Securing SQL Server 2005
Anil Desai
Speaker Information
• Anil Desai
– Independent consultant (Austin, TX)
– Author of several SQL Server books
– Instructor, “Implementing and Managing SQL Server 2005” (Keystone Learning)
– Info: http://AnilDesai.net or [email protected]
Agenda and Outline
• SQL Server Security Architecture
• Configuring Service Accounts
• Managing Logins and Server Permissions
• Database Users and Roles
• Managing Permissions
• Other Security Features
– Encryption
– DDL Triggers (Auditing)
• Monitoring Security with SQL Profiler
SQL Server Security Overview
• Layered Security Model:
– Windows Level
– SQL Server Level
– Database
• Schemas (for database objects)
• Terminology:
– Principals
– Securables
– Permissions
• Scopes and Inheritance
Security Overview
• (from Microsoft SQL Server 2005 Books Online)
Security Best Practices
• Make security a part of your standard process
• Use the principle of least privilege
• Implement defense-in-depth (layered security)
• Enable only required services and features
• Regularly review security settings
• Educate users about the importance of security
• Define security roles based on business rules
SQL Server Service Accounts
• Local Service Account
– Permissions of “Users” group (limited)
– No network authentication
• Network Service Account
– Permissions of Users group
– Network authentication with Computer account
• Domain User Accounts
– Adds network access for cross-server functionality
SQL Server Services
• Instance-Specific (one service per instance):
– SQL Server
– SQL Server Agent
– Analysis Services
– Reporting Services
– Full-Text Search
• Instance-unaware
– Notification Services
– Integration Services
– SQL Server Browser
– SQL Server Active Directory Helper
– SQL Writer
SQL Server Surface Area Configuration
• Default installation: Minimal services
• SAC for Services and Connections
– Allow Remote Connections
– Access to Reporting Services, SSIS, etc.
• SAC for Features
– Remote queries
– .NET CLR Integration
– Database Mail
– xp_cmdshell
Managing Logins
• Windows Logins
– Authentication/Policy managed by Windows
• SQL Server Logins
– Managed by SQL Server
• Based on Windows policies
– Password Policy Options:
• HASHED (pw is already hashed)
• MUST_CHANGE
• CHECK_EXPIRATION
• CHECK_POLICY
Creating Logins
• Transact-SQL
– CREATE LOGIN statement
• Replaces sp_AddLogin and sp_GrantLogin
– SQL Server Logins
– Windows Logins
• SQL Server Management Studio
– Setting server authentication options
– Login Auditing
– Managing Logins
Managing Server Roles
• Built-In Server-Level Roles:
– SysAdmin
– ServerAdmin
– SetupAdmin
– SecurityAdmin
– ProcessAdmin
– DiskAdmin
– DBCreator
– BulkAdmin
Database Users and Roles
• Database Users
– Logins map to database users
• Database Roles
– Users can belong to multiple roles
– Guest (does not require a user account)
– dbo (Server sysadmin users)
• Application Roles
– Used to support application code
Database Roles
• Built-in Database Roles:
– db_AccessAdmin
– db_BackupOperator
– db_DataReader
– db_DataWriter
– db_DDLAdmin
– db_DenyDataReader
– db_DenyDataWriter
– db_Owner
– db_SecurityAdmin
– public
Creating Database Users and Roles
• CREATE USER
– Replaces sp_AddUser and sp_GrantDBAccess
– Can specify a default schema
– Managed with ALTER USER and DROP USER
• CREATE ROLE
– Default owner is creator of the role
• SQL Server Management Studio
– Working with Users and Roles
Understanding Database Schemas
• Schemas
– Logical collection of related database objects
– Part of full object name:
• Server.Database.Schema.Object
– Default schema is “dbo”
• Managing Schemas
– CREATE, ALTER, DROP SCHEMA
– SQL Server Management Studio
– Can assign default schemas to database users:
• WITH DEFAULT_SCHEMA = SchemaName
Configuring Permissions
• Scopes of Securables
– Server
– Database
– Schema
– Objects
• Permission Settings:
– GRANT
– REVOKE
– DENY
• Options
– WITH GRANT OPTION
– AS (Sets permissions using another user or role)
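The login, user, schema, role and permission steps from the preceding slides, put together as an added example that is not part of the original presentation. SalesDb, the Sales schema and its two tables, the SalesReader role, the sales_analyst login and the password are hypothetical placeholders.

```sql
-- Added example. All database, schema, table, role and login names and the
-- password are hypothetical placeholders.
CREATE DATABASE SalesDb;
GO
-- MUST_CHANGE requires CHECK_EXPIRATION = ON, which requires CHECK_POLICY = ON.
CREATE LOGIN sales_analyst
    WITH PASSWORD = 'Replace-Me-Placeholder-1!' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = SalesDb;
GO
USE SalesDb;
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Orders      (OrderId int PRIMARY KEY, Amount money NOT NULL);
CREATE TABLE Sales.CardNumbers (OrderId int PRIMARY KEY, CardNumber varbinary(256) NOT NULL);
GO
-- Map the login to a database user; unqualified names resolve to Sales first.
CREATE USER sales_analyst FOR LOGIN sales_analyst WITH DEFAULT_SCHEMA = Sales;
-- Grant to a role rather than to the user, so access follows a business function.
CREATE ROLE SalesReader AUTHORIZATION dbo;
EXEC sp_addrolemember 'SalesReader', 'sales_analyst';
GO
-- A schema-scope GRANT is inherited by every object in the schema.
GRANT SELECT ON SCHEMA::Sales TO SalesReader;
-- A DENY at object scope takes precedence over the inherited GRANT.
DENY SELECT ON OBJECT::Sales.CardNumbers TO SalesReader;
GO
-- Check the effective permissions from the user's own security context.
EXECUTE AS USER = 'sales_analyst';
SELECT HAS_PERMS_BY_NAME('Sales.Orders',      'OBJECT', 'SELECT') AS can_read_orders,
       HAS_PERMS_BY_NAME('Sales.CardNumbers', 'OBJECT', 'SELECT') AS can_read_cards;
REVERT;
```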
Managing Execution Permissions
• Transact-SQL Code can run under a specific execution context
– By default, will execute as the caller
• EXECUTE AS clause:
– Defined when creating an object or procedure
– Options:
• CALLER (Default)
• SELF: Object creator
• Specified database username
Getting Security Information
• Procedures and Functions
– sys.fn_builtin_permissions
– Has_Perms_By_Name
– CURRENT_USER
– SETUSER
– IS_MEMBER
– SUSER_NAME / SUSER_ID
– SCHEMA_NAME
Security Catalog Views
• Sys.Server_Permissions
• Sys.Server_Principals
• Sys.Database_Permissions
• Sys.Database_Principals
• Sys.Database_Role_Members
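A periodic review built on the catalog views listed above, which also reports the Surface Area Configuration features from the earlier slide. This is an added example, not part of the original presentation; it additionally uses sys.server_role_members, sys.sql_logins, sys.all_objects and sys.configurations, which the slides do not list.

```sql
-- Added example; run in the database being reviewed. Read-only queries.
-- 1. Members of fixed server roles such as sysadmin.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 2. SQL Server logins exempt from CHECK_POLICY or CHECK_EXPIRATION.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Database role membership.
SELECT r.name AS database_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 4. Explicit GRANT/DENY rows with the securable resolved to a name
--    (permissions on Microsoft-shipped system objects are left out).
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class
            WHEN 0 THEN DB_NAME()
            WHEN 1 THEN SCHEMA_NAME(o.schema_id) + '.' + o.name
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
            ELSE CAST(pe.major_id AS nvarchar(20))
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.all_objects AS o ON pe.class = 1 AND o.object_id = pe.major_id
WHERE o.object_id IS NULL OR o.is_ms_shipped = 0
ORDER BY pr.name, pe.class, securable;

-- 5. Surface-area features: value_in_use = 1 means the feature is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Database Mail XPs',
               'Ad Hoc Distributed Queries')
ORDER BY name;
```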
Other Security Options
• Encrypting Object Definitions
– Use the WITH ENCRYPTION Clause
– Stores the object definition in an encrypted format
• SQL Server Agent
– Proxies based on subsystems allow lockdown by job step types
• Preventing SQL Injection attacks
Understanding Encryption
• Goals:
– Authentication
– Data Encryption
• Symmetric Encryption
– Uses a single key
• Asymmetric Encryption
– Uses a “key-pair”
• Public key: Can be distributed
• Private key: Stored securely
– Certificates protect the public key
Understanding SQL Server Certificates
• Uses of Certificates
– Data encryption
– Service Broker endpoints
– Digital signatures for objects
– Web / HTTP connections
• SQL Server Certificates
– Stored within user databases
• Notes:
– Encryption overhead can be significant
– Keys must be protected
SQL Server Encryption
• Encryption Hierarchy
– Windows Level
• Stores Service Master Key
– SQL Server Level
• Service Master Key
– Database Master Key
• Certificates
• Asymmetric Keys
– Encrypted Objects / Data (varbinary)
Encryption Hierarchy
• (from Microsoft SQL Server 2005 Books Online)
Managing Certificates
• Transact-SQL commands:
– CREATE CERTIFICATE
• Stored within the user database
• Can use a password or a file
– BACKUP CERTIFICATE
• Exports to a file
– DROP CERTIFICATE
• Encrypting Data:
– EncryptBy_____ (Cert, SymmetricKey, Passphrase, etc.)
– DecryptBy_____()
Getting Certificate Information
• Information
– Sys.Certificates
– Sys.Asymmetric_Keys
– Sys.Symmetric_Keys
• Cert_ID returns the certificate identifier
• CertProperty(Cert_ID, ‘PropertyName’)
• Start_Date, Expiry_Date, etc.
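The encryption hierarchy and certificate commands from the last few slides, walked through end to end as an added example that is not part of the original presentation. CardCert, CardKey, dbo.Cards, the passwords, the backup paths and the sample card number are constructed placeholders; run it in a user database that has no master key yet.

```sql
-- Added example; all names, passwords, paths and the sample value are placeholders.
-- Database master key: protected by the Service Master Key and by this password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-Me-Placeholder-2!';
-- No ENCRYPTION BY PASSWORD here, so the private key is protected by the master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number protection';
-- The symmetric key encrypts the data; the certificate protects the symmetric key.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Cards (
    CardId        int IDENTITY PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL);   -- ciphertext is stored as varbinary
GO
-- The key must be open in the session before EncryptByKey / DecryptByKey work.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Cards (CardNumberEnc)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));
SELECT CardId,
       CONVERT(nvarchar(32), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Cards;
CLOSE SYMMETRIC KEY CardKey;
GO
-- Without a backup of the certificate and its private key, the data is
-- unrecoverable if the database is restored without its key hierarchy.
BACKUP CERTIFICATE CardCert
    TO FILE = 'C:\KeyBackup\CardCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\CardCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-Me-Placeholder-3!');
GO
-- Inventory: how each private key is protected and when certificates expire.
SELECT name, pvt_key_encryption_type_desc, start_date, expiry_date
FROM sys.certificates;
SELECT name, algorithm_desc, key_length FROM sys.symmetric_keys;
SELECT CertProperty(Cert_ID('CardCert'), 'Expiry_Date') AS card_cert_expiry;
```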
DDL Triggers
• Respond to Data Definition Language (DDL) commands
– Examples:
• DROP_TABLE
• ALTER_TABLE
• CREATE_LOGIN
• Purpose:
– Preventing certain changes
– Logging / sending notifications of schema changes
– Can roll back changes
DDL Triggers
• DDL triggers do not generate inserted/deleted tables
• Getting Details
– EVENTDATA function returns details of the changes in XML format
– Can query with XQUERY expressions
• DDL Trigger Scope:
– Database-Level (stored within the same database)
– Server-Level (stored in the master database)
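A database-level DDL trigger that logs ALTER TABLE and blocks DROP TABLE, reading the details from EVENTDATA with XQuery. This is an added example, not part of the original presentation; dbo.DdlAudit and trg_GuardTables are hypothetical names.

```sql
-- Added example; dbo.DdlAudit and trg_GuardTables are hypothetical names.
CREATE TABLE dbo.DdlAudit (
    AuditId     int IDENTITY PRIMARY KEY,
    EventTime   datetime      NOT NULL,
    LoginName   nvarchar(128) NOT NULL,
    EventType   nvarchar(100) NOT NULL,
    ObjectName  nvarchar(257) NULL,
    CommandText nvarchar(max) NULL,
    Blocked     bit           NOT NULL);
GO
CREATE TRIGGER trg_GuardTables ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @type nvarchar(100), @blocked bit;
    SET @e = EVENTDATA();
    SET @type = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)');
    SET @blocked = CASE WHEN @type = 'DROP_TABLE' THEN 1 ELSE 0 END;

    -- Roll back first: an audit row inserted before ROLLBACK would be undone
    -- together with the DROP. Rows inserted afterwards are kept.
    IF @blocked = 1 ROLLBACK;

    INSERT INTO dbo.DdlAudit
        (EventTime, LoginName, EventType, ObjectName, CommandText, Blocked)
    SELECT @e.value('(/EVENT_INSTANCE/PostTime)[1]',  'datetime'),
           @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
           @type,
           @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + '.' +
           @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
           @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
           @blocked;

    IF @blocked = 1
        RAISERROR('DROP TABLE is blocked by trg_GuardTables.', 16, 1);
END;
GO
```

The trigger runs in the caller's context, so principals allowed to alter tables also need INSERT on dbo.DdlAudit unless the trigger is created with an EXECUTE AS clause.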
Monitoring Security with SQL Profiler
• Options:
– Log to a trace file or to a table
– Run programmatically using SQL Trace stored procedures
• “Security Auditing” Event Class
– Audit Login / Audit Logoff
– Audit Add DB User Event
– Audit Addlogin Event
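A server-side trace of the Security Audit events above, created with the SQL Trace stored procedures instead of the Profiler UI. This is an added example, not part of the original presentation; the trace file path is a hypothetical placeholder, and event 20 (Audit Login Failed) is included in addition to the events the slide names.

```sql
-- Added example; the file path is a hypothetical placeholder (.trc is appended).
DECLARE @TraceId int, @rc int, @MaxMb bigint, @On bit, @ev int, @col int;
SET @MaxMb = 50;   -- sp_trace_create requires a bigint variable here
SET @On = 1;       -- sp_trace_setevent requires a bit variable here
-- Option 2 = TRACE_FILE_ROLLOVER: start a new file when @MaxMb is reached.
EXEC @rc = sp_trace_create @TraceId OUTPUT, 2, N'C:\Traces\SecurityAudit', @MaxMb, NULL;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);
    RETURN;
END
-- Events: 14 Audit Login, 15 Audit Logout, 20 Audit Login Failed,
-- 104 Audit Addlogin Event, 109 Audit Add DB User Event.
DECLARE @Events TABLE (EventId int PRIMARY KEY);
INSERT @Events SELECT 14 UNION ALL SELECT 15 UNION ALL SELECT 20
               UNION ALL SELECT 104 UNION ALL SELECT 109;
-- Columns: 8 HostName, 10 ApplicationName, 11 LoginName, 12 SPID, 14 StartTime.
DECLARE @Cols TABLE (ColumnId int PRIMARY KEY);
INSERT @Cols SELECT 8 UNION ALL SELECT 10 UNION ALL SELECT 11
             UNION ALL SELECT 12 UNION ALL SELECT 14;
DECLARE pairs CURSOR LOCAL FAST_FORWARD FOR
    SELECT EventId, ColumnId FROM @Events CROSS JOIN @Cols;
OPEN pairs;
FETCH NEXT FROM pairs INTO @ev, @col;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_trace_setevent @TraceId, @ev, @col, @On;
    FETCH NEXT FROM pairs INTO @ev, @col;
END
CLOSE pairs;
DEALLOCATE pairs;
-- TargetLoginName (42) names the login that was added or mapped to a user.
EXEC sp_trace_setevent @TraceId, 104, 42, @On;
EXEC sp_trace_setevent @TraceId, 109, 42, @On;
EXEC sp_trace_setstatus @TraceId, 1;   -- 1 = start the trace
SELECT @TraceId AS trace_id;           -- keep this id to stop (0) and close (2) it
GO
-- Review the captured events with their names instead of numeric ids.
SELECT te.name AS event_name, t.StartTime, t.LoginName, t.TargetLoginName,
       t.HostName, t.ApplicationName
FROM fn_trace_gettable(N'C:\Traces\SecurityAudit.trc', DEFAULT) AS t
JOIN sys.trace_events AS te ON te.trace_event_id = t.EventClass
ORDER BY t.StartTime;
```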
SQL Profiler: Security Auditing
For More Information
• Resources from Anil Desai
– Web Site (http://AnilDesai.net)
– E-Mail: [email protected]
– Keystone Learning Course: “Microsoft SQL Server 2005: Implementation and Maintenance (Exam 70-431)”
– The Rational Guide to Managing Microsoft Virtual Server 2005
– The Rational Guide to Scripting Microsoft Virtual Server 2005