Download SQL Server 2000 Security Features And Deployment

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
Document related concepts

Microsoft Access wikipedia , lookup

Database model wikipedia , lookup

Relational model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Clusterpoint wikipedia , lookup

Team Foundation Server wikipedia , lookup

Btrieve wikipedia , lookup

Open Database Connectivity wikipedia , lookup

SQL wikipedia , lookup

Object-relational impedance mismatch wikipedia , lookup

PL/SQL wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Transcript 
™
SQL Server 2000 Security
Features and Deployment
Considerations
Microsoft Corporation
Agenda
Basic overview



Logins/users
Roles
Permissions
Securing SQL Server




Setup
Post-setup configuration
Encryption
Delegation
Security auditing
Troubleshooting
Security Updates
SQL Server Security Modes
Windows® Authentication security mode


Only accept logins using Windows NT®/
Windows 2000 credentials
Implements network-wide single sign-on
Mixed security mode


Allows Windows logins
Allows SQL Server-based security
Logins And Users
A Login gives you connection rights



Is contained in the master database
Applies to the server
Has no permissions directly per server
Exception: Server Role membership
A database user is permissions container



Also the schema owner
Permissions are granted to database users, not
logins
Specific to a single database
SQL Server Roles
Fixed server roles

Server Wide - Flexible server
administration
Fixed database roles

Database Wide - Flexible database
administration
User Defined roles

Custom security combinations
Application roles (sp_setapprole)

Assign rights to applications instead of
Permissions
SQL Server three permission verbs:



Grant gives a right
Deny explicitly denies a right
Revoke takes away an existing grant or
deny
Grant
-
Revoke
Revoke [deny]
+
DENY
Grant
Deny
Setup Is Secure
If you install into NTFS file system, we
secure the directories and files

Service accounts and the local administrators
group get full control, no other permissions set
We secure the SQL Server registry keys

Same permissions as the NTFS files
We default to integrated security on NT
MSDE install on Win98 and WinMe defaults
to Mixed
But, Things You May Want To
Change
Remove Everyone Group from Registry, Grant
Full control to Admin group, local system
account and Service account.
Built-in\Administrators are sysadmins by default
Replace with service accounts,
[NT Authority\System] (for mssearch), cluster service
account on a cluster
Never select a blank sa password
Set a password for Probe account – if used
Turn on Failed Login Auditing/additional
Auditing
Disable the guest account
Encryption
Network Communications Encryption


Multi-protocol
SSL
Metadata Encryption - Windows Crypto API
File Encryption for database files
Data Encryption inside the server
Multi-Protocol Encryption
Still there 
Use for backwards compatibility only
Doesn’t work with named instances

Only targets the machine name, not
machine\instance
Uses Windows RPC


So same security strength as the OS
Requires a valid windows account
SSL Encryption Over
The Network
You must have a server certificate to
negotiate SSL encryption
Set up the certificate using Microsoft
Internet Explorer or the MMC Certificate
Snap-in
Make sure to request the server certificate
in the fully-qualified DNS name of your
server
SQLServer.Sydney.corp.Microsoft.com
Setting Up For SSL Encryption
Over the Network
We will always encrypt your standard security login attempt

Not necessary for Integrated login attempts
You can optionally request encryption of all
communications from a single client
Just use the checkbox in the client network utility
But, if the certificate is not trusted by the client, your
connection attempt will fail
Secure Server Option
Use to force encryption of all
communications with this SQL server
Turn on encryption via the server network
utility
Any connection attempt which
can’t negotiate an SSL session will be
rejected
You MUST have a certificate
on the server or no communications of
any kind is possible (including local
Meta Data Encryption
Just as in previous releases, we can
encrypt:




Stored procedures
Triggers
Views
DTS packages are now encrypted
Strictly for SQL Server
No, there’s no way to hack it (yet)

All encryption will be
broken eventually…
File Encryption
You can secure the database files
Use the Windows Encrypted File System
(EFS)

Windows 2000 or later
Slows down the server, but
< 5% typically
Fully Supported
Prevents illicit copying of db files
Also products from third parties, such as
http://www.netlib.com
Data Encryption
Microsoft doesn’t provide in the box

We could, but key recovery/escrow is really,
really hard
Third party solutions available, including
http://www.protegrity.com
Or, you can write your own


