SQL Server 2008 Security Overview

  1. ISSA: Data Security for Audit and Compliance. Andrew Fryer, Evangelist, Microsoft Ltd
  2. Session Objectives
     - Understand that security is an important consideration for applications as well as the server
     - Know what is available in SQL Server and how it can help you achieve security objectives
  3. Agenda
     - Protecting applications
       - Data protection
       - Authentication/Authorization
       - SQL Injection
     - SQL 2008 Compliance New Features
       - Transparent Data Encryption
       - Extensible Key Management
       - Audit
  4. A true story.....(kind of)
     - The Company
     - The Application
     - The MD
     - The IT Manager
     - The DBA
  5. What happened
     - Day 1 due diligence
       - Review and change admin passwords
     - 10 minutes later
       - Helpdesk reports problems
       - Login failures
     - Smoking gun
       - ODBC DSN
     - 10 minutes later
       - Helpdesk reports problems
       - Module failures, report failures
       - Code review!
     (Callout: using ‘sa’ context!)
  6. Code review
     - Issues
       - No centralized data access layer
       - Embedded SQL
         - Lookup Order: “SELECT * FROM Orders WHERE OrderId=” + varOrderId
         - Lookup Customer: “SELECT * FROM Customer WHERE SurName Like ‘” + varSearchTerm + ”’”
       - Connection strings with hardcoded passwords
         - Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id=sa;Password=‘’;
  7. Protecting Applications
  8. Authentication
  9. Data Encryption
     - In SQL Server 2000, 3rd-party support required
     - Since SQL Server 2005
       - Built-in support for data encryption
       - Support for key management
     - Encryption additions in SQL Server 2008
       - Transparent Data Encryption
       - Extensible Key Management
  10. Channel Encryption
     - Support for full SSL encryption since SQL Server 2000
       - Clients: MDAC 2.6 or later
       - Force encryption from client or server
     - Login packet encryption
       - Used regardless of encryption settings
       - Supported since 2000
       - Self-generated certificates available since 2005
  11. Permission Strategy
     - Follow the principle of least privilege!
     - Avoid using sysadmin/sa and db_owner/dbo
       - Grant required permissions to a normal login
     - Never use the dbo schema
       - User-schema separation
     - Applications should have their own schema
       - Consider multiple schemas
     - Leverage flexible database roles
       - Facilitates role separation
     - Consider auditing user activity
  12. Ownership Chaining
     - Beware of ownership chaining
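The permission strategy on slide 11 and the ownership-chaining warning on slide 12 fit together in one script. The following is an added T-SQL example, not part of the original deck: it creates a least-privilege login with its own schema owned by a role, grants through a flexible database role, and then shows what ownership chaining does (and why it needs watching). The database `billingDB`, the `billing` schema, the `BillingApp` login and the `Customers` table are assumed names.

```sql
-- Added example (not from the slides): least-privilege login, user-schema separation,
-- a flexible database role, and a demonstration of ownership chaining.
-- billingDB, billing, BillingApp, Customers and the passwords are assumptions.
USE master;
CREATE LOGIN BillingApp WITH PASSWORD = 'ReplaceWithStrongPassword!1', CHECK_POLICY = ON;
GO
USE billingDB;
-- A role owns the application schema, so ownership does not depend on a named person.
CREATE ROLE billing_owner;
GO
CREATE SCHEMA billing AUTHORIZATION billing_owner;
GO
-- The login becomes a database user whose default schema is NOT dbo.
CREATE USER BillingApp FOR LOGIN BillingApp WITH DEFAULT_SCHEMA = billing;
CREATE TABLE billing.Customers (
    CustomerId int PRIMARY KEY,
    SurName    nvarchar(100) NOT NULL,
    CardNumber varchar(19)   NULL      -- sensitive column the application must never read
);
GO
-- A view exposes only what the application needs.
CREATE VIEW billing.CustomerSearch AS
    SELECT CustomerId, SurName FROM billing.Customers;
GO
-- Flexible database role: permissions go to the role, users go into the role.
CREATE ROLE billing_reader;
GRANT SELECT ON billing.CustomerSearch TO billing_reader;
EXEC sp_addrolemember 'billing_reader', 'BillingApp';   -- SQL Server 2008 syntax
GO
-- Ownership chaining: view and table share an owner (the schema owner), so the table's
-- permissions are NOT checked when the view is read. That makes the view a safe facade,
-- and it is also why the slide says "beware": a grant on any object in a chain silently
-- covers everything it references that has the same owner.
EXECUTE AS USER = 'BillingApp';
SELECT CustomerId, SurName FROM billing.CustomerSearch;  -- succeeds via the intact chain
GO
-- Direct access to the table is still denied (permission error; kept in its own batch).
SELECT CardNumber FROM billing.Customers;
GO
REVERT;
GO
-- Cross-database ownership chaining should stay off (the default). Check every database.
SELECT name, is_db_chaining_on FROM sys.databases;
```

The last query is worth adding to a periodic configuration check: a database with `is_db_chaining_on = 1` lets a chain cross into it from another database, which is exactly the case the deck's "cross-DB scoped: certificates" advice on slide 14 is meant to replace.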
  13. Module Signing
     - Alice has permission to call the SP
     - SP runs under Alice’s context but with elevated privilege
     - SP protected against tampering
     (Diagram: Alice (non-privileged login) calls SP_ENABLE_LOGIN, which executes ALTER LOGIN Bob ENABLE; the SP is signed with a certificate whose login Cert_login holds ALTER ANY LOGIN)
  14. Execution Context Best Practices
     - Controlled escalation of privileges
       - DB scoped: EXECUTE AS and App Roles
       - Cross-DB scoped: Certificates
       - Avoid using dynamic SQL under an escalated context
     - Do not use CDOC and SETUSER
     - Avoid allowing guest access on user DBs
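The module-signing pattern from slide 13 and the controlled-escalation advice from slide 14, worked through in T-SQL. This is an added example, not code from the original deck; it reuses the slide's names (Alice, Bob, SP_ENABLE_LOGIN, Cert_login, ALTER ANY LOGIN) and assumes the certificate name, the passwords and that everything lives in `master`.

```sql
-- Added example (not from the slides) of signing a procedure with a certificate so that a
-- non-privileged login can run one narrowly scoped privileged action.
-- Certificate name, passwords and the use of master are assumptions.
USE master;
-- The login the procedure will act on; disabled so that the example has something to enable.
CREATE LOGIN Bob WITH PASSWORD = 'ReplaceWithStrongPassword!0';
ALTER LOGIN Bob DISABLE;
GO
-- The certificate that signs the procedure. Its private key stays with whoever signs.
CREATE CERTIFICATE EnableLoginSigningCert
    ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPassword!1'
    WITH SUBJECT = 'Signs SP_ENABLE_LOGIN';
GO
-- A login created from the certificate. It can never log in; it exists only to hold the
-- server-level permission the signed procedure needs.
CREATE LOGIN Cert_login FROM CERTIFICATE EnableLoginSigningCert;
GRANT ALTER ANY LOGIN TO Cert_login;
GO
-- The procedure does exactly one thing and contains no dynamic SQL (slide 14: never build
-- dynamic SQL under an escalated context, because the caller would then choose the statement).
CREATE PROCEDURE dbo.SP_ENABLE_LOGIN
AS
BEGIN
    ALTER LOGIN Bob ENABLE;
END;
GO
-- Signing binds Cert_login's permissions to this exact procedure text. Any ALTER PROCEDURE
-- drops the signature, which is the "protected against tampering" property on the slide.
ADD SIGNATURE TO dbo.SP_ENABLE_LOGIN
    BY CERTIFICATE EnableLoginSigningCert
    WITH PASSWORD = 'ReplaceWithStrongPassword!1';
GO
-- Alice only ever receives EXECUTE on the procedure, never ALTER ANY LOGIN.
CREATE LOGIN Alice WITH PASSWORD = 'ReplaceWithStrongPassword!2';
CREATE USER Alice FOR LOGIN Alice;
GRANT EXECUTE ON dbo.SP_ENABLE_LOGIN TO Alice;
GO
-- Verify: the call works for Alice, yet the permission itself is not hers.
EXECUTE AS LOGIN = 'Alice';
EXEC dbo.SP_ENABLE_LOGIN;   -- succeeds: the signature adds Cert_login's permission while it runs
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS alice_has_alter_any_login;  -- 0
REVERT;
GO
-- Signed modules are listed in the catalog; an auditor can see which code carries a signature.
SELECT OBJECT_NAME(cp.major_id) AS module_name, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint;
```

Compared with `EXECUTE AS OWNER` on the procedure, the signature grants only the permissions held by `Cert_login`, and only for the duration of that exact procedure body; changing the body removes the grant until someone with the private key re-signs it.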
  15. SQL Injection
     - SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.
       - Query built by concatenation: “SELECT * FROM Customer WHERE SurName Like ‘” + varSearchTerm + ”%’”
       - Search term supplied: ''';DROP TABLE CUSTOMERS--'
       - Resulting statement: SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS --’
  16. SQL Injection – defence
     - Use parameterized SQL queries
     - Use type-safe SqlParameter in .NET
     - Use parameterized SPs
     - Least-privilege principle
     - Escape special characters
     - Escape quotes with quotename/replace
     - Escape wildcards in LIKE statements
     - Validate buffer length to avoid truncation
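The customer lookup from slides 6 and 15, rewritten the way slide 16 recommends. This is an added T-SQL example, not code from the deck: a parameterized stored procedure that validates length, escapes `LIKE` wildcards, and (for the case where an identifier really must vary at run time) uses `sp_executesql` with a parameter plus `QUOTENAME` on a catalog-checked column name. `billing.Customers`, its columns and the procedure names are assumptions.

```sql
-- Added example (not from the slides): the surname search hardened per slide 16.
-- billing.Customers, CustomerId, SurName and the procedure names are assumptions.
CREATE PROCEDURE billing.FindCustomersBySurname
    @SearchTerm nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    -- 1. Length check first ("validate buffer length to avoid truncation"): if an escaped
    --    string were silently truncated, the escape characters could be cut off.
    IF @SearchTerm IS NULL OR LEN(@SearchTerm) = 0 OR LEN(@SearchTerm) > 50
    BEGIN
        RAISERROR('SearchTerm must be between 1 and 50 characters.', 16, 1);
        RETURN;
    END;

    -- 2. Escape LIKE wildcards so the input is matched literally. '[' must be handled too,
    --    because [a-z] is a range in T-SQL LIKE. The ESCAPE clause names the escape character.
    DECLARE @Escaped nvarchar(200) =
        REPLACE(REPLACE(REPLACE(REPLACE(@SearchTerm, N'\', N'\\'),
                                        N'%', N'\%'), N'_', N'\_'), N'[', N'\[');

    -- 3. The value is a parameter, never part of the statement text, so quotes or semicolons
    --    in @SearchTerm cannot change the query. The statement itself is a constant.
    SELECT CustomerId, SurName
    FROM billing.Customers
    WHERE SurName LIKE @Escaped + N'%' ESCAPE N'\';
END;
GO

-- Only when dynamic SQL is unavoidable (here: a run-time sort column). The value still
-- travels as a typed parameter; the identifier is checked against the catalog and quoted.
CREATE PROCEDURE billing.FindCustomersBySurnameSorted
    @SearchTerm nvarchar(100),
    @SortColumn sysname = N'SurName'
AS
BEGIN
    SET NOCOUNT ON;
    IF @SearchTerm IS NULL OR LEN(@SearchTerm) = 0 OR LEN(@SearchTerm) > 50
    BEGIN
        RAISERROR('SearchTerm must be between 1 and 50 characters.', 16, 1);
        RETURN;
    END;
    -- Identifiers cannot be parameters, so whitelist against the real column list.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'billing.Customers') AND name = @SortColumn)
    BEGIN
        RAISERROR('Unknown sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @Escaped nvarchar(200) =
        REPLACE(REPLACE(REPLACE(REPLACE(@SearchTerm, N'\', N'\\'),
                                        N'%', N'\%'), N'_', N'\_'), N'[', N'\[');
    DECLARE @Sql nvarchar(max) =
          N'SELECT CustomerId, SurName FROM billing.Customers '
        + N'WHERE SurName LIKE @Term + N''%'' ESCAPE N''\'' '
        + N'ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- Type-safe parameter binding for the dynamic statement (the T-SQL analogue of SqlParameter).
    EXEC sys.sp_executesql @Sql, N'@Term nvarchar(200)', @Term = @Escaped;
END;
GO

-- The input from slide 15 is now just an odd surname search that returns no rows,
-- and a literal '%' in the input no longer acts as a wildcard.
EXEC billing.FindCustomersBySurname @SearchTerm = N''';DROP TABLE CUSTOMERS--';
EXEC billing.FindCustomersBySurname @SearchTerm = N'100%';
```

Pair this with the least-privilege grants from slide 11: the application user should hold `EXECUTE` on these procedures and nothing on the base table, so that even a procedure bug cannot reach columns the application was never meant to see.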
  17. Data Access Code with LINQ

     using System;
     using System.Linq;

     class DataAccess
     {
         static void GetNewOrders(DateTime date, int qty)
         {
             using (NorthWindDB nw = new NorthWindDB())
             {
                 // The query is built as an expression tree; the provider turns it into a
                 // parameterized command, so no SQL text is concatenated in application code.
                 var orders = from o in nw.Orders
                              where o.OrderDate > date
                              select new { o.OrderId, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity) };

                 foreach (var o in orders)
                 {
                     Console.WriteLine("{0:d} {1} {2}", o.OrderDate, o.OrderId, o.Total);
                 }
             }
         }
     }

     - Query syntax is native application code
     - Data objects are first-class citizens
     - No dynamic SQL, therefore no injection
  18. Business Reasons
     - Compliance requirements for PCI, HIPAA, GLBA among many other acronyms
     - Key Management, Encryption, and Auditing are key components to meeting these compliance requirements
     - Refer to the Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance
  19. Data Encryption
     - SQL Server 2005
       - Built-in encryption functions
       - Key management in SQL Server
       - Encrypted File System (EFS)
       - BitLocker
     - SQL Server 2008
       - Extensible Key Management (EKM)
       - Transparent Data Encryption (TDE)
  20. Extensible Key Management
     - Key storage, management and encryption done by the HSM module
     - SQL EKM key is a proxy to the HSM key
     - SQL EKM Provider DLL implements the SQLEKM interface and calls into the HSM module
     (Diagram labels: SQL Server, Data, SQL EKM Key (HSM key proxy), SQL EKM Provider DLL)
  21. Advantages of using EKM
     - Security
       - Data and keys are physically separated (keys are stored in HSM modules)
       - Centralized key management and storage for the enterprise
       - Additional authentication layer
       - Separation of duties between db_owner and data owner
     - Performance
       - Pluggable hardware encryption boards
  22. EKM Key Hierarchy in SQL 2008
     (Diagram labels: EKM Asymmetric key, EKM Symmetric key, Native Symmetric key, TDE DEK key, SQL Server Symmetric key, Asymmetric key, Data)
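Slides 20 to 22 describe EKM in terms of boxes; the T-SQL below is an added example (not from the deck) that builds the same hierarchy: enable EKM, register a provider DLL, map an HSM credential to a login, create an asymmetric key that is only a proxy for an HSM-resident key, and protect a native symmetric key with it for column encryption. The DLL path, credential identity and secret, login, database, column and key names are all placeholders; each HSM vendor ships its own SQLEKM provider.

```sql
-- Added example (not from the slides): EKM provider registration and the slide-22 hierarchy
-- EKM asymmetric key (on the HSM) -> native symmetric key (in SQL Server) -> data.
-- All paths, credential values, login, database and key names are placeholders.

-- 1. EKM is off by default (Enterprise Edition feature).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- 2. Register the vendor's SQLEKM provider DLL. SQL Server calls into it; the HSM keeps the keys.
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\PLACEHOLDER_HSM_VENDOR\sqlekm.dll';
GO
-- 3. A credential carries the HSM authentication and is attached to the login that will use
--    the keys: the "additional authentication layer" from slide 21. Only logins that hold
--    such a credential can open HSM keys, regardless of their SQL Server permissions.
CREATE CREDENTIAL HsmCredential
    WITH IDENTITY = 'PLACEHOLDER_HSM_USER', SECRET = 'PLACEHOLDER_HSM_PIN'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [KeyAdmin] ADD CREDENTIAL HsmCredential;   -- KeyAdmin is an assumed login
GO
USE billingDB;   -- assumed database
-- 4. EKM asymmetric key: the SQL Server object is only a proxy; the private key never leaves
--    the HSM (slide 20: "SQL EKM key is a proxy to HSM key").
CREATE ASYMMETRIC KEY EkmAsymKey
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'billing_master_rsa',
         CREATION_DISPOSITION = CREATE_NEW;
GO
-- 5. A native symmetric key for bulk column encryption, protected by the EKM key.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY EkmAsymKey;
GO
-- 6. Use: opening CardKey requires the HSM to unwrap it; data is then encrypted in-engine.
--    CardNumberEnc is an assumed varbinary(128) column next to the plaintext CardNumber.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY ASYMMETRIC KEY EkmAsymKey;
UPDATE billing.Customers
SET CardNumberEnc = EncryptByKey(Key_GUID('CardKey'), CardNumber);
CLOSE SYMMETRIC KEY CardKey;
GO
-- Reading back: DecryptByKey returns NULL for a session that could not open the key.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY ASYMMETRIC KEY EkmAsymKey;
SELECT CustomerId, CONVERT(varchar(19), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM billing.Customers;
CLOSE SYMMETRIC KEY CardKey;
GO
-- 7. Catalog check: provider-backed keys are marked as protected by a cryptographic provider.
SELECT name, pvt_key_encryption_type_desc, algorithm_desc, key_length
FROM sys.asymmetric_keys;
SELECT name, version, dll_path, is_enabled FROM sys.cryptographic_providers;
```

The separation of duties the deck mentions follows from step 3: a `db_owner` who has no HSM credential can drop the column but cannot read the card numbers, while the key administrator who holds the credential never needs `db_owner`.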
  23. Transparent Data Encryption (TDE)
     - Encryption/decryption at the database level
     - DEK is encrypted with:
       - Certificate
       - Key residing in a Hardware Security Module (HSM)
     - Certificate required to attach database files or restore a backup
     (Diagram labels: SQL Server 2008, DEK, Client Application, Encrypted data page)
  24. TDE – Key Hierarchy
     - DPAPI encrypts the Service Master Key
     - Service Master Key encrypts the Database Master Key (in the master database)
     - Database Master Key encrypts the Certificate (in the master database)
     - Certificate encrypts the Database Encryption Key
  25. TDE – Key Hierarchy with EKM
     - Asymmetric Key resides on the EKM device
     - Asymmetric Key encrypts the Database Encryption Key
  26. TDE considerations
     - Compatible with database compression
     - Not recommended with backup compression
     - Database mirroring
       - Copy the certificate from primary to mirror
     - Log files are not retroactively encrypted
       - Encryption begins at the next VLF boundary
     - tempdb is encrypted when 1 db in the instance uses TDE
     - Enterprise only
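Slides 23 to 26 give the TDE key hierarchy and its operational rules; the script below is an added T-SQL example, not from the deck, that walks the hierarchy of slide 24 from the Service Master Key down to the DEK, takes the certificate backup that slide 23 says every restore and attach will need, enables encryption, and verifies the state (including the tempdb side effect from slide 26). The database name `billingDB`, the certificate name, the file paths and the passwords are assumptions.

```sql
-- Added example (not from the slides): enabling TDE through the slide-24 key hierarchy.
-- billingDB, TdeCert, the D:\keys paths and the passwords are assumptions.
USE master;
-- 1. Database Master Key in master. It is itself encrypted by the Service Master Key,
--    which DPAPI protects under the SQL Server service account.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPassword!1';
GO
-- 2. The certificate that will encrypt the DEK.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for billingDB';
GO
-- 3. Back it up NOW, together with its private key, and store the files off this server.
--    Without it the database files cannot be attached and backups cannot be restored
--    anywhere (slide 23); the mirror needs the same certificate (slides 26/27).
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPassword!2');
GO
USE billingDB;
-- 4. The DEK for this database, protected by the server certificate. With EKM (slide 25) the
--    last clause becomes ENCRYPTION BY SERVER ASYMMETRIC KEY <ekm_key> instead.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5. Switch encryption on. A background task rewrites every page (slide 27); existing log
--    records stay in clear until the next VLF boundary (slide 26).
ALTER DATABASE billingDB SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted. tempdb shows up
--    here too as soon as any database in the instance is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
-- 7. On the mirror or log-shipping secondary (run THERE, not here) the certificate must be
--    in place before the database can be restored or the log applied:
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithStrongPassword!3';
-- CREATE CERTIFICATE TdeCert
--     FROM FILE = 'D:\keys\TdeCert.cer'
--     WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
--                       DECRYPTION BY PASSWORD = 'ReplaceWithStrongPassword!2');
```

Two checks belong in the runbook: that the `.cer`/`.pvk` pair has actually been restored on a second server before the change is signed off, and that the certificate's expiry is tracked, since SQL Server will keep using an expired TDE certificate but will warn about it.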
  27. Transparent Data Encryption Operational Impact
     - Storage replication at hardware level
       - Background task to encrypt all pages
       - At HW level, all pages get changed, i.e. all pages need to be replicated
       - Need to test whether your hardware replication can handle this throughput
     - When using Database Mirroring or Log Shipping
       - Ensure that the mirror server has the master key and certificate as well
       - Bottleneck isn’t throughput of pages
         - Transaction log will have 1 entry for 4 extents (32 pages) noting the extents are encrypted
         - But the secondary server's restore of the transaction log uses fewer threads than the principal/primary server, i.e. a backlog in restore activity
       - Possible failover issues
         - Synchronous mirroring backlog may result in not being able to fail over, since restoring the received transaction log records could take a few hours
         - For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore has finally caught up
       - May want to consider disabling HA and performing a resynchronization of your HA configuration
  28. Auditing Database Activity
     - SQL Server 2005
       - SQL Trace
       - DDL/DML Triggers
       - Third-party tools to read transaction logs
       - No management tools support
     - SQL Server 2008
       - SQL Server Audit
  29. Audit Specifications
     - An Audit object writes to a File (file system), the Security Event Log or the Application Event Log
     - 0..1 Server Audit Specification per Audit object (made up of Server Audit Actions)
     - 0..1 Database Audit Specification per database per Audit object (made up of Database Audit Actions / Database Audit Components)

       CREATE SERVER AUDIT SPECIFICATION SvrAC
           FOR SERVER AUDIT PCI_Audit
           ADD (FAILED_LOGIN_GROUP);

       CREATE DATABASE AUDIT SPECIFICATION AuditAC
           FOR SERVER AUDIT PCI_Audit
           ADD (SELECT ON Customers BY public);
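The two specification statements on slide 29 only work once the Audit object they refer to exists and is switched on. The script below is an added example, not from the deck: it creates the `PCI_Audit` object with a file target, attaches the slide's server and database specifications (plus the audit-configuration-change group that slide 30 refers to), enables everything, and reads the resulting trail back. The file path, the `billingDB` database and the read-back query are assumptions; the audit and specification names are the slide's.

```sql
-- Added example (not from the slides): the full SQL Server Audit chain around slide 29's
-- two specifications. D:\audit\ and billingDB are assumptions.
USE master;
-- 1. The Audit object names the target (file here; alternatives are SECURITY_LOG and
--    APPLICATION_LOG). ON_FAILURE = CONTINUE keeps the server up if the target fails; a
--    compliance regime may instead require SHUTDOWN.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. At most one server audit specification per Audit object: server-level action groups.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP)   -- slide 30: changes to the audit configuration are recorded
    WITH (STATE = ON);
GO
-- 3. At most one database audit specification per database per Audit object.
USE billingDB;
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public)
    WITH (STATE = ON);
GO
-- 4. Nothing is written until the Audit object itself is enabled.
USE master;
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 5. Read the trail (file target): who read Customers, and which logins failed.
--    action_id 'SL' = SELECT, 'LGIF' = login failed.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\audit\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('SL', 'LGIF')
ORDER BY event_time DESC;
GO
-- 6. Confirm the configuration is live (a disabled specification is a silent gap).
SELECT name, is_state_enabled FROM sys.server_audits;
SELECT name, is_state_enabled FROM sys.server_audit_specifications;
SELECT name, is_state_enabled FROM billingDB.sys.database_audit_specifications;
```

For the centralised reporting on slide 31, the query in step 5 is the natural collection point: a scheduled job can run it against each instance's file target and load the rows into a central reporting database, where the `AUDIT_CHANGE_GROUP` events also show whether anyone switched an audit off.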
  30. Reasons to use SQL Audit
     - Leverages the high-performance eventing infrastructure to generate audits
     - Runs within the engine rather than as a side/separate app
     - Parity with SQL 2005 audit generation
     - Faster than SQL Trace
     - Records changes to the audit configuration
     - Configuration and management in SSMS
     - (Note: Enterprise Edition only)
  31. Auditing: Centralizing audit logs and reporting
  32. Policy-Based Management
     (Diagram labels: Facets, Conditions, Policies, Categories, Targets)
  33. Takeaways
     - Protect applications, not just databases
     - Get the basics right!
     - Leverage all of the features of SQL Server to meet your compliance needs
  34. Resources
     - UK SQL Server 2008 Server Site
       - http://www.microsoft.com/uk/sql
     - SQL Server Compliance Micro-Site
       - http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
     - Whitepaper for PCI compliance
       - http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
     - Me
       - http://blogs.technet.com/andrew
  35. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.