
This section of the ISM provides guidance on database servers.

Protecting database server contents

Encrypting the storage of a database server protects its contents from unauthorised access when an adversary obtains the hardware itself, for example through physical theft of the server or a failure to sanitise its hard disks before disposal. Full disk encryption only protects data at rest: once the server has booted and its disks are unlocked, it offers no protection against an adversary who compromises the running operating system or DBMS, so it complements rather than replaces the access and network controls below.

Security Control: 1425; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Hard disks of database servers are encrypted using full disk encryption.
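Confirming that control 1425 is actually in effect on a Linux database host means checking that the filesystem holding the DBMS data directory sits on a dm-crypt (LUKS) device, not just that a LUKS container exists somewhere on the box. The following script is an added example, not part of the ISM or of any DBMS: it parses the block-device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and walks from the mounted filesystem back to the disk looking for a `crypt` layer. The lsblk JSON below is constructed (a LUKS-backed LVM group for `/` and `/var/lib/postgresql`, and a plain partition for backups); the data directory paths are assumptions.

```python
"""Verify that a database data directory is backed by dm-crypt storage.

Added example, not part of the ISM. Walks the block-device tree that
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports whether the
filesystem holding a given path has a 'crypt' (dm-crypt/LUKS) layer beneath
it. SAMPLE_LSBLK_JSON is constructed to mimic lsblk output.
"""
import json
import subprocess

# Constructed sample: sda2 is a LUKS container carrying an LVM volume group
# (so / and /var/lib/postgresql are encrypted); sdb1 is a plain partition
# mounted for backups (not encrypted).
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg0-pgdata", "type": "lvm", "fstype": "xfs", "mountpoint": "/var/lib/postgresql"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/var/lib/postgresql/backups"}
  ]}
]}
"""


def _flatten(devices, ancestors, mounts):
    """Map each mountpoint to the list of device types above it (disk -> leaf)."""
    for dev in devices:
        chain = ancestors + [dev["type"]]
        if dev.get("mountpoint"):
            mounts[dev["mountpoint"]] = chain
        _flatten(dev.get("children", []), chain, mounts)


def mountpoint_for(path, mounts):
    """Longest mountpoint that contains `path` (the filesystem df would report)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def data_dir_encrypted(path, lsblk_json):
    """True if the filesystem holding `path` sits on a dm-crypt device."""
    mounts = {}
    _flatten(json.loads(lsblk_json)["blockdevices"], [], mounts)
    mp = mountpoint_for(path, mounts)
    if mp is None:
        raise ValueError(f"no mounted filesystem contains {path}")
    return "crypt" in mounts[mp]


def live_lsblk():
    """Query the running host (util-linux lsblk with JSON output)."""
    return subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Assumed data directories; replace SAMPLE_LSBLK_JSON with live_lsblk() on a real host.
    for d in ("/var/lib/postgresql", "/var/lib/postgresql/backups/2024"):
        state = "encrypted" if data_dir_encrypted(d, SAMPLE_LSBLK_JSON) else "NOT encrypted"
        print(d, state)
```

The check answers only "is the storage stack encrypted"; it says nothing about key handling. A key that is unsealed automatically at boot, or a passphrase kept on an unencrypted partition of the same machine, defeats the purpose of the control against theft of the whole server, and backup or log volumes (the unencrypted sdb1 above is the typical miss) need the same treatment as the data directory.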

Functional separation between database servers and web servers

Placing databases used by web applications on the same physical server as a web server can expose them to an increased possibility of compromise by an adversary: the web server is directly exposed to clients, and an adversary who compromises it then has local access to the database files and DBMS process instead of having to cross a network boundary to reach them.

Security Control: 1269; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Database servers and web servers are functionally separated, physically or virtually.

Communications between database servers and web servers

Information communicated between database servers and web applications, especially when it traverses untrusted networks such as the internet, is susceptible to capture by an adversary. Encryption in transit should also authenticate the database server to the web application (for example, by verifying its certificate), since an encrypted session with an unverified peer can still be intercepted by an adversary positioned on the path between the two.

Security Control: 1277; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Information communicated between database servers and web applications is encrypted.
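Control 1277 is frequently undone at the client side: a web application's connection string says nothing about encryption, and the driver quietly negotiates whatever the server offers. The following audit script is an added example, not part of the ISM or of PostgreSQL, and uses the libpq `sslmode` values that PostgreSQL documents: `disable`, `allow` and `prefer` all permit a plaintext session (`prefer` is libpq's default when nothing is specified), `require` encrypts but never checks the server certificate, `verify-ca` checks the certificate chain but not the hostname, and only `verify-full` does both. The connection strings and the CA bundle path `/etc/ssl/certs/db-ca.pem` are constructed for the example.

```python
"""Audit libpq connection URIs for transport-encryption settings.

Added example, not part of the ISM. The sslmode semantics are those of
PostgreSQL's libpq; the DSNs and CA bundle path used below are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# libpq sslmode values, weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def _params(dsn):
    """Query parameters of a libpq URI; the last occurrence of a key wins."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(dsn).query).items()}


def audit_dsn(dsn):
    """Return a list of findings; an empty list means the DSN meets the control."""
    if urlsplit(dsn).scheme not in ("postgresql", "postgres"):
        raise ValueError("not a libpq URI")
    q = _params(dsn)
    mode = q.get("sslmode", "prefer")  # libpq's default when unspecified
    if mode not in SSLMODES:
        return [f"unknown sslmode {mode!r}"]
    findings = []
    if SSLMODES.index(mode) < SSLMODES.index("require"):
        findings.append(f"sslmode={mode} permits a plaintext connection")
    elif mode == "require":
        findings.append("sslmode=require encrypts the session but does not verify "
                        "the server certificate (on-path impersonation possible)")
    elif mode == "verify-ca":
        findings.append("sslmode=verify-ca checks the certificate chain but not the hostname")
    if mode.startswith("verify-") and "sslrootcert" not in q:
        findings.append("no sslrootcert given; libpq will look for ~/.postgresql/root.crt")
    return findings


def harden_dsn(dsn, rootcert="/etc/ssl/certs/db-ca.pem"):
    """Rewrite a DSN to sslmode=verify-full with an explicit CA bundle (assumed path)."""
    parts = urlsplit(dsn)
    q = _params(dsn)
    q["sslmode"] = "verify-full"
    q.setdefault("sslrootcert", rootcert)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(q), parts.fragment))


if __name__ == "__main__":
    # Constructed DSNs: the weak (default) form beside the corrected one.
    weak = "postgresql://app:s3cret@db.internal:5432/orders"
    for dsn in (weak, harden_dsn(weak)):
        print(dsn, "->", audit_dsn(dsn) or "OK")
```

The audit only sees the URI. libpq also reads `PGSSLMODE` and `PGSSLROOTCERT` from the environment and from a service file, so a deployment review has to cover those too; the same ladder exists for MySQL clients (`--ssl-mode=VERIFY_IDENTITY` is the equivalent of `verify-full`). Encrypting the link is also only one half of the control: the server should refuse plaintext sessions as well, which for PostgreSQL means `hostnossl ... reject` rules in pg_hba.conf.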

Network environment

Placing database servers on the same network segment as an organisation's workstations, and allowing them to communicate with arbitrary network resources, exposes them to an increased possibility of compromise by an adversary: a single compromised workstation can then reach the DBMS directly. Conversely, in cases where databases will only be accessed from their own database server, allowing remote access to the database server poses an unnecessary security risk.

Security Control: 1270; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Database servers that require network connectivity are placed on a different network segment to an organisation’s workstations.

Security Control: 1271; Revision: 2; Updated: Jan-20; Applicability: O, P, S, TS
Network access controls are implemented to restrict database server communications to strictly defined network resources such as web servers, application servers and storage area networks.

Security Control: 1272; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
If only local access to a database is required, networking functionality of database management system (DBMS) software is disabled or directed to listen solely to the localhost interface.
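Controls 1271 and 1272 have direct counterparts in DBMS configuration. As an added example (not part of the ISM or of PostgreSQL), the following script audits two PostgreSQL files: postgresql.conf, where `listen_addresses` decides which interfaces the DBMS binds (PostgreSQL's default is `localhost`, which satisfies control 1272 unless it is overridden), and pg_hba.conf, where `host` rules decide which source networks may open a connection. The configuration fragments are constructed, showing the weak setting beside the corrected one, and the permitted web-tier network `10.20.30.0/24` is an assumption. Network access controls on the segment itself (firewall or security-group rules) remain the primary mechanism for control 1271; pg_hba.conf is a second layer that the DBMS enforces even if those rules are misconfigured.

```python
"""Audit PostgreSQL listener and host-based access rules.

Added example, not part of the ISM. Checks listen_addresses in postgresql.conf
(PostgreSQL's default is 'localhost') and the source networks admitted by
host rules in pg_hba.conf. All configuration text below is constructed.
"""
import ipaddress
import re

# Constructed postgresql.conf fragments: the weak setting and the corrected one.
WEAK_CONF = """
listen_addresses = '*'        # binds every interface
port = 5432
"""
HARDENED_CONF = """
listen_addresses = 'localhost'
port = 5432
"""

# Constructed pg_hba.conf fragments. Columns: TYPE DATABASE USER ADDRESS METHOD
WEAK_HBA = """
local   all  all                   peer
host    all  all  0.0.0.0/0        md5
host    all  all  ::/0             md5
"""
HARDENED_HBA = """
local     all  all                 peer
hostssl   app  app  10.20.30.0/28  scram-sha-256   # web tier only, TLS only
hostnossl all  all  0.0.0.0/0      reject          # refuse any plaintext attempt
"""

LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}
WILDCARDS = {"*", "0.0.0.0", "::"}


def listen_addresses(conf_text):
    """Effective listen_addresses value; the last assignment in the file wins."""
    value = "localhost"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=\s*(?:'([^']*)'|(\S+))", line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
    return value


def audit_listener(conf_text, local_only):
    """Findings for control 1272 (local_only=True) and for wildcard binds."""
    addrs = [a.strip() for a in listen_addresses(conf_text).split(",") if a.strip()]
    findings = []
    if local_only and any(a not in LOCAL_ONLY for a in addrs):
        findings.append(f"listen_addresses={addrs} but only local access is required")
    if any(a in WILDCARDS for a in addrs):
        findings.append("listen_addresses binds every interface; bind a specific address")
    return findings


def audit_hba(hba_text, allowed_nets):
    """Findings for host rules that admit sources outside allowed_nets (CIDR strings)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local" or len(fields) < 5:
            continue  # blank/comment lines, Unix-socket rules, malformed lines
        ctype, address, method = fields[0], fields[3], fields[4]
        if method == "reject":
            continue  # explicit deny rules narrow exposure rather than widen it
        if ctype == "hostnossl":
            findings.append(f"line {lineno}: hostnossl rule accepts unencrypted connections")
        if address in ("all", "samenet"):
            findings.append(f"line {lineno}: address '{address}' is not limited to defined resources")
            continue
        if address == "samehost":
            continue
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append(f"line {lineno}: address {address!r} is a hostname or legacy form; review manually")
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"line {lineno}: {address} is wider than the allowed networks {allowed_nets}")
    return findings


if __name__ == "__main__":
    for name, conf, hba in (("weak", WEAK_CONF, WEAK_HBA), ("hardened", HARDENED_CONF, HARDENED_HBA)):
        print(name, audit_listener(conf, local_only=False) + audit_hba(hba, ["10.20.30.0/24"]) or "OK")
```

The MySQL and MariaDB equivalent of control 1272 is `bind-address = 127.0.0.1` in my.cnf, with per-host grants playing the role of pg_hba.conf. Note that a localhost-only listener still does not protect against an adversary who has already gained code execution on the database server itself, which is why the host-level controls in the Guidelines for System Hardening apply alongside this one.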

Separation of production, test and development database servers

Using production database servers for test and development activities could result in accidental damage to their integrity or contents.

Security Control: 1273; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Test and development environments do not use the same database servers as production environments.

Further information

Further information on developing Standard Operating Environments for database servers can be found in the operating system hardening section of the Guidelines for System Hardening.

Further information on patching operating systems of database servers can be found in the system patching section of the Guidelines for System Management.

Further information on using cryptography can be found in the Guidelines for Cryptography.