This tip is part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.
TABLE OF CONTENTS
Windows password security: Systems tools and policy
Securing Windows services to prevent hacker attacks
How to prevent SQL Server and Internet Explorer hack attacks
How to detect and remove rootkits with Windows encryption
Windows security: Remote Desktop, hosts file and keyboard lock down
Given the sheer number of SQL Server installations out there and the number of exploits that attempt to compromise them (SQL Slammer, anyone?), it would be stupid not to look at the ways to secure SQL Server, since it is considered 'data central' for many Windows users. The same argument goes for Internet Explorer. In this article, we'll cover the basics of how to best secure both of those Microsoft technologies.
Securing Microsoft SQL Server
Use Microsoft's own SQL Scan tool to discover all instances of SQL servers on the network. SQL's own Server Network Utility will enable the setting of TCP ports for these manually; don't assume they will all be defaulted to TCP 1433 and then blocked via the firewall to these ports from untrusted clients.
With SQL, more than any other Windows technology (Internet Explorer excepted), vendor patches are a critical component in the security process, so use them, and do so in a timely fashion. Equally, assign the strongest passwords possible to the server administration account, including those running in 'Windows Only' authentication mode. Otherwise the server will be immediately vulnerable if that mode is ever changed in the future. Furthermore, 'Windows Only' authentication should be the default configuration for every new installation. Finally, starting with SQL Server 2005, the software comes with a native data encryption infrastructure. Use it!
Securing Microsoft Internet Explorer
For the best in Microsoft-driven Web browser security, run Internet Explorer 7 on Windows Vista in protected mode. Internet Explorer security zones should always be used and configured properly to ensure security. Set the defaults to 'high', switch into 'custom level mode' and disable ActiveX controls and plug-ins, scripting of IE Web browser controls and meta refresh. Finally, set the launching of programs inside an Iframe to 'prompt.'
Further Internet Explorer hardening can be achieved by dealing with ActiveX issues. In short, don't allow ActiveX controls to control Windows security.
Simply disable ActiveX using the IE security zones option for the best protection if using older versions of Internet Explorer. Better still, upgrade to Internet Explorer 7 and make use of the ActiveX opt-in functionality it introduced. This by default disables most ActiveX controls and uses prompts to enable them when requested. Such prompts follow a more intuitive set of ActiveX best practice rules to take most of the user guesswork out of the decision-making process. Ensure that you disable the ability to 'Script ActiveX controls marked safe for scripting' because this can otherwise be exploited by malicious controls and drive-by-download websites.
Internet Explorer Security: A religious experience
Do not be tempted by false idols, such as the many well-publicised workarounds to disable the Vista User Account Control (UAC) system. While disabling this can make installing applications less annoying, running with it greatly hardens Internet Explorer 7 security.
Likewise, do not avoid worshiping at the altar of "Patch Tuesday." Install IE 7 patches with a religious fervour. Talking of religion, for increased security over IE 7, consider switching to a more secure Web browser such as Firefox 3 (it's too early to recommend Google Chrome from a security perspective). Sure, Firefox has security problems of its own, but the much smaller user base makes it less attractive to hackers, and so the majority of exploits are still targeted squarely at Internet Explorer.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.