
Project Quant: Database Security - Restrict Access

The next phase in our walk through database security is Restricting Access, through access control systems and permissions. Setting -- or resetting, as the case may be -- database access control and account authorization is a major task. Most of the steps within this phase are self-explanatory, but for databases with hundreds to thousands of users the amount of time spent on review will be significant. We need to check what is in place, compare that with documented policies, and return users and groups to their intended settings. Many users will have elevated permissions granted 'temporarily' to get a specific task done with data or database functions outside their normal scope, or because their job function changed, but such permissions are often left in their 'temporary' state rather than being reset when no longer needed or appropriate. This form of "permissions creep" is a common problem. For permissions kept in place to avoid breaking application functionality, or required for certain users to perform temporary tasks, document the variance, including who approved it and when it should be revisited.

Review Access/Authentication

  • Time to collect existing users and access controls (unless collected in Review phase).
  • Time to identify authentication methods. Databases can use database, operating system, third party access control, and mixed modes of authentication. Check what is in place.
  • Time to determine approved authentication methods. Review prescribed authentication methods.

Determine Changes

  • Time to identify user permission discrepancies. Review user and administrative account permissions settings and note variances.
  • Time to identify group & role membership adjustments. Inspect roles and groups for members who should not be included. Review roles for unnecessary permissions or capabilities.
  • Time to identify password policies and settings. Check the password policies in force (strength, rotation, failed login attempts, lockout) against the prescribed ones, and note variances to be addressed.
  • Time to identify dormant and obsolete accounts.

Implement

  • Time to alter authentication methods. Modify settings to meet established guidelines.
  • Time to reconfigure and remove user accounts. Adjust permissions and remove capabilities.
  • Time to implement new roles and groups and adjust membership.
  • Time to reconfigure service accounts. Review application service accounts for authorization and group membership.

Document

  • Time to document changes.
  • Time to document accepted variances from configuration.
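The Review, Determine Changes, Implement and Document steps above are one reconciliation loop: take a snapshot of what the database currently grants, compare it with the documented policy, emit the change set, and record the accepted variances. The following Python is an added example of that loop, not code from the original post or from Project Quant. Every input in it is constructed for illustration: the grant snapshot, role membership and last-login dates stand in for what you would pull from the catalog (information_schema, pg_roles, DBA_* views, or the equivalent), the policy and the "ticket 4711" variance stand in for your access-control document, and the REVOKE/GRANT statements use generic SQL syntax that has to be adapted to the target DBMS.

```python
"""Reconcile database grants, roles and account activity against a
documented access policy, and emit the change set and variance record.

Added example; not code from the original post. All data below is
constructed: the snapshot stands in for the database catalog and the
policy for the access-control document.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True, order=True)
class Grant:
    grantee: str
    obj: str        # table or schema name
    privilege: str  # SELECT, INSERT, UPDATE, DELETE, ...


# --- Constructed snapshot of what the database currently says ---------------
SNAPSHOT_GRANTS = {
    Grant("app_svc", "orders", "SELECT"),
    Grant("app_svc", "orders", "INSERT"),
    Grant("app_svc", "orders", "DELETE"),          # creep: never approved
    Grant("jsmith", "orders", "SELECT"),
    Grant("jsmith", "customers", "UPDATE"),        # 'temporary' fix left in place
    Grant("old_contractor", "customers", "SELECT"),
}
SNAPSHOT_ROLES = {"dba": {"jsmith", "dba_admin"}, "reporting": {"jsmith", "analyst1"}}
LAST_LOGIN = {                                     # None: no login on record
    "app_svc": date(2009, 6, 20), "jsmith": date(2009, 6, 18),
    "dba_admin": date(2009, 6, 19), "old_contractor": date(2008, 11, 2),
    "analyst1": None,
}

# --- Constructed documented policy ------------------------------------------
POLICY_GRANTS = {
    Grant("app_svc", "orders", "SELECT"),
    Grant("app_svc", "orders", "INSERT"),
    Grant("jsmith", "orders", "SELECT"),
    Grant("analyst1", "orders", "SELECT"),         # approved but never applied
}
POLICY_ROLES = {"dba": {"dba_admin"}, "reporting": {"jsmith", "analyst1"}}
# Accepted variances: grants outside policy that are documented, with reason
# (the ticket number is made up for this example).
ACCEPTED_VARIANCES = {
    Grant("jsmith", "customers", "UPDATE"): "data-fix ticket 4711, expires 2009-07-01",
}
DORMANT_AFTER = timedelta(days=90)


def excess_grants(snapshot, policy, accepted):
    """Grants present in the database but neither in policy nor documented."""
    return (snapshot - policy) - set(accepted)


def missing_grants(snapshot, policy):
    """Grants the policy requires that are not actually in place."""
    return policy - snapshot


def role_discrepancies(snapshot_roles, policy_roles):
    """Per role: (members who should not be there, members who are missing)."""
    out = {}
    for role in set(snapshot_roles) | set(policy_roles):
        have = snapshot_roles.get(role, set())
        want = policy_roles.get(role, set())
        if have != want:
            out[role] = (have - want, want - have)
    return out


def dormant_accounts(last_login, today, max_idle=DORMANT_AFTER):
    """Accounts with no login within max_idle, or with no login on record.
    Accounts that never logged in should be checked against creation date
    before removal; here they are simply flagged."""
    return {u for u, d in last_login.items() if d is None or today - d > max_idle}


def change_statements(snapshot, policy, accepted, snapshot_roles, policy_roles):
    """Ordered SQL change set for the Implement phase. Generic syntax:
    adapt the REVOKE/GRANT and role commands to the target DBMS."""
    stmts = [f"REVOKE {g.privilege} ON {g.obj} FROM {g.grantee};"
             for g in sorted(excess_grants(snapshot, policy, accepted))]
    stmts += [f"GRANT {g.privilege} ON {g.obj} TO {g.grantee};"
              for g in sorted(missing_grants(snapshot, policy))]
    diffs = role_discrepancies(snapshot_roles, policy_roles)
    for role, (extra, missing) in sorted(diffs.items()):
        stmts += [f"REVOKE {role} FROM {u};" for u in sorted(extra)]
        stmts += [f"GRANT {role} TO {u};" for u in sorted(missing)]
    return stmts


def variance_record(accepted):
    """Lines for the Document phase: each accepted deviation and its reason."""
    return [f"{g.grantee}: {g.privilege} ON {g.obj} -- {why}"
            for g, why in sorted(accepted.items())]


if __name__ == "__main__":
    today = date(2009, 6, 22)                      # constructed review date
    print("\n".join(change_statements(SNAPSHOT_GRANTS, POLICY_GRANTS,
                                      ACCEPTED_VARIANCES, SNAPSHOT_ROLES,
                                      POLICY_ROLES)))
    print("dormant:", sorted(dormant_accounts(LAST_LOGIN, today)))
    print("\n".join(variance_record(ACCEPTED_VARIANCES)))
```

Two design points worth noting. Accepted variances are subtracted from the excess set, not added to the policy: the policy stays the statement of intent, and the variance list is the separate, dated record the Document step asks for, so an expired variance shows up again as excess the next time the loop runs. And the change set is generated rather than applied, so it can be reviewed (and, for the dormant accounts, checked against HR or the application owner) before anything is executed.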

In our next post we will move on to shielding the database.


-Adrian Lane

Previous entry: Project Quant: Database Security - Configure | Next entry: Project Quant: Database Security - Shield
