From a defensive point of view, we consider stored procedure attacks to be a “second layer” attack because they require that you have already penetrated the first layer and gained a level of authority before you can execute them. When developing a defensive plan to protect against second-layer attacks, the general rules are as follows:
This approach is an important part of a defense-in-depth strategy. The concept of defense-in-depth was covered earlier in this book in Chapter 1, “Windows Operating System – Password Attacks.” The goal is to make it as difficult as possible (or hopefully impossible) for an attacker to execute the attacks we have demonstrated.
Stored procedures provide a good example of this idea. In the following sections, you will see multiple strategies that fall into the same defensive layer, but you will not see any that would fall into the second defensive layer (eliminating the second-layer vulnerabilities). Part of the reason that stored procedure attacks are the subject of this chapter is that it is not possible to completely eliminate the vulnerability.