These the very real best practices every DBA should follow. I am sharing one the very interesting and very useful blog post by experts in PCI compliance and who adhere to apply all those securities.
There are some general principles which provide guidelines on how to achieve and maintain PCI DSS security.
- Create an SQL Server hardening guide. You have to document your security procedures and it is easier for your team if everyone follows the same security standards. It can be part of the IT security manual or a standalone document. I recommend to check the Center for Internet Security (CIS) benchmarks.
- Create a SQL Server security checklist for the DBA team. You can find additional details in this article.
- Create an extract of the PCI DSS requirements for DBAs. The PCI document is long, you cannot expect that the whole DBA team will read it carefully. Check this tip for the outline of the main requirements related to SQL Server.
- Try to minimize the PCI scope. Work with the network and application teams to establish network segmentation and reduce the number of servers in the PCI zone.
- Establish a change management process. You should document and control all the changes on your SQL Server.
- Always perform the security hardening right after installing the SQL Server. Never put a server to production without assuring that it complies with all the security requirements.
- The DBA team should install all SQL Server instances. No exceptions and all DBAs should follow the server hardening guide.
- Install all service packs and critical fixes for Windows, SQL Server and VMware (if applicable). It is necessary to implement all critical fixes to ensure that there are no known security issues.
- Create a process to apply the latest security fixes. This process should cover the Windows patches as well as SQL Server service packs and security fixes. Read this tip about patching policies.
- The user privileges should be minimized. Try to assign the minimum sufficient rights to every user.
Best Practices for SQL Server Installation
These best practices can be applied during the installation process.
- Install all service packs and critical fixes for SQL Server right after installation. It is necessary to implement all critical fixes.
- Install only the required components. The less the components, the less security problems that can occur.
- Disable unnecessary features, services and protocols. You can use the SQL Server Configuration Manager to disable the unused SQL Server services.
- Change the default SQL Server configuration. This should include for example the SQL Server ports, SA accountand BUILTIN\Administrators group.
- Configure SQL login auditing to log both failed and successful logins. Details of the login audit configuration can be found in this tip and there is also a tip about SYSADMIN login auditing.
- Always use Windows Authentication mode. This simplifies login administration and the organization can benefit from single sign-on. You can check and change the authentication mode in three different ways: using SQL Server Management Studio, with T-SQL or in the Windows registry.
- Restrict the access to the SQL Server files. Protect the SQL Server configuration and database files as well as the backup folders.
- Configure a firewall. You need a protective firewall on your server to defend your system. If there is no other firewall installed on your server then configure Windows Firewall to work with the Database Engine, Integration Services and Analysis Services.
- Verify your installation before putting the server to production. The Microsoft SQL Server 2012 Best Practice Analyzer can quickly identify if your server is configured according to industry best practices or not.
Best Practices for Continuous Compliance
After you completed the installation of a secure Microsoft SQL Server, you should keep it PCI DSS compliant during the operation.
- Create a database access policy. Only the SQL Server administrators should access the database directly, all other users should access it through a business application.
- Maintain a list of all administrative accounts. It is critical to have an up-to-date list of all the accounts and the auditors will request it.
- Every system should have at least two administrators. You should minimize the impact if something happens to any of the DBAs.
- Create a dataflow diagram for the PCI data. It is important to know where the sensitive data is and this diagram can help you to spot which databases contain cardholder data. You should consider obtaining a network diagram from the appropriate team.
- Create a password policy for SQL Servers. This policy should include how to identify blank and weak passwordsand configure password enforcement options.
- Create a process for granting elevated user permission. Such user rights should be provided only upon managerial approval and you have to document it.
- Create a policy to handle the service accounts. There should be different service accounts for every service and they should be configured with the least privileges.
- Configure alerts for software and hardware warnings. You can use SCOM or any other equivalent. Check this collection of SQL Server monitoring tips.
- Establish a process to handle the alerts received from the system. You should react to the alerts and it is the best when there is a written procedure about who handles what.
- Create a procedure for the security key handling. The encryption keys should be regularly changed and they have to be replaced when a key custodian leaves the company. It is also recommended to employ dual control and split knowledge for the key management.
- Regularly scan the database and the logs for cardholder data. DBAs should know where the sensitive data is and they have to work with the application team to minimize the exposure.
- Create a procedure to remove the unnecessary cardholder data. You should archive the cardholder data only for the maximum period the business requires. You should have a policy in place to destroy the data after it reaches its maximum lifecycle.
- Create a policy about the backup media handling. The backups should be tested, correctly labeled and secured. The backup data should be properly destroyed when it is no longer required.
- Perform a penetration test annually. This should include the whole system, should not be limited to SQL Server.
- Organize annual security trainings for all the users and DBAs. The continued education will ensure that everybody is aware of the evolving PCI DSS requirements. All new employees should be also educated.