted'
           WHEN E.encryption_state = 2 THEN 'In Progress'
           ELSE 'Not Encrypted'
       END AS state
FROM sys.dm_database_encryption_keys E
RIGHT JOIN sys.databases D ON D.database_id = E.database_id
LEFT JOIN sys.certificates c ON E.encryptor_thumbprint = c.thumbprint;

SQL返回结果:

2.8 透明加密

SELECT name, is_encrypted FROM sys.databases;

SQL返回结果:

2.9 连接超时机制

SELECT COMMENT, value FROM SYS.SYSCONFIGURES WHERE COMMENT LIKE 'remote%';

SQL返回结果:

2.10 数据库版本补丁

SELECT @@VERSION;
SELECT SERVERPROPERTY('ProductVersion');

2.11 弱口令

SELECT name, create_date, is_disabled FROM sys.sql_logins WHERE PWDCOMPARE('', password_hash) = 1;
SELECT name, create_date, is_disabled FROM sys.sql_logins WHERE PWDCOMPARE(name, password_hash) = 1;

2.12 C2审计

SELECT value FROM sys.sysconfigures WHERE comment = 'c2 audit mode';

SQL返回结果:

2.13 SQL审核

SELECT status FROM sys.dm_server_audit_status WHERE status = 1;

SQL返回结果:

2.14 SQL注入

SELECT value FROM sys.sysconfigures WHERE comment = 'Enable or disable command shell';

SQL返回结果:

三、总结

这些SQL脚本主要用于检查SQL Server数据库的安全配置,确保数据库在操作系统、权限控制、备份、加密以及其他关键领域符合最佳实践。根据执行结果,系统管理员可以针对发现的问题采取相应的补救措施,进一步加强数据库的安全性。

以上就是SQL Server安全配置全面检查与优化方案的详细内容,更多关于SQL Server安全配置检查与优化的资料请关注脚本之家其它相关文章!

您可能感兴趣的文章:
阅读全文