SQL Server 2008 Security Enhancements


In this presentation we review the security enhancements in SQL Server 2008.

  1. 1. Ing. Eduardo Castro, PhD
  2. 2. Transparent Data Encryption Visual Entity Designer Backup Compression External Key Management Entity Aware Adapters MERGE SQL Statement Data Auditing SQL Server Change Tracking Data Profiling Pluggable CPU Synchronized Programming Model Star Join Transparent Client Redirect for Visual Studio Support Enterprise Reporting Database Mirroring SQL Server Conflict Detection Engine Database Mirroring Enhancements FILESTREAM data type Internet Report DBM: Auto Page Repair Integrated Full-Text Search Deployment Declarative Management Sparse Columns Block Computations Framework Large User-Defined Types Scale-out Analysis Server Group Management Date / Time Data Types BI Platform Management Streamlined Installation LOCATION data type Export to Word and Excel Enterprise System Management SPATIAL data type Author reports in Word, Performance Data Collection Excel Virtual Earth Integration System Analysis Report Builder Partitioned Table Parallelism Enhancements Data Compression Query Optimizations TABLIX Query Optimization Modes Persistent Lookups Rich Formatted Data Resource Governor Change Data Capture Personalized Entity Data Model Perspectives LINQ … and many more
  3. 3. Transparent data encryption: encrypt an entire database. Backup encryption: compresses and secures the backup file. Auditing: now monitors data access and modifications. Policy-based Framework from Windows Server 2008: automates administrative tasks.
  4. 4. Enterprise Data Platform. Protect your information: Transparent Data Encryption (encrypt your data without requiring an application re-write); External Key Management (consolidate security keys within the data center); Data Auditing (integrated auditing support). Increase the reliability of your applications: Pluggable CPU (add system resources without affecting your users); Enhanced Database Mirroring (leverage database mirroring to increase reliability).
  5. 5. In SQL Server 2000: 3rd-party support required. Since SQL Server 2005: built-in support for data encryption; support for key management. Encryption additions in SQL Server 2008: Transparent Data Encryption; Extensible Key Management.
  6. 6. Support for full SSL encryption since SQL Server 2000. Clients: MDAC 2.6 or later. Force encryption from client or server. Login packet encryption: used regardless of encryption settings; supported since 2000; self-generated certificates available since 2005.
  7. 7. SQL Server 2005: built-in encryption functions; key management in SQL Server; Encrypting File System (EFS); BitLocker. SQL Server 2008: Extensible Key Management (EKM); Transparent Data Encryption (TDE).
  8. 8. Follow the principle of least privilege! Avoid using sysadmin/sa and db_owner/dbo: grant required perms to a normal login. Never use the dbo schema: user-schema separation. Applications should have their own schema: consider multiple schemas. Leverage Flexible Database Roles: facilitates role separation. Consider auditing user activity.
  9. 9. Key storage, management and encryption done by HSM module. SQL EKM key is a proxy to HSM key. SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module. [Diagram labels: SQL Server; Data; SQL EKM Key (HSM key proxy); SQL EKM Provider DLL; HSM]
  10. 10. Security: data and keys are physically separated (keys are stored in HSM modules); centralized key management and storage for enterprise; additional authentication layer; separation of duties between db_owner and data owner. Performance: pluggable hardware encryption boards.
  11. 11. [Diagram labels: HSM (symmetric key, asymmetric key); SQL Server (EKM symmetric key, EKM asymmetric key, native symmetric key, TDE DEK key); data]
  12. 12. Encryption/decryption at database level. DEK is encrypted with: a certificate; or a key residing in a Hardware Security Module (HSM). Certificate required to attach database files or restore a backup. [Diagram labels: Client Application; SQL Server 2008; DEK; Encrypted data page]
  13. 13. Operating system level: Data Protection API (DPAPI). DPAPI encrypts Service Master Key. SQL Server 2008 instance level: Service Master Key. Service Master Key encrypts Database Master Key. SQL Server 2008 master database: Database Master Key (password). Database Master Key encrypts certificate in master database. SQL Server 2008 master database: Certificate. Certificate encrypts Database Encryption Key. SQL Server 2008 user database: Database Encryption Key.
  14. 14. Hardware Security Module (HSM): asymmetric key resides on the EKM device. Asymmetric key encrypts Database Encryption Key. SQL Server 2008 user database: Database Encryption Key.
  15. 15. Compatible with Database Compression. Not recommended with Backup Compression. Database Mirroring: copy certificate from primary to mirror. Log files are not retroactively encrypted: encryption begins at next VLF boundary. Tempdb is encrypted when 1 db in instance uses TDE. Enterprise only.
  16. 16. Operational Impact. Storage replication at hardware level: a background task encrypts all pages; at HW level, all pages get changed, i.e. all pages need to be replicated; need to test if your hardware replication can handle this throughput. When using Database Mirroring or Log Shipping: ensure that the mirror server has the master key and certificate as well. Bottleneck isn't throughput of pages: the transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted, but secondary server restore of the transaction log uses fewer threads than principal/primary servers, i.e. backlog in restore activity. Possible Failover Issues: synchronous mirroring backlog may result in not being able to fail over, since restoring received transaction log records could take a few hours. For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore has finally caught up. May want to consider disabling HA and performing a resynchronization of your HA configuration.
