The document provides an overview of SQL Server security best practices. It recommends turning off unnecessary services, using Windows authentication over mixed mode if possible, securing the 'sa' account with a strong password, enabling auditing of failed logins, disabling unnecessary features like xp_cmdshell, and using schemas and stored procedures to implement the principle of least privilege for user access. It also discusses topics like encrypting data at the column level using keys and certificates. The goal is to harden SQL Server security without making it inaccessible to legitimate users and applications.

1. 11/5/2009
How do you ensure SQL Server is 100%
Secure?
• Simple …….. You turn it off.
SQL Server Security Best • 100% security is not possible
Practices • There are a number of best practices that you
Part 1 can take to make your SQL Server instance
k k SQ S i
Fall 2009 Ohio Behavioral Health MIS more secure
Users Group • The goal is to harden your SQL Server in a way
Jody McCluggage that it discourages attackers (e.g. don’t be the
low hanging fruit)
Overview Physical Security
• The primary focus will be on 2005/08 • Server housing production SQL Server should
• Will mention some best practices for 97/2000 be secured and only accessible to those who
(but really, you should be using 2005/08 now) need access
• This will be a high‐level overview. If you have
hi ill b hi h l l i f h
any questions on the details of anything in this
presentation, please let me know. Can do a
follow‐up with all the gory details if enough
people are interested.
Disclaimer and Warning Turn off/Disable any unnecessary
(Warning! Warning! Will Robinson) services
• Use care and thoroughly think through and • Turn off unnecessary services
• 2005/2008
test before implementing any of the – Most unnecessary services are turned off by default
suggestions in this presentation. – SQL Server Configuration Manager
– SQL Server Surface Area Configuration Manager (2005)/
Q g g ( )/
• I will not be held responsible if you break your
I will not be held responsible if you break your Policy manager (2008)
system (and will probably deny even knowing • 97/2000
you) – Services MMC snap‐in Administrator Tools
• SQL Browser service is not needed if there is only a
default instance
– Can also be disabled if you explicitly define and map ports
from application to named instances
1

2. 11/5/2009
SQL Server Service Accounts
SQL Server Service Accounts (cont.)
• Run SQL services under a low privilege local • Monitor services accounts for failed logons and
domain user account(s) account lockouts (account lockout will not prevent a
currently running SQL Server from running)
• Do not run under the context of the local • 97/2000
y , , ( p
system, local administrator, or (heaven help – Takes a little work but can be done
Takes a little work but can be done
you) a Domain Administrator account – May require changing some directory and registry
• Service account for SQL Server requires Full permissions
Control permission on the directories where • 2005/2008
data will be read and written to – Configured by default to not run under an
administrator/system account
– Data, log, backup, and replication snapshot – Change using SQL Server Configuration Manager
Port Security Authentication Mode
• Block/filter ports SQL Server is listening on • Windows Authentication only (Integrated Security) or SQL Server
and Windows Authentication (Mixed‐Mode)
perimeter devices • If able to, use Windows Authentication only (may not be possible
• 1433 (TCP) / 1434 (UDP) depending upon the applications that will be connecting)
– Can take advantage of controls built into windows (AD, Group Policy,
• Default instance account policies, groups, etc)
• Any additional named instances will listen on a – B
Better management and auditing controls
d di i l
different port • Mixed Mode (if you have to) recommendation
– 2000 or less ‐ incremented default port by one for each – Use SQL Accounts only for applications that don’t support Windows
Authentication
named instance
– Don’t use sa account for administration. Assign long complex
– SQL Server 2005 and higher – uses SQL Browser service to password and lock away.
listen on 1434 UDP and direct requests to dynamically created – Use Windows accounts with appropriate permissions for
ports administration
• Can be manually changed and set – Take advantage of Windows password policies (2005/08 only)
The Infamous “sa” account Auditing (more about setting up
custom auditing later)
• All powerful SQL Server account
• Needs to be assigned a very strong password
• By default no auditing is turned on
– Especially if running in Mixed Mode since account cannot be disabled • At a minimum turn on auditing for failed logon
or locked out
– Should not be used. Every administrator should have their own
administrator level account (preferably tied to the Windows account)
attempts
– Give it a long and complex password and put the password in a giant
l d l d d h d –B tt t
Best to turn on for both failed and successful
f b th f il d d f l
lockbox (preferably not the one that houses the social security
deposits). attempts
• 2005/08 – if Windows authentication is specified, the sa account is
disabled and a cryptographically random password is assigned. This
prevents the re‐enabling of the account without having to assign a
new password. It also ensures that there is never a blank sa
password (as was the case with some unpatched earlier versions)
2

3. 11/5/2009
Disable unnecessary features
Secure End Points
• Common dangerous and dangerous and/or • All connections pass through end points
unneeded services: • Can create and configure new end‐points
– xp_cmdshell
(2005/08 only)
– OPENROWSET & OPENDATASET
– OLE Automation • Can filter traffic by protocol and origination
fil ffi b l d i i i
– SQL Mail (use Database Mail instead) – System (most common one that users will deal
with. Created by default)
• Most can be managed through Surface
Configuration manager (2005)/Policy manger – TCP (must be created)
(2008) and sp_configure – HTTP (must be created)
Secure End Points (cont.) TCP end point (default and custom)
• System end point • Configurable options
– Shared Memory Protocol – Listening port
– Default TCP
– Listening IP address
– Named Pipes
– VIA – Traffic encryption
Traffic encryption
– Dedicated Admin Connection ‐ DAC (specialized • All login packets are by default encrypted. All other
emergency admin access. Cannot be disabled) traffic is not.
• Requires certificate installed on server
• Only enable/create those that you need. In most
production systems you need only TCP and – Hide instance
Shared Memory.
User Account management User Account management
• Manage groups not users • Filter all data access through Stored
– Assign all users to meaningful logical groups Procedures
– Assign permissions to groups – Finer control
– More robust and flexible
More robust and flexible – Eliminates the need to give the user direct access
Eliminates the need to give the user direct access
• Follow the principle of least privilege when to the underlying tables and views
managing users. Should only give users • Take advantage of Schemas to control
privileges they need to do their job and permissions.
nothing more (don’t be handing out sysadmin
or db owner privileges like there candy from a
Pez dispenser)
3

