European PASS Conference 2008 - SQL Server Development - Security Best Practices - Charley Hanania
  • Hello and Welcome to this European PASS Conference session on SQL Server 2005 Security Best Practices for SQL Server Development. I’m Charley Hanania... I’m a Senior Database Specialist working for UBS Investment Bank as the Production Product Owner for MS SQL Server. I’ve been working in the industry for around 18 years now, focussed on databases for close to 15... In today’s session you'll find out what ways Microsoft SQL Server approaches security to help developers design systems to be secure by default. We’ll be focussing on key security concepts in SQL Server 2000, 2005 and 2008 and looking at a few examples along the way to bring these concepts to light. Let us start this session by going into more detail on exactly what we will be covering.
  • SQL Server 2000 permitted encrypted connections over all network libraries by using certificates and SSL encryption.
  • In SQL Server 2005, you can encrypt data in the database by writing custom Transact-SQL that uses the cryptographic capabilities of the database engine. SQL Server 2008 improves upon this situation by introducing transparent data encryption. Transparent data encryption performs all cryptographic operations at the database level, removing any need for application developers to create custom code to encrypt and decrypt data. Data is encrypted as it is written to disk, and decrypted as it is read from disk. By using SQL Server to manage encryption and decryption transparently, you can help secure business data in the database without requiring any changes to existing applications.

    1. For SQL Server Development
       Charley Hanania
       B.Sc (Computing Science), MCP, MCDBA, MCITP, MCTS, MCT
       Senior Database Specialist
       Production Product Owner – MS SQL Server
       UBS Investment Bank
    2. Outline
       • Why is Security important?
       • Reducing Attack Surface
       • Trustworthy Computing
       • The Principle of Least Privilege
       D2-S5-AD – SQL Server Development: Security Best Practices
    3. Security Principles
       • Authenticate and authorise
       • Reduce surface area
       • Audit events
       • Encrypt
    4. Is Security something that MS are focused on?
       [Chart: # of CVEs per year, 2002 to 2007, SQL Server vs. Oracle Database]
       Notes: Updated as of 10/18/2007. Vulnerabilities are included for SQL Server 2000, SQL Server 2005. Oracle (8i, 9i, 9iR2, 10g, 10gR2).
       Query for Oracle was run with vendor name: ‘Oracle’, and product name: ‘any’ (all database product name variations were queried).
       Query for Microsoft was run with vendor name: ‘Microsoft’; product name: ‘Microsoft SQL Server’; version name: ’Any’.
       Source: NIST National Vulnerability Database
    5. Defence in Depth: Using a layered Approach
       • Layers: Network, Operating System, Database Mgt System
       • Elements: Protocols, Ports, Shares, Services, Accounts, Auditing & Logging, Files & Directories, Registry, Firewalls, Packet Filters, Installed Features, Enabled Components, Authentication Modes, Endpoints
    6. Context Switching
    7. Authorization
       • Principle of Least Privileges
       • Rich Access Control Model
         – Granular permissions
         – Choice of appropriate scope (database, schema, object, sub-object)
         – Role Based Access control
         – Application module based access control
         – Minimizing application impact for user management
         – Both Data (above) and Metadata
       • Ease of security management
    8. Data Encryption within Tables
       Encrypting Sensitive Data
    9. Data Encryption
       • Why consider encryption?
         – Additional layer of security
         – Required by some regulatory compliance laws
       • In SQL Server 2000
         – Vendor support required
       • In SQL Server 2005
         – Built-in support for explicit data encryption
       • In SQL Server 2008
         – Transparent data encryption
         – Extensible key management
       [Image labels: Threat Detected; Emergency Procedure; Server Highly Protected]
    10. SQL Server Cryptographic Capabilities
       • Transparent Data Encryption and Decryption built-in
       • DDL for creation of
         – Symmetric Keys
         – Asymmetric Keys and Certificates
       • Symmetric Keys and Private Keys are stored encrypted
       • Securing the Keys themselves
         – Based on user passwords
         – Automatic, using SQL Server key management
    11. Encryption Algorithm Support
       • Algorithms and key lengths vary; depends on CSP (Cryptographic Services Provider)
       • Performance depends on size of data being ciphered

       | Algorithm | XP SP2  | WS2003  |
       |-----------|---------|---------|
       | DES       | 56 (64) | 56 (64) |
       | 3DES      | 128     | 128     |
       | DESX      | 184     | 184     |
       | AES128    | -       | 128     |
       | AES192    | -       | 192     |
       | AES256    | -       | 256     |
       | RC2       | 128     | 128     |
       | RC4       | 40      | 40      |
       | RC4_128   | 128     | 128     |
       | RSA       | 2048    | 2048    |
    12. User Schema Separation
       Moving objects into other schemas
    13. So What’s New in SQL Server 2008?
       SharePoint Integration, Transparent Data Encryption, External Key Management, Hot Pluggable CPU support, Data Auditing, Data Compression, Backup Compression, Enhanced Database Mirroring, Performance Data Collection, Improved Plan Guide Support, Resource Governor, Improved Datatypes, HierarchyID, LINQ, Change Data Capture, Table Valued Parameters, Large UDTs, MERGE Statements, XML Enhancements, Service Broker Enhancements, Spatial Data, Policy based Management, Microsoft System Center Integration, Extended Events, Data Compression, FILESTREAM, Integrated Full Text Indexing, Sparse Columns, New Index Types, Partition Table Parallelism, Star Join Support, Persistent Lookups, Improved Thread Scheduling, MERGE Statement, Change Data Capture, Scale-out Analysis Services, Subspace Computations, Data Mining Add-ins for Excel, IIS Agnostic RS, Rich Text Support, Report Designer, Word/Excel Designing, Entity Data Model
    14. Transparent Data Encryption
       • Encryption/decryption occurs at the database
         – Uses Database Encryption Key (DEK)
       • Applications do not need to handle encryption/decryption of data
         – Treat encrypted and unencrypted data in an identical way
       • DEK is encrypted with:
         – Password
         – Service Master Key
         – Hardware Security Module
       • DEK must be decrypted to attach database files or restore a backup
       [Diagram: Client Application, SQL Server 2008, DEK, Encrypted data page]
    15. Links
       • Hello Secure World: http://www.microsoft.com/click/hellosecureworld/default.mspx
       • Microsoft Security Assessment Tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
       • Microsoft Application Verifier: http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
       • Microsoft Threat Analysis & Modelling Tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
       • How To: Protect From SQL Injection in ASP.NET: http://msdn2.microsoft.com/en-us/library/ms998271.aspx
       • Securing Your Database Server: http://msdn.microsoft.com/en-us/library/aa302434.aspx
       • Threats and Countermeasures: http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
    16. Questions?
    17. Thank you!
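
The Authorization, Context Switching and User Schema Separation slides name three techniques without showing them together. The T-SQL below is an added example, not code from the original deck; `Sales`, `SalesReaders`, `report_user` and `dbo.Orders` are hypothetical names.

```sql
-- Added example. Sales, SalesReaders, report_user and dbo.Orders are hypothetical names.
CREATE TABLE dbo.Orders (
    OrderId    int          NOT NULL PRIMARY KEY,
    Amount     money        NOT NULL,
    CardNumber nvarchar(32) NULL
);
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
-- User-schema separation: move the object out of dbo into its own schema.
-- ALTER SCHEMA ... TRANSFER drops permissions granted directly on the moved
-- object, so grant at schema scope afterwards instead of relying on old grants.
ALTER SCHEMA Sales TRANSFER dbo.Orders;
GO
-- Role-based access control: permissions go to a role, users go into the role.
CREATE ROLE SalesReaders AUTHORIZATION dbo;
-- Schema scope: read access to Sales objects only, nothing in dbo.
GRANT SELECT ON SCHEMA::Sales TO SalesReaders;
-- Sub-object scope: the sensitive column stays unreadable for this role.
DENY SELECT ON OBJECT::Sales.Orders (CardNumber) TO SalesReaders;
GO
CREATE USER report_user WITHOUT LOGIN;
EXEC sp_addrolemember N'SalesReaders', N'report_user';
GO
-- Context switching: impersonate the low-privileged user and check what it
-- can actually do before the application ever connects as that user.
EXECUTE AS USER = N'report_user';
SELECT USER_NAME() AS running_as,
       HAS_PERMS_BY_NAME(N'Sales.Orders', N'OBJECT', N'SELECT', N'Amount', N'COLUMN')     AS select_amount,
       HAS_PERMS_BY_NAME(N'Sales.Orders', N'OBJECT', N'SELECT', N'CardNumber', N'COLUMN') AS select_card,
       HAS_PERMS_BY_NAME(N'Sales.Orders', N'OBJECT', N'UPDATE')                           AS update_orders;
REVERT;
```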
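
The Data Encryption and SQL Server Cryptographic Capabilities slides describe SQL Server 2005's explicit (cell-level) encryption and its key DDL. The T-SQL below is an added example, not code from the original deck; `CardCert`, `CardKey` and `dbo.Payments` are hypothetical names, the password is a placeholder and the card number is a constructed test value.

```sql
-- Added example. CardCert, CardKey and dbo.Payments are hypothetical names.
-- Key hierarchy: database master key -> certificate -> symmetric key.
-- Each key is stored encrypted by the one above it.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<placeholder-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = N'Protects CardKey';
-- AES availability depends on the host OS (the algorithm table on the
-- Encryption Algorithm Support slide lists no AES key length for XP SP2).
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Payments (
    CustomerId    int            NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
-- The key must be opened in the session before it can encrypt or decrypt.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

-- The authenticator (a hash of the row key) binds the ciphertext to its row:
-- a value copied into another customer's row no longer decrypts.
INSERT INTO dbo.Payments (CustomerId, CardNumberEnc)
VALUES (42, EncryptByKey(Key_GUID(N'CardKey'), N'4111111111111111', 1,
                         HashBytes('SHA1', CONVERT(varbinary, 42))));

-- DecryptByKey returns varbinary; convert back to the original nvarchar type.
SELECT CustomerId,
       CONVERT(nvarchar(32),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CustomerId)))) AS CardNumber
FROM dbo.Payments;

CLOSE SYMMETRIC KEY CardKey;
```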
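
The Transparent Data Encryption slide and its speaker note describe encryption at the database level with a Database Encryption Key. The T-SQL below is an added example, not code from the original deck; it uses the server-certificate form of `CREATE DATABASE ENCRYPTION KEY` from the released SQL Server 2008 syntax, and `TdeCert`, `SalesDb`, the file paths and the passwords are hypothetical placeholders.

```sql
-- Added example. TdeCert and SalesDb are hypothetical names; paths and
-- passwords are placeholders.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<placeholder-strong-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE certificate for SalesDb';
GO
-- Back up the certificate and its private key before enabling encryption.
-- Without them the DEK cannot be decrypted on another server, so database
-- files cannot be attached and backups cannot be restored there.
BACKUP CERTIFICATE TdeCert
    TO FILE = N'<placeholder-path>\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = N'<placeholder-path>\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = N'<placeholder-backup-password>'
    );
GO
USE SalesDb;
GO
-- The DEK lives in the user database and is protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Check progress: encryption runs as a background scan over existing pages.
-- encryption_state 2 means encryption in progress, 3 means encrypted.
-- tempdb also appears here once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```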