  17. 17. SQL Server 2005: SQL Trace; DDL/DML triggers; third-party tools to read transaction logs; no management tools support. SQL Server 2008: SQL Server Audit.
  18. 18. Audit targets: File (file system), Security Event Log, Application Event Log. Server Audit Specification: 0..1 per Audit object; components are Server Audit Actions. Database Audit Specification: 0..1 per database per Audit object; components are Database Audit Actions. CREATE SERVER AUDIT SPECIFICATION SvrAC FOR SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); CREATE DATABASE AUDIT SPECIFICATION AuditAC FOR SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public);
  19. 19. Leverages high performance eventing infrastructure to generate audits. Runs within engine rather than as a side/separate app. Parity with SQL 2005 Audit Generation. Faster than SQL Trace. Records changes to Audit configuration. Configuration and management in SSMS. (Note: Enterprise Edition only)
  20. 20. Centralizing audit logs and reporting. Process Audit Information: use SSIS to process SQL2008 audit log data and store in its own SQL database. [Diagram labels: SQL 2008 DB Servers; Transfer Logs; File Server; SSIS; SQL Audit DB Server; Generate Reports; SSRS 2008; Compliance Reports]
  21. 21. Enterprise Data Platform. Spend less time on ongoing operations. Declarative Management Framework: manage via policies instead of scripts; define enterprise-wide data management policies. Server Group Management: automated monitoring and enforcement of policies. Simplify your installation and configuration: Streamlined Installation. Integrated with your enterprise system management. Enterprise System Management: define policies that are compliant with System Definition Model; manage your data and system infrastructure with Microsoft System Center.
  22. 22. Facets, Conditions, Policies, Targets, Categories
  23. 23. Compliance: provide auditors with assurance that SQL Server complies with all security and business guidelines; complement All Actions Audited. Consistency: ensure peak performance; high levels of security & reliability. Costs: drive strategic management initiative to control costs; more efficient and proactive management.
  24. 24. Policy: defines the evaluation mode, target filters, and schedule of the conditions. Condition: specifies a set of allowed states of a managed target with regard to a facet. Facet: set of related logical properties.
  25. 25. Server Restriction, Category, Policy, Target, Evaluation Mode
  26. 26. Evaluation modes. On Demand: evaluate a policy when specified by user; available through SSMS or Windows PowerShell™; option to force certain conditions to comply with policy; supports down-level evaluation (depends on properties exposed). On Schedule: SQL Server 2008 only; SQL Server Agent job periodically evaluates a policy. On Change: Prevent: SQL Server 2008 only; DDL triggers prevent policy violations. On Change: Log Only: SQL Server 2008 only; event notification evaluates a policy when a relevant change is made.
  27. 27. Windows PowerShell™ is a framework and runtime for executing management commands. Cmdlets are instances of .NET classes that process input objects from the pipeline. SQL Server Provider for Windows PowerShell™ encompasses SMO. Examples: Invoke-PolicyEvaluation -Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1 and Invoke-Sqlcmd -Query "SELECT name FROM sys.databases;" -ServerInstance "MyServerInstance"
  28. 28. Bringing It All Together [Diagram label: policy results]
  29. 29. Bringing It All Together [Diagram label: policy results]
  30. 30. Logically group instances based on business function(s). Centrally publish policies to groups of SQL Server 2008 instances. Evaluate policies on-demand against a group of servers. Filter by logical groups in Windows PowerShell™ scripts.
  31. 31. Add Intelligence to Policies. Place each policy in a category. Define server restrictions for versions and editions where appropriate.
  32. 32. Create Custom Server Groups in the CMS: run specific policies against a list of servers. Examples: Production, Development, PCI. Define Concurrent Jobs: define multiple concurrent executions based on Policy Category and/or logical Central Management Server group.
  33. 33. Real-Time Enforcement and Reporting. Monitor the event log through Alerting integration. Advanced functionality and integration with SSMS: dependency, health states, subscriptions, history. Scale. Security. Access to other rich features in SQL Server 2008.
  34. 34. [Diagram labels: policy results; syspolicy_policy_execution_history; syspolicy_policy_execution_history_details]
  35. 35. Dynamic Development. Features: SQL Server Change Tracking; Synchronized Programming Model; Visual Studio Support; SQL Server Conflict Detection. Access your data from anywhere. Store your data locally while disconnected from server. Synchronize incremental changes between client and server. Detect conflicts during synchronization including deletes. Add disconnected scenarios without re-writing existing applications.
  36. 36. Enterprise Policy Management Framework Policy Based Management Blog
  37. 37. To learn more about the Windows PowerShell™ scripting Language 0-9a66-430f-bd56-ec48bfca154f&DisplayLang=en Windows PowerShell™ Blog SQL Server PowerShell Overview