GSEC Question #66: Real Exam Question with Answer & Explanation

The correct answer is D: It is good practice to not allow users to send raw SQL commands to the SQL Server.

Question

Many IIS servers connect to Microsoft SQL databases. Which of the following statements about SQL server security is TRUE?

Options

  • A. SQL Server patches are part of the operating system patches.
  • B. SQL Server should be installed on the same box as your IIS web server when they communicate.
  • C. It is good practice to never use integrated Windows authentication for SQL Server.
  • D. It is good practice to not allow users to send raw SQL commands to the SQL Server.

Explanation

Preventing raw SQL commands from reaching SQL Server is a core defense against SQL injection, the most critical SQL Server application-layer threat.

Common mistakes.

  • A. SQL Server patches are released independently through Microsoft's SQL Server update channels and are not included in standard OS patch cycles.
  • B. Placing IIS and SQL Server on the same host violates service separation principles and expands the attack surface: a compromise of the web tier can directly expose the database.
  • C. Integrated Windows authentication for SQL Server is generally more secure than SQL authentication because it uses Kerberos or NTLM and avoids storing database passwords in connection strings.

Concept tested. SQL injection prevention and SQL Server hardening best practices.

Reference. https://learn.microsoft.com/en-us/sql/relational-databases/security/sql-injection
