Ing. Eduardo Castro, Phd
ecastro@mswindowscr.org

http://comunidadwindows.org
http://ecastrom.blogspot.com

SQL Server 2008 Security Enhancements

In this presentation we review the security enhancements in SQL Server 2008.

  1. 1. Ing. Eduardo Castro, Phd ecastro@mswindowscr.org http://comunidadwindows.org http://ecastrom.blogspot.com
  2. 2. Transparent Data Encryption Visual Entity Designer Backup Compression External Key Management Entity Aware Adapters MERGE SQL Statement Data Auditing SQL Server Change Tracking Data Profiling Pluggable CPU Synchronized Programming Model Star Join Transparent Client Redirect for Visual Studio Support Enterprise Reporting Database Mirroring SQL Server Conflict Detection Engine Database Mirroring Enhancements FILESTREAM data type Internet Report DBM: Auto Page Repair Integrated Full -Text Search Deployment Declarative Management Sparse Columns Block Computations Framework Large User-Defined Types Scale-out Analysis Server Group Management Date / Time Data Types BI Platform Management Streamlined Installation LOCATION data type Export to Word and Excel Enterprise System Management SPATIAL data type Author reports in Word, Performance Data Collection Excel Virtual Earth Integration System Analysis Report Builder Partitioned Table Parallelism Enhancements Data Compression Query Optimizations TABLIX Query Optimization Modes Persistent Lookups Rich Formatted Data Resource Governor Change Data Capture Personalized Entity Data Model Perspectives LINQ … and many more
  3. 3. Transparent data encryption – encrypt an entire database Backup encryption – compresses and secures the backup file Auditing – now monitors data access and modifications Policy-based Framework from Windows Server 2008 automates administrative tasks
  4. 4. Enterprise Data Platform. Protect your information: Transparent Data Encryption (encrypt your data without requiring an application re-write); External Key Management (consolidate security keys within the data center); Data Auditing (integrated auditing support). Increase the reliability of your applications: Pluggable CPU (add system resources without affecting your users); Enhanced Database Mirroring (leverage database mirroring to increase reliability).
  5. 5. In SQL Server 2000, 3rd party support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management
  6. 6. Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005
  7. 7. SQL Server 2005 − Built-in encryption functions − Key management in SQL Server − Encrypted File System (EFS) − Bit-Locker SQL Server 2008 − Extensible Key Management (EKM) − Transparent Data Encryption (TDE)
  8. 8. Follow principle of least privilege! Avoid using sysadmin/sa and db_owner/dbo − Grant required perms to normal login Never use the dbo schema − User-schema separation Applications should have own schema − Consider multiple schemas Leverage Flexible Database Roles − Facilitates role separation Consider Auditing user activity
  9. 9. Key storage, HSM management and encryption done by HSM module SQL EKM Provider DLL SQL EKM key is a proxy to HSM key SQL EKM Key SQL EKM Provider DLL (HSM key proxy) implements SQLEKM Data interface, calls into SQL Server HSM module
  10. 10. Security Data and keys are physically separated (keys are stored in HSM modules) Centralized key management and storage for enterprise Additional authentication layer Separation of duties between db_owner and data owner Performance Pluggable hardware encryption boards
  11. 11. HSM Symmetric key Asymmetric key EKM Symmetric key EKM Asymmetric key SQL Server Data Data Native TDE DEK key Symmetric key
  12. 12. SQL Server 2008: encryption/decryption at database level. Diagram: Client Application, DEK, encrypted data page. DEK is encrypted with: − Certificate − Key residing in a Hardware Security Module (HSM). Certificate required to attach database files or restore a backup.
  13. 13. Operating System Level: Data Protection API (DPAPI); DPAPI encrypts Service Master Key. SQL Server 2008 Instance Level: Service Master Key; Service Master Key encrypts Database Master Key. SQL Server 2008 Master Database: Database Master Key (Password); Database Master Key encrypts Certificate in Master Database. SQL Server 2008 Master Database: Certificate; Certificate encrypts Database Encryption Key. SQL Server 2008 User Database: Database Encryption Key.
  14. 14. Hardware Security Module (HSM): Asymmetric Key; Asymmetric Key resides on the EKM device. Asymmetric Key encrypts Database Encryption Key. SQL Server 2008 User Database: Database Encryption Key.
  15. 15. Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only
  16. 16. Operational Impact. Storage replication at hardware level: Background task to encrypt all pages. At HW level, all pages get changed, i.e. all pages need to be replicated. Need to test if your hardware replication can handle this throughput. When using Database Mirroring or Log Shipping: Ensure that the mirror server has the master key and certificate as well. Bottleneck isn’t throughput of pages. Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted. But secondary server restore of transaction log uses fewer threads than principal/primary servers, i.e. backlog in restore activity. Possible Failover Issues: Synchronous mirroring backlog may result in not being able to fail over, since restoring received transaction log records could take a few hours. For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore has finally caught up. May want to consider disabling HA and performing resynchronization of your HA configuration.
  17. 17. SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit
  18. 18. Audit targets: Security Event Log, Application Event Log, File system. 0..1 Server audit specification per Audit object; 0..1 DB audit specification per database per Audit object. Components: Server Audit Specification contains Server Audit Actions; Database Audit Specification contains Database Audit Actions.
      CREATE SERVER AUDIT SPECIFICATION SvrAC FOR SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP);
      CREATE DATABASE AUDIT SPECIFICATION AuditAC FOR SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public);
  19. 19. Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)
  20. 20. Centralizing audit logs and reporting. DB Servers (SQL 2008 DB Servers): Transfer Logs to File Server. Process Audit Information: Use SSIS to process SQL2008 audit log data and store in its own SQL database (SQL Audit DB Server). Generate Reports: SSRS 2008 Compliance Reports.
  21. 21. Enterprise Data Platform Spend less time on ongoing operations Declarative Management Framework Manage via policies instead of scripts Define Enterprise wide data management policies Server Group Management Automated monitoring and enforcement of policies Simplify your installation and configuration Streamlined Installation Integrated with your enterprise system management Enterprise System Define Policies that are compliant with Management System Definition Model Manage your data and system infrastructure with Microsoft System Center
  22. 22. Facets Conditions Policies Targets Categories
  23. 23. Compliance: • Provide auditors with assurance that SQL Server complies with all security and business guidelines • Complement All Actions Audited. Consistency: • Ensure peak performance • High levels of security & reliability. Costs: • Drive strategic management initiative to control costs • More efficient and proactive management.
  24. 24. Policy: Defines the evaluation mode, target filters, and schedule of the conditions. Condition: Specifies a set of allowed states of a managed target with regard to a facet. Facet: Set of related logical properties.
  25. 25. Server Restriction Category Policy Target Evaluation Mode
  26. 26. Evaluation modes. On Demand: • Evaluate a policy when specified by user • Available through SSMS or Windows PowerShell™ • Option to force certain conditions to comply with policy • Supports down-level evaluation (depends on properties exposed). On Schedule: • SQL Server 2008 only • SQL Server Agent job periodically evaluates a policy. On Change: Prevent: • SQL Server 2008 only • DDL triggers prevent policy violations. On Change: Log Only: • SQL Server 2008 only • Event notification evaluates a policy when a relevant change is made.
  27. 27. Windows PowerShell™ is a framework and runtime for executing management commands. Cmdlets are instances of .NET classes that process input objects from the pipeline. SQL Server Provider for Windows PowerShell™ encompasses SMO.
      Invoke-PolicyEvaluation -Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1
      Invoke-Sqlcmd -Query "SELECT name FROM sys.databases;" -ServerInstance "MyServerInstance"
  28. 28. Bringing It All Together policy results policy results policy results policy results policy results policy results
  29. 29. Bringing It All Together policy results policy results policy results policy results policy results policy results
  30. 30. Logically group instances based on business function(s) Centrally publish policies to groups of SQL Server 2008 instances Evaluate policies on-demand against a group of servers Filter by logical groups in Windows PowerShell™ scripts
  31. 31. Add Intelligence to Policies Place each policy in a category Define server restrictions for versions and editions where appropriate
  32. 32. Create Custom Server Groups in the CMS Run specific policies against a list of servers Examples: Production, Development, PCI Define Concurrent Jobs Define multiple concurrent executions based on Policy Category and/or logical Central Management Server group
  33. 33. Real-Time Enforcement and Reporting Monitor the event log through Alerting integration Advanced functionality and integration with SSMS Dependency, health states, subscriptions, history Scale Security Access to other rich features in SQL Server 2008
  34. 34. policy results policy results policy results syspolicy_policy_execution_history policy results syspolicy_policy_execution_history_details
  35. 35. Dynamic Development: Access your data from anywhere. Features: SQL Server Change Tracking, Synchronized Programming Model, Visual Studio Support, SQL Server Conflict Detection. • Store your data locally while disconnected from server • Synchronize incremental changes between client and server • Detect conflicts during synchronization including deletes • Add disconnected scenarios without re-writing existing applications
  36. 36. Enterprise Policy Management Framework http://www.codeplex.com/EPMFramework Policy Based Management Blog http://blogs.msdn.com/sqlpbm/default.aspx
  37. 37. To learn more about the Windows PowerShell™ scripting language http://www.microsoft.com/downloads/details.aspx?FamilyID=b4720b00-9a66-430f-bd56-ec48bfca154f&DisplayLang=en Windows PowerShell™ Blog http://blogs.msdn.com/powershell/ SQL Server PowerShell Overview http://msdn.microsoft.com/en-us/library/cc281954.aspx
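
The certificate-based TDE key hierarchy of slides 12, 13, 15 and 16, written out as T-SQL. This is an added example, not code from the presentation; the database name SalesDb, the certificate name TdeCert, the file paths and the password placeholders are assumptions.

```sql
-- Added example (not from the slides). SalesDb, TdeCert, paths and passwords are placeholders.
USE master;
GO
-- Database Master Key in master; it is protected by the Service Master Key (slide 13).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- Certificate in master, protected by the Database Master Key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- Back up certificate and private key before enabling TDE: slide 12 notes the
-- certificate is required to attach the database files or restore a backup.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
USE SalesDb;
GO
-- Database Encryption Key (DEK) in the user database, encrypted by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- Starts the background task that encrypts every page (slide 16).
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Track the scan: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up here too once any database on the instance uses TDE (slide 15).
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO

-- On the mirror or log shipping secondary (slides 15 and 16): recreate the same
-- certificate from the backup before restoring or establishing the partnership.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<secondary-master-key-password-placeholder>';
GO
CREATE CERTIFICATE TdeCert
    FROM FILE = 'C:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TdeCert.pvk',
        DECRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
```

Store the certificate backup and its password away from the database backups; anyone holding both can restore the encrypted database on another instance.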
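
A complete SQL Server Audit setup for the objects named on slide 18 (PCI_Audit, SvrAC, AuditAC), including the file target and a query to read the result. This is an added example, not code from the presentation; the directory D:\Audit\, the database SalesDb and the dbo schema of Customers are assumptions.

```sql
-- Added example (not from the slides). D:\Audit\, SalesDb and dbo.Customers are placeholders.
USE master;
GO
-- The audit object defines the target: a file here; the Security or Application
-- event log are the other options shown on slide 18.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- One server audit specification per audit object.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)   -- records changes to the audit configuration (slide 19)
    WITH (STATE = ON);
GO
USE SalesDb;
GO
-- One database audit specification per database per audit object.
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
USE master;
GO
-- Audits are created disabled; nothing is recorded until the audit is switched on.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- Read the audit files back as a rowset. A central collection job such as the
-- SSIS flow of slide 20 can load this output into a reporting database.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time;
GO
```

ON_FAILURE = CONTINUE keeps the instance running if the audit target becomes unwritable; ON_FAILURE = SHUTDOWN is the stricter choice when losing audit records is unacceptable.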
