Securing SQL Server Processes with Certificates
Robert L Davis
Database Engineer
@SQLSoldier
www.sqlsoldier.com

Robert L Davis (@SQLSoldier, www.sqlsoldier.com)
  - Microsoft Certified Master
  - Data Platform MVP
  - Database Engineer, BlueMountain Capital Management
  - 17+ years working with SQL Server
  - PASS Security Virtual Chapter: http://security.sqlpass.org (volunteers needed)

  - Database Engineer at BlueMountain Capital Management
  - Former Principal Database Architect at DB Best Technologies (www.dbbest.com)
  - Former Principal DBA at Outerwall, Inc
  - Former Sr. Product Consultant with Idera Software
  - Former Program Manager for SQL Server Certified Master program in Microsoft Learning
  - Former Sr. Production DBA / Operations Engineer at Microsoft (CSS)
  - Microsoft Certified Master: SQL Server 2008 / MCSM Charter: Data Platform
  - Co-founder of the SQL PASS Security Virtual Chapter
  - MCITP: Database Developer: SQL Server 2005 and 2008
  - MCITP: Database Administrator: SQL Server 2005 and 2008
  - MCSE: Data Platform
  - MVP 2014
  - Co-author of Pro SQL Server 2008 Mirroring
  - Former Idera ACE (Advisors & Community Educators)
  - 2 time host of T-SQL Tuesday
  - Guest Professor at SQL University, summer 2010, spring/summer 2011
  - Speaker at SQL PASS Summit 2010, 2011, and 2012 including a pre-con in 2012
  - Speaker/Pre-con at SQLRally 2012
  - Writer for SQL Server Pro (formerly SQL Server Magazine)
  - Member: Mensa
  - Dog picture: Maggie and Woody
  - SQLCruise instructor: Seattle to Alaska 2012
  - Speaker at SQL Server Intelligence Conference in Seattle 2012
  - Blog: http://www.sqlsoldier.com
  - Twitter: http://twitter.com/SQLSoldier

Securing SQL Server Processes with Certificates
  - Managing Certificates
  - Creating Logins and Users Mapped to Certificates
  - Signing Procedures
  - Signing Procedures for SQL Server Processes

Managing Certificates
  - Creating certificates
      - CREATE CERTIFICATE
  - Backing up certificates
      - BACKUP CERTIFICATE
  - Restoring certificates
      - CREATE CERTIFICATE … FROM FILE
  - Store securely
  - Demo

Creating Logins and Users Mapped to Certificates
  - Creating logins
      - CREATE LOGIN … FROM CERTIFICATE
  - Creating users
      - CREATE USER … FOR/FROM CERTIFICATE
  - Demo

Signing Stored Procedures
  - Grant permissions for a stored procedure without granting to user
  - Allows you to avoid common issues where you may otherwise be pressured to enable risky database options
      - Cross-database ownership chaining
      - Trustworthy
  - Signing the procedures
      - ADD SIGNATURE TO … BY CERTIFICATE … WITH PASSWORD
      - Executes as certificate which is mapped to a user and/or login
  - Demo
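
Added example (not from the original slides or demos): the statements named on the slides above, put together for one cross-database case that needs neither cross-database ownership chaining nor TRUSTWORTHY. The databases AppDB and AuditDB, the table dbo.AuditLog, the procedure, the users, the file path and the password are all hypothetical placeholders.

```sql
USE AppDB;
GO
-- 1. Signing certificate; its private key is protected by a password.
CREATE CERTIFICATE ProcSigningCert
    ENCRYPTION BY PASSWORD = '<strong-password-placeholder>'
    WITH SUBJECT = 'Signs procedures that read AuditDB';
GO
-- 2. Procedure that reaches into another database.
CREATE PROCEDURE dbo.GetAuditRows
AS
    SELECT EventTime, EventText FROM AuditDB.dbo.AuditLog;
GO
-- 3. Sign the procedure. Altering the procedure later drops the
--    signature, so it must be signed again after every change.
ADD SIGNATURE TO dbo.GetAuditRows
    BY CERTIFICATE ProcSigningCert
    WITH PASSWORD = '<strong-password-placeholder>';
GO
-- 4. Callers get EXECUTE on the procedure and nothing on the table.
GRANT EXECUTE ON dbo.GetAuditRows TO AppUser;
GO
-- 5. Check: list the objects in this database signed by a certificate.
SELECT OBJECT_NAME(cp.major_id) AS signed_object, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.crypt_type_desc = 'SIGNATURE BY CERTIFICATE';
GO
-- 6. Export the certificate. Without a WITH PRIVATE KEY clause only the
--    public part is written, which is all the target database needs.
BACKUP CERTIFICATE ProcSigningCert
    TO FILE = 'C:\Certs\ProcSigningCert.cer';
GO
USE AuditDB;
GO
-- 7. Restore the certificate in the target database.
CREATE CERTIFICATE ProcSigningCert
    FROM FILE = 'C:\Certs\ProcSigningCert.cer';
GO
-- 8. User mapped to the certificate. It cannot log in; it only carries
--    the permission that the signed procedure gains while it runs.
CREATE USER ProcSigningUser FROM CERTIFICATE ProcSigningCert;
GRANT SELECT ON dbo.AuditLog TO ProcSigningUser;
GO
```

For server-level permissions the same pattern applies with the certificate created in master and CREATE LOGIN … FROM CERTIFICATE in place of the user in step 8.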

Signing Stored Procedures for SQL Server Processes
  - Relies on everything we’ve learned so far
  - Can be used to execute signed procedure via Service Broker
  - Can be used to grant rights to CLR assemblies
  - More work but more secure
Performance Tuning 101: Parallelism Q & A

Thank you for attending!
My blog: www.sqlsoldier.com
Twitter: twitter.com/SQLSoldier