top of page

How to Protect SQL Server from Hackers and Penetration Tests

Updated: Sep 30, 2020

On June 3rd, the InfosecMatter blog published a post titled "Top #10 Vulnerabilities: Internal Infrastructure Pentest". This blog post detailed the top most common vulnerabilities in Windows servers and networks found during more than 60 internal infrastructure penetration tests around the world. After reading this article, I was prompted to actively look for similar resources on SQL Server penetration testing, and I got some interesting findings. See below my conclusions.

After reading up on a bunch of SQL Server penetration testing articles, I found that the steps of a common penetration test are as follows:

  1. Discovery

  2. Gaining Access

  3. Elevating Permissions

  4. Attacking (Loot / Destruction)

Logically, these steps mimic the steps taken by a common would-be hacker (except, of course, they try not to actually damage anything).

I'll briefly describe each step from the point of view of a hacker or penetration tester, the common methodologies of each step, and offer recommendations that we can follow to protect our database systems at every level.

1. Discovery

The first step a hacker or a "pentester" would do when introduced into a network, is to start looking for SQL Servers. This is done using IP and Port scanner tools that scan the network for common ports that may represent a vulnerable system.

Common Methodologies

How to Protect Ourselves

2. Gaining Access

Now that we have our "targets", our next step is trying to break in. Basically this means guessing a working username and password combination or using an elevated Operating System account to create a new login.

Common Methodologies

  • Try SA or some other username and a weak or default password (via brute force/password lists)

  • Discovering credential leaks (username and password combinations or certificates with private keys). These are commonly saved in configuration files somewhere in the file system (XML, web.config, appSettings.json files etc. that contain things like connection strings for applications)

  • Using a highly privileged Windows account to create a basic Scheduled Task that logs into the SQL Server using NT SERVICE\SYSTEM or some such, and create a new sysadmin login that can be used.

  • SQL Injection is also a common method for trying to gain access via the permissions of an existing software application.

How to Protect Ourselves

  • Rename and disable the SA login.

  • Disable SQL Authentication. Use Windows Authentication only.

  • Do not save your connection strings in clear text anywhere.

    • Offloading your passwords using a service such as Azure Key Vault or something similar.

    • Using Windows Authentication will also solve this issue by not requiring you to save your passwords anywhere.

    • Use something like Microsoft CredScan to detect possible credential leaks that you may have missed.

  • Remove SQL Server access from the NT SERVICE\SYSTEM Windows login if it exists.

  • Remove SQL Server access from the BUILTIN\Administrators Windows Group if it exists.

  • Remove SQL Server access from any Windows Account that also has Windows Administrator permissions on the same server.

  • Follow the "Principle of Least Privilege".

  • Protect against SQL Injection.

3. Elevating Permissions

If we gained access to the SQL Server using a non-sysadmin account, we would want to elevate our account to sysadmin. If we already have access to a sysadmin account, we would want to elevate access to the entire operating system, and/or gain access to additional logins that can increase our attack surface area.

Common Methodologies

How to Protect Ourselves

  • Do not enable the TRUSTWORTHY setting in any database.

    • With the sole exception of MSDB which requires this setting.

      • Circumvent this limitation by denying from any non-sysadmin users the permissions to create or alter objects in the MSDB database.

    • If you need to use CLR assemblies with UNSAFE or EXTERNAL_ACCESS permission sets, please do it the proper way - using certificates and signing your assemblies.

  • Do not give any login the securityadmin server role.

  • Do not grant SELECT permissions on system tables to any login that doesn't actually need them.

  • Keep xp_cmdshell disabled, and/or set a Windows Proxy account with limited privileges

  • Keep OLE Automation procedures disabled.

  • If possible, keep CLR disabled.

  • Protect against SQL Injection, inside stored procedures with dynamic SQL as well!

4. Attacking (Loot / Destruction)

This basically comes down to utilizing our achieved permissions to retrieve as much data as we can or to cause as much damage as we can. The higher-privileged user we got, the more widespread our impact can be.

Common Methodologies

  • Querying system tables.

  • Updating system tables.

  • Stealing, deleting, or modifying data or even entire databases.

  • Discovering, stealing, and/or destroying backup files.

  • Corrupting databases.

  • Creating additional hidden back-doors for repeated access and attacks.

  • Locking down the database using encryption.

  • Initiating a Denial-of-Service attack (DoS or DDoS) by "choking" the SQL Server instance with heavy operations that freeze the entire server.

  • Causing widespread damage on the OS, domain, and network (including worms, viruses, and Trojans).

How to Protect Ourselves

  • Follow the "Principle of Least Privilege". i.e. do not give permissions to any user unless they truly require it. Forget about giving sysadmin to everyone by default! And in general, try to avoid giving server roles unless you must. They all can be pretty dangerous.

  • Maintain a healthy backup plan with proper RTO and RPO, and perform periodical restore tests to verify your RTO and the overall health of the backup files.

  • Make sure to install your SQL Servers on virtual machines, that can have VM-wide snapshots taken periodically and restored quickly when needed.

  • Use Transparent-Data-Encryption, and other encryption mechanisms (where possible) to protect your sensitive data at rest, and enable SSL to protect it in transit.

