
Microsoft SQL Server Security and Auditing

Clay Risenhoover
ISACA North Texas
April 14, 2016
http://tinyurl.com/ISACAClay

© 2016, Risenhoover Consulting, Inc. All Rights Reserved 1

Goals

• Understand new and important security features
• Demonstrate use of some of them
• Discuss security ramifications of all of them

Assumptions

The ideal student:
• Not a DBA
• Not freaked out by SQL
• Understands security/assurance
• Understands basic database concepts (like ACID)

ACID

• Atomicity (all or nothing transactions)
• Consistency (transactions leave DB in stable state)
• Isolation (concurrency)
• Durability (transactions don't go away once committed)

Model

• Server hardening
• Confidentiality
• Integrity
• Availability

Server Hardening

• Patch level
• Authentication modes

Patching

Determine running version (reference: sqlserverversions.blogspot.com):

select @@version
select SERVERPROPERTY('productversion')

Authentication

Determine authentication mode:

SELECT SERVERPROPERTY('IsIntegratedSecurityOnly')

SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows Authentication'
         WHEN 0 THEN 'Mixed Mode Authentication'
       END AS [Authentication Mode]

Confidentiality

• Encryption
• Row-level security
• User permissions

Encryption Options

• Transparent data encryption (TDE)
• Encrypted backups
• Always Encrypted

Encryption - TDE

• Introduced in SQL Server 2008 Enterprise
• Encrypts data at rest
• Uses hierarchy of keys

TDE Key Hierarchy

• Database Encryption Key
• Database Master Key
• Service Master Key (OS level)

TDE – Key Backups

BACKUP MASTER KEY TO FILE = 'path_to_file'
    ENCRYPTION BY PASSWORD = 'password'

RESTORE MASTER KEY FROM FILE = 'path_to_file'
    DECRYPTION BY PASSWORD = 'password'
    ENCRYPTION BY PASSWORD = 'password'
    [ FORCE ]
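The key hierarchy and key backups above, worked end to end as an added example (not from the slides): the hierarchy is built bottom-up, including the server certificate layer that sits between the database master key and the database encryption key, the key material is backed up before encryption is switched on, and a final query audits the result. The database name, passwords and file paths are placeholders.

```sql
-- Added example (not from the slides): build the TDE key hierarchy bottom-up,
-- back up the key material, and audit the result. PayrollDB, the passwords
-- and the file paths are placeholders.
USE master;
GO
-- Database Master Key in master, protected by the Service Master Key (OS level)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- Server certificate protected by the DMK; this is what wraps the DEK
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for PayrollDB';
GO
-- Back up the DMK and the certificate (with its private key) BEFORE enabling
-- TDE: a backup of an encrypted database cannot be restored anywhere the
-- certificate is missing.
BACKUP MASTER KEY TO FILE = 'C:\KeyBackup\master.dmk'
    ENCRYPTION BY PASSWORD = '<DMK backup password>';
BACKUP CERTIFICATE TDECert TO FILE = 'C:\KeyBackup\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password>');
GO
-- Database Encryption Key inside the user database, wrapped by the certificate
USE PayrollDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE PayrollDB SET ENCRYPTION ON;
GO
-- Audit check: encryption_state 3 = encrypted, 2 = encryption scan still in
-- progress. A user database with NULL encryption_state has no DEK at all.
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       c.name        AS certificate_name,
       c.expiry_date AS certificate_expiry
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

An expired certificate does not break TDE, but it is the usual sign that nobody has rotated or re-backed-up the key material since the database was encrypted.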

Encryption – Encrypted Backups

• Introduced in SQL Server 2014
• Encrypt database backup files
• Can use

Encryption – Always Encrypted

• Introduced in SQL Server 2016
• Protects data in transit and at rest
• Columns encrypted with keys stored with application, not in server

Encryption – Final Thoughts

• Backup and protect all cryptographic keys
• TEST YOUR BACKUPS
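Two auditor queries for the remaining encryption options from the slides, encrypted backups and Always Encrypted, as an added example that is not part of the original deck. They read only catalog views and msdb history, so they run as a low-privilege login that has VIEW ANY DEFINITION and read access to msdb.

```sql
-- Added example (not from the slides): audit encrypted backups (SQL Server 2014+)
-- and Always Encrypted columns (SQL Server 2016+) from the catalog.

-- 1. Encrypted backups: backupset records the encryptor for every backup taken.
--    A NULL key_algorithm means that backup file is NOT encrypted.
SELECT bs.database_name,
       bs.backup_finish_date,
       bs.type,                       -- D = full, I = differential, L = log
       bs.key_algorithm,
       bs.encryptor_type,             -- CERTIFICATE or ASYMMETRIC KEY
       bs.encryptor_thumbprint,
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date > DATEADD(day, -30, SYSDATETIME())
ORDER BY bs.backup_finish_date DESC;

-- 2. Always Encrypted: which columns are encrypted, deterministic vs randomized,
--    and where the column master key lives. key_store_provider_name and
--    key_path point at the application-side store; the server holds only the
--    wrapped column encryption key, never the plaintext key.
SELECT SCHEMA_NAME(t.schema_id) + '.' + t.name AS table_name,
       c.name AS column_name,
       c.encryption_type_desc,        -- DETERMINISTIC or RANDOMIZED
       c.encryption_algorithm_name,
       cek.name AS column_encryption_key,
       cmk.key_store_provider_name,   -- e.g. MSSQL_CERTIFICATE_STORE, AZURE_KEY_VAULT
       cmk.key_path
FROM sys.columns AS c
JOIN sys.tables AS t ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY table_name, column_name;
```

Run the second query in each user database; the column encryption metadata is per-database, not server-wide.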

Row-Level Security

• Introduced in SQL Server 2016
• Uses functions to restrict table rows available to a user
• Older versions had to use views and stored procedures to emulate it
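The function-based mechanism described on the slide, as an added example (not from the deck): an inline table-valued predicate function bound to an assumed dbo.Orders table with a SalesRep column, applied by a security policy to both reads (FILTER) and inserts (BLOCK), followed by a functional test and the catalog query an auditor uses to confirm the policy is actually enabled. The Managers role and the user alice are assumed to exist.

```sql
-- Added example (not from the slides): row-level security on an assumed
-- dbo.Orders(SalesRep sysname, ...) table. A row is visible when the caller
-- is the rep on the row or belongs to the Managers database role.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()
              OR IS_MEMBER('Managers') = 1;
GO
-- FILTER hides rows from SELECT/UPDATE/DELETE; BLOCK ... AFTER INSERT stops a
-- rep from inserting an order under another rep's name.
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK PREDICATE  Security.fn_OrderPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Functional test: impersonate a rep (assumed user 'alice') and confirm that
-- only rows with SalesRep = 'alice' come back.
EXECUTE AS USER = 'alice';
SELECT COUNT(*) AS visible_rows, MIN(SalesRep) AS min_rep, MAX(SalesRep) AS max_rep
FROM dbo.Orders;
REVERT;
GO
-- Audit check: every policy, whether it is enabled, and the tables it covers.
-- A policy with is_enabled = 0 still exists in the catalog but protects nothing.
SELECT p.name AS policy_name,
       p.is_enabled,
       OBJECT_SCHEMA_NAME(pr.target_object_id) + '.'
           + OBJECT_NAME(pr.target_object_id) AS target_table,
       pr.predicate_type_desc,    -- FILTER or BLOCK
       pr.operation_desc,         -- AFTER INSERT, BEFORE UPDATE, ...
       pr.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS pr ON pr.object_id = p.object_id
ORDER BY policy_name, target_table;
```

Because the predicate runs as the calling user, a login that can ALTER the policy or the function can also switch the protection off, so those grants belong in the same review as the policy itself.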

Special Permissions

Server-level permissions:
• Apply to all databases, present and future

Introduced in SQL Server 2014:
• CONNECT ANY DATABASE
• SELECT ALL USER SECURABLES
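The usual defensive use of these two permissions, as an added example that is not from the slides: a custom server role that can read every current and future database without being sysadmin, plus the catalog queries that list who holds the permissions. The role name and the Windows login are placeholders.

```sql
-- Added example (not from the slides): a read-only audit role built from the
-- two SQL Server 2014 server-level permissions, then a review of who holds them.
-- AuditReaders and [CORP\audit-svc] are placeholder names.
CREATE SERVER ROLE AuditReaders;
GO
-- CONNECT ANY DATABASE: may enter every database, present and future, but
-- grants no access to objects inside them on its own.
GRANT CONNECT ANY DATABASE TO AuditReaders;
-- SELECT ALL USER SECURABLES: read every user table and view in every database.
-- The pair gives server-wide read without the write or control rights of sysadmin.
GRANT SELECT ALL USER SECURABLES TO AuditReaders;
GO
ALTER SERVER ROLE AuditReaders ADD MEMBER [CORP\audit-svc];
GO
-- Audit check 1: direct holders of either permission. Because they cover
-- databases that do not exist yet, a grant made years ago still matters.
SELECT pr.name AS grantee,
       pr.type_desc,                 -- SQL_LOGIN, WINDOWS_LOGIN, SERVER_ROLE, ...
       perm.permission_name,
       perm.state_desc               -- GRANT or DENY
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS pr ON pr.principal_id = perm.grantee_principal_id
WHERE perm.permission_name IN ('CONNECT ANY DATABASE', 'SELECT ALL USER SECURABLES')
ORDER BY perm.permission_name, grantee;

-- Audit check 2: logins that get the permissions indirectly through a role.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'AuditReaders'
ORDER BY member_name;
```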

Integrity

• Delayed durability
• Mark transaction as committed, even if logs have not been flushed
• Makes our ACID a little less ACID-ic

Integrity – Delayed Durability

May be set at:
• Database level
• Transaction level
• For in-memory natively compiled procedures

Database level

ALTER DATABASE dbname
SET DELAYED_DURABILITY = { DISABLED | ALLOWED | FORCED };

Transaction Level

COMMIT TRANSACTION WITH (DELAYED_DURABILITY = ON);

Atomic level

For natively compiled procedures used with in-memory OLTP:

BEGIN ATOMIC WITH (DELAYED_DURABILITY = ON, ...)

Delayed Durability Checking

• Database properties dialog, Options tab
• Query

Delayed Durability - Options

(screenshot of the database properties dialog, Options tab)

Delayed Durability – Query

SELECT name,
       DATABASEPROPERTYEX(name, 'DelayedDurability') AS DelayedDurability,
       DATABASEPROPERTYEX(name, 'Status') AS Status
FROM master.dbo.sysdatabases
ORDER BY name

Availability

For on-premise installations, a number of Azure availability options:
• Managed backups to Azure
• "Always On" availability groups with Azure replicas

Managed Backup to Azure

• Introduced in SQL Server 2014
• Automated backup to Azure "blob" storage container
• Similar to disk/tape backup, but stored in cloud
• "Backup to URL"

Backup to URL

BACKUP DATABASE TestDB
TO URL = 'https://<accountname>.blob.core.windows.net/<containername>/TestDB.bak'
WITH CREDENTIAL = '<mycredentialname>', COMPRESSION, STATS = 5;
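The credential that the slide's BACKUP ... WITH CREDENTIAL statement depends on, followed by the verification step that turns "test your backups" into a command, as an added example that is not from the deck. It uses the SQL Server 2014 storage-account-key credential form that matches the slide's syntax; account name, container name, credential name and access key are placeholders.

```sql
-- Added example (not from the slides): create the credential behind
-- BACKUP ... TO URL, take the backup, verify it, and audit URL backups.
-- <accountname>, <containername>, AzureBackupCred and the key are placeholders.
USE master;
GO
-- The SECRET is the storage account access key. Whoever holds it can read and
-- delete every backup in the account, so it needs the same custody as a TDE
-- certificate backup, and the credential should not be visible to app logins.
CREATE CREDENTIAL AzureBackupCred
    WITH IDENTITY = '<accountname>',
         SECRET   = '<storage account access key>';
GO
BACKUP DATABASE TestDB
    TO URL = 'https://<accountname>.blob.core.windows.net/<containername>/TestDB.bak'
    WITH CREDENTIAL = 'AzureBackupCred', COMPRESSION, CHECKSUM, STATS = 5;
GO
-- "TEST YOUR BACKUPS": RESTORE VERIFYONLY pulls the file back from blob storage
-- and validates its structure without restoring; CHECKSUM additionally
-- re-verifies the page checksums written by BACKUP ... WITH CHECKSUM.
RESTORE VERIFYONLY
    FROM URL = 'https://<accountname>.blob.core.windows.net/<containername>/TestDB.bak'
    WITH CREDENTIAL = 'AzureBackupCred', CHECKSUM;
GO
-- Audit check: which credentials exist (identity only; the secret is never
-- exposed) and which recent backups went to a URL device rather than local disk.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials;

SELECT bs.database_name,
       bs.backup_finish_date,
       bmf.device_type,              -- 2 = disk, 5 = tape, 9 = Azure Storage (URL)
       bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bmf.device_type = 9
ORDER BY bs.backup_finish_date DESC;
```

A clean RESTORE VERIFYONLY still only proves the file is readable; a periodic full RESTORE to a scratch instance is the test the slide is asking for.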

Always-On Azure Replicas

• Always-On availability groups used for database replication
• Replicas can be hosted in Azure
• Failover to on-premise or Azure replica

Conclusion

• Brief overview of interesting features
• Not exhaustive
• 2016 deployments a good time to re-check your DB environment

Questions

http://tinyurl.com/ISACAClay