Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Microsoft Access wikipedia , lookup
Oracle Database wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Concurrency control wikipedia , lookup
Ingres (database) wikipedia , lookup
Open Database Connectivity wikipedia , lookup
Relational model wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Database model wikipedia , lookup
DB-14: OpenEdge® Database Run-time Security Revealed Michael Jacobs Architect, Progress OpenEdge Agenda Run-time database security landscape OpenEdge 10 database security Comparing run-time and compile-time Configuring run-time database security 2 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Run-time Security Drivers Why motivates us to use run-time database security: Because you have to • Government regulations • Industry standards • Personal data privacy requirements Legal liability • Imposed $$ penalties It is all because of the hackers • They have tools • They have the knowledge • They have the motivation 3 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation CSI/FBI Computer Crime & Security Survey 2006 respondents reported : 48% detected 1 – 6 security incidents • 68% reported losses due to insider attacks • Average loss ~$168,000 Top reasons for loss • • • • Viruses Unauthorized access to information Laptop / mobile hardware theft Theft of proprietary information Top security issues • Data protection & application security • Policy & regulatory compliance • Identity theft & leakage of private information 4 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Security In a perfect world, the application stack has no security holes: (Black-hat hacker) OS/Network Security Application Application Application A B C xDBC Driver xDBC Driver xDBC Driver DB Server Database Utilities (cache files) RDBMS (index blocks) 5 OS Files DB-14: OpenEdge Database Run-time Security Revealed (record blocks) © 2007 Progress Software Corporation Database Security In reality, the application stack has many vulnerabilities : OS/Network Security Application A Application B Application C xDBC Driver xDBC Driver xDBC Driver DB Server Database Utilities (cache files) RDBMS (index blocks) 6 OS Files DB-14: OpenEdge Database Run-time Security Revealed (record blocks) © 2007 Progress Software Corporation Database Run-time Security’s Role Block application-code attacks & inappropriate user access : SQL sets the standard for database run-time security • User authentication • Database administration • View, table & column access controls Database vendors add security features • Multiple user authentication systems • User connection privileges • Role & user-group privileges 7 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Agenda Run-time database security landscape OpenEdge 10 database security Comparing run-time and compile-time Configuring run-time database security 8 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation OpenEdge Database Security One database – two security systems : SQL Server ABL Core application ISUD user authentication user authentication user authorization OpenEdge RDBMS • Database storage engine performs no security operations application CRUD user authorization user accounts SQL Privileges • SQL & ABL clients provide all database security ABL Permissions Public Tables SQL Tables 9 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Comparing ABL & SQL Security Systems ABL 10 SQL Security model GRANT GRANT Default DBA n/a Default security administrator Default table access “*” <db-owner> SYSPROGRESS n/a “*” <none> Default field access “*” <none> DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation OpenEdge Database Auditing How do you know the security systems have not been compromised ? SQL Server ABL Core application ISUD user authentication user authentication user authorization OpenEdge RDBMS • No SQL or ABL database record operations can bypass auditing application CRUD user authorization Audit Rules policies.xml Audit subsystem Audit Data Schema & data Tables 11 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation User Authentication 12 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Shared ABL & SQL User Accounts _User table accounts : Two required fields • user-id (_Userid) – Maximum length: – Illegal characters: • password 12 < 32 or “#*,!@” (_Password) – ABL: Changed only by the account’s owner – SQL: Changed by DBA or the account’s owner Password field: Beware of default SQL DBA account definitions • <db-owner> • SYSPROGRESS • PUB 13 fixed-length CRC-16 hash DB-14: OpenEdge Database Run-time Security Revealed (DBA privileges) (DBA privileges) (table owner privileges) © 2007 Progress Software Corporation ABL & SQL _User Account Behavior ABL • Without _User accounts – User-id: OS process id – Cannot use –U –P to connect SQL • Without _User accounts – Default user-id: none – Connect with any user-id except • “PUB” • “SYSPROGRESS” (passwords ignored) • With _User accounts – Default user-id: “” – -U/-P must match _user account – Can always CONNECT as default user-id 14 DB-14: OpenEdge Database Run-time Security Revealed • With _User accounts – Default user-id: none – MUST authenticate to _User account – PUB & SYSPROGRESS accepted as user-ids © 2007 Progress Software Corporation ABL Prompting for User-id It all happens inside ABL