ISSA Data Security for Audit and Compliance Andrew Fryer Evangelist Microsoft Ltd

Session Objectives Understand that Security is an important consideration for applications as well as the server Know what is available in SQL Server and how it can help you achieve security objectives

Understand that Security is an important consideration for applications as well as the server

Know what is available in SQL Server and how it can help you achieve security objectives

Agenda Protecting applications Data protection Authentication/Authorization SQL Injection SQL 2008 Compliance New Features Transparent Data Encryption Extensible Key Management Audit

Protecting applications

Data protection

Authentication/Authorization

SQL Injection

SQL 2008 Compliance New Features

Transparent Data Encryption

Extensible Key Management

Audit

A true story.....(kind of) The Company The Application The MD The IT Manager The DBA

The Company

The Application

The MD

The IT Manager

The DBA

What happened Day 1 due diligence Review and change admin passwords 10 minutes later Helpdesk reports problems Login failures Smoking gun ODBC DSN 10 minutes later Helpdesk reports problems Module failures, report failures Code review ! using ‘sa’ context!

Day 1 due diligence

Review and change admin passwords

10 minutes later

Helpdesk reports problems

Login failures

Smoking gun

ODBC DSN

10 minutes later

Helpdesk reports problems

Module failures, report failures

Code review !

Code review Issues No centralized data access layer Embedded SQL Lookup Order: Lookup Customer: Connection strings with hardcoded passwords “ SELECT * FROM Orders WHERE OrderId=“ + varOrderId SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”’” Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id= sa ;Password=‘’;

Issues

No centralized data access layer

Embedded SQL

Lookup Order:

Lookup Customer:

Connection strings with hardcoded passwords

“ SELECT * FROM Orders WHERE OrderId=“ + varOrderId

SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”’”

Protecting Applications

Protecting Applications

Authentication

Data Encryption In SQL Server 2000, 3 rd party support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management

In SQL Server 2000, 3 rd party support required

Since SQL Server 2005

Built-in support for data encryption

Support for key management

Encryption additions in SQL Server 2008

Transparent Data Encryption

Extensible Key Management

Channel Encryption Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005

Support for full SSL Encryption since SQL Server 2000

Clients: MDAC 2.6 or later

Force encryption from client or server

Login packet encryption

Used regardless of encryption settings

Supported since 2000

Self-generated certificates avail since 2005

Permission Strategy Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo Grant required perms to normal login Never use the dbo schema User-schema separation Applications should have own schema Consider multiple schemas Leverage Flexible Database Roles Facilitates role separation Consider Auditing user activity

Follow principal of least privilege!

Avoid using sysadmin/sa and db_owner/dbo

Grant required perms to normal login

Never use the dbo schema

User-schema separation

Applications should have own schema

Consider multiple schemas

Leverage Flexible Database Roles

Facilitates role separation

Consider Auditing user activity

Ownership Chaining Beware of Ownership Chaining

Beware of Ownership Chaining

Module Signing Alice has permission to call SP SP run under Alice’s context but with elevated privilege SP protected against tampering Alice (non privileged login) SP_ENABLE_LOGIN ALTER LOGIN Bob ENABLE Cert_login ALTER ANY LOGIN

Alice has permission to call SP

SP run under Alice’s context but with elevated privilege

SP protected against tampering

Execution Context Best Practices Controlled escalation of privileges DB scoped: EXECUTE AS and App Roles Cross-DB scoped: Certificates Avoid using dynamic SQL under an escalated context Do not use use CDOC and SETUSER Avoid allowing guest access on user DBs

Controlled escalation of privileges

DB scoped: EXECUTE AS and App Roles

Cross-DB scoped: Certificates

Avoid using dynamic SQL under an escalated context

Do not use use CDOC and SETUSER

Avoid allowing guest access on user DBs

SQL Injection SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution. SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”%’” ''';DROP TABLE CUSTOMERS--' SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS —’

SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.

SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”%’”

SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS —’

SQL Injection – defence Use parameterized SQL queries Use Type-Safe SqlParameter in .Net Use parameterized SPs Least-privilege Principle Escape special characters Escape quotes with quotename/replace Escape wildcards in LIKE statements Validate buffer length to avoid truncation

Use parameterized SQL queries

Use Type-Safe SqlParameter in .Net

Use parameterized SPs

Least-privilege Principle

Escape special characters

Escape quotes with quotename/replace

Escape wildcards in LIKE statements

Validate buffer length to avoid truncation

class DataAccess { static void GetNewOrders(DateTime date, int qty) { using (NorthWindDB nw = new NorthWindDB ()) { var orders = from o in nw.Orders where o.OrderDate > date select new { o.orderID, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity); foreach (SalesOrder o in orders) { Console.WriteLine("{0:d} {1} {2}", o.OrderDate, o.OrderId, o.Total); } } } } Data Access Code with LINQ Query syntax is native application code Data objects are first-class citizens No dynamic SQL therefore no injection

Business Reasons Compliance requirements for PCI, HIPAA, GLBA among many other acronyms Key Management, Encryption, and Auditing are key components to meeting these compliance requirements Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance

