Being More Secure: SQL Server 2005
Don Vilen, Program Manager, SQL Server, Microsoft Corporation
Agenda
• SQL Server Security Overview
  - Background
  - Principals, Securables, Permissions
• Authentication
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
Some Relevant Information
• SQL Server is multi-instance aware
  - 1 default instance, multiple named instances
• Has the ability to listen on TCP, named pipes, VIA, HTTP (new in SQL 2005)
  - More protocols were in SQL Server 2000
• TCP 1433 and UDP 1434 reserved
SQL Server Security Modes
• Windows® Authentication security mode
  - Only accepts logins using Windows NT® / Windows 2000 credentials
  - Implements network-wide single sign-on
• Mixed security mode
  - Allows Windows logins
  - Allows SQL Server-based logins
    - Basic Authentication scheme
Logins
• A Login gives you connection rights
• Is contained in the master database
• Server-wide scope
• Server-level permissions grantable
• Membership in server roles
• New DDL: CREATE / ALTER / DROP LOGIN
Users
• A database User allows entry into a database
• Contained in every DB
• Provides mapping to Logins
• Specific to a single database
• Membership in fixed or user-defined DB roles
• New DDL: CREATE / ALTER / DROP USER
SQL Server Roles
• Fixed server roles
  - Flexible server administration
  - Eg: sysadmin, serveradmin
• Fixed database roles
  - Flexible database administration
  - Eg: db_ddladmin, db_owner
• Flexible database roles
  - Custom security combinations
• Application roles
  - Assign rights to applications instead of users
Application Roles
• Database-specific roles that do not contain members
• Require a password to be activated: sp_setapprole
• Once activated, users cannot access other databases
  - Unless the guest account or public role has been created in the other database
• New in SQL Server 2005: ability to revert application roles: sp_unsetapprole
What Are Principals?
[Diagram: Principals are granted Permissions on Securables]
• Windows principals: Domain User Account, Local User Account, Windows Group
• SQL Server principals: SQL Server Login, Server Role
• Database principals: User, Database Role, Application Role, Group
What Are Securables?
[Diagram: the same Principals / Permissions / Securables picture, with the securable hierarchy expanded]
• Outside SQL Server: Files, Registry Keys
• Inside SQL Server: Instance, Database, Schema (and the objects contained in a schema)
What Are Permissions?
• CREATE, ALTER, DROP, CONTROL, CONNECT, SELECT, EXECUTE, UPDATE, DELETE, INSERT, TAKE OWNERSHIP, VIEW DEFINITION, BACKUP
• Applied with GRANT / DENY / REVOKE
• Stored as an ACL on the securable
Agenda
• SQL Server Security Overview
• Authentication
  - Endpoints
  - Password Policy
  - SSL protection
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
Endpoint-Based Authentication
• Endpoint:
  - Point of entry into an instance
  - Binds a transport protocol to a payload
• HTTP, Service Broker, Database Mirroring
  - Endpoints need to be explicitly created
  - No permissions on the endpoint by default
• TCP, Named Pipes, Shared Memory
  - Default endpoint created at start up
  - CONNECT permission granted to authenticated logins
  - Permissions can be denied on a per-endpoint basis
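The per-endpoint deny described above, as an added example that is not part of the original deck: it lists the instance's endpoints, denies one login the named pipes endpoint it should not be using, and reads the result back from sys.server_permissions. The login name AppReader is hypothetical; the endpoint name [TSQL Named Pipes] is one of the system TDS endpoints SQL Server 2005 creates at start up.

```sql
-- Added example (not from the deck). Which endpoints exist, on which
-- protocol, carrying which payload, and whether they are started.
SELECT e.name, e.protocol_desc, e.type_desc, e.state_desc
FROM sys.endpoints AS e;
GO
-- The default TDS endpoints grant CONNECT to every authenticated login
-- through public. A login that must only reach the instance over TCP can be
-- denied the named pipes endpoint; DENY wins over the grant inherited from
-- public. (AppReader is a hypothetical login.)
USE master;
GO
DENY CONNECT ON ENDPOINT::[TSQL Named Pipes] TO AppReader;
GO
-- Check: endpoint permissions are recorded in sys.server_permissions with
-- class ENDPOINT and major_id = endpoint_id.
SELECT pr.name AS grantee, e.name AS endpoint,
       pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.endpoints         AS e  ON e.endpoint_id  = pe.major_id
WHERE pe.class_desc = 'ENDPOINT'
ORDER BY e.name, pr.name;
```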
[Diagram: endpoints bind a transport protocol to a payload]
• Transport protocols: Named pipes, Shared Memory, TCP, HTTP, VIA
• Payloads: TDS, SOAP, SSB (Service Broker), Database Mirroring
SQL Server Security Model Using Endpoints
[Diagram: the connection sequence, client request on the left, server action on the right]
1. Network connection request / pre-login handshake: connect to the SQL Server computer
2. Login authentication request to SQL Server: establish login credentials, authorize against the endpoint
3. Switch to a database and authorize access: establish a database context
4. Attempt to perform some action: verify permissions for all actions
Password Policy Enforcement
• Enforcement of the following on logins
  - Password strength
  - Password expiration
  - Account lockouts
• Follows the local Windows password policy
  - Supports a consistent enterprise-wide policy
• Approach
  - New password policy check API
  - Only available on Windows Server 2003 and above
  - On previous versions, rudimentary complexity check
Login-Level Options
• Server-side
  - CHECK_POLICY (default ON)
  - CHECK_EXPIRATION (default OFF)
  - MUST_CHANGE (SQL Server logins only)
  - DISABLE
• Client-side support
  - Password change at login
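The login, user and role DDL from the overview slides together with the login-level options above, as an added example that is not part of the original deck. It creates a SQL login that honours the Windows password policy and maps it to a database user in a flexible (user-defined) role. The login AppReader and the role AppReportingRole are hypothetical; AdventureWorks and its Sales schema are the sample database the deck uses elsewhere.

```sql
-- Added example (not from the deck). AppReader / AppReportingRole are
-- hypothetical names; the initial password is a placeholder.
USE master;
GO
-- CHECK_POLICY = ON: complexity and lockout follow the local Windows policy
-- (Windows Server 2003 and later). CHECK_EXPIRATION is OFF by default, so it
-- is turned on explicitly here. MUST_CHANGE (SQL logins only) forces a new
-- password at the first connection and requires both checks to be ON.
CREATE LOGIN AppReader
    WITH PASSWORD = '<initial placeholder password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = AdventureWorks;
GO
-- DISABLE keeps the login, its server-level permissions and its role
-- memberships while it cannot be used; preferable to DROP for a temporary hold.
ALTER LOGIN AppReader DISABLE;
ALTER LOGIN AppReader ENABLE;
GO
USE AdventureWorks;
GO
-- Database user mapped to the login. Rights go to a user-defined role rather
-- than to db_datareader or db_owner, so the grant is scoped to one schema.
CREATE USER AppReader FOR LOGIN AppReader;
CREATE ROLE AppReportingRole AUTHORIZATION dbo;
EXEC sp_addrolemember 'AppReportingRole', 'AppReader';
GRANT SELECT ON SCHEMA::Sales TO AppReportingRole;
GO
-- Check: the login-level options as recorded in the catalog.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE name = 'AppReader';
```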
Protecting SQL Credentials
• Requires a secure channel: IPSEC, SSL
• In previous releases an admin had to set up the SSL / IPSEC certificate
  - Not secure by default
• In SQL Server 2005
  - SSL certificate automatically generated
  - Prevents passive man-in-the-middle attacks
Protecting the Channel
[Diagram 1: un-encrypted transfer between two SQL Servers (DB1, DB2). The username and password travel in the clear and can be read off the wire at every hop.]
[Diagram 2: the same transfer over an encrypted channel. The username and password are only visible inside the two SQL Servers.]
Encryption Over the Wire
• Login credentials encryption
  - Uses an SSL certificate from the certificate store (if available)
  - Can be explicitly chosen using the Certificate Picker
  - Otherwise, will use a SQL-generated certificate
• Data packets can be encrypted
  - Server-side option: 'Force Protocol Encryption'
  - Client-side: encryption with or without certificate validation
Agenda
• SQL Server Security Overview
• Authentication
• Authorization
  - Permissions and Scopes
  - Schemas
  - Ownership Chaining and Execution Context
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
Granular Permissions
• Principle of least privilege
• Multiple permissions, various scopes
  - Choice of permission granularity and scope
• Scopes
  - Server: example ALTER ANY LINKED SERVER
  - Database: example CREATE TABLE
  - Schema: example ALTER
  - Object: example SELECT
• Permission granularity
  - Example: ALTER permission on an object
  - Example: ALTER TRACE permission
Schemas (new in SQL Server 2005)
• Fully qualified names
  - SQL Server 2000: Server.Database.Owner.Object
  - SQL Server 2005: Server.Database.Schema.Object
• Users (owners) and schemas have been separated
  - Were the same in previous releases
  - Objects are contained in schemas
• Separation allows for better security management
• Offers better namespace management from the application perspective
General Permissions Scheme
• Grantee
  - Logins for server-level permissions
  - Database principals for database-level permissions
• Securable
  - Entity to be secured
  - Example: tables, assemblies, databases, server, etc.
• The same permission can be granted at multiple scopes
  - Example: CONTROL at schema or table level
• DENY at any level always takes precedence
Scope and Granularity
[Diagram: a Database contains Schema 1, Schema 2 and Schema 3; Schema 1 contains Table1, View1, View 2, a Stored Proc and a Function]
Covering Permissions
• Permissions can be derived from grants at a higher scope
  - Example: EXECUTE granted at schema level
• Permissions can be implied by other permissions
  - Example: CONTROL on a table implies SELECT
• sys.fn_my_permissions()
  - Ability to find out what permissions a user has
Where are permissions recorded?
• sys.server_permissions: server-level permissions
• sys.database_permissions: database-level permissions
• sys.securable_classes: lists all securables
• sys.fn_builtin_permissions: shows all permissions grantable on a securable
  - Includes covering permissions
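Scopes, a DENY overriding a broader GRANT, covering permissions and the catalog views that record them, as an added example that is not part of the original deck. It runs in AdventureWorks (the deck's sample database) and assumes a hypothetical user Analyst and role ReportingRole.

```sql
-- Added example (not from the deck). Analyst and ReportingRole are
-- hypothetical; Sales.SalesOrderHeader and Sales.CreditCard are
-- AdventureWorks tables.
USE AdventureWorks;
GO
CREATE USER Analyst WITHOUT LOGIN;
CREATE ROLE ReportingRole;
EXEC sp_addrolemember 'ReportingRole', 'Analyst';
GO
-- Schema scope: one GRANT covers every current and future object in Sales.
GRANT SELECT ON SCHEMA::Sales TO ReportingRole;
-- Object scope: a narrower DENY on one table beats the schema-level GRANT,
-- no matter which path the permission would otherwise arrive through.
DENY SELECT ON OBJECT::Sales.CreditCard TO ReportingRole;
GO
-- Covering permissions: which broader permissions imply SELECT at schema
-- scope, and which permission at the parent (database) scope covers it.
SELECT permission_name, covering_permission_name,
       parent_class_desc, parent_covering_permission_name
FROM sys.fn_builtin_permissions('SCHEMA')
WHERE permission_name = 'SELECT';
GO
-- Effective permissions as the user sees them (sysadmin/dbo may impersonate).
EXECUTE AS USER = 'Analyst';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('Sales.SalesOrderHeader', 'OBJECT')
WHERE subentity_name = '';                     -- SELECT row is present
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('Sales.CreditCard', 'OBJECT')
WHERE subentity_name = '';                     -- no SELECT row: DENY wins
REVERT;
GO
-- Where the grant and the deny were recorded.
SELECT dp.state_desc, dp.permission_name, dp.class_desc,
       CASE dp.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(dp.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(dp.major_id)
       END AS securable,
       pr.name AS grantee
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'ReportingRole';
```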
Ownership Chaining and Execution Context
[Diagram: three call chains from User3 to table User1.T1]
• SQL Server 2000 and 2005, unbroken chain: User3 calls User1.Proc1, which reads User1.T1
  - EXECUTE permission checked for User3 on Proc1
  - NO permission checked for User3 on T1 (same owner: ownership chaining)
• SQL Server 2000 and 2005, broken chain: User3 calls User2.Proc1, which reads User1.T1
  - EXECUTE permission checked for User3 on Proc1
  - SELECT permission checked for User3 on T1 (owners differ)
• SQL Server 2005 only: User3 calls User2.Proc1 defined with EXECUTE AS 'X', which reads User1.T1
  - EXECUTE permission checked for User3 on Proc1
  - SELECT permission checked for 'X' on T1, not for User3
Module Execution Context
• Ability to choose the execution context of modules
  - Stored procedures, functions, triggers
  - Include WITH EXECUTE AS in the module definition
• No need to rely on ownership chaining to get 'upfront permission check' behavior
  - Ownership chaining rules still apply, however
• Permissions checked against the current execution context
• Option available for dynamic SQL as well
    EXECUTE ('…') AS USER = 'User1';
• Execution context maintained in the sys.sql_modules catalog view
Module Execution Context
    CREATE PROCEDURE dbo.usp_Demo
    WITH EXECUTE AS 'Domain\SqlUsr1'
    AS SELECT user_name();
• EXECUTE AS CALLER
  - Statements execute as the immediate calling context
  - Default behavior, similar to SQL Server 2000
• EXECUTE AS 'UserName'
  - Statements execute as the user name specified
  - IMPERSONATE permission required on the user specified
• EXECUTE AS SELF
  - Statements execute as the creator/modifier of the module
• EXECUTE AS OWNER
  - Statements execute as the current owner of the module
Using EXECUTE AS to Create Permission Buckets
• Scenario: the database admin wants to delegate the ability to truncate a set of tables each night
• Problem:
  - TRUNCATE is not a grantable permission
  - The closest covering permission is ALTER, but that is too high and gives other abilities
• Solution: EXECUTE AS to the rescue
  - Create a proc that truncates the table
  - Mark it to execute as a user with ALTER permission
  - Grant EXECUTE permission to the target user
• Result: you've just made TRUNCATE a grantable permission!
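The permission bucket described above and the WITH EXECUTE AS clause from the preceding slides, carried through in AdventureWorks as an added example that is not part of the original deck. The users TruncateProxy and NightlyJob, the staging table and the procedure name are hypothetical.

```sql
-- Added example (not from the deck). All names except the database are
-- hypothetical.
USE AdventureWorks;
GO
-- The table whose contents are reset each night.
CREATE TABLE dbo.StagingSalesLoad (RowId int NOT NULL, Payload nvarchar(200));
GO
-- 1. A principal that holds the needed ALTER permission and nothing else.
--    WITHOUT LOGIN: nobody can connect as this principal directly.
CREATE USER TruncateProxy WITHOUT LOGIN;
GRANT ALTER ON OBJECT::dbo.StagingSalesLoad TO TruncateProxy;  -- TRUNCATE needs ALTER
GO
-- 2. The procedure runs as that principal, so the body's permission check
--    is made against TruncateProxy rather than the caller.
CREATE PROCEDURE dbo.usp_ResetStagingSalesLoad
WITH EXECUTE AS 'TruncateProxy'
AS
BEGIN
    SET NOCOUNT ON;
    TRUNCATE TABLE dbo.StagingSalesLoad;
    -- ORIGINAL_LOGIN() survives the context switch: the real caller is still
    -- known for auditing even though the work ran as TruncateProxy.
    SELECT USER_NAME() AS executing_as, ORIGINAL_LOGIN() AS audited_login;
END;
GO
-- 3. Only EXECUTE on the procedure goes to the delegate. The caller never
--    receives ALTER, so it cannot add columns, drop constraints, and so on.
CREATE USER NightlyJob WITHOUT LOGIN;
GRANT EXECUTE ON OBJECT::dbo.usp_ResetStagingSalesLoad TO NightlyJob;
GO
-- Check: the delegate can truncate through the procedure but not directly.
EXECUTE AS USER = 'NightlyJob';
EXEC dbo.usp_ResetStagingSalesLoad;        -- succeeds
-- TRUNCATE TABLE dbo.StagingSalesLoad;    -- would fail: NightlyJob has no ALTER
REVERT;
GO
-- The chosen execution context is recorded with the module definition.
SELECT OBJECT_NAME(object_id) AS module, execute_as_principal_id,
       USER_NAME(execute_as_principal_id) AS execute_as_user
FROM sys.sql_modules
WHERE object_id = OBJECT_ID('dbo.usp_ResetStagingSalesLoad');
```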
Creating Custom Permission Sets
[Diagram: User3 calls User2.Proc1, defined with EXECUTE AS 'X', which reads User1.Table1]
• EXECUTE permission checked for User3 on Proc1
• SELECT permission checked for 'X' on Table1, not for User3
• The original login is always audited
Cross-Database Ownership Chaining
[Diagram: Login1 connects as End_User and calls User1.SP1 in one database; SP1 reads User1.Tab1 in a second database. Both databases have DB_Chaining = 1 and the server has Cross DB Ownership Chaining = 1.]
• EXECUTE permission checked for End_User on SP1
• No permission checked on Tab1 in the other database (chain is unbroken across the databases)
Agenda
• SQL Server Security Overview
• Authentication
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
But What About Metadata?
• System tables implemented as views: catalog views
• Metadata is secured by default
  - Minimal permissions to public
  - Catalog views are row-level secured
• Need to be the owner of, or have some permission on, an object to see it in a catalog view
  - SA can see everything in the server
  - DBO can see everything in the database
• New permission to allow viewing of metadata: VIEW DEFINITION
  - Applicable at object level, schema level, database and server level
Data Access Audit
• SQL Trace: the server side of profiling
• Auditing is performed by SQL Trace, internal to SQL Server
• Exposed through stored procedures
  - Can be called directly or through the SQL Server Profiler UI
• SQL Server 2005 introduces new audit events around impersonation and schema management
Login Auditing
• Record of login activity
  - Necessary to keep track of potential brute-force attempts
• SQL Server 2005 defaults to auditing failed login attempts
• Audit events written to the error log and the Windows application log
Custom Auditing
• DML triggers
  - Can be used to audit data modifications in a custom manner
• DDL triggers
  - New in SQL Server 2005
  - Custom audit of DDL changes
• Event notifications
  - Uses Service Broker
  - Asynchronous audit of operations

    USE AdventureWorks
    GO
    CREATE EVENT NOTIFICATION NotifyALTER_T1
        ON DATABASE
        FOR ALTER_TABLE
        TO SERVICE '//AdventureWorks.com/ArchiveService',
                   '8140a771-3c4b-4479-8ac0-81008ab17984';
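The DDL-trigger form of custom auditing named above, as an added example that is not part of the original deck: the synchronous counterpart of the event notification, it records every table and view DDL change in AdventureWorks, including the real login behind an EXECUTE AS context. The audit table and trigger names are hypothetical.

```sql
-- Added example (not from the deck). dbo.DdlAudit and trg_AuditTableDdl are
-- hypothetical names.
USE AdventureWorks;
GO
CREATE TABLE dbo.DdlAudit (
    AuditId    int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime      NOT NULL DEFAULT GETDATE(),
    EventType  sysname       NOT NULL,
    LoginName  sysname       NOT NULL,   -- who actually connected
    UserName   sysname       NOT NULL,   -- database user (may be an EXECUTE AS context)
    ObjectName sysname       NULL,
    Statement  nvarchar(max) NULL,
    EventXml   xml           NOT NULL    -- full EVENTDATA() kept for later review
);
GO
-- DDL_TABLE_VIEW_EVENTS groups CREATE/ALTER/DROP of tables, views, indexes
-- and statistics. The trigger runs inside the DDL statement's transaction,
-- so a ROLLBACK here would undo the schema change as well.
CREATE TRIGGER trg_AuditTableDdl
ON DATABASE
FOR DDL_TABLE_VIEW_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();
    INSERT INTO dbo.DdlAudit (EventType, LoginName, UserName, ObjectName, Statement, EventXml)
    VALUES (
        @e.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname'),
        ORIGINAL_LOGIN(),   -- the original login is always available for auditing
        @e.value('(/EVENT_INSTANCE/UserName)[1]', 'sysname'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e);
END;
GO
-- Exercise the trigger and read back the audit trail.
CREATE TABLE dbo.AuditDemo (Id int);
ALTER TABLE dbo.AuditDemo ADD Note nvarchar(50);
DROP TABLE dbo.AuditDemo;
SELECT EventTime, EventType, LoginName, UserName, ObjectName, Statement
FROM dbo.DdlAudit
ORDER BY AuditId;
GO
```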
Agenda
• SQL Server Security Overview
• Authentication
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
Data Encryption
• Why consider encryption?
  - Additional layer of security
  - Required by some regulatory compliance laws
• In SQL Server 2000, vendor support was required
• In SQL Server 2005
  - Built-in support for data encryption
  - Support for key management
Cryptography 101
[Diagram: symmetric key encryption. Plaintext 1234-5678-1234-5678 is encrypted with a key to ciphertext 0x0088840517080E4FA2…, and decrypted with the same key back to 1234-5678-1234-5678.]
[Diagram: asymmetric key encryption. Encryption with the public key, decryption with the private key.]
Encryption and Decryption Built-in Functions
• EncryptByKey()
• EncryptByAsymKey()
• EncryptByCert()
• EncryptByPassPhrase()
• Each with a corresponding DecryptByXxx()

    ALTER TABLE HumanResources.Employee
        ADD EncryptedNatIDNumber varbinary(128);
    -- Open the symmetric key to encrypt data
    OPEN SYMMETRIC KEY SSN_Key_01
        DECRYPTION BY CERTIFICATE HR037;
    -- Encrypt the value in column NationalIDNumber
    -- with symmetric key SSN_Key_01, saving the
    -- result in column EncryptedNatIDNumber
    UPDATE HumanResources.Employee
    SET EncryptedNatIDNumber = EncryptByKey( Key_GUID('SSN_Key_01'), NationalIDNumber );
SQL Server 2005 Support
• Encryption and decryption built-ins
• DDL for creation of
  - Symmetric keys
  - Asymmetric keys and certificates
• Symmetric keys and private keys are always stored encrypted
• Securing the keys themselves
  - Based on user passwords
  - Automatic, using SQL Server key management
It's All About the Keys
• Encryption keys need to be protected
• Some keys need to be backed up
  - If the keys are lost, data may be lost
  - Therefore, the ability to restore keys must exist
• Keys may need to be regenerated
  - In case of compromise of the keys
• Keys may need to be shared across systems
  - In the case where encrypted data is being shared
Encryption Support
[Diagram: the key hierarchy. Each layer is "secured by" the one below it.]
• Key
  - Database entity created by CREATE KEY DDL
  - Always stored encrypted
  - Secured in one of three ways: another key, a user password, or a certificate
• Certificate (public key / private key)
  - Database entity created by CREATE CERTIFICATE DDL
  - Private keys always stored encrypted
  - Secured in one of two ways: a password, or the database master key
• Database master key: wraps the private keys; secured by a password and/or the service key
• Service key: secured by DPAPI, associated with the service account
Database Master Key
• Secures private keys inside the database
• Explicitly created by the owner of the database
• Support for regeneration and recovery
  - ALTER MASTER KEY DDL
  - BACKUP / RESTORE MASTER KEY DDL
• Always secured using a user password
  - Stored in the database
• Can also be secured using the Service Master Key
• Always take a backup!
Service Master Key
• Used to secure system data
  - Linked server passwords
  - Database master keys
  - Proxy credentials
• Created upon first use
• Support for regeneration and recovery
  - ALTER SERVICE MASTER KEY DDL
  - BACKUP / RESTORE SERVICE MASTER KEY DDL
• Secured using DPAPI: the service account's credentials
• Always take a backup!
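The key hierarchy from the Encryption Support diagram, built bottom-up and backed up as the two master-key slides require, as an added example that is not part of the original deck. It reuses the key and certificate names SSN_Key_01 and HR037 from the deck's EncryptByKey example; the passwords and file paths are placeholders.

```sql
-- Added example (not from the deck). Passwords and paths are placeholders.
USE AdventureWorks;
GO
-- Database master key: secured by a user password and stored in the
-- database; by default it is also encrypted by the service master key, so
-- the server can open it without the password being supplied.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- Certificate whose private key is protected by the database master key
-- (the second of the "two ways" a certificate can be secured).
CREATE CERTIFICATE HR037 WITH SUBJECT = 'HR national ID protection';
GO
-- Symmetric key for bulk data, itself encrypted by the certificate
-- (one of the "three ways" a key can be secured).
CREATE SYMMETRIC KEY SSN_Key_01
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE HR037;
GO
-- Round trip with the sample value from the Cryptography 101 slide,
-- proving the chain DMK -> certificate -> symmetric key can be opened.
OPEN SYMMETRIC KEY SSN_Key_01 DECRYPTION BY CERTIFICATE HR037;
DECLARE @cipher varbinary(128);
SET @cipher = EncryptByKey(Key_GUID('SSN_Key_01'), N'1234-5678-1234-5678');
SELECT @cipher AS ciphertext,
       CONVERT(nvarchar(50), DecryptByKey(@cipher)) AS plaintext;
CLOSE SYMMETRIC KEY SSN_Key_01;
GO
-- Backups: without these, a server rebuild or a regenerated service master
-- key leaves every EncryptByKey value unreadable.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\KeyBackups\smk.bak'
    ENCRYPTION BY PASSWORD = '<strong SMK backup password>';
BACKUP MASTER KEY TO FILE = 'C:\KeyBackups\AdventureWorks_dmk.bak'
    ENCRYPTION BY PASSWORD = '<strong DMK backup password>';
BACKUP CERTIFICATE HR037 TO FILE = 'C:\KeyBackups\HR037.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackups\HR037.pvk',
                      ENCRYPTION BY PASSWORD = '<strong PVK password>');
GO
-- Check the chain as recorded in the catalog: what encrypts the symmetric key?
SELECT k.name AS symmetric_key, k.algorithm_desc, k.key_length,
       c.name AS encrypted_by_certificate
FROM sys.key_encryptions AS ke
JOIN sys.symmetric_keys  AS k ON k.symmetric_key_id = ke.key_id
JOIN sys.certificates    AS c ON c.thumbprint = ke.thumbprint
WHERE ke.crypt_type_desc = 'ENCRYPTION BY CERTIFICATE';
```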
Agenda
• SQL Server Security Overview
• Authentication
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best practices
Surface Area Configuration
• Secure by default on new installs
  - Minimal default surface area
  - Default install image that is safe and usable
• Heterogeneity in our install base
  - Poses hurdles for large-scale exploits
• More administrator control
  - Choice to run features only as needed
  - To lock down features centrally and easily
• Reduction in administrative complexity
Approach
• Install-time options
  - Admin choice of services to install at setup time
• Disabled/stopped services
  - Helper services installed as part of another service
  - Typically help with specific features
  - Eg: MSADHelper, Browser, SQL Writer, Agent, etc.
  - These are disabled and stopped by default
• Feature-level knobs
  - On/off switches for specific features (old and new)
  - Features requiring explicit configuration
• Network communication
  - Knobs to turn on or off specific communication protocols
Surface Area Configuration
[Diagram: the "SQL Server Box" and everything on it that the surface area covers]
• Components (feature-level knobs): Ad hoc DQ, xp_cmdshell, OLE Automation SPs, SMO/DMO XPs, SQLiMail XPs, SQLMail XPs, CLR, Webtasks XPs, Web Service Requests, Scheduled Events and Report Delivery, Allow Anonymous Connections, Ad hoc OpenRowset Queries, COM User-Defined Functions, Local Only Connections, Remote Partitions and Linked Objects
• Helper services: MSADHelper Service, SQL Server Agent, SQL Writer Service, SQL Browser Service, Fulltext / MSSearch
• Communication protocols and endpoints
• Services: SQL Server Service, Integration Services, Reporting Services, Analysis Services, Notification Services
Surface Area Configuration Tool
• Tool to centrally control the SQL Server surface area
• Launchable from setup
• Available in the Start menu
• Provides some guidance when turning features on or off
• Scripting capability
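The scripted form of the feature-level knobs shown on the surface area diagram, as an added example that is not part of the original deck. The components named there (xp_cmdshell, OLE Automation, CLR, ad hoc distributed queries, the mail XPs, Web Assistant procedures) are sp_configure options in SQL Server 2005, so the lockdown can be applied and re-checked from T-SQL rather than through the tool.

```sql
-- Added example (not from the deck). Database Mail is the released name of
-- the SQLiMail component on the diagram.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO
-- Weak state: a feature switched on "just in case" and never turned off.
-- EXEC sp_configure 'xp_cmdshell', 1;   -- not on a server that does not need it
--
-- Hardened state: each knob explicitly off unless an application needs it.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;   -- OPENROWSET / OPENDATASOURCE
EXEC sp_configure 'Database Mail XPs', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
EXEC sp_configure 'Web Assistant Procedures', 0;     -- Webtasks XPs
RECONFIGURE;
GO
-- Check: the periodic scan of the enabled surface area. Any row returned is
-- a feature that is still switched on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'Ad Hoc Distributed Queries', 'Database Mail XPs',
               'SQL Mail XPs', 'Web Assistant Procedures')
  AND value_in_use <> 0;
GO
-- Protocols and endpoints are the other half of the diagram; they are
-- listed in sys.endpoints (see the endpoint example earlier in the deck).
SELECT name, protocol_desc, type_desc, state_desc FROM sys.endpoints;
```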
Agenda
• SQL Server Security Overview
• Authentication
• Authorization
• Auditing
• Encryption
• Surface Area Reduction
• Best Practices
  - Security Diagnostics
  - Secure Installation
  - Secure Operations
Security Diagnostics…
• Run MBSA periodically
• Scan for and remove accounts with NULL passwords and where CHECK_POLICY is off
• Remove unused logins
• Scan for objects with permissions granted to public
• Verify login-user mapping
  - Interesting in attach/detach scenarios
  - sp_change_users_login with the report option
• Enumerate membership in privileged roles
  - Ensure membership for trusted individuals only
• Ensure start-up procedures are safe and trusted
• Periodically scan the surface area that is enabled
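T-SQL for several of the diagnostics listed above, as an added example that is not part of the original deck. It uses only SQL Server 2005 catalog views and functions; the per-database checks are written for AdventureWorks and would be run in each database.

```sql
-- Added example (not from the deck).
USE master;
GO
-- 1. SQL logins with a blank password, or with the policy check switched off.
--    PWDCOMPARE tests a clear-text candidate against the stored hash.
SELECT name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'yes' ELSE 'no' END AS blank_password,
       is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1 OR is_policy_checked = 0;
-- 2. Membership in privileged fixed server roles.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin', 'securityadmin')
ORDER BY r.name, m.name;
-- 3. Start-up procedures: everything listed runs under the service account
--    at every restart, so each entry must be known and trusted.
SELECT SCHEMA_NAME(schema_id) + '.' + name AS startup_proc
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;
GO
USE AdventureWorks;
GO
-- 4. Permissions granted to public (the default CONNECT on the database
--    is expected and is filtered out).
SELECT dp.state_desc, dp.permission_name, dp.class_desc,
       CASE dp.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(dp.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(dp.major_id)
            ELSE CONVERT(sysname, dp.major_id)
       END AS securable
FROM sys.database_permissions AS dp
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND dp.state_desc = 'GRANT'
  AND dp.class_desc <> 'DATABASE';
-- 5. Login-user mapping after attach/restore: the report option of
--    sp_change_users_login, and the equivalent catalog query (SQL users
--    whose SID matches no server login; principal_id <= 4 are the built-ins).
EXEC sp_change_users_login 'Report';
SELECT dp.name AS orphaned_user
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S' AND sp.sid IS NULL AND dp.principal_id > 4;
GO
```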
Secure Installation
• Physical security
  - Protect all related systems, media, backups, etc.
• Never place the RDBMS unprotected on the network
  - Firewall protected
  - Software mediating database access
• Install on an NTFS file system
  - This allows securing the files appropriately
• Isolate services
  - Do not install on a Domain Controller
• Use a low-privilege service account
  - Do not use LocalSystem, Local or Domain Administrator
  - Prevents a compromised database from being used to bootstrap access to the rest of the enterprise
• Latest code is the most secure code
  - Apply the latest service packs and security patches!
Secure Operations (1 of 2)
• Run the prescribed security diagnostics periodically
• Only configure and run needed features
  - xp_cmdshell usage
• Do not change default permissions
• Never set the proxy account to administrator
  - In SQL Server 2005 the proxy account does not require the service account to be admin
• Smallest possible admin groups
• Changing service accounts
  - Use SQL Server tools
• Disallow direct catalog updates
Secure Operations (2 of 2)
• Media security including backups
  - Have an aggressive backup policy
  - Test the disaster recovery system
• Turn on the appropriate level of auditing
  - Track critical user actions at a minimum
  - Keep overhead at a minimum
• Encryption options
  - Protect sensitive data over the wire
    - Use SSL, IPSEC etc.
  - File-level encryption
    - Prevents illicit copying of database files
    - SQL Server supports the Encrypting File System (EFS)
Summary
• SQL Server Security Overview
  - Background
  - Principals, Securables, Permissions
• Authentication
  - Endpoints
  - Password Policy
  - SSL protection
• Authorization
  - Permissions and Scopes
  - Schemas
  - Ownership Chaining and Execution Context
• Auditing
• Encryption
• Surface Area Reduction
• Best Practices
For More Information
• SQL Server Books Online
• Whitepapers
  - Security in SQL Server 2005
• MSDN and TechNet webcasts

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.