    • Avoid saving your encryption keys together with your database (for example, decryption certificates installed on the SQL Server machine, or clear-text passwords being used inside stored procedures to open Symmetric or Asymmetric Keys).

    • Column Level Encryption (Always Encrypted) is a strongly recommended solution, where possible.

  • Run the SQL Server service using an account with minimum Windows permissions. Follow the "Principle of Least Privilege" in this case as well.

  • Auditing can also be an important tool to protect from and investigate possible attacks. There are several options available in SQL Server:

What About Security Patches?

A recently published article by SC Media highlighted the lesson to be learned from a datacenter's failure to patch their servers on time, which led to password leaks of 900 VPN enterprise servers.

That's an absurdly embarrassing oversight, considering that the patch in question was already released more than a year before the security breach.

Microsoft occasionally releases important security hotfixes for SQL Server as well (also known as GDR) which fix known vulnerabilities in SQL Server as they are discovered. And for the exact same reason, it's important to take note of these patches and apply them as soon as possible to your production servers (or any servers that hold any kind of sensitive data, or possible connection to servers that do hold sensitive data... On second thought - just patch everything).

It's understandable for organizations to hold back on applying service packs and cumulative updates for their SQL Server instances. More than once already we've seen patches fix some bugs - while creating even bigger bugs.

This is why it's crucial to install such updates on QA and Staging environments first, and run any possible tests before applying to your production servers... Or simply wait for a couple of months or so.

Security hotfixes, however, usually hold a special status where it becomes much more urgent to apply them as soon as you can. It becomes paramount to use something like the Automated Patching feature in Azure SQL Server VMs, or some kind of automation that notifies you about new updates as soon as they come out.

In our managed service DBSmart, for example, we have such an automated process which immediately notifies us about newly released patches, and alerts us when a server under our care is falling behind. In such cases, we notify the customer and assist them in following the necessary steps (checking the list of fixes in the patch, evaluating potential risks, installing the patch in a test/QA/staging environment, monitoring the system, etc.).


There are many steps that we can take in order to protect our SQL Server environments on every level.

Most of these vulnerabilities can be easily addressed using the SQL Vulnerability Assessment Tool provided by Microsoft.

If your SQL Server is hosted on Azure, you can take advantage of the Security Center and Advanced Threat Protection features as well.

The best course of action would be to have a professional take a look at your database systems, review it, and implement best practices. Madeira Data Solutions offers the Data Architecture Review which covers many best practices in SQL Server, including in terms of Security, Performance, Maintenance, and more. Click here to learn more!

Additional Resources



4 days ago

I sincerely appreciate all of your assistance over the month of June! With the assistance of a kind hacker named Kmax, my credit score improved to 821 Excellent today when I viewed my credit report. In less than 72 hours, he assisted me in removing all negative information from my credit report and raising my credit score to 821 platinum score. He charges a significant service fee however his service is quick. KmaxCyberServices at is the contact information. Thanks..


Apr 13

I'm grateful to this specific hacker team for their hard work in helping me find the culprits who stole the 16BTC I lost to an online investment company last year. They worked quickly and effectively. Give him a call at +1 240 580 8653 or send him an email at mthecredit guy at gmail dot com if you're wondering whether I have another option. Incredibly, they can fix credit at record highs in just three weeks!

Additionally, I received a substantial payment of roughly $150k; if you have a company or bank account, you are qualified to receive this, thank you...


Apr 07

If you are interested in getting a good hacking service?  I recommend you contact the MIKE CREDIT GUY COMPANY whose services are 100% safe and 100% guaranteed, they are a team of professionals ever ready to satisfy one's needs in hacking services such as  hacking of social networks in general, for example, Facebook, Instagram, Twitter, Changes and upgrading of university grades, Clear criminal records, General hacking and database penetration, PayPal accounts verified hacking, WordPress Blogs hacking, Hack all social media accounts, Hack all Android  phones, laptops and Windows Mobile devices. Raise credit score, Western Union and Money gram Hack, Hacking and deleting videos and CCTV history, Hack bank logins, money transfer, credit transfer, clear credit records, credit repair report, Increase…


Mar 08

Mike The Credit Guy He's the best in any kind of credit issues, My old friend of mine introduced me to this lovely hacker and I got in touch with him. I explained to him about my low credit scores and my credit card debts, To my surprise. He helped me increase my credit score to 820 Golden score and He wiped out the late payments, collections and inquiries on my credit report within 72 hours. He also helped me pay off my credit card debts within a few weeks, He`s trusted, affordable and calm. Now Mike The Credit Guy has turned to my Hacker, You might need him to change your life as he helps me clear my credit…


Mar 06

In buying my new house, Kmax and his Credit Repair Crew were invaluable allies. Sincerely, I don't think I could have gotten an excellent credit without his assistance. They are understanding, truthful, and well-informed. Kmax built me a trust that was necessary for my credit to be fixed and for me to be eligible to purchase a home. Knowing that my score is still high at 799 across all bureaus and that all of the bad entries have been removed is a comfort. I heartily recommend contacting him at KMAX CYBER SERVICES AT GMAIL DOT COM, and be thankful to God.



Get New posts delivered straight to your inbox

Thank you for subscribing!

bottom of page