Compliance requirements for PCI, HIPAA, GLBA among many other acronyms

Key Management, Encryption, and Auditing are key components to meeting these compliance requirements

Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance

Data Encyption SQL Server 2005 Built-in encryption functions Key management in SQL Server Encrypted File System (EFS) Bit-Locker SQL Server 2008 Extensible Key Management (EKM) Transparent Data Encryption (TDE)

SQL Server 2005

Built-in encryption functions

Key management in SQL Server

Encrypted File System (EFS)

Bit-Locker

SQL Server 2008

Extensible Key Management (EKM)

Transparent Data Encryption (TDE)

Extensible Key Management Key storage, management and encryption done by HSM module SQL EKM key is a proxy to HSM key SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module SQL EKM Provider DLL SQL EKM Key (HSM key proxy) Data SQL Server

Key storage, management and encryption done by HSM module

SQL EKM key is a proxy to HSM key

SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module

Advantages of using EKM Security Data and keys are physically separated (keys are stored in HSM modules) Centralized key management and storage for enterprise Additional authentication layer Separation of duties between db_owner and data owner Performance Pluggable hardware encryption boards

Security

Data and keys are physically separated (keys are stored in HSM modules)

Centralized key management and storage for enterprise

Additional authentication layer

Separation of duties between db_owner and data owner

Performance

Pluggable hardware encryption boards

EKM Key Hierarchy in SQL 2008 Native Symmetric key TDE DEK key EKM Symmetric key EKM Asymmetric key SQL Server Symmetric key Asymmetric key Data Data

Transparent Data Encryption (TDE) Encryption/decryption at database level DEK is encrypted with: Certificate Key residing in a Hardware Security Module (HSM) Certificate required to attach database files or restore a backup SQL Server 2008 DEK Client Application Encrypted data page

Encryption/decryption at database level

DEK is encrypted with:

Certificate

Key residing in a Hardware Security Module (HSM)

Certificate required to attach database files or restore a backup

TDE – Key Hierarchy Database Master Key encrypts Certificate In Master Database DPAPI encrypts Service Master Key Service Master Key encrypts Database Master Key Certificate encrypts Database Encryption Key

TDE – Key Hierarchy with EKM Asymmetric Key resides on the EKM device Asymmetric Key encrypts Database Encryption Key

TDE considerations Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only

Compatible with Database Compression

Not recommended with Backup Compression

Database Mirroring

Copy certificate from primary to mirror

Log files are not retroactively encrypted

Encryption begins at next VLF boundary

Tempdb is encrypted when 1 db in instance uses TDE

Enterprise only

Transparent Data Encryption Operational Impact Storage replication at hardware level Background task to encrypt all pages At HW level, all pages get changed, i.e. all pages need to be replicated Need to test if your hardware replication can handle this throughput When using Database Mirroring or Log Shipping, Ensure that the mirror server has the master key and certificate as well Bottleneck isn’t throughput of pages Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity Possible Failover Issues Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up. May want to consider disabling HA and perform resynchronization of your HA configuration

Storage replication at hardware level

Background task to encrypt all pages

At HW level, all pages get changed, i.e. all pages need to be replicated

Need to test if your hardware replication can handle this throughput

When using Database Mirroring or Log Shipping,

Ensure that the mirror server has the master key and certificate as well

Bottleneck isn’t throughput of pages

Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted

But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity

Possible Failover Issues

Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours

For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up.

May want to consider disabling HA and perform resynchronization of your HA configuration

Auditing Database Activity SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit

SQL Server 2005

SQL Trace

DDL/DML Triggers

Third-party tools to read transaction logs

No management tools support

SQL Server 2008

SQL Server Audit

Audit Specifications Audit Security Event Log Application Event Log 0..1 Server audit specification per Audit object 0..1 DB audit specification per database per Audit object CREATE SERVER AUDIT SPECIFICATION SvrAC TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); CREATE DATABASE AUDIT SPECIFICATION AuditAC TO SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public) Server Audit Action Server Audit Action Server Audit Action Server Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action File File system Server Audit Specification Database Audit Components Database Audit Components Database Audit Components Database Audit Specification

Reasons to use SQL Audit Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)

Leverages high performance eventing infrastructure to generate audits

Runs within engine rather than as a side/separate app

Parity with SQL 2005 Audit Generation

Faster than SQL Trace

Records changes to Audit configuration

Configuration and management in SSMS

(Note: Enterprise Edition only)

Auditing Centralizing audit logs and reporting

Policy-Based Management Facets Conditions Policies Categories Targets

Take aways Protect applications not just databases Get the basics right! Leverage all of the features of SQL Server to meet your compliance needs

Protect applications not just databases

Get the basics right!

Leverage all of the features of SQL Server to meet your compliance needs

Resources UK SQL Server 2008 Server Site http://www.microsoft.com/uk/sql SQL Server Compliance Micro-Site http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx Whitepaper for PCI compliance http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf Me http://blogs.technet.com/andrew

UK SQL Server 2008 Server Site

http://www.microsoft.com/uk/sql

SQL Server Compliance Micro-Site

http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx

Whitepaper for PCI compliance

http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf

Me

http://blogs.technet.com/andrew

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.