SQL Server 2005 Security - Australian SQL Server User Group

Introduction to SQL 2005 Security
Nick Ward
SQL Server Specialist
[email protected]

Database Security
- Prevent SQL injection attacks
- Encrypt data in the database
- Secure data over the network
- Secure database connection strings
- Handle data access exceptions

SQL Server 2005 Overview

SQL Server 2005 Security Initiatives
- Trustworthy Computing Initiative
  - Security, privacy, reliability and business practices
  - http://www.microsoft.com/mscorp/twc/default.mspx
- SD3+C
  - Secure by design
  - Secure by default
  - Secure in deployment
  - Communications

Reduction in Surface Area
- Secure by Default
- More optional installation options
- Default: Demonstration databases not installed
- Default: CLR disabled
- Default: HTTP endpoint disabled
- Minimized attack surface: features require explicit configuration
- Surface Area Configuration Tool

SQL Server 2005 Security
Surface Area Configuration Tool
Nick Ward
SQL Server Technology Specialist
Microsoft

The Least Privilege Principle
- Granular permissions
  - Grant/revoke/deny
  - Hierarchical permissions
- Security execution context
  - EXECUTE AS
  - Functions, procedures, views and triggers
- DDL Triggers

Security: Execution Context
[Diagram: User 3 calls User2.Proc1, which reads User1.T1. Labels: "Execute Perms checked for User3"; "Select Perms checked for User3"; "No permission – User1.Proc1 fails". With "Execute AS 'X'": "Execute Perms checked for User3"; "Select Perms checked for 'X'. Not for user3".]

Security: Execution Context
- Execute AS CALLER
  - Default – same as SQL Server 2000 behavior
- Execute AS SELF
  - Last person to create or alter the module
- Execute AS OWNER
  - Execute as current owner of the module
- Execute AS "UserName"
- Execute AS "LoginName"
  - Only for DDL triggers with server-wide execution

SQL Server 2005 Security
EXECUTE AS ‘x’
Nick Ward
SQL Server Technology Specialist
Microsoft
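
The permission checks from the execution-context slides, as an added T-SQL example that is not part of the original deck. The scratch database name ExecCtxDemo is constructed; the users, table and procedure reuse the names on the diagram.

```sql
-- Constructed scratch database; principals follow the slide's diagram.
CREATE DATABASE ExecCtxDemo;
GO
USE ExecCtxDemo;
GO
CREATE USER User1 WITHOUT LOGIN;
CREATE USER User2 WITHOUT LOGIN;
CREATE USER User3 WITHOUT LOGIN;
CREATE USER X WITHOUT LOGIN;
GO
CREATE SCHEMA User1 AUTHORIZATION User1;
GO
CREATE SCHEMA User2 AUTHORIZATION User2;
GO
CREATE TABLE User1.T1 (id int NOT NULL);
INSERT INTO User1.T1 (id) VALUES (1);
GRANT SELECT ON User1.T1 TO X;            -- only X may read T1
GO
-- Proc1 and T1 have different owners, so there is no ownership chain and
-- SELECT permission on T1 is checked when the procedure runs.
CREATE PROCEDURE User2.Proc1
WITH EXECUTE AS CALLER                    -- the default
AS
    SELECT id, USER_NAME() AS running_as FROM User1.T1;
GO
GRANT EXECUTE ON User2.Proc1 TO User3;
GO
EXECUTE AS USER = 'User3';
BEGIN TRY
    EXEC User2.Proc1;                     -- SELECT is checked for User3
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS denied;     -- User3 holds no SELECT on T1
END CATCH;
REVERT;
GO
-- Same procedure, now running as X: EXECUTE is still checked for User3,
-- SELECT on T1 is checked for X.
ALTER PROCEDURE User2.Proc1
WITH EXECUTE AS 'X'
AS
    SELECT id, USER_NAME() AS running_as FROM User1.T1;
GO
EXECUTE AS USER = 'User3';
EXEC User2.Proc1;
REVERT;
GO
```

User3 never receives SELECT on the table; access is limited to what Proc1 exposes, which is the least-privilege use of EXECUTE AS.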

DDL Triggers
- Triggers fire when Data Definition Language (DDL) is executed
- Used to:
  - Prevent DDL changes to your schema
  - Cause something to occur when schema changes
  - Record changes or events in the database schema
- Fire after the statement
  - Can roll back the statement's effect
- Can run managed code

SQL Server 2005 Security
DDL Triggers
Nick Ward
SQL Server Technology Specialist
Microsoft
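
A DDL trigger that both blocks and records table changes, as an added T-SQL example that is not part of the original deck. The names dbo.DdlAudit, trg_protect_schema and dbo.Probe are constructed.

```sql
-- Constructed audit table for schema-change events.
CREATE TABLE dbo.DdlAudit (
    event_time  datetime      NOT NULL DEFAULT GETDATE(),
    login_name  nvarchar(128) NULL,
    event_type  nvarchar(128) NULL,
    object_name nvarchar(256) NULL,
    tsql_text   nvarchar(max) NULL
);
GO
CREATE TRIGGER trg_protect_schema
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();                 -- details of the DDL statement
    -- The trigger fires after the statement, inside its transaction.
    -- Undo the DDL first, then write the audit row so the row is kept.
    ROLLBACK;
    INSERT INTO dbo.DdlAudit (login_name, event_type, object_name, tsql_text)
    VALUES (
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)')
    );
    RAISERROR('Table changes are blocked by trg_protect_schema.', 16, 1);
END;
GO
-- CREATE TABLE is not in the trigger's event list, so this succeeds.
CREATE TABLE dbo.Probe (id int);
GO
-- DROP TABLE fires the trigger: the drop is rolled back and logged.
DROP TABLE dbo.Probe;
GO
SELECT event_time, login_name, event_type, object_name, tsql_text
FROM dbo.DdlAudit;
```

The trigger runs in the caller's context here, so principals allowed to issue DDL also need INSERT on the audit table for the record to be written.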

Secure in Deployment
- Microsoft Update services integration
  - Automatic or manual
- Systems Management Server (SMS) integration
- Deployment security content: "Security Considerations for SQL Server"
  - http://msdn2.microsoft.com/en-us/library/ms161948
  - Windows server
  - Network
  - Windows service accounts
  - Surface Area
  - All SQL Server components

Authorization Enhancements
- Already discussed
  - Granular permission control
  - Module execution context
- Still to come…
  - User schema separation
  - Metadata security
  - Encryption enhancements

Security: User-Schema Separation
- New DDL for user and schemas
  - CREATE/ALTER/DROP for USER, ROLE, and SCHEMA
  - Dropping user does not require application rewrite
- Security
  - Schema v object permission
  - Default schema
[Diagram labels: Table, Function, View, Stored Procedure; "Contained In"; Schema; "Owned By"; users Bill and Mary; Server.Database.Schema.Object; Server.Database.Owner.Object.]

SQL Server 2005 Security
User-Schema Separation
Nick Ward
SQL Server Technology Specialist
Microsoft
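
Why dropping a user no longer forces an application rewrite, as an added T-SQL example that is not part of the original deck. Bill and Mary come from the slide's diagram; the Sales schema, the Orders table and AppUser are constructed.

```sql
CREATE USER Bill WITHOUT LOGIN;
CREATE USER Mary WITHOUT LOGIN;
GO
CREATE SCHEMA Sales AUTHORIZATION Bill;   -- Bill owns the schema
GO
CREATE TABLE Sales.Orders (order_id int NOT NULL PRIMARY KEY);
INSERT INTO Sales.Orders (order_id) VALUES (1);
GO
-- Schema-level permission and default schema for the application user.
CREATE USER AppUser WITHOUT LOGIN WITH DEFAULT_SCHEMA = Sales;
GRANT SELECT ON SCHEMA::Sales TO AppUser; -- covers every object in Sales
GO
EXECUTE AS USER = 'AppUser';
SELECT order_id FROM Orders;              -- resolved through the default schema
REVERT;
GO
-- Bill leaves. He cannot be dropped while he still owns a schema.
BEGIN TRY
    DROP USER Bill;
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS blocked;
END CATCH;
GO
-- Hand the schema to Mary, then drop Bill.
ALTER AUTHORIZATION ON SCHEMA::Sales TO Mary;
DROP USER Bill;
GO
-- The name the application uses is still Sales.Orders, not Mary.Orders.
SELECT order_id FROM Sales.Orders;
-- Review which schema-level grants are in place after the transfer.
SELECT USER_NAME(p.grantee_principal_id) AS grantee,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.class_desc = 'SCHEMA' AND p.major_id = SCHEMA_ID('Sales');
```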

Security: Certificates
- Encryption enhancements
  - Encryption uses symmetric keys, asymmetric keys and certificates
  - SQL Server 2005 can generate certificates for encryption
  - RC4, RSA, Triple-DES and AES encryption supported
  - Encryption can be used with any level of SQL Server 2005 securable
Key Management
Security Hierarchy
SQL Server 2005 Security
Data Encryption
Nick Ward
SQL Server Technology Specialist
Microsoft
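
The key hierarchy in use (database master key, certificate, symmetric key, column data), as an added T-SQL example that is not part of the original deck. All names, the password placeholder and the card numbers are constructed sample values.

```sql
-- Constructed names and values; replace the placeholder password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder-Passw0rd-change-me!';
GO
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
GO
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Payment (
    payment_id int            NOT NULL PRIMARY KEY,
    card_enc   varbinary(256) NOT NULL
);
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

-- The authenticator (a hash of the row key) ties each ciphertext to its row.
INSERT INTO dbo.Payment (payment_id, card_enc)
VALUES (1, EncryptByKey(Key_GUID('CardKey'), N'4111111111111111', 1,
                        HashBytes('SHA1', CONVERT(varbinary, 1))));
INSERT INTO dbo.Payment (payment_id, card_enc)
VALUES (2, EncryptByKey(Key_GUID('CardKey'), N'5555555555554444', 1,
                        HashBytes('SHA1', CONVERT(varbinary, 2))));

-- Decrypt with the key open and the matching authenticator.
SELECT payment_id,
       CONVERT(nvarchar(32), DecryptByKey(card_enc, 1,
               HashBytes('SHA1', CONVERT(varbinary, payment_id)))) AS card_number
FROM dbo.Payment;

-- Ciphertext copied from row 2 into row 1 no longer matches row 1's
-- authenticator, so it does not decrypt for that row.
UPDATE dbo.Payment
SET card_enc = (SELECT card_enc FROM dbo.Payment WHERE payment_id = 2)
WHERE payment_id = 1;
SELECT payment_id,
       CONVERT(nvarchar(32), DecryptByKey(card_enc, 1,
               HashBytes('SHA1', CONVERT(varbinary, payment_id)))) AS card_number
FROM dbo.Payment;

CLOSE SYMMETRIC KEY CardKey;
-- With the key closed, DecryptByKey returns NULL instead of plaintext.
SELECT payment_id, DecryptByKey(card_enc) AS card_number FROM dbo.Payment;
```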

Metadata
- No visibility without permission
- "VIEW DEFINITION" permission

SQL Injection
- Consider the following:
    var ShipCity;
    ShipCity = Request.form("ShipCity");
    // Form input is concatenated straight into the SQL text
    var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";
- Enter "Melbourne":
    select * from OrdersTable where ShipCity = 'Melbourne'
- Enter "Melbourne'; drop table OrdersTable--":
    select * from OrdersTable where ShipCity = 'Melbourne';drop table OrdersTable--'

SQL Injection – What to do?
- Validate all input: length, type, ranges, valid values etc.
- Reject control characters: ; ' -- /* */ xp_
- Never build T-SQL statements from user input – beware string concatenation
- Use stored procedures
- Visual Studio Team System 2005
- Type-safe SQL parameters
    using System.Data;
    using System.Data.SqlClient;

    // conn is a SqlConnection; AuthorLogin is a stored procedure taking @au_id.
    SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter: the value travels as data, not as SQL text.
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;
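
The server-side half of "use stored procedures", as an added T-SQL example that is not part of the original deck: a procedure protects only if it does not concatenate its input. The procedure names and the OrderID column are constructed; OrdersTable, ShipCity and the sample input come from the slides.

```sql
CREATE TABLE dbo.OrdersTable (
    OrderID  int IDENTITY NOT NULL PRIMARY KEY,
    ShipCity nvarchar(60) NOT NULL
);
INSERT INTO dbo.OrdersTable (ShipCity) VALUES (N'Melbourne');
GO
-- Still injectable: the string concatenation has only moved into the procedure.
CREATE PROCEDURE dbo.OrdersByCity_Concat @ShipCity nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'select * from OrdersTable where ShipCity = '''
             + @ShipCity + N'''';
    EXEC (@sql);
END;
GO
-- Hardened: a static statement, the parameter is only ever a value.
CREATE PROCEDURE dbo.OrdersByCity @ShipCity nvarchar(60)
AS
    SELECT OrderID, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @ShipCity;
GO
-- Hardened dynamic SQL for cases that need it: the statement text is fixed
-- and the value is bound through sp_executesql.
CREATE PROCEDURE dbo.OrdersByCity_Dynamic @ShipCity nvarchar(60)
AS
BEGIN
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT OrderID, ShipCity FROM dbo.OrdersTable '
             + N'WHERE ShipCity = @city';
    EXEC sp_executesql @sql, N'@city nvarchar(60)', @city = @ShipCity;
END;
GO
-- The input from the slide is compared as a literal city name by both
-- hardened procedures; the table is untouched afterwards.
DECLARE @input nvarchar(60);
SET @input = N'Melbourne''; drop table OrdersTable--';
EXEC dbo.OrdersByCity @input;
EXEC dbo.OrdersByCity_Dynamic @input;
SELECT COUNT(*) AS rows_still_present FROM dbo.OrdersTable;
```

Granting the application login EXECUTE on the hardened procedures only, with no direct table permissions, keeps the least-privilege model from the earlier slides.
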
© 2003-2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.