procedures : ABL Core: run _edit.p. _edit.p run _prostar.p. _prostar.p run _login.p. * Sources found in DLC/src & PSDN development tools download 15 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL & SQL User Account Administration Similar user account operations : ABL Create account Delete account CREATE _user CREATE USER record statement DELETE _user DROP USER record statement ASSIGN field ALTER USER statement Change password Create password ENCODE () 16 SQL DB-14: OpenEdge Database Run-time Security Revealed N/A © 2007 Progress Software Corporation OpenEdge Database Security Alternative user authentication for ABL only applications : SQL Server ABL Core user login credentials user accounts ( _user ) user authentication is valid? Y connection user-id user authentication CLIENTPRINCIPAL Validate CLIENTPRINCIPAL is valid? ABL Application Proof of ABL user authentication ABL Core Authentication Configuration A 17 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation User Authorization 18 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation All Tables Have an Owner Both ABL & SQL clients respect table “ownership” : “PUB” (SQL server & ABL user-id) • Data tables – ABL clients: Create, Read, Update, & Delete – SQL clients: Insert, Select, Update, & Delete • Meta schema tables – ABL clients: Create, Read, Update, & Delete – SQL clients: Select “SYSPROGRESS” (private user-id for SQL server) • ABL clients: none • SQL clients: Select “<sql-client>” • SQL clients: • ABL clients: 19 (supported only by SQL server) Insert, Select, Update, & Delete none DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Core Database Security Administered via _schema record CRUD operations : assign _Canwrite _Field record Permissions find for create delete F1 F2 F3 _Canread F4 _File Permissions * Sometimes meta-schema table & field permissions lie 20 DB-14: OpenEdge Database Run-time Security Revealed F5 F6 _Cancreate F7 _Canwrite _Canread _Candelete Table Data © 2007 Progress Software Corporation SQL Server Database Security Administered via GRANT/REVOKE SQL statements : Selective column update only alter _syscolauth Privileges select insert update delete update F1 F2 F3 update F4 _systabauth Privileges F5 F6 insert F7 update select delete Table Data 21 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation SQL Server Database Security Wrapper for a mixture of selected rows & columns : alter _syscolauth Privileges select insert update delete update F1 F2 F3 update F4 _systabauth Privileges View Privileges 22 No read access by exclusion DB-14: OpenEdge Database Run-time Security Revealed F5 F6 create insert F7 update select read delete Table Data © 2007 Progress Software Corporation Database Administration 23 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation SQL Standard Database Administration DBA has all database privileges* Table’s “owner” has all table & column privileges A user must have a privilege before they can GRANT that privilege to others The grantor of a privilege can REVOKE that privilege A privilege may be GRANTED without the ability to grant it to any other user * Except OpenEdge Auditing SoD (Separation of Duty) 24 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Security Administrator Revealed ABL Security Administrator is NOT A DBA ABL Security Administrator controls • Table & field access via _Can-* permissions • User account creation & deletion • ABL client & database security options Security Administrator’s user-account list is replicated in many places • See PSDN open-source development tools – src/prodict/user/_usradmn.p 25 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Agenda Run-time database security landscape OpenEdge 10 database security Comparing run-time and compile-time Configuring run-time database security 26 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Compile-time Versus Run-time Security Compile-time Connection’s user-id Fixed Dynamic Table & column access Fixed Dynamic Run-time impact < run-time > compile time Yes No Higher Lower Application security context Security risk from user impersonation & rogue r-code 27 Run-time DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation OpenEdge Database Security ABL .r-code contains only the permitted CRUD operations : user login credentials .p source (CRUD) All record operations OE Database Server ABL Core compiler dynamic buffer (CRUD) static buffer user authentication connection user-id user accounts ( _user ) (RU) Permissions .r code (RU) user access? (RU) Permitted record operations 28 DB-14: OpenEdge Database Run-time Security Revealed Public Data Checks user-id to permitted operations © 2007 Progress Software Corporation OpenEdge Database Security Default ABL Core run-time permission checking : user login credentials OE Database Server ABL Core run-time user authentication .r code (RU) Checked at run-time user accounts ( _user ) connection user-id Permissions .r code (CRUD) dynamic buffer user access? Public Data static buffer Not checked at run-time 29 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation OpenEdge Database Security ABL Core with optional run-time permission checking : user login credentials OE Database Server ABL Core run-time user authentication .r code (RU) user accounts ( _user ) connection user-id Permissions .r code (CRUD) dynamic buffer user access? Public Data static buffer All operations checked at run-time 30 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Agenda Run-time database security landscape OpenEdge database security Comparing run-time and compile-time Configuring run-time database security 31 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Configuring Database Security The best database security comes from multiple layers : ABL & SQL application security (Adds contextual application security to the database’s built-in security features) OpenEdge database run-time security (Protects database from rogue applicationcode and users) OS file system permissions (Protects database’s utilities, configuration, and data files from other OS processes) 32 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation OpenEdge Database Security Options Many security options available to fit your application : 1. 2. 3. 4. 33 Database administration Database user connection Table & column/field access Database auditing DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Security Starts with User Accounts When are database user accounts required ? A place to start “Database contain private or confidential data?” YES: I should configure database user accounts 1 or more _user administrator accounts 1 or more _user accounts for data access Eliminate built-in default-user accounts “_user accounts required for individual users?” If SQL server is used: YES If SQL is not used: can use application’s user accounts via the CLIENT-PRINCIPAL object 34 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Administration Security Steps If SQL Server installed, configure it’s DBA security first : 1. Connect SQL explorer as any user-id and find the database’s “db-owner” SELECT * from SYSPROGRESS.SYSDBAUTH; 2. It is the user-id that is not “SYSPROGRESS” 3. Reconnect SQL explorer with the “db-owner” user-id 4. Create a common ABL/SQL DBA account CREATE USER ‘MYDBA’, ‘dba-pwd’; GRANT RESOURCE, DBA to MYDBA; 35 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Administration Security Steps Lockout built-in SQL DBAs & table owners : 1. Connect SQL Explorer as MYDBA 2. Create user accounts with known passwords CREATE USER ‘SYSPROGRESS’, ‘pwd’; CREATE USER ‘<db-owner>’, ‘pwd’; CREATE USER ‘PUB’, ‘pwd’; 36 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Administration Security Steps Define ABL Security Administrator : Use Data Administration tool to deny PUBLIC Security Administrator access 1. Define common ABL [ & SQL] administration user account [“MYDBA”] Admin->Security->Edit User list… 2. Set the security administrator list to “MYDBA” * Admin->Security->Security Administrators… * Best practices indicate two user accounts defined 37 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Database Schema Administration ABL client cannot change SQL user privileges SQL client cannot change ABL user permissions Define your own ABL-DBA by granting • Grant PUBLIC (“*”) to _File._Can-read • Grant _Can-create, _Can-write, _Can-delete to ABL Security Administrator account list for schema security “_File._File” “_File._Field” “_File._Index” “_File._Index-field” 38 DB-14: OpenEdge Database Run-time Security Revealed “_File._sec-role” “_File._sec-granted-role” “_File._sec-authentication-domain “_File._sec-authentication-system © 2007 Progress Software Corporation Enable Advanced ABL Security Features 1. 2. Update to release 10.1A+ If not creating a new 10.1B+ database, update security schema definitions $ proutil db –C updateschema OR enable OpenEdge auditing $ prostrct add db audit-areas.st $ proutil db –C enableauditing area data-area-name indexarea index-area-name [disableindexes] 39 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Connection Security Optionally block blank-user id connections Database Administration utility’s menu Admin->Database Options … Disallow Blank UserID* (*Requires 1 _user account & -U/-P connection) Pick your ABL access-control design • All database connections use the user’s login id • Application connects to the database using – A single database user-id (1 user w. all permissions for all data tables) – A role or group account (each application user-id has exactly 1 role ) 40 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Binding R-code to the OpenEdge Database DBAUTHKEY in case run-time security not achievable : Low level security option, but viable for some usecases Simple secret-key hash value • Embedded in database • Compiled into r-code • Checked by ABL core at run-time Not recommended where: • ABL is customized at production site • Database’s used in multiple applications • Update application with subset of .r-code modules 41 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Two ABL Permissions Security Strategies Choose which suits your application the best : Use the application development defaults • On [schema] tables where data is PUBLIC • Deny user access to tables with restricted data * • Deny default blank user-id access to all tables & fields Admin->Security->Disallow Blank Userid Access … Use the industry recommended GRANT model • • • • If your application uses SQL server security Tables that contain restricted-access tables or fields Default table/field access is System Administrators Add (grant) & remove (revoke) selective user accounts * Not an recommended security practice 42 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Run-time Database Security Enabling ABL run-time permission checking : Turn on run-time checking via the data administration tool’s dialog Admin->Database Options … Use Runtime Permissions Checking Update application’s code error checking (if required) Tip: use ABL CAN-DO() to test permission list find _File where _File._File-Name = “Customer”. if CAN-DO(_File._Can-Delete, user_id) then DELETE Customer. 