Hard to do right and still be secure
Some third party solutions out there
Kerberos and Delegation
Kerberos is the preferred security protocol
for Windows 2000

Much more secure than NTLM
Provides for delegation, which is…
The ability to bridge credentials across
more than one server
Enabling Delegation
Must be a Windows 2000 domain, using the Active
Directory, and client and server using Kerberos

This means all computers here are
Windows 2000
Set the following in the Active Directory™:



The Account is sensitive and cannot be delegated
option must not be set for the user requesting
delegation
The Account is trusted for delegation
option must be set for the service account of SQL
Server
The Server running SQL Server must be allowed to
delegate credentials (the computer is trusted for
delegation option)
Enabling Delegation (User)
SQL Server must have a Service Principal Name
(SPN) assigned by the Windows 2000 account
domain administrator assigned to the service
account of the SQL Server service on that
particular machine

Must enable via the setspn utility in the
Windows 2000 Resource Kit
No dynamic TCP port
All accounts must be part of the same domain

Setspn – A MSSQLSvc/Host:port serviceaccount
Example: setspn
– A MSSQLSvc/SQL2.redmond.corp.microsoft.com:
1433 SQLaccount

Don’t specify redmond\SQLaccount – doesn’t work
Enabling Delegation (Machine)
Or, you can run under the local system
account and we will self-register at service
startup


SQL Server automatically registers the SPNs
itself – no user action required – one change
to Setspn if you wish to use it
Setspn –A MSSQLSvc/Host:port machine
Example: setspn
–A MSSQLSvc/sql2:1433 sqlaccount
LocalSystem is much easier –
but you lose other functionality
Agenda
Basic overview



Logins/users
Roles
Permissions
Securing SQL Server




Setup
Post-setup configuration
Encryption
Delegation
Security auditing
Troubleshooting
SQL Server 2000 Auditing
SQL Trace – the server side of profiling
SQL Profiler – the UI components
Auditing is performed by SQL Trace –
internal to SQLServr.exe
Very robust and secure
Collect the minimum necessary data to keep
overhead reasonable

DBA Events, logins, password changes, etc.
SQL Server 2000 Audit Events
We audit 19 different kinds of events:
Login/logout
GRD - statement perms
GRD – object perms
Add/drop SQL login
GRD NT login rights
Modify login property
Password change event
Add/remove from fixed
server role
Add/remove database user
Derived Permissions
Add/remove database
role member
Add/drop a database role
Change Approle password
Statement permission used
Object permission used
Backup/restore event
DBCC command issued
Audit modification event
Server shutdown/pause/start
How To Turn On An Audit
An audit (except for C2 audit) is just a
profiler trace
So, turn on a profiler trace with the new
profiler procedures, adding auditing
events
Set the trace to start with the server if
you want a comprehensive audit


Wrap the trace setup into a stored
procedure
Enable that stored procedure
C2-Style Auditing
Must be on an NTFS partition
All events audited
We will shut down the server if we can’t write to the
audit file
The file rollover size is fixed at 200MB
The file goes into your mssql\data directory and is
named audit_YYYYMMDDHHMMSS_1
To enable:


Exec sp_configure ‘C2 audit mode’, 1
Restart service
Don’t run C2 mode unless you really need it
Agenda
Basic overview



Logins/users
Roles
Permissions
Securing SQL Server




Setup
Post-setup configuration
Encryption
Delegation
Security auditing
Troubleshooting
Most Common Security
Complaints/Issues
Ownership chains
Dynamic SQL inside stored procs
Changing Object Owner
Restore permissions for
database owners
Should everything be owned by dbo?
Xp_cmdshell
Ownership Chains
Create table user1.t1 (c1 int not null)
Create proc user2.proc1 as select * from
user1.t1 return
If user3 has execute permissions on proc1,
still need select permissions on user1.t1
Dynamic SQL
Dynamic SQL inside stored procs runs in the
security context of the executor of the proc, not in
the owner of the stored proc

This is a security feature to protect you
Example:
Create proc myproc @p1 nvarchar(500) as
Exec (@p1) return 0
Exec myproc “sp_addlogin ‘richard’ exec
sp_addsrvrolemember ‘richard’,’sysadmin’ ”
And you’re sysadmin… 
Changing Object Owner
If you drop a user you must first
drop/reassign all their objects
Use sp_changeobjectowner – don’t directly
update the system tables

