Sql Server 2008 Security Enhanments

Ing. Eduardo Castro, Phd ecastro@mswindowscr.org http://comunidadwindows.org http://ecastrom.blogspot.com

Transparent Data Encryption Visual Entity Designer Backup Compression External Key Management Entity Aware Adapters MERGE SQL Statement Data Auditing SQL Server Change Tracking Data Profiling Pluggable CPU Synchronized Programming Model Star Join Transparent Client Redirect for Visual Studio Support Enterprise Reporting Database Mirroring SQL Server Conflict Detection Engine Database Mirroring Enhancements FILESTREAM data type Internet Report DBM: Auto Page Repair Integrated Full -Text Search Deployment Declarative Management Sparse Columns Block Computations Framework Large User-Defined Types Scale-out Analysis Server Group Management Date / Time Data Types BI Platform Management Streamlined Installation LOCATION data type Export to Word and Excel Enterprise System Management SPATIAL data type Author reports in Word, Performance Data Collection Excel Virtual Earth Integration System Analysis Report Builder Partitioned Table Parallelism Enhancements Data Compression Query Optimizations TABLIX Query Optimization Modes Persistent Lookups Rich Formatted Data Resource Governor Change Data Capture Personalized Entity Data Model Perspectives LINQ … and many more

Transparent data encryption – encrypt an entire database Backup encryption – compresses and secures the backup file Auditing – now monitors data access and modifications Policy-based Framework from Windows Server 2008 automates administrative tasks

Enterprise Data Platform Protect your information Transparent Data Encryption Encrypt your data without requiring an application re-write External Key Management Consolidate security keys within the data center Data Auditing Integrated auditing support Increase the reliability of your Pluggable CPU applications Add system resources without affecting your users Enhanced Database Mirroring Leverage database mirroring to increase reliability

In SQL Server 2000, 3rd party support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management

Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005

SQL Server 2005 − Built-in encryption functions − Key management in SQL Server − Encrypted File System (EFS) − Bit-Locker SQL Server 2008 − Extensible Key Management (EKM) − Transparent Data Encryption (TDE)

Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo − Grant required perms to normal login Never use the dbo schema − User-schema separation Applications should have own schema − Consider multiple schemas Leverage Flexible Database Roles − Facilitates role separation Consider Auditing user activity

Key storage, HSM management and encryption done by HSM module SQL EKM Provider DLL SQL EKM key is a proxy to HSM key SQL EKM Key SQL EKM Provider DLL (HSM key proxy) implements SQLEKM Data interface, calls into SQL Server HSM module

Security Data and keys are physically separated (keys are stored in HSM modules) Centralized key management and storage for enterprise Additional authentication layer Separation of duties between db_owner and data owner Performance Pluggable hardware encryption boards

HSM Symmetric key Asymmetric key EKM Symmetric key EKM Asymmetric key SQL Server Data Data Native TDE DEK key Symmetric key

Encryption/decryption SQL Server 2008 at database level DEK DEK is encrypted with: − Certificate − Key residing in a Hardware Security Encrypted data page Module (HSM) Client Application Certificate required to attach database files or restore a backup

Operating System Level Data Protection API (DPAPI) DPAPI encrypts Service Master Key SQL Server 2008 Instance Level Service Master Key Service Master Key encrypts Database Master Key SQL Server 2008 Master Database Database Master Key Password Database Master Key Certificate encrypts Certificate In Master Database SQL Server 2008 Master Database Certificate encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database

Asymmetric Key resides on Hardware Security Module (HSM) the EKM device Asymmetric Key Asymmetric Key encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database

Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only

Operational Impact Storage replication at hardware level Background task to encrypt all pages At HW level, all pages get changed, i.e. all pages need to be replicated Need to test if your hardware replication can handle this throughput When using Database Mirroring or Log Shipping, Ensure that the mirror server has the master key and certificate as well Bottleneck isn’t throughput of pages Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity Possible Failover Issues Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up. May want to consider disabling HA and perform resynchronization of your HA configuration

SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit

File Security Event Log Audit Application Event Log File 0..1 system 0..1 Server audit specification DB audit specification per Audit object per database per Audit object Server Audit Database Audit Specification Components Database Audit Database Components Database Audit Components Audit Server Audit Action Specification Server Audit Action Server Audit Action Server Audit Action Database Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action CREATE SERVER AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION SvrAC AuditAC TO SERVER AUDIT PCI_Audit TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); ADD (SELECT ON Customers BY public) 18

Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)

Centralizing audit logs and reporting DB Servers Process Audit Information Use SSIS to process SQL2008 audit log data and store in its own SQL database. SSIS DB Server Transfer Logs SQL Audit DB Server File Server SQL 2008 DB Server o rts ep teR n era Ge SSRS 2008 Compliance Reports

Enterprise Data Platform Spend less time on ongoing operations Declarative Management Framework Manage via policies instead of scripts Define Enterprise wide data management policies Server Group Management Automated monitoring and enforcement of policies Simplify your installation and configuration Streamlined Installation Integrated with your enterprise system management Enterprise System Define Policies that are compliant with Management System Definition Model Manage your data and system infrastructure with Microsoft System Center

Facets Conditions Policies Targets Categories

• Provide auditors with assurance that SQL Server Compliance complies with all security and business guidelines • Complement All Actions Audited • Ensure peak performance Consistency • High levels of security & reliability • Drive strategic management initiative to control Costs costs • More efficient and proactive management

Defines the evaluation mode, target filters, and schedule of the conditions. Policy Specifies a set of allowed states of a managed target with regard to a facet Condition Set of related logical properties Facet

Server Restriction Category Policy Target Evaluation Mode

On Demand On Schedule • Evaluate a policy when specified by user • SQL Server 2008 only • Available through SSMS or Windows • SQL Server Agent job periodically PowerShell™ evaluates a policy • Option to force certain conditions to comply with policy • Supports down-level evaluation (depends on properties exposed) Evaluation modes On Change: Prevent On Change: Log Only • SQL Server 2008 only • SQL Server 2008 only • DDL triggers prevent policy violations • Event notification evaluates a policy when a relevant change is made

Windows PowerShell™ is a framework and runtime for executing management commands Cmdlets are instances of .NET classes that process input objects from the pipeline SQL Server Provider for Windows PowerShell™ encompasses SMO Invoke-PolicyEvaluation –Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1 Invoke-SQLCMD –Query ”SELECT name FROM sys.Databases;” –ServerInstance “MyServerInstance”

Bringing It All Together policy results policy results policy results policy results policy results policy results

Logically group instances based on business function(s) Centrally publish policies to groups of SQL Server 2008 instances Evaluate policies on-demand against a group of servers Filter by logical groups in Windows PowerShell™ scripts

Add Intelligence to Policies Place each policy in a category Define server restrictions for versions and editions where appropriate

Create Custom Server Groups in the CMS Run specific policies against a list of servers Examples: Production, Development, PCI Define Concurrent Jobs Define multiple concurrent executions based on Policy Category and/or logical Central Management Server group

Real-Time Enforcement and Reporting Monitor the event log through Alerting integration Advanced functionality and integration with SSMS Dependency, health states, subscriptions, history Scale Security Access to other rich features in SQL Server 2008

policy results policy results policy results syspolicy_policy_execution_history policy results syspolicy_policy_execution_history_details

Dynamic Development  Access your data from anywhere SQL Server Change Tracking  Store your data locally while disconnected from server  Synchronize Incremental changes Synchronized Programming between client and server Model  Detect conflicts during synchronization including deletes Visual Studio Support  Add disconnected scenarios without re-writing existing applications SQL Server Conflict Detection

Enterprise Policy Management Framework http://www.codeplex.com/EPMFramework Policy Based Management Blog http://blogs.msdn.com/sqlpbm/default.aspx

To learn more about the Windows PowerShell™ scripting Language http://www.microsoft.com/downloads/details.aspx?FamilyID=b4720b0 0-9a66-430f-bd56-ec48bfca154f&DisplayLang=en Windows PowerShell™ Blog http://blogs.msdn.com/powershell/ SQL Server PowerShell Overview http://msdn.microsoft.com/en-us/library/cc281954.aspx

Sql Server 2008 Security Enhanments

by Eduardo Castro on Mar 24, 2010

Accessibility

Upload Details

Usage Rights

1 Embed 13

Statistics

Sql Server 2008 Security Enhanments — Presentation Transcript