4. 11/5/2009
Schemas (the most under
Schemas (cont)
appreciated security feature)
• Container of SQL objects (tables, views, stored • Each object is a assigned to only one schema
procedures, functions, etc). • Schemas if setup correctly can create valuable
• Prior to 2005, schema = owner. 2005 security boundaries
decoupled the schema from the owner and
decoupled the schema from the owner and
brought it closer to the ANSI standard
• Schemas are now separate from users. A user
can be assigned to more than one schema and
a schema can be assigned to more than one
user
Schema example Schema example (cont.)
Example: Julie, John, and Jerry from the
Accounting_Group
accounting department need to have execute Julie, Jim, and Jerry
permissions on a group of stored procedures.
You could assign execute permission to the
You could assign execute permission to the Accounting Schema
A ti S h
Accounting group (remember its best to work db.Accounting.usp_getBalance
db.Accounting.usp_insertEntry
with groups) on each individual stored db.Accounting.usp_enterClient
procedure. Or you could assign all the needed
stored procedures to an “Accounting” schema GRANT EXECUTE ON SCHEMA::Accounting TO
and just give the accounting group execute Accounting_Group
permission on the “Accounting” schema.
Permissions are hierarchical
Permissions
(2005/08)
• Permissions can be assigned to “Securables” • Instance level and database level permissions
• Securable Hierarchy are grouped into hierarchies. Permissions
– Instance lower in an assigned hierarchy are also
– Database
b granted (unless explicitly revoked)
granted (unless explicitly revoked)
– Schemas • Database level permission example:
– Database Objects (tables, views, stored – Create Table
procedures, functions, etc) • Insert
• Update
• Permissions can be granted or revoked
• Delete
• Select
4

5. 11/5/2009
Column Level Encryption Column Level Encryption Key
(warning: technical data ahead) Hierarchy
• Starting with SQL Server 2005, column level • Service Master Key
encryption was supported – Created automatically when SQL Server Instance first
started
• Any encryption strategy needs to be well – Should backup to a secure location before implementing
planed before implementing. Good key
planed before implementing Good key data level encryption.
data level encryption
management is a must or you may just end up • Database Master Key
locking your self out of your data. – Created manually for each database you want to encrypt
data items
– Not required but recommended
– Encrypted by Service Master Key
– Should backup to a secure location before implementing
data level encryption.
Column Level Encryption
Column Data Encryption (Cont.)
Continued
• Data Level Encryption Keys Most common scenario when used:
– Asymmetric Keys An Asymmetric Key encrypted by a certificate is
• Single key for both encryption and decryption used to encrypt desired data elements. An
• Fast encryption function is created that is called
encryption function is created that is called
• Securing the key is an issue
within a stored procedure.
– Asymmetric Key/Certificate
• Two keys (Public and Private) are used
• Data encrypted by one key can only be decrypted by
the other and vice‐versa.
Database Level Encryption Database Level Encryption (Cont.)
• This column‐level encryption seems complex • Any data saved to EFS protected directories
and messy, why not just encrypt the entire would be encrypted. Encryption is at the
database when at rest? directory level
• Prior to 2008 this could be done using EFS
Prior to 2008 this could be done using EFS – Data moved out of protected directories would no
Data moved out of protected directories would no
(make sure you have a domain EFS recovery longer be encrypted.
agent in place before doing this). The • SQL Server 2008 to the rescue with
directories that housed the database and Transparent Data Encryption (TDE)
backups (don’t forget the backups) need to – Encryption at the database level.
have EFS enabled on them. – Database encrypted with Database Master Key
– Backups automatically encrypted also
5

6. 11/5/2009
Auditing Auditing (Cont.)
• DML (database manipulation language) • DDL (data definition Language) trigger
Triggers – A cool feature introduced in SQL 2005 that allows
– Actions can be taken or recorded based on DML you to take action based on a DDL event (Create,
events (INSERT, UPDATE, DELETE, etc)
events (INSERT UPDATE DELETE etc) Drop, Alter, etc).
p, , )
• An example would be to create a DML Trigger that – For example you could create a trigger that could
records writes to a special log table when, who, and intercept a create table command, log who, when,
what data was modified in a designated table. and what to a special log file, roll‐back the
transaction, and fire off an email.
Auditing (Cont.) Part 2
• SQL Server 2008 added two new auditing • Mitigating SQL Injection risks
features • Securing SSIS, SSRS, and SSAS
– Audit Object • Scripting SQL Server (more PowerShell fun)
– Identify a collection of actions to be tracked
Identify a collection of actions to be tracked
– Only available in Enterprise edition
• D*mn you Microsoft!
• Policy‐Based Management
– Replaces Surface Area Configuration Management
– Can be configured to monitor and enforce a
baseline configuration
Some useful resources
• SQL Server Books Online
• Google
• Microsoft SQL Server News groups
• How to Cheat at Securing Server 2005
• The Rational Guide to SQL Server 2005
Security
• Professional SQL Server 2008 Administration
6