Not supported
We’re working on a better long-term fix in
the next release
Restore Permissions For
Database Owners
If you restore database with the
REPLACE option, it’s really a
create database


Hence, you need create database
permissions
Database ownership is not good
enough
Backup and Restore
Security of Backup Files and Media



Backup to disk then to tape
password protected.
If physically available then not secure
Restoring to another server




Mixed mode – database security breaks
Windows Authentication (Same Domain)
Windows Authentication (Different Domains)
Users from a Trusted Domain
DBO Own Everything?
No, the issue here is to avoid ownership
chains
No need at all to have everything owned by
dbo

But it does simplify name resolution
db_owner role needs to add/remove login
then needs to be added to the fixed server
role SecurityAdmin.
XP_CMDSHELL
Is dangerous
Runs as the service account or as the proxy account
Don’t grant unnecessarily
Don’t run the service as an administrator
Never run on a domain controller and grant permissions to
xp_cmdshell
Restrict to sysadmin

xp_regread, xp_regwrite, xp_regdeletekey,xp_regdeletevalue,
xp_regaddmultistring,xp_regremovemultistring,xp_regenumvalues,x
p_regenumkeys
Elimination of the SQLAgentCmdExec Proxy Account
in SQL2K – non-system admin access
Encryption Error
SQL2K cluster will fail to come online if
Server side encryption is used with invalid
or no certificate:Encrytion requested but no valid certificate was found.
17826 Could not set up Net-Library 'SSNETLIB'
SQL Server could not spawn FRunCM thread
Need to install Certificate Server on the
same domain as the SQL Server cluster
and request a valid certificate on each
node of Cluster
Known Issues With SSL
We pick the first certificate we find
by default

Even if it’s not valid for SSL
Fixed in SP1

Certificate Services on the same machine
breaks us
Same issue as above, fixed in SP1
If you turn on client side encryption, can’t
communicate to 6.5 or 7.0 servers

Because they don’t support SSL
Agenda
Basic overview



Logins/users
Roles
Permissions
Securing SQL Server




Setup
Post-setup configuration
Encryption
Delegation
Security auditing
Troubleshooting
Security Updates
Security Updates
Microsoft Security Bulletin MS02-006
(7.0 sp3) and MS02-007 (2K sp2) Print SQL Server Contain Unchecked Buffers
Microsoft Security Bulletin MS01032 (7.0 sp3) Print - SQL Query Method
Enables Cached Administrator
Connection to be Reused. Only effected
if using Mixed mode.
Summary
Use a STRONG SA password
Windows vs Mixed authentication
Use SQL roles
Encryption is available
Auditing is available
When moving databases there are security
considerations
Do not grant unnecessary access to
xp_cmdshell and similar sp
Stay secure by keeping up to date with security
patches
More info
http://www.microsoft.com/technet/treeview/
default.asp?url=/TechNet/security/prodtech
/sqlsec.asp
http://www.microsoft.com/security/
http://www.microsoft.com/sql
Related documents
MidRange Concepts - Fox Valley Technical College
MidRange Concepts - Fox Valley Technical College
Database Lab
Database Lab
Introduction to ASP.NET
Introduction to ASP.NET
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034
wildlife - Seasalt
wildlife - Seasalt
6. Database Management Systems
6. Database Management Systems
PPT - ETH Systems Group
PPT - ETH Systems Group
Assignment: SQL #2 Putting Data into the Database
Assignment: SQL #2 Putting Data into the Database
Candidate Key
Candidate Key
Database Courseware: Functionality and Classroom Usage
Database Courseware: Functionality and Classroom Usage
APT 1050: DATABASE SYSTEMS Prerequisites: APT 1030
APT 1050: DATABASE SYSTEMS Prerequisites: APT 1030
COMP 521 F10 Final Exam Review
COMP 521 F10 Final Exam Review
Advanced Database - Lightweight OCW University of Palestine
Advanced Database - Lightweight OCW University of Palestine
Database Programming
Database Programming
Database Confidentiality
Database Confidentiality
Cryptography
Cryptography