43 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Controlling Run-time Permission Checking If permission denied, raises STOP event Enclose statement in a block with ON STOP DO ON STOP UNDO , LEAVE : FIND customer WHERE CustNum = m_iCustNum NO-ERROR. END. IF ( ERROR-STATUS:ERROR AND INDEX(ERROR-STATUS:GET-MESSAGE(1), “permission denied”) <> 0) THEN RETURN ERROR “Customer table read access denied”. … 44 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Permission Secrets Three Security Administrator rules you never forget : A Security Administrator is NOT treated special • Table access • Field access • Granting/revoking other Security Administrators Each _Can-* permission field must have one of • One Security Administrator account • PUBLIC (“*”) Never, never, never leave a _Can-* permission list blank 45 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Permission Secrets ABL _Can-* permission list rules : Order dependent, comma separated list of account names (no white-space!) Add account name to grant access, remove account names to revoke access Use “!” to explicitly deny access to an account Use “*” for wild-card multiple user account match – PUBLIC access (all accounts) – Can use “xxx_*” or “*_xxxx” for account names with the same prefix or suffix 46 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Permission List Examples Illegal, nobody has access!!! Deny blank user grant access to no accounts Deny blank user & fred, grant access to all other accounts Grant access to blank user-id and all accounts Pure GRANT model (denies blank user-id) Grant any account starting with “dba_” “!” “!,!fred,*” “*” List denied user accounts first SQL equivalent PUBLIC access “fred,wilma,MYDBA” SQL equivalent GRANT model “barney,dba_*,MYDBA” Interesting use of account name groups * More examples in Bonus slides 47 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation ABL Permission Combinations ABL permissions enforced at lower-level : FIND, GET, FOR-EACH type statements • _File._Can-Read EQ, GT, LT, … field access • _File._Can-Read, _Field._Can-Read CREATE record statement • _File._Can-Read, _File._Can-Create, _File._Can-Write, _Field._Can-Write (required fields) ASSIGN record field values • _File._Can-Read, _File._Can-Write, 48 _Field._Can-Write DELETE record statement • _File._Can-Read, _File._Can-Delete DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Keeping SQL and ABL in Sync Similar user access controls to PUB tables & columns : SQL 49 View INSERT SELECT UPDATE DELETE Table INSERT SELECT UPDATE DELETE Column/field (view) UPDATE DB-14: OpenEdge Database Run-time Security Revealed ABL N/A _Can-create _Can-read _Can-write _Can-delete _Can-read _Can-write © 2007 Progress Software Corporation Privilege & Permission WARNING! Beware of orphan privileges and permissions: Grant/revoke operations do not check account name presence Account’s SQL privileges & ABL permissions are NOT removed when account is deleted (including DBA & Security Administrator) • If new account created with same name, it inherits all the old account’s privileges & permissions (also can be used as a recovery tool) 50 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation In Summary More pressures to include 51 database run-time security as intrusions become more sophisticated OpenEdge 10.1+ has added additional security features OpenEdge 10.1+ RDBMS can meet your database’s run-time security needs DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation For More Information, go to… PSDN • OpenEdge SQL Authorization Documentation: • OpenEdge Database Management: Database Administration • OpenEdge Database Management: SQL Reference • OpenEdge Development Collection: Progress 4GL Referenced 52 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Relevant Exchange Sessions DEV-4: OpenEdge in an LDAP World COMP-7: Securing your Swiss Cheese 53 Environment DEV-8: A statefull application in a stateless world DB-8: Jump-starting Your OpenEdge Auditing Solution DB-19: OpenEdge Authentication without the _User table DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Questions? 54 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Thank you for your time 55 DB-14: OpenEdge Database Run-time Security Revealed © 2007 Progress Software Corporation Bonus ABL Permission List Examples 56 Table “lock-out”, dump & load to recover Deny fred, grant access to all other accounts Grant access to fred and all accounts Pure GRANT model (denies blank user-id) Grant model, deny PUBLIC access “” Grant model, grant blank userid as middle account Grant model, grant blank userid as first account “fred,,wilma,MYDBA” DB-14: OpenEdge Database Run-time Security Revealed “!fred,fred,*” “fred,!fred,*” “fred,wilma,MYDBA” “fred,wilma,MYDBA,!*” “,fred,wilma,MYDBA” © 2007 Progress Software Corporation