
Page 1: Security

Being More Secure
SQL Server 2005

Don Vilen
Program Manager, SQL Server
Microsoft Corporation

Page 2: Security

Agenda

SQL Server Security Overview
  Background
  Principals, Securables, Permissions
Authentication
Authorization
Auditing
Encryption
Surface Area Reduction
Best practices

Page 3: Security

Some Relevant Information

SQL Server is Multi-instance Aware
  1 Default Instance, multiple named instances
Has the ability to listen on TCP, named pipes, VIA, HTTP (new in SQL 2005)
  More protocols were in SQL Server 2000
TCP 1433 and UDP 1434 reserved

Page 4: Security

SQL Server Security Modes

Windows® Authentication security mode
  Only accept logins using Windows NT® / Windows 2000 credentials
  Implements network-wide single sign-on
Mixed security mode
  Allows Windows logins
  Allows SQL Server-based logins
    Basic Authentication scheme

Page 5: Security

Logins

A Login gives you connection rights
Is contained in the master database
Server-wide scope
Server-level permissions grantable
Membership in server roles
New DDL: CREATE / ALTER / DROP LOGIN

Page 6: Security

Users

A database User allows entry into a database
Contained in every DB
Provides mapping to Logins
Specific to a single database
Membership in fixed or user-defined DB roles
New DDL: CREATE / ALTER / DROP USER

Page 7: Security

SQL Server Roles

Fixed server roles
  Flexible server administration
  Eg: Sysadmin, Serveradmin
Fixed database roles
  Flexible database administration
  Eg: db_ddladmin, db_owner
Flexible database roles
  Custom security combinations
Application roles
  Assign rights to applications instead of users

Page 8: Security

Application Roles

Database-specific roles that do not contain members
Require a password to be activated
  sp_setapprole
Once activated, users cannot access other databases
  Unless the guest account or public role has been created in the other database
New in SQL Server 2005: Ability to revert application roles
  sp_unsetapprole

Page 9: Security

What Are Principals?

(Diagram: Principals, Securables, Permissions)
Windows principals: Domain User Account, Local User Account, Windows Group
SQL Server principals: SQL Server Login, Server Role
Database principals: User, Database Role, Application Role, Group

Page 10: Security

What Are Securables?

(Diagram) Securables: Files, Registry Keys, Instance, Database, Schema

Page 11: Security

What Are Permissions?

(Diagram) Permissions: CREATE, ALTER, DROP, CONTROL, CONNECT, SELECT, EXECUTE, UPDATE, DELETE, INSERT, TAKE OWNERSHIP, VIEW DEFINITION, BACKUP
Applied with GRANT / DENY / REVOKE (the ACL)

Page 12: Security

Agenda

SQL Server Security Overview
Authentication
  Endpoints
  Password Policy
  SSL protection
Authorization
Auditing
Encryption
Surface Area Reduction
Best practices

Page 13: Security

Endpoint-Based Authentication

Endpoint:
  Point of entry into an instance
  Binds transport protocol to payload
HTTP, Service Broker, Database Mirroring
  Endpoints need to be explicitly created
  No permissions on endpoint by default
TCP, Named Pipes, Shared Memory
  Default endpoint created at start up
  CONNECT permissions granted to authenticated logins
  Permissions can be denied on a per endpoint basis

(Diagram)
Transport Protocols: Named pipes, Shared Memory, TCP, HTTP, VIA
Payloads: TDS, SOAP, SSB, Database Mirroring

Page 14: Security

SQL Server Security Model Using Endpoints

(Diagram of the connection sequence)
Network connection request / pre-login handshake: Connect to the SQL Server computer
Login authentication request to SQL Server: Establish login credentials; Authorize against Endpoint
Switch to a database and authorize access: Establish a database context
Attempt to perform some action: Verify permissions for all actions

Page 15: Security

Password Policy Enforcement

Enforcement of the following on logins
  Password Strength
  Password Expiration
  Account Lockouts
Follows local Windows password policy
  Supports consistent enterprise-wide policy
Approach
  New password policy check API
  Only available on Windows Server 2003 and above
  On previous versions, rudimentary complexity check

Page 16: Security

Login-Level Options

Server-Side
  Check_Policy – Default ON
  Check_Expiration – Default OFF
  MUST_CHANGE – SQL Server logins only
  DISABLE
Client-Side Support
  Password change at login
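The login, user and endpoint DDL from the Logins, Users, Endpoint-Based Authentication and Login-Level Options slides, as an added example that is not from the deck; AppUser1, AppDb, DOMAIN\AppServiceAccount and the password are placeholders, and AppDb is assumed to exist.

```sql
-- Constructed example (not from the deck). All names and passwords are placeholders.
-- A SQL Server login that inherits the Windows password policy (CHECK_POLICY, default ON),
-- expires passwords (CHECK_EXPIRATION, default OFF so it must be requested) and forces a
-- change at first connection (MUST_CHANGE requires both of the other options to be ON).
CREATE LOGIN AppUser1
    WITH PASSWORD = 'Initial-Placeholder-P@ss1!' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY     = ON,
         DEFAULT_DATABASE = AppDb;
GO
-- A Windows login carries no password options: authentication is delegated to Windows.
CREATE LOGIN [DOMAIN\AppServiceAccount] FROM WINDOWS WITH DEFAULT_DATABASE = AppDb;
GO
-- The login only grants the right to connect; entry to a database needs a user mapped to it.
USE AppDb;
GO
CREATE USER AppUser1   FOR LOGIN AppUser1;
CREATE USER AppService FOR LOGIN [DOMAIN\AppServiceAccount];
EXEC sp_addrolemember 'db_datareader', 'AppUser1';   -- fixed database role membership
GO
-- Per-endpoint CONNECT control: keep TCP, but refuse this login on the default named pipes endpoint.
USE master;
GO
DENY CONNECT ON ENDPOINT::[TSQL Named Pipes] TO AppUser1;
GO
-- Disable rather than drop a login while investigating; the SID and user mappings survive.
ALTER LOGIN AppUser1 DISABLE;
-- ALTER LOGIN AppUser1 ENABLE;   -- once cleared
GO
-- Check: SQL logins that bypass the policy or expiration checks, or are currently disabled.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0 OR is_disabled = 1
ORDER BY name;
-- Check: endpoint permissions recorded for this login.
SELECT e.name AS endpoint, pe.state_desc, pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.endpoints AS e ON e.endpoint_id = pe.major_id
WHERE pe.class_desc = 'ENDPOINT'
  AND pe.grantee_principal_id = SUSER_ID('AppUser1');
```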

Page 17: Security

Protecting SQL Credentials

Requires a secure channel
  IPSEC, SSL
In previous releases required admin to set up SSL / IPSEC certificate
  Not secure by default
In SQL Server 2005
  SSL certificate automatically generated
  Prevents passive man-in-the-middle attacks

Page 18: Security

Protecting the Channel

(Diagram: two SQL Servers, DB1 and DB2; transfer of un-encrypted data exposes the Username and password on the wire)

Page 19: Security

Protecting the Channel

(Diagram: DB1 and DB2 on SQL Server; the Username and password transfer over an encrypted channel)

Page 20: Security

Encryption Over the Wire

Login Credentials Encryption
  Uses SSL certificate from certificate store (if available)
    Can be explicitly chosen using Certificate Picker
  Otherwise, will use SQL-generated certificate
Data packets can be encrypted
  Server-Side Option: ‘Force Protocol Encryption’
  Client-Side: Encryption with or without certificate validation

Page 21: Security

Agenda

SQL Server Security Overview
Authentication
Authorization
  Permissions and Scopes
  Schemas
  Ownership Chaining and Execution Context
Auditing
Encryption
Surface Area Reduction
Best practices

Page 22: Security

Granular Permissions

Principle of Least Privilege
Multiple permissions – various scopes
  Choice of permission granularity and scope
Scopes
  Server: Example: ALTER ANY LINKED SERVER
  Database: Example: CREATE TABLE
  Schema: Example: ALTER
  Object: Example: SELECT
Permission Granularity:
  Example: ALTER permission on an object
  Example: ALTER TRACE permission

Page 23: Security

Schemas

New in SQL Server 2005
Fully qualified names
  SQL Server 2000: Server.Database.Owner.Object
  SQL Server 2005: Server.Database.Schema.Object
Users (owners) and schemas have been separated
  Were the same in previous releases
  Objects contained in schemas
Separation allows for better security management
Offers better namespace management from application perspective

Page 24: Security

General Permissions Scheme

Grantee
  Logins for server-level permissions
  Database principals for database-level permissions
Securable
  Entity to be secured
  Example: Tables, assemblies, databases, server, etc…
Same permission can be at multiple scopes
  Example: CONTROL at schema or table level
DENY at any level always takes precedence

Page 25: Security

Scope and Granularity

(Diagram) Database contains Schema 1, Schema 2, Schema 3; Schema 1 contains Table1, View1, View 2, Stored Proc, Function

Page 26: Security

Covering Permissions

Permissions can be derived from grants at higher scope
  Example: EXECUTE granted at schema level
Permissions can be implied by other permissions
  Example: CONTROL on a table implies SELECT
sys.fn_my_permissions()
  Ability to find out what permissions a user has

Page 27: Security

Where are permissions recorded?

sys.server_permissions
  Server-level permissions
sys.database_permissions
  Database-level permissions
sys.securable_classes
  Lists all securables
sys.fn_builtin_permissions
  Shows all permissions grantable on a securable
  Includes covering permissions
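Scope, DENY precedence, covering permissions and the catalog objects from the Granular Permissions, General Permissions Scheme, Covering Permissions and "Where are permissions recorded?" slides, worked through as an added example that is not from the deck; ReportReader, the Reporting schema and its two tables are placeholders, run in a test database as its owner.

```sql
-- Constructed example (not from the deck); ReportReader, Reporting, Sales and Payroll are placeholders.
CREATE USER ReportReader WITHOUT LOGIN;
GO
CREATE SCHEMA Reporting AUTHORIZATION dbo;
GO
CREATE TABLE Reporting.Sales   (SaleId int PRIMARY KEY, Amount money);
CREATE TABLE Reporting.Payroll (EmpId  int PRIMARY KEY, Salary money);
GO
-- Scope: one grant at the schema covers every object in it, present and future.
GRANT SELECT ON SCHEMA::Reporting TO ReportReader;
-- A DENY at the narrower object scope always wins over the broader GRANT.
DENY SELECT ON OBJECT::Reporting.Payroll TO ReportReader;
-- Covering: CONTROL on Sales implies SELECT, INSERT, UPDATE, DELETE, ALTER ... on that one table.
GRANT CONTROL ON OBJECT::Reporting.Sales TO ReportReader;
GO
-- Effective permissions, evaluated as the user (impersonation needs IMPERSONATE or dbo rights).
EXECUTE AS USER = 'ReportReader';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('Reporting.Sales', 'OBJECT');
    -- CONTROL plus everything it covers
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('Reporting.Payroll', 'OBJECT');
    -- no rows: the object-level DENY overrides the schema-level GRANT
REVERT;
GO
-- Where the database-level entries are recorded.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
            ELSE CAST(pe.major_id AS varchar(10))
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'ReportReader';
-- Which permissions exist on a schema securable, and which broader permission covers each.
SELECT permission_name, covering_permission_name, parent_class_desc, parent_covering_permission_name
FROM sys.fn_builtin_permissions('SCHEMA')
ORDER BY permission_name;
```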

Page 28: Security

Ownership Chaining and Execution Context

(Diagram, SQL Server 2000)
User3 calls User1.Proc1, which reads User1.T1
  Execute Permissions checked for User3
  NO Permissions checked for User3 on User1.T1 (same owner, so the ownership chain is unbroken)
User3 calls User2.Proc1, which reads User1.T1
  Execute Permissions checked for User3
  Select Permissions checked for User3 (different owners, so the chain breaks)
(Diagram, SQL Server 2005)
User3 calls User2.Proc1, defined with ‘Execute AS ‘X’’, which reads User1.T1
  Execute Permissions checked for User3
  Select Permissions checked for ‘X’, not for User3

Page 29: Security

Module Execution Context

Ability to choose execution context of modules
  Stored procedures, functions, triggers
  Include WITH EXECUTE AS in module definition
No need to rely on ownership chaining to get ‘upfront permission check’ behavior
  Ownership chaining rules still apply however
Permissions checked against current execution context
Option available for dynamic SQL as well
  EXECUTE ('…') AS USER = 'User1';
Execution context maintained in the sys.sql_modules catalog view

Page 30: Security

Module Execution Context

    CREATE PROCEDURE dbo.usp_Demo
    WITH EXECUTE AS 'Domain\SqlUsr1'
    AS SELECT user_name();

Execute AS CALLER
  Statements execute as immediate calling context
  Default behavior, similar to SQL Server 2000
Execute AS ‘UserName’
  Statements execute as the username specified
  Impersonate permission required on user specified
Execute AS SELF
  Statements execute as the creator/modifier of the module
Execute AS OWNER
  Statements execute as the current owner of the module

Page 31: Security

Using Execute As to create permission buckets

Scenario: Database Admin wants to delegate the ability to truncate a set of tables each night
Problem:
  Truncate is not a grantable permission
  Closest covering permission is ALTER, but that is too high and gives other ability
Solution: Execute As to the rescue
  Create a Proc that truncates the table
  Mark it to execute as a user with ALTER permissions
  Grant execute permission to the target user
Result: You’ve just made Truncate a grantable permission!!!
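The permission-bucket procedure from the scenario above, as an added example that is not from the deck; NightlyJob, the staging tables and the procedure name are placeholders, and the procedure is assumed to be owned by dbo.

```sql
-- Constructed example (not from the deck): NightlyJob, the tables and the procedure are placeholders.
CREATE USER NightlyJob WITHOUT LOGIN;
GO
CREATE TABLE dbo.StagingOrders (OrderId int, Payload varchar(200));
CREATE TABLE dbo.StagingItems  (ItemId  int, Payload varchar(200));
GO
-- TRUNCATE needs ALTER on the table. Instead of granting ALTER, the procedure runs as its
-- owner (dbo), who already holds it; the caller needs only EXECUTE on this one procedure.
CREATE PROCEDURE dbo.usp_TruncateStaging
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    TRUNCATE TABLE dbo.StagingOrders;
    TRUNCATE TABLE dbo.StagingItems;
    -- EXECUTE AS switches the context that is permission-checked, not the audited identity.
    PRINT 'Staging truncated; original login: ' + ORIGINAL_LOGIN();
END;
GO
GRANT EXECUTE ON OBJECT::dbo.usp_TruncateStaging TO NightlyJob;
GO
-- Verify the bucket as the delegate: the procedure works, the table itself stays out of reach.
EXECUTE AS USER = 'NightlyJob';
EXEC dbo.usp_TruncateStaging;    -- succeeds through the bucket
SELECT permission_name
FROM sys.fn_my_permissions('dbo.StagingOrders', 'OBJECT');      -- no rows: no ALTER, so no TRUNCATE
SELECT permission_name
FROM sys.fn_my_permissions('dbo.usp_TruncateStaging', 'OBJECT'); -- EXECUTE only
REVERT;
```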

Page 32: Security

Creating Custom Permission Sets

(Diagram) User3 calls User2.Proc1, defined with Execute AS 'X', which reads User1.Table1
  Execute permissions checked for User3
  Select permissions checked for 'X', not for User3
Original Login always audited

Page 33: Security

Cross-Database Ownership Chaining

(Diagram) Login1 is mapped to End_User in two databases, each with DB_Chaining = 1, on a server with Cross DB Ownership Chaining = 1
  End_User calls User1.SP1, which reads User1.Tab1 in the other database
  Execute Permissions checked for End_User
  No Permissions checked on User1.Tab1
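The two switches the diagram above depends on, with the server-wide setting beside the narrower per-database one, as an added example that is not from the deck; SalesDB and ReportsDB are placeholder database names.

```sql
-- Constructed example (not from the deck); SalesDB and ReportsDB are placeholders.
-- Server-wide switch, default 0: turning it on lets every database chain to every other.
EXEC sp_configure 'cross db ownership chaining';

-- Narrower alternative: leave the server option off and enable DB_CHAINING only on the
-- databases that actually share owners and need to chain (the slide's DB_Chaining = 1).
ALTER DATABASE SalesDB   SET DB_CHAINING ON;
ALTER DATABASE ReportsDB SET DB_CHAINING ON;

-- Review: which databases participate, and who owns them. Chaining trusts the owner SID,
-- so two databases owned by different logins never chain even with the option on.
SELECT d.name,
       d.is_db_chaining_on,
       d.is_trustworthy_on,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
ORDER BY d.is_db_chaining_on DESC, d.name;
```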

Page 34: Security

Agenda

SQL Server Security Overview
Authentication
Authorization
Auditing
Encryption
Surface Area Reduction
Best practices

Page 35: Security

But what about metadata?

System tables implemented as views: catalog views
Metadata is secured by default
  Minimal permissions to public
  Catalog views are row-level secured
  Need to be owner or have some permission on object to see it in catalog view
  SA can see everything in server
  DBO can see everything in database
New permission to allow viewing of metadata
  VIEW DEFINITION
  Applicable at object level, schema level, database and server level
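Row-level catalog security and the VIEW DEFINITION permission from the slide above, shown as an added example that is not from the deck; MetaReader and dbo.Customers are placeholders, run in a test database as its owner.

```sql
-- Constructed example (not from the deck); MetaReader and dbo.Customers are placeholders.
CREATE USER MetaReader WITHOUT LOGIN;
GO
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100));
GO
-- Before any grant: the catalog view is filtered per principal, so the table is invisible.
EXECUTE AS USER = 'MetaReader';
SELECT name FROM sys.tables WHERE name = 'Customers';   -- no rows
REVERT;
GO
-- VIEW DEFINITION exposes existence and definition without granting access to the rows.
GRANT VIEW DEFINITION ON OBJECT::dbo.Customers TO MetaReader;
GO
EXECUTE AS USER = 'MetaReader';
SELECT name FROM sys.tables WHERE name = 'Customers';   -- Customers is now listed
SELECT permission_name
FROM sys.fn_my_permissions('dbo.Customers', 'OBJECT');  -- VIEW DEFINITION only, no SELECT
REVERT;
GO
-- The same permission at wider scopes: a whole schema, or the whole database.
GRANT VIEW DEFINITION ON SCHEMA::dbo TO MetaReader;
GRANT VIEW DEFINITION TO MetaReader;
GO
-- Audit: who holds VIEW DEFINITION, and at which scope.
SELECT pr.name AS grantee, pe.class_desc, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'VIEW DEFINITION';
```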

Page 36: Security

Data Access Audit

SQL Trace – the server side of profiling
  Auditing is performed by SQL Trace – internal to SQL Server
  Exposed through stored procedures
  Can be called directly or through the SQL Server Profiler UI
SQL Server 2005 introduces new audit events around impersonation and schema management

Page 37: Security

Login Auditing

Record of login activity
  Necessary to keep track of potential brute force attempts
SQL Server 2005 defaults to auditing failed login attempts
Audit events written to error log and Windows application log
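The stored-procedure interface to SQL Trace from the Data Access Audit slide, used to capture the failed-login events this slide describes, plus a query that surfaces brute-force bursts; an added example that is not from the deck, assuming C:\Traces is a placeholder path the service account can write to.

```sql
-- Constructed example (not from the deck). C:\Traces is a placeholder path.
-- 1. The default: failed logins already go to the error log, so the quickest check reads it.
--    (The search-string parameters of xp_readerrorlog are undocumented but long-standing.)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
GO
-- 2. A server-side trace that records only Audit Login Failed (event class 20),
--    rolling over to a new file every 50 MB so it cannot fill the disk in one file.
DECLARE @TraceID int, @maxsize bigint, @rc int, @on bit;
SET @maxsize = 50;
SET @on = 1;
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2 /* TRACE_FILE_ROLLOVER */,
                           N'C:\Traces\login_audit', @maxsize, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END;
-- Column ids: 1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--             11 LoginName, 12 SPID, 14 StartTime
EXEC sp_trace_setevent @TraceID, 20, 1,  @on;
EXEC sp_trace_setevent @TraceID, 20, 6,  @on;
EXEC sp_trace_setevent @TraceID, 20, 8,  @on;
EXEC sp_trace_setevent @TraceID, 20, 10, @on;
EXEC sp_trace_setevent @TraceID, 20, 11, @on;
EXEC sp_trace_setevent @TraceID, 20, 12, @on;
EXEC sp_trace_setevent @TraceID, 20, 14, @on;
EXEC sp_trace_setstatus @TraceID, 1;   -- 1 = start (0 = stop, 2 = close and delete the definition)
SELECT @TraceID AS TraceID;            -- keep this id to stop the trace later
GO
-- 3. Detection: failed logins per source host and login name, in 10-minute buckets.
--    A run of 20 or more against one login from one host is a reasonable threshold to alert on.
SELECT HostName, LoginName,
       DATEADD(minute, 10 * (DATEDIFF(minute, 0, StartTime) / 10), 0) AS bucket_start,
       COUNT(*) AS failures
FROM fn_trace_gettable(N'C:\Traces\login_audit.trc', DEFAULT)
WHERE EventClass = 20
GROUP BY HostName, LoginName,
         DATEADD(minute, 10 * (DATEDIFF(minute, 0, StartTime) / 10), 0)
HAVING COUNT(*) >= 20
ORDER BY failures DESC, bucket_start;
```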

Page 38: Security

Custom Auditing

DML triggers
  Can be used to audit data modifications in a custom manner
DDL triggers
  New in SQL Server 2005
  Custom audit DDL changes
Event notifications
  Uses Service Broker
  Asynchronous audit of operations

    USE AdventureWorks
    GO
    CREATE EVENT NOTIFICATION NotifyALTER_T1
    ON DATABASE
    FOR ALTER_TABLE
    TO SERVICE '//AdventureWorks.com/ArchiveService',
               '8140a771-3c4b-4479-8ac0-81008ab17984';
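A DDL trigger of the kind the slide lists, recording every database-level DDL event to an audit table together with the original login behind any EXECUTE AS; an added example that is not from the deck, with dbo.DdlAudit and trg_AuditDdl as placeholder names.

```sql
-- Constructed example (not from the deck); dbo.DdlAudit and trg_AuditDdl are placeholders.
CREATE TABLE dbo.DdlAudit (
    AuditId       int IDENTITY(1,1) PRIMARY KEY,
    EventTime     datetime      NOT NULL,
    EventType     nvarchar(100) NOT NULL,
    LoginName     nvarchar(128) NOT NULL,   -- login as reported in the event
    OriginalLogin nvarchar(128) NOT NULL,   -- ORIGINAL_LOGIN(): unaffected by EXECUTE AS
    ObjectName    nvarchar(300) NULL,
    CommandText   nvarchar(max) NULL,
    EventXml      xml           NOT NULL    -- full EVENTDATA() payload for later forensics
);
GO
CREATE TRIGGER trg_AuditDdl
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();
    -- If this INSERT fails (for example because someone drops the audit table),
    -- the trigger error rolls the DDL statement back: the audit fails closed.
    INSERT dbo.DdlAudit (EventTime, EventType, LoginName, OriginalLogin,
                         ObjectName, CommandText, EventXml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/PostTime)[1]',   'datetime'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(100)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        ORIGINAL_LOGIN(),
        COALESCE(@e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + '.', '')
            + COALESCE(@e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'), ''),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e);
END;
GO
-- Exercise it with a couple of constructed DDL statements and read the trail back.
CREATE TABLE dbo.T1 (Id int);
ALTER TABLE dbo.T1 ADD Note varchar(50);
SELECT AuditId, EventTime, EventType, LoginName, OriginalLogin, ObjectName, CommandText
FROM dbo.DdlAudit
ORDER BY AuditId;
```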

Page 39: Security

Agenda

SQL Server Security Overview
Authentication
Authorization
Auditing
Encryption
Surface Area Reduction
Best practices

Page 40: Security

Data Encryption

Why consider encryption?
  Additional layer of security
  Required by some regulatory compliance laws
In SQL Server 2000, vendor support required
In SQL Server 2005
  Built-in support for data encryption
  Support for key management

Page 41: Security

Cryptography 101

(Diagram) Symmetric Key Encryption: one key both encrypts 1234-5678-1234-5678 into 0x0088840517080E4FA2… and decrypts it back
(Diagram) Asymmetric Key Encryption: Encryption with Public Key, Decryption with Private Key

Page 42: Security

Encryption and Decryption Built-in Functions

EncryptByKey ( )
EncryptByAsymKey ( )
EncryptByCert ( )
EncryptByPassPhrase ( )
Each with corresponding DecryptByXxx ( )

    ALTER TABLE HumanResources.Employee
        ADD EncryptedNatIDNumber varbinary(128)
    -- Open the symmetric key to encrypt data
    OPEN SYMMETRIC KEY SSN_Key_01
        DECRYPTION BY CERTIFICATE HR037;
    -- Encrypt the value in column NationalIDNumber
    -- with symmetric key SSN_Key_01, saving the
    -- result in column EncryptedNatIDNumber
    UPDATE HumanResources.Employee
    SET EncryptedNatIDNumber = EncryptByKey( Key_GUID('SSN_Key_01'), NationalIDNumber );

Page 43: Security

SQL Server 2005 support

Encryption and Decryption built-ins
DDL for creation of
  Symmetric Keys
  Asymmetric Keys and Certificates
Symmetric Keys and Private Keys are always stored encrypted
Securing the Keys themselves
  Based on user passwords
  Automatic, using SQL Server key management

Page 44: Security

It’s all about the Keys

Encryption keys need to be protected
Some keys need to be backed up
  If the keys are lost, data may be lost
  Therefore, ability to restore keys must exist
Keys may need to be regenerated
  In case of compromise of the keys
Keys may need to be shared across systems
  In the case where encrypted data is being shared

Page 45: Security

Encryption Support

(Diagram of the key hierarchy)
Key
  Database entity created by CREATE KEY DDL
  Always stored encrypted
  Secured in one of three ways: Another key, User Password, Certificate
Certificate (Public Key, Private Key)
  Database entity created by CREATE CERTIFICATE DDL
  Private keys always stored encrypted
  Secured in one of two ways: Password, Master Key
Master Key
  Secured By Password
  Wraps the …
Service Key
  Secured By DPAPI
  Associated with…

Page 46: Security

Database Master Key

Secures private keys inside the database
Explicitly created by owner of the database
Support for regeneration and recovery
  ALTER MASTER KEY DDL
  BACKUP / RESTORE MASTER KEY DDL
Always secured using user password
  Stored in the database
Can also be secured using Service Master Key
Always take a backup!

Page 47: Security

Service Master Key

Used to secure system data
  Linked server passwords
  Database Master keys
  Proxy credentials
Created upon first use
Support for regeneration and recovery
  ALTER SERVICE MASTER KEY DDL
  BACKUP / RESTORE SERVICE MASTER KEY DDL
Secured using DPAPI
  The service account’s credentials
Always take a backup!
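The whole hierarchy from the Encryption Support, Database Master Key and Service Master Key slides, walked end to end (master key, certificate, symmetric key, EncryptByKey / DecryptByKey, and the backups the slides insist on) as an added example that is not from the deck; HRDemo, the table, the passwords and the C:\KeyBackups paths are placeholders, and the backup directory is assumed writable by the service account.

```sql
-- Constructed example (not from the deck). Database, table, passwords and paths are placeholders.
USE HRDemo;
GO
-- 1. Database master key: password-protected, and by default also protected by the
--    service master key so the server can open it automatically.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-Placeholder-P@ssw0rd!';
BACKUP MASTER KEY TO FILE = 'C:\KeyBackups\HRDemo_dmk.bak'
    ENCRYPTION BY PASSWORD = 'DmkBackup-Placeholder-P@ssw0rd!';
GO
-- 2. Certificate whose private key is stored encrypted by the master key.
CREATE CERTIFICATE HR037 WITH SUBJECT = 'Protects HR symmetric keys';
BACKUP CERTIFICATE HR037 TO FILE = 'C:\KeyBackups\HR037.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackups\HR037.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk-Placeholder-P@ssw0rd!');
GO
-- 3. Symmetric key, the one that actually encrypts data, wrapped by the certificate.
CREATE SYMMETRIC KEY SSN_Key_01
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE HR037;
GO
CREATE TABLE dbo.Employee (
    EmployeeId       int IDENTITY(1,1) PRIMARY KEY,
    NationalIDNumber nvarchar(15)   NULL,
    EncryptedNatID   varbinary(256) NULL);   -- header + IV + padded blocks + authenticator hash
INSERT dbo.Employee (NationalIDNumber) VALUES (N'123-45-6789');  -- constructed sample values
INSERT dbo.Employee (NationalIDNumber) VALUES (N'987-65-4321');
GO
-- 4. Encrypt. The authenticator binds each ciphertext to its row, so a value copied from
--    one row into another decrypts to NULL instead of a valid but wrong identifier.
OPEN SYMMETRIC KEY SSN_Key_01 DECRYPTION BY CERTIFICATE HR037;
UPDATE dbo.Employee
SET EncryptedNatID   = EncryptByKey(Key_GUID('SSN_Key_01'), NationalIDNumber, 1,
                                    HashBytes('SHA1', CONVERT(varbinary, EmployeeId))),
    NationalIDNumber = NULL;   -- do not leave the plaintext beside the ciphertext
-- 5. Decrypt. DecryptByKey returns NULL when the key is not open or the authenticator fails.
SELECT EmployeeId,
       CONVERT(nvarchar(15), DecryptByKey(EncryptedNatID, 1,
                                          HashBytes('SHA1', CONVERT(varbinary, EmployeeId)))) AS NationalIDNumber
FROM dbo.Employee;
CLOSE SYMMETRIC KEY SSN_Key_01;
GO
-- 6. The service master key protects the database master key; back it up too.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\KeyBackups\smk.bak'
    ENCRYPTION BY PASSWORD = 'Smk-Placeholder-P@ssw0rd!';
```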

Page 48: Security

Agenda

SQL Server Security Overview
Authentication
Authorization
Auditing
Encryption
Surface Area Reduction
Best practices

Page 49: Security

Surface Area Configuration

Secure By Default on new installs
  Minimal default surface area
  Default install image that is safe and usable
Heterogeneity in our install base
  Poses hurdles for large-scale exploits
More administrator control
  Choice to run features only as needed
  To lock down features centrally and easily
Reduction in administrative complexity

Page 50: Security

Approach

Install-time options
  Admin choice of services to install at setup time
Disabled/Stopped Services:
  Helper services installed as part of another service
  Typically help with specific features
  Eg: MSADHelper, Browser, SQL Writer, Agent, etc.
  These are disabled and stopped by default
Feature-level knobs
  On/Off switches for specific features (old and new)
  Features requiring explicit configuration
Network Communication
  Knobs to turn on or off specific communication protocols

Page 51: Security

Surface Area Configuration

(Diagram of the SQL Server Box)
Services: SQL Server Service, SQL Server Agent, Integration Services, Reporting Services, Analysis Services, Notification Services, Fulltext / MSSearch
Helper Services: MSADHelper Service, SQL Writer Service, SQL Browser Service
Communication Protocols: Communication Protocols and Endpoints, Local Only Connections, Allow Anonymous Connections
Components: Ad hoc DQ, Ad hoc OpenRowset Queries, xp_cmdshell, OLE Automation SPs, SMO/DMO XPs, SQLiMail XPs, SQLMail XPs, CLR, Webtasks XPs, COM User-Defined Functions, Web Service Requests, Scheduled Events and Report Delivery, Remote Partitions and Linked Objects

Page 52: Security

Surface Area Configuration Tool

Tool to centrally control the SQL Server surface area
Launch-able from setup
Available in Start menu
Provides some guidance when turning features on or off
Scripting capability
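The scripted form of the feature-level knobs behind the tool, with a report of anything left enabled and of the listening endpoints; an added example that is not from the deck, using only sp_configure option names that exist in SQL Server 2005.

```sql
-- Constructed example (not from the deck). These knobs are advanced options, so expose them first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO
-- Turn each optional component off unless a documented requirement exists (0 = off).
EXEC sp_configure 'xp_cmdshell',                0;
EXEC sp_configure 'Ole Automation Procedures',  0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;   -- OPENROWSET / OPENDATASOURCE
EXEC sp_configure 'clr enabled',                0;
EXEC sp_configure 'SQL Mail XPs',               0;
EXEC sp_configure 'Database Mail XPs',          0;
EXEC sp_configure 'Web Assistant Procedures',   0;
RECONFIGURE;
GO
-- Report: knobs that are on, or that were changed but not yet applied (value <> value_in_use).
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries',
               'clr enabled', 'SQL Mail XPs', 'Database Mail XPs',
               'Web Assistant Procedures', 'remote admin connections', 'Agent XPs')
  AND (value_in_use <> 0 OR value <> value_in_use)
ORDER BY name;
-- Network surface: which endpoints exist, on which protocol, and whether they are started.
SELECT name, protocol_desc, type_desc, state_desc, is_admin_endpoint
FROM sys.endpoints
ORDER BY protocol_desc, name;
```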

Page 53: Security

Agenda

SQL Server Security Overview
Authentication
Authorization
Auditing
Encryption
Surface Area Reduction
Best Practices
  Security Diagnostics
  Secure Installation
  Secure Operations

Page 54: Security

Security Diagnostics…
Run MBSA periodically
Scan for and remove accounts with NULL passwords and where check_policy is off
Remove unused logins
Scan for objects with permissions granted to public
Verify login-user mapping
  Interesting in attach/detach scenarios
  sp_change_users_login with report option
Enumerate membership in privileged roles
  Ensure membership to trusted individuals only
Ensure start-up procedures are safe and trusted
Periodically scan the surface area that is enabled
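The checks on this slide written out as T-SQL against the SQL Server 2005 catalog views, as an added example that is not part of the presentation. It assumes a sysadmin connection (so every view returns all rows) and that sections 3 and 4 are run inside each user database; the option names in the last query are my selection, not the slide's.

```sql
-- Added example, not from the presentation: T-SQL for the diagnostics above.
-- Assumes SQL Server 2005 catalog views and a sysadmin connection, so that
-- every view returns all rows. Run sections 3 and 4 inside each user database.

-- 1. SQL logins with a blank password, or created WITH CHECK_POLICY = OFF.
--    PWDCOMPARE tests a cleartext candidate against the stored hash.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR is_policy_checked = 0;

-- 2. Membership in the privileged fixed server roles. Everyone listed
--    here should be a known, trusted individual (or a tightly held group).
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'processadmin')
ORDER BY r.name, m.name;

-- 3. User objects in the current database with permissions granted to public
--    (class 1 = object or column).
SELECT s.name + '.' + o.name AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE p.class = 1
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND o.is_ms_shipped = 0;

-- 4. Orphaned users after attach/detach: database users whose SID matches
--    no login on this server (the report option mentioned on the slide).
EXEC sp_change_users_login 'Report';

-- 5. Procedures flagged to run automatically at start-up (these live in master).
SELECT name
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 6. Surface-area options that should normally stay at 0; the option names
--    listed here are my selection, not the slide's.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled',
               'SQL Mail XPs', 'Database Mail XPs', 'remote access');
```

Section 4 covers SQL Server logins only; Windows users are matched by SID automatically and never appear in that report.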

Page 55: Security

Secure Installation
Physical security
  Protect all related systems, media, backups, etc.
Never place RDBMS unprotected on the network
  Firewall protected
  Software mediating database access
Install on NTFS file system
  This allows securing the files appropriately
Isolate Services
  Do not install on a Domain Controller
Use low privilege service account
  Do not use LocalSystem, Local or Domain Administrator
  Prevents a compromised database from being used to bootstrap access to the rest of the enterprise
Latest code is most secure code
  Apply latest service packs and security patches!

Page 56: Security

Secure Operations (1 of 2)
Run the prescribed security diagnostics periodically
Only configure and run needed features
  xp_cmdshell usage
Do not change default permissions
Never set proxy account to administrator
  In SQL Server 2005 proxy account does not require service account to be admin
Smallest possible admin groups
Changing service accounts
  Use SQL Server Tools
Disallow direct catalog updates

Page 57: Security

Secure Operations (2 of 2)
Media security including backups
  Have aggressive backup policy
  Test disaster recovery system
Turn on appropriate level of auditing
  Track critical user actions at a minimum
  Keep overhead at a minimum
Encryption options
  Protect sensitive data over the wire
    Use SSL, IPSEC etc.
  File-level encryption
    Prevents illicit copying of database files
    SQL Server supports Encrypted File System (EFS)

Page 58: Security

Summary
SQL Server Security Overview
  Background
  Principals, Securables, Permissions
Authentication
  Endpoints
  Password Policy
  SSL protection
Authorization
  Permissions and Scopes
  Schemas
  Ownership Chaining and Execution Context
Auditing
Encryption
Surface Area Reduction
Best Practices

Page 59: Security

For More Information
SQL Server Books Online
Whitepapers
  Security in SQL Server 2005
MSDN and TechNet webcasts

Page 60: Security

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.