Hardening Database Server (MS SQL)

Data used by NAM components (NAM Server and NAM Console) is stored in Microsoft SQL Server databases. You can take extra steps to enhance the security of the data that NAM keeps there by following the guidelines below.

Key elements for enhancing security of NAM databases are:

  • SSL encrypted connection between NAM components and MS SQL Server
  • Transparent Data Encryption (TDE) of database files in MS SQL Server
  • Performing regular database backups
  • Following best practices in securing access to your MS SQL Server

SSL encrypted connection between NAM components and MS SQL Server

Ensure SSL is enabled between NAM components and SQL Server.

Enable TLS 1.2 and secure ciphers to protect the database connection.
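The two bullets above say what to enforce, but not how to confirm it. The following T-SQL is an added example (not part of the NAM documentation) that checks, from the server side, whether the sessions opened by NAM components actually arrive encrypted; the `sys.dm_exec_connections` column `encrypt_option` is 'TRUE' only for TLS-protected sessions. Nothing here is NAM-specific; the count query is meant to be run from a monitoring job.

```sql
-- Added example (not from the NAM documentation): list every user session and
-- whether its connection is TLS-encrypted. Run on the MS SQL Server instance
-- that hosts the NAM databases; requires VIEW SERVER STATE.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,          -- machine the NAM Server / NAM Console connects from
    s.program_name,
    c.net_transport,      -- TCP is expected for remote NAM components
    c.encrypt_option,     -- 'TRUE' when the session is TLS-encrypted
    c.auth_scheme         -- SQL, NTLM or KERBEROS
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.host_name;

-- Monitoring check: any non-zero result means a client is talking to the
-- server without encryption and its connection settings need correcting.
SELECT COUNT(*) AS unencrypted_sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE';
```

Note that this view only tells you whether a session is encrypted, not which TLS version or cipher was negotiated; the protocol and cipher restrictions (TLS 1.2 only, secure ciphers) are enforced in the operating system's SCHANNEL configuration and must be verified there.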

Transparent Data Encryption (TDE) of database files in MS SQL Server

Transparent Data Encryption (TDE) overview

NAM supports Transparent Data Encryption (TDE), a technology employed by Microsoft, IBM and Oracle to protect data at the file level by encrypting the physical database files, both the data (mdf) and log (ldf) files.

  • Microsoft offers TDE as part of its Microsoft SQL Server 2008, 2008 R2, 2012, 2014, 2016 and 2017.
  • TDE is only supported on the Evaluation, Developer, Enterprise and Datacenter editions of Microsoft SQL Server.

Standard SQL Server edition does not support TDE, but Microsoft offers an in-place upgrade to Enterprise edition.

TDE was designed so that the entire encryption process is completely transparent to the applications accessing the database. Encryption is performed at the page level: the pages of an encrypted database are encrypted before they are written to disk and decrypted when they are read into memory. As a result, there are no limitations on querying the data in an encrypted database.

  • TDE does not increase the size of the encrypted database.
  • As a result of enabling TDE, database backups will also be encrypted.
  • When enabling TDE, you should immediately back up the certificate and the private key associated with the certificate. If the certificate ever becomes unavailable or if you must restore or attach the database on another server, you must have backups of both the certificate and the private key or you will not be able to open the database.
  • The tempdb database will also be automatically encrypted, because tempdb is shared by all user databases.

For more information about TDE, see the Microsoft documentation.

Follow these steps to enable or disable TDE in MS SQL Server
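The Microsoft steps linked above are the authoritative procedure. As an added example (not from the NAM documentation or from Microsoft's page), the T-SQL below shows the same sequence end to end, including the certificate backup that the bullet list above insists on and a verification query. The database name `NAM_DB`, the certificate name `NamTdeCert`, the file paths and the password placeholders are assumptions to replace with your own values.

```sql
-- Added example (not from the NAM documentation): enable TDE on one user
-- database. NAM_DB, NamTdeCert, the D:\secure\ paths and the <...> password
-- placeholders are assumptions; substitute your own before running.
USE master;
GO

-- 1. Database master key in master, protected by a strong password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO

-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE NamTdeCert WITH SUBJECT = 'TDE certificate for NAM databases';
GO

-- 3. Back up the certificate AND its private key immediately. Without both
--    files (and this password) the database cannot be restored or attached
--    on another server. Keep the backups off the database server.
BACKUP CERTIFICATE NamTdeCert
    TO FILE = 'D:\secure\NamTdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\secure\NamTdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-private-key-password>'
    );
GO

-- 4. Create the DEK inside the user database and switch encryption on.
USE NAM_DB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE NamTdeCert;
GO
ALTER DATABASE NAM_DB SET ENCRYPTION ON;
GO

-- 5. Verify. encryption_state: 1 = unencrypted, 2 = encryption in progress,
--    3 = encrypted. tempdb is listed as well and reaches state 3 on its own
--    once any user database on the instance is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete          -- progress of the background encryption scan
FROM sys.dm_database_encryption_keys;
GO

-- Disabling TDE later reverses step 4. Only drop the DEK after
-- encryption_state has returned to 1, and keep the certificate for as long
-- as any backup taken while TDE was on might still need to be restored.
-- ALTER DATABASE NAM_DB SET ENCRYPTION OFF;
-- DROP DATABASE ENCRYPTION KEY;
```

Step 5 is also the check to repeat after a server migration: if the certificate was not restored first, the database stays inaccessible and the view will not show it at all.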

Performing regular database backups

MS SQL Server best practices

Database user roles and permissions

  • Limit access to the database to only authorized users.
  • Use operating system accounts to log in to database server machines. Administrative duties should be performed using individual accounts, not a shared group account; a group account may be permitted to run automated monitoring jobs such as backups. For more information, see Setting database user rights.
  • Enforce strong database passwords when technically possible.
  • Remove unneeded default accounts or change their default passwords. For NAM, make sure that the default database sa account is not used in any of the NAM products. For more information, see Updating database owner password.
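The four bullets above map directly onto a small amount of T-SQL. The block below is an added example (not from the NAM documentation): it creates a dedicated login with password policy enforced, grants it database-level rights only, takes the sa account out of use, and ends with a review query for privileged logins. The login name `nam_app`, the database name `NAM_DB`, the new name for sa and the role memberships are assumptions; the exact rights NAM needs are listed under Setting database user rights, so adjust the roles to match that page rather than these placeholders.

```sql
-- Added example (not from the NAM documentation). nam_app, NAM_DB, sa_disabled
-- and the db_datareader/db_datawriter roles are placeholders; align the roles
-- with the rights NAM actually requires (see "Setting database user rights").
USE master;
GO

-- Dedicated SQL login for the NAM products, with the Windows password policy
-- and expiration enforced so weak or stale passwords are rejected.
CREATE LOGIN nam_app
    WITH PASSWORD = '<strong-generated-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = NAM_DB;
GO

-- Map the login to a database user and grant data access only: no db_owner,
-- and no server-level roles such as sysadmin.
USE NAM_DB;
GO
CREATE USER nam_app FOR LOGIN nam_app;
ALTER ROLE db_datareader ADD MEMBER nam_app;
ALTER ROLE db_datawriter ADD MEMBER nam_app;
GO

-- Take sa out of use once every NAM product has been reconfigured to use
-- nam_app: rename it (attackers guess "sa" first) and then disable it.
USE master;
GO
ALTER LOGIN sa WITH NAME = [sa_disabled];
ALTER LOGIN [sa_disabled] DISABLE;
GO

-- Review query: every login, whether it is enabled, whether it is a sysadmin,
-- and whether the password policy applies. Only individual administrator
-- accounts should appear with is_sysadmin = 1 and is_disabled = 0.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin,
       sl.is_policy_checked,      -- NULL for Windows logins and groups
       sl.is_expiration_checked
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
    ON sl.principal_id = sp.principal_id
WHERE sp.type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND sp.name NOT LIKE '##%'          -- skip certificate-based system principals
ORDER BY is_sysadmin DESC, sp.name;
```

Run the review query on a schedule and compare the result with the previous run; a new row with `is_sysadmin = 1` or a login whose `is_policy_checked` flipped to 0 is exactly the kind of change the auditing section below is meant to catch.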

Database auditing

  • Monitor all logins to operating system and database servers, whether successful or unsuccessful.
  • Review audit logs regularly.
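For the database-server half of the two bullets above, SQL Server Audit can record every login attempt without any third-party tooling. The block below is an added example (not from the NAM documentation): it creates a file-based server audit covering successful and failed logins plus two groups that detect privilege changes and tampering with the audit itself, and then shows the review query a regular audit-log check would run. The audit name `NamLoginAudit`, the `D:\audit\` path, the file sizes and the 24-hour/5-attempt thresholds are assumptions. Operating system logins are not covered here; those come from the Windows Security event log.

```sql
-- Added example (not from the NAM documentation). NamLoginAudit, the D:\audit\
-- path, sizes and thresholds are placeholders to adapt to your environment.
USE master;
GO

-- Audit target: rolling files on local disk. ON_FAILURE = CONTINUE keeps the
-- instance available if the audit cannot write; pick SHUTDOWN only where
-- losing audit records is less acceptable than an outage.
CREATE SERVER AUDIT NamLoginAudit
    TO FILE (
        FILEPATH = 'D:\audit\',
        MAXSIZE = 256 MB,
        MAX_ROLLOVER_FILES = 50
    )
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- What to record: every login and logout, any change to server role
-- membership (someone being added to sysadmin), and any change to the audit
-- configuration itself.
CREATE SERVER AUDIT SPECIFICATION NamLoginAuditSpec
    FOR SERVER AUDIT NamLoginAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGOUT_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

ALTER SERVER AUDIT NamLoginAudit WITH (STATE = ON);
GO

-- Regular review: accounts and source addresses with repeated failed logins
-- in the last 24 hours. action_id 'LGIF' = failed login ('LGIS' = success).
-- event_time in the audit file is recorded in UTC.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failed_attempts,
       MIN(event_time) AS first_seen_utc,
       MAX(event_time) AS last_seen_utc
FROM sys.fn_get_audit_file('D:\audit\NamLoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 5
ORDER BY failed_attempts DESC;
GO
```

On a busy instance `SUCCESSFUL_LOGIN_GROUP` is the noisiest of these groups; if file volume becomes a problem, keep it but lower `MAXSIZE` and raise `MAX_ROLLOVER_FILES`, or forward the audit files to your central log platform, rather than dropping successful-login records, since a successful login from an unexpected host is the event the first bullet is asking you to notice.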