10TH ANNUAL CONFERENCE ABOUT MODERN IT TECHNOLOGIES
Tightening SQL Server
Security
10TH ANNUAL CONFERENCE ABOUT MODERN IT TECHNOLOGIES
Thank you Sponsors #ThriveITconf
Silver
Evening event sponsor
Material
Media
1
2
Introduction
• Dejan Sarka
@DejanSarka
– Data Scientist
– MCT, Data Platform MVP
– 34 years of data modeling,
data science and data quality
• 17 books, 20+ courses and
seminars, writing more
Agenda
• Security basics
• Row-level security
• Data masking
3
4
Structure of Secure Systems
Attempt to access Resource
Authentication of caller
Authorization
Enforcement
Resource
Identity
information
Security
configuration
settingsDirect
access
blocked
Authentication and Authorization
• Authentication
– Is the verification of the identity of a principal (such as
determining who someone is)
• Authorization
– Is the assignment of permissions on a securable to a
principal (such as deciding what a person is permitted
to do)
– Can be implemented by assigning a principal to a role
that already has permissions
– Is implemented via GRANT, DENY, or REVOKE
statements for permissions on database objects
5
6
Special Principals
• The sa login
• The public server role
• The public database role
• The guest database user
• System db users
– Information_schema and sys
• System logins based on certificates
GRANT, REVOKE, DENY
• GRANT is used to assign a permission
• DENY is used to explicitly deny a permission
– Used where permissions inherited through group or role
membership
– Should only be used in exceptional circumstances
• REVOKE removes either a GRANT or a DENY
9
10
Schemas
• Containers for database objects
– Created via CREATE SCHEMA
– Listed by querying sys.schemas view
• Users can have default schemas
• Built-in Schemas
– dbo
– guest
– sys
– INFORMATION_SCHEMA
Object Name Resolution
• If the schema name is omitted, rules apply to
how the name will be resolved
– Each user can be assigned a default schema
– Users with no defined default schema will have dbo
as their default schema
– First search is in the user's default schema
– If not found, the dbo schema is searched also
• Whenever referencing an object in a statement,
users should specify both the schema and the
object name
– SELECT ProductID FROM Production.Product
11
12
Row-Level Security
• Programmable objects - views, stored
procedures, scalar and table-valued user
defined functions, and triggers
– No broken ownership chains
• SQL 2016+: declarative (predicate-based) row-
level security (RLS)
Ownership Chains
• Programmable objects refer to base tables and
to each other in a kind of chain
– For example, a stored procedure can use a view that
selects from a base table.
– All the objects in SQL Server have owners
– As long as there is a single owner for all the objects in
the chain, you can manage permissions on the
highest level only
• SQL Server trusts that the owner of the
procedure knows what the procedure is doing.
– This works for any DML statement (SELECT,
INSERT, UPDATE, DELETE, and MERGE)
13
14
Predicate-Based RLS (1)
• Filter predicates silently filter the rows the
application reads
– No application change is needed
– Also filter the rows when an application updates or
deletes the rows; this is because the application again
simply does not see the filtered rows
• Block predicates explicitly block write
operations
– You can define them for after-insert and after-update
operations, when the predicates block inserts or
updates that would move a row beyond the scope of
the block predicate
Predicate-Based RLS (2)
• Block predicates
– After insert block predicates also apply to minimally
logged or bulk inserts
– You can also define block predicates for before-
update and before-delete operations, when they
serve as filter predicates for the updates and deletes
– Note that if you already use filter predicates, before-
update and before-delete predicates are not needed
• You might want to change the affected
applications to catch additional errors produced
by block predicates
15
16
RLS Predicate Function
• You define predicates through a predicate
function
– In the body of this function, you can use other tables
with the JOIN or APPLY operators
– If the function is schema-bound, no additional
permission checks are needed
– If the function is not schema-bound, users need
permissions to read the data from the joined tables
RLS Security Policy
• A security policy adds an RLS predicate to a
table using a predicate function
– The policy can be disabled - users see all of the rows
– A security policy also filters and/or blocks the rows for
the database owners (the dbo user, db_owner
database, and sysadmin server roles)
17
18
SSMS Data Classification (1)
• SQL Server 2008+,SSMS 17.5+
SSMS Data Classification (2)
• SSMS stores the classification information in the
columns' extended properties
– Sensitivity label – Public, General, Confidential –
GDPR, Confidential, Highly Confidential, Highly
Confidential – GDPR
– Information type – Banking, Contact Info, Credentials,
Credit Card, Date of Birth, Financial, Health, Name,
National ID, Networking, SSN, Other
19
20
SQL Server 2019 Data Classification
• In SQL Server 2019, you store the classification
in the additional native database metadata using
the new ADD SENSITIVITY CLASSIFICATION
DDL statement
• You can check the classification information
through the sys.sensitivity_classifications view
• The classification information is also shown
when you use SQL Server Audit to audit the
data modifications and querying
Dynamic Data Masking
• Obfuscate values of a column
– The default function implements full masking
• A string is masked by changing each character to X
• Numeric values are masked to zero
• Date and time data type values are masked to 01.01.2000
00:00:00.0000000
• Binary data is masked to a single byte of ASCII value 0
– The email function masks e-mails to [email protected]
– The random function masks numeric values to a
random value in a specified range
– The partial function uses a custom string to mask
character data
21
22
DDM Limitations
• You must give the users the UNMASK database
level permission if you want them to see
unmasked data
• Limitations
– The UNMASK permission currently works at the
database level only
– You also cannot mask columns encrypted with the
Always Encrypetd option, FILESTREAM and
COLUMN_SET (sparse) columns, and on full-text and
computed colums
– Carefuly crafted queries can bypas masking
Q & A
• SQL Saturday Slovenia 2019 (13. in 14.12., Xnet and FRI,
Ljubljana) –
https://www.sqlsaturday.com/910/EventHome.aspx
• Pre-Con seminars:• Power BI Data Visualizations & Storytelling with Prathyusha Reddy
K - https://www.kompas-xnet.si/…/koledar-tecaje…/SQL2019%20-
%202
• Cutting Edge: AI and intelligent Data Processing with Azure IoT in
the Cloud and on the Device with Kostja Klein and Marcel Tilly -
https://www.kompas-xnet.si/izobra…/koledar-tecajev-t/SQL2019
• Thank you!
23
24