SQL Server 2008 Security Overview
Page 1
ISSA
Data Security for Audit and Compliance
Andrew Fryer, Evangelist, Microsoft Ltd
Page 2
Session Objectives
• Understand that Security is an important consideration for applications as well as the server
• Know what is available in SQL Server and how it can help you achieve security objectives
Page 3
Agenda
• Protecting applications
− Data protection
− Authentication/Authorization
− SQL Injection
• SQL 2008 Compliance New Features
− Transparent Data Encryption
− Extensible Key Management
− Audit
Page 4
A true story.....(kind of)
• The Company
• The Application
• The MD
• The IT Manager
• The DBA
Page 5
What happened
• Day 1 due diligence
− Review and change admin passwords
• 10 minutes later
− Helpdesk reports problems
− Login failures
• Smoking gun
− ODBC DSN
• 10 minutes later
− Helpdesk reports problems
− Module failures, report failures
− Code review! Using ‘sa’ context!
Page 6
Code review
• Issues
− No centralized data access layer
− Embedded SQL
− Lookup Order:
    "SELECT * FROM Orders WHERE OrderId=" + varOrderId
− Lookup Customer:
    "SELECT * FROM Customer WHERE SurName Like '" + varSearchTerm + "'"
− Connection strings with hardcoded passwords
    Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id=sa;Password='';
Page 7
Protecting Applications
Page 8
Authentication
Page 9
Data Encryption
• In SQL Server 2000, 3rd party support required
• Since SQL Server 2005
− Built-in support for data encryption
− Support for key management
• Encryption additions in SQL Server 2008
− Transparent Data Encryption
− Extensible Key Management
Page 10
Channel Encryption
• Support for full SSL Encryption since SQL Server 2000
− Clients: MDAC 2.6 or later
− Force encryption from client or server
• Login packet encryption
− Used regardless of encryption settings
− Supported since 2000
− Self-generated certificates available since 2005
Page 11
Permission Strategy
• Follow the principle of least privilege!
• Avoid using sysadmin/sa and db_owner/dbo
− Grant required permissions to a normal login
• Never use the dbo schema
− User-schema separation
• Applications should have their own schema
− Consider multiple schemas
• Leverage Flexible Database Roles
− Facilitates role separation
• Consider auditing user activity
Page 12
Ownership Chaining
• Beware of Ownership Chaining
Diagram: Bob is granted EXECUTE on HR.Proc1 (GRANT EXECUTE ON HR.Proc1 TO Bob) and runs EXECUTE HR.Proc1. Proc1 reads View1, which reads Table1; all three live in Alice’s HR schema. Only EXECUTE on Proc1 is checked; the accesses to View1 and Table1 are not checked, because the objects share an owner.
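The chain on the slide, as an added T-SQL walk-through that is not part of the deck. It assumes a disposable test database run as sysadmin; the users Alice and Bob are created without logins so the script is self-contained, and the table rows are constructed. It also shows the user-schema separation from the permission-strategy slide: Alice owns the HR schema, so every object created in it is owned by her.

```sql
-- Added example, not from the slides. Run in a disposable test database as sysadmin.
-- Alice owns the HR schema; Bob is an ordinary user with no rights on its objects.
CREATE USER Alice WITHOUT LOGIN;
CREATE USER Bob   WITHOUT LOGIN;   -- WITHOUT LOGIN keeps the script self-contained
GO
CREATE SCHEMA HR AUTHORIZATION Alice;   -- objects created in HR are owned by Alice
GO
CREATE TABLE HR.Table1 (EmployeeId int PRIMARY KEY, Salary money NOT NULL);
INSERT HR.Table1 (EmployeeId, Salary) VALUES (1, 50000), (2, 62000);  -- constructed rows
GO
CREATE VIEW HR.View1 AS SELECT EmployeeId, Salary FROM HR.Table1;
GO
CREATE PROCEDURE HR.Proc1 AS SELECT EmployeeId, Salary FROM HR.View1;
GO
GRANT EXECUTE ON HR.Proc1 TO Bob;       -- the only permission Bob holds
GO
EXECUTE AS USER = 'Bob';
EXECUTE HR.Proc1;           -- succeeds: EXECUTE is checked on Proc1, then the
                            -- Proc1 -> View1 -> Table1 chain has a single owner,
                            -- so no further permission checks happen
SELECT * FROM HR.Table1;    -- fails with Msg 229 (SELECT permission denied):
                            -- outside the chain Bob's own permissions apply
REVERT;
GO
-- The chain breaks as soon as an owner differs. Moving the table to the
-- dbo-owned schema makes View1 -> Table1 a cross-owner step, and the same
-- call now fails for Bob unless he is granted SELECT on the table.
ALTER SCHEMA dbo TRANSFER HR.Table1;
GO
ALTER VIEW HR.View1 AS SELECT EmployeeId, Salary FROM dbo.Table1;
GO
EXECUTE AS USER = 'Bob';
EXECUTE HR.Proc1;           -- now fails: SELECT on dbo.Table1 is checked against Bob
REVERT;
```

The second half is the part the slide's "beware" points at: the chain is a property of object ownership, not of the GRANT, so a DBA who reorganizes schemas can silently open or close access paths without touching a single permission.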
Page 13
Module Signing
• Alice has permission to call SP
• SP runs under Alice’s context but with elevated privilege
• SP protected against tampering
Diagram: Alice (non-privileged login) calls SP_ENABLE_LOGIN, whose body is ALTER LOGIN Bob ENABLE. The procedure is signed with a certificate; the certificate’s login (Cert_login) holds ALTER ANY LOGIN, so the statement succeeds although Alice does not hold that permission herself.
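The diagram as a runnable script; this is an added example, not code from the deck. It assumes it is run in master as sysadmin, that server logins Alice and Bob already exist, and that the certificate password is a placeholder to be replaced. The procedure and login names are the ones on the slide; the certificate name is an assumption.

```sql
-- Added example, not from the slides: the SP_ENABLE_LOGIN diagram as a script.
-- Assumptions: run in master as sysadmin; logins Alice and Bob already exist;
-- '<certificate-password-placeholder>' is to be replaced with a real password.
USE master;
GO
CREATE USER Alice FOR LOGIN Alice;     -- Alice needs a user in master to receive EXECUTE
GO
-- The body is fixed, as on the slide. A signature covers only the module's own
-- text, so dynamic SQL inside it would not gain the certificate's permissions
-- (the next slide warns against dynamic SQL in an escalated context anyway).
CREATE PROCEDURE dbo.SP_ENABLE_LOGIN AS
BEGIN
    ALTER LOGIN Bob ENABLE;
    SELECT SUSER_SNAME() AS running_as;    -- still the caller (Alice), not Cert_login
END;
GO
CREATE CERTIFICATE EnableLoginCert
    ENCRYPTION BY PASSWORD = '<certificate-password-placeholder>'
    WITH SUBJECT = 'Signs SP_ENABLE_LOGIN';
GO
-- A login mapped to the certificate carries the elevated permission. Nobody can
-- connect as it; it only lends its permission to modules the certificate signs.
CREATE LOGIN Cert_login FROM CERTIFICATE EnableLoginCert;
GRANT ALTER ANY LOGIN TO Cert_login;
GO
ADD SIGNATURE TO dbo.SP_ENABLE_LOGIN
    BY CERTIFICATE EnableLoginCert
    WITH PASSWORD = '<certificate-password-placeholder>';
GO
GRANT EXECUTE ON dbo.SP_ENABLE_LOGIN TO Alice;
GO
-- Alice is non-privileged: ALTER LOGIN run directly fails for her, the signed
-- procedure succeeds, and the execution context remains hers throughout.
EXECUTE AS LOGIN = 'Alice';
EXEC dbo.SP_ENABLE_LOGIN;
REVERT;
GO
-- Tamper protection: ALTER PROCEDURE drops the signature, so a changed body
-- runs with the caller's own permissions only until it is deliberately re-signed.
SELECT OBJECT_NAME(major_id) AS module, crypt_type_desc
FROM sys.crypt_properties;
```

Compared with EXECUTE AS on the next slide, signing adds permissions to the caller's context instead of swapping the context for another principal, which keeps auditing honest: SUSER_SNAME() and the audit records still show Alice.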
Page 14
Execution Context Best Practices
• Controlled escalation of privileges
− DB scoped: EXECUTE AS and App Roles
− Cross-DB scoped: Certificates
− Avoid using dynamic SQL under an escalated context
• Do not use cross-database ownership chaining (CDOC) and SETUSER
• Avoid allowing guest access on user DBs
Page 15
SQL Injection
• SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.
    "SELECT * FROM Customer WHERE SurName Like '" + varSearchTerm + "%'"
With varSearchTerm set to
    %'; DROP TABLE CUSTOMERS--
the statement that reaches the server is
    SELECT * FROM Customer WHERE SurName Like '%'; DROP TABLE CUSTOMERS--'
Page 16
SQL Injection – defence
• Use parameterized SQL queries
• Use type-safe SqlParameter in .NET
• Use parameterized SPs
• Least-privilege principle
• Escape special characters
• Escape quotes with quotename/replace
• Escape wildcards in LIKE statements
• Validate buffer length to avoid truncation
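The customer lookup from the code-review slide and the injection example above, rewritten as T-SQL so the concatenated form and the parameterized form sit side by side. This is an added example, not the deck's code: the Customer table, its rows and the procedure names are constructed, and the escaping of LIKE wildcards goes one step beyond the slide by also handling a literal % or _ in the search term.

```sql
-- Added example, not from the slides. Table, rows and procedure names are constructed.
CREATE TABLE dbo.Customer (CustomerId int IDENTITY PRIMARY KEY, SurName nvarchar(100) NOT NULL);
INSERT dbo.Customer (SurName) VALUES (N'Fryer'), (N'O''Brien'), (N'100%');   -- constructed rows
GO
-- Vulnerable: the term is spliced into the statement text, so a term such as
--   %'; DROP TABLE dbo.Customer--
-- rewrites the statement instead of being the value searched for. Even an
-- honest name like O'Brien breaks it (unbalanced quote -> syntax error).
CREATE PROCEDURE dbo.FindCustomer_Unsafe @term nvarchar(100) AS
    EXEC (N'SELECT CustomerId, SurName FROM dbo.Customer WHERE SurName LIKE '''
          + @term + N'%''');
GO
-- Hardened: sp_executesql keeps the statement text constant and hands the term
-- over as a typed parameter, so quotes, semicolons and comment markers are data.
-- LIKE wildcards are escaped as well, so a % or _ in the term is matched literally.
CREATE PROCEDURE dbo.FindCustomer @term nvarchar(100) AS
BEGIN
    DECLARE @pattern nvarchar(210) =
        REPLACE(REPLACE(REPLACE(@term, N'\', N'\\'), N'%', N'\%'), N'_', N'\_') + N'%';
    EXEC sys.sp_executesql
        N'SELECT CustomerId, SurName FROM dbo.Customer WHERE SurName LIKE @p ESCAPE ''\''',
        N'@p nvarchar(210)',
        @p = @pattern;
END;
GO
EXEC dbo.FindCustomer @term = N'O''Brien';   -- the quote is just a character: returns O'Brien
EXEC dbo.FindCustomer @term = N'100%';       -- % is escaped: returns only the row named 100%
EXEC dbo.FindCustomer @term = N'%''; DROP TABLE dbo.Customer--';  -- no rows; the table survives
```

The hardened procedure is what "parameterized SPs" on the slide means in practice: the only text that ever reaches the parser is the fixed string inside the procedure, and the caller's input travels through @p. The slide's quotename/replace advice is still needed for the one thing parameters cannot carry, an object name in dynamic SQL, and for the LIKE wildcards shown here.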
Page 17
Data Access Code with LINQ
    using System;
    using System.Linq;

    class DataAccess
    {
        // qty is unused in the slide's snippet; the signature is kept as shown
        static void GetNewOrders(DateTime date, int qty)
        {
            using (NorthWindDB nw = new NorthWindDB())
            {
                // Query syntax is native application code; the provider turns it
                // into a parameterized command, so the date is never string-spliced
                var orders = from o in nw.Orders
                             where o.OrderDate > date
                             select new { o.OrderId, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity) };

                foreach (var o in orders)
                {
                    Console.WriteLine("{0:d}\t{1}\t{2}", o.OrderDate, o.OrderId, o.Total);
                }
            }
        }
    }
Callouts: query syntax is native application code; data objects are first-class citizens.
No dynamic SQL, therefore no injection
Page 18
Business Reasons
• Compliance requirements for PCI, HIPAA, GLBA among many other acronyms
• Key Management, Encryption, and Auditing are key components to meeting these compliance requirements
• Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance
Table (cell marks not recoverable): IT Control against SOX, PCI, HIPAA and GLBA, for the controls ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing and Policy Management.
Page 19
Data Encryption
• SQL Server 2005
− Built-in encryption functions
− Key management in SQL Server
− Encrypting File System (EFS)
− BitLocker
• SQL Server 2008
− Extensible Key Management (EKM)
− Transparent Data Encryption (TDE)
Page 20
Extensible Key Management
• Key storage, management and encryption done by HSM module
• SQL EKM key is a proxy to HSM key
• SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module
Diagram: data in SQL Server is protected by a SQL EKM key (a proxy for the HSM key); SQL Server calls the SQL EKM Provider DLL, which calls into the HSM.
Page 21
Advantages of using EKM
• Security
− Data and keys are physically separated (keys are stored in HSM modules)
− Centralized key management and storage for the enterprise
− Additional authentication layer
− Separation of duties between db_owner and data owner
• Performance
− Pluggable hardware encryption boards
Page 22
EKM Key Hierarchy in SQL 2008
Diagram: the HSM holds a symmetric key and an asymmetric key. Inside SQL Server these appear as an EKM symmetric key and an EKM asymmetric key, which protect a native symmetric key and the TDE DEK key; those in turn protect the data.
Page 23
Transparent Data Encryption (TDE)
• Encryption/decryption at database level
• DEK is encrypted with:
− Certificate
− Key residing in a Hardware Security Module (HSM)
• Certificate required to attach database files or restore a backup
Diagram: the client application talks to SQL Server 2008, which holds the DEK and reads and writes encrypted data pages.
Page 24
TDE – Key Hierarchy
• Operating System Level: the Data Protection API (DPAPI) encrypts the Service Master Key
• SQL Server 2008 Instance Level: the Service Master Key encrypts the Database Master Key (which can also be protected by a password)
• SQL Server 2008 Master Database: the Database Master Key encrypts the Certificate in the master database
• SQL Server 2008 User Database: the Certificate encrypts the Database Encryption Key
Page 25
TDE – Key Hierarchy with EKM
• Hardware Security Module (HSM): the Asymmetric Key resides on the EKM device
• SQL Server 2008 User Database: the Asymmetric Key encrypts the Database Encryption Key
Page 26
TDE considerations
• Compatible with Database Compression
• Not recommended with Backup Compression
• Database Mirroring
− Copy certificate from primary to mirror
• Log files are not retroactively encrypted
− Encryption begins at next VLF boundary
• Tempdb is encrypted when 1 db in instance uses TDE
• Enterprise only
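The certificate-based key chain from the TDE key-hierarchy slide, set up in the order the slide draws it, followed by the certificate copy that the mirroring consideration above calls for. This is an added example, not a script from the deck; it assumes a user database named billingDB (the catalog name from the code-review slide), placeholder passwords, and example file paths.

```sql
-- Added example, not from the slides. Assumes a user database billingDB exists,
-- the folder C:\keys\ exists, and the two passwords are placeholders to replace.
USE master;
GO
-- Instance level: the Service Master Key (itself protected by DPAPI) encrypts
-- this Database Master Key; the password is a second, independent protector.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO
-- Master database: the Database Master Key encrypts the certificate's private key.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for billingDB';
GO
-- Back the certificate up before it protects anything: without this file and
-- its private key the database cannot be attached or restored anywhere else.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- User database: the certificate encrypts the Database Encryption Key.
USE billingDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE billingDB SET ENCRYPTION ON;
GO
-- The background scan encrypts existing pages; encryption_state 2 = in progress,
-- 3 = encrypted. tempdb shows up here too, as the considerations slide says.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO
-- On the mirror (or any restore target), after that server has its own master key,
-- recreate the same certificate from the backup so the DEK can be decrypted there:
--   CREATE CERTIFICATE TDECert FROM FILE = 'C:\keys\TDECert.cer'
--       WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
--                         DECRYPTION BY PASSWORD = '<private-key-password-placeholder>');
```

The order matters for recoverability: the certificate backup is taken before the DEK exists, so there is never a moment when encrypted pages depend on a key that lives only in one instance. With EKM (page 25) the CREATE DATABASE ENCRYPTION KEY step names an asymmetric key from the provider instead of the server certificate, and the backup step becomes the HSM's own key-backup procedure.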
Page 27
Transparent Data Encryption – Operational Impact
• Storage replication at hardware level
− Background task to encrypt all pages
− At HW level, all pages get changed, i.e. all pages need to be replicated
− Need to test if your hardware replication can handle this throughput
• When using Database Mirroring or Log Shipping
− Ensure that the mirror server has the master key and certificate as well
− Bottleneck isn’t throughput of pages
− Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted
− But, secondary server restore of transaction log uses fewer threads than principal/primary servers, i.e. backlog in restore activity
− Possible Failover Issues
− Synchronous mirroring backlog may result in not being able to fail over, since restoring received transaction log records could take a few hours
− For log shipping, restoration of the backups will fall behind; manual failover cannot take place before restore finally catches up
− May want to consider disabling HA and performing resynchronization of your HA configuration
Page 28
Auditing Database Activity
• SQL Server 2005
− SQL Trace
− DDL/DML Triggers
− Third-party tools to read transaction logs
− No management tools support
• SQL Server 2008
− SQL Server Audit
Page 29
Audit Specifications
Diagram: an Audit object writes to one target: File, Security Event Log or Application Event Log. Each Audit object has 0..1 server audit specification (a set of server audit actions) and 0..1 database audit specification per database (a set of database audit actions, the Database Audit Components).
    CREATE SERVER AUDIT SPECIFICATION SvrAC FOR SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP);
    CREATE DATABASE AUDIT SPECIFICATION AuditAC FOR SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public);
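A complete audit set-up around the two specifications on the slide, added here as an example that is not part of the deck: it creates the PCI_Audit object with a file target, attaches both specifications, switches the audit on last, and reads the captured events back. It assumes the folder C:\SQLAudit\ exists, a database billingDB (the catalog from the code-review slide) with a table dbo.Customers, and that it runs as sysadmin.

```sql
-- Added example, not from the slides. Assumes C:\SQLAudit\ exists and billingDB
-- contains dbo.Customers; specification names are the ones on the slide.
USE master;
GO
-- The Audit object: where events go and what happens if they cannot be written.
-- ON_FAILURE = SHUTDOWN fails closed, which is what a compliance audit usually wants.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server-scoped actions: failed logins (as on the slide) plus changes to the
-- audit configuration itself, so tampering with the audit is itself recorded.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Database-scoped actions: every SELECT on the Customers table by anyone.
USE billingDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
-- Specifications can be ON while the audit is off; the audit is enabled last.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- Read the file target back; the wildcard picks up all rollover files.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Reading the .sqlaudit files with sys.fn_get_audit_file is also the hook for the centralized reporting on page 31: an SSIS package can run this query against each server's audit folder and load the rows into one reporting database.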
Page 30
Reasons to use SQL Audit
• Leverages high performance eventing infrastructure to generate audits
• Runs within engine rather than as a side/separate app
• Parity with SQL 2005 Audit Generation
• Faster than SQL Trace
• Records changes to Audit configuration
• Configuration and management in SSMS
• (Note: Enterprise Edition only)
Page 31
Auditing – Centralizing audit logs and reporting
• Process Audit Information: use SSIS to process SQL 2008 audit log data and store it in its own SQL database.
Diagram: SQL Audit on each DB server writes logs; the logs are transferred to a file server; SSIS on a SQL 2008 server processes them into its own database; SSRS 2008 generates the compliance reports.
Page 32
Policy-Based Management
Diagram: Facets, Conditions, Policies, Categories, Targets.
Page 33
Takeaways
• Protect applications, not just databases
• Get the basics right!
• Leverage all of the features of SQL Server to meet your compliance needs
Page 34
Resources
• UK SQL Server 2008 Server Site: http://www.microsoft.com/uk/sql
• SQL Server Compliance Micro-Site: http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
• Whitepaper for PCI compliance: http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
• Me: http://blogs.technet.com/andrew
Page 35
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.