logo

What is Database Hardening and Why Is It Critical?

Hardening the various systems across your network helps you improve your cybersecurity posture level and block attacks. Hardening includes regular patching of known software vulnerabilities and turning off nonessential services on each system to reduce the number of processes that can be exploited.

Hardening your database servers is a vital part of this information security strategy. After all, your databases contain critical information that drives mission-critical applications and business processes, so you need firm control over their configuration and use.

This blog post details hardening strategies to help ensure strong database security. These best practices will help you prevent your databases from being compromised by an intruder, malware or other cyberattack.

Database Hardening Best Practices

Secure the Environment

Effective database management starts with physical security. Every physical or virtual database server needs to be hosted in a secure and monitored environment. The database system should be hosted separately from all other application servers. It also needs to be located behind a next-generation firewall that strictly controls traffic directed to it. Each server should have its local firewall enabled as well for additional protection.

Encrypt Critical Data

Sensitive data must always be encrypted when stored. Encryption ensures that even if the data is compromised, it cannot be read. In addition, data should be transported using encrypted connections. Be sure to regularly review your encryption process since requirements for key length and type of cryptography may change and related certificates can expire.

Use Established Benchmarks

Establish a hardened build standard to be required for each database platform you use, such as Oracle, SQL Server or DB2. If done manually, this can be a daunting task since any specific database can have hundreds of settings to research and define.

Fortunately, you don’t need to create these benchmarks from scratch. In particular, both the Center for Internet Security (CIS) and the NIST Security framework provide guidance for secure configuration standards, auditing methodologies and remediation steps, including the following best practices:

  • Remove default accounts.
  • Implement a strong password policy.
  • Follow a least-privilege access model. Be especially vigilant to provide elevated database access to only the users who need it.
  • Actively monitor file and object permissions.
  • Audit and log all access connections by users.
  • Disable unnecessary services and components.
  • Build an effective schema for your database tables.
  • Encrypt data if possible.

Implement Change Tracking

You also need to ensure that each server remains in compliance with your hardened build standard. Remember that security settings can be changed at any time by any user with the required privileges

While a formal compliance audit might be conducted only once a year, Zero Trust principles require the continuous tracking of security settings to promptly spot any configuration drift that could put sensitive data at risk. 

How File Integrity Monitoring Can Help

File integrity monitoring (FIM) is an invaluable component of any database hardening strategy. FIM technology can automatically monitor your configuration files and settings for drift away from your hardened build standard, and identify disguised Trojans, zero-day malware and modified bespoke application files. By automating file integrity monitoring, you can get better results while saving money by eliminating the need to hire and train costly IT resources. Most FIM tools today support a variety of database systems, as well as firewalls, network devices, and Windows, Linux and Unix servers.

Netwrix Change Tracker is a comprehensive FIM solution that helps you implement the critical database hardening best practices detailed above. It spots unexpected changes to your systems that could indicate suspicious activity, empowering you to stop configuration drift that puts your business at risk. Plus, Netwrix Change Tracker can help you harden your database servers whether they are on premises or in the cloud helps.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.