Vinod Kumar M MTC – Technology Specialist Level: 300.

Presentation transcript:


Session Takeaways
- Security is a complex topic, but we will stick to the basics.
- The session is based on real customer surprises and requirements experienced at MTC.
- This is not an exhaustive or extensive treatment of what can be covered under security.

Session flow !!!
- Authentication
  - Login tracing
  - sa (facts)
- Authorization
- Signed modules
- Auditing
  - User data auditing
- Demo

DEMO Security flow !!!! Vinod Kumar M

Encryption Performance Impact
- The encryption scan can have a performance impact.
- It can be improved by altering the database file layout (laying out files on drives with separate LUNs).
- The encryption scan can be controlled using trace flags 5004 (pause) and 5005 (slow). These trace flags need to be enabled at server startup.
- % performance degradation for normal workload. 30% degradation on CPU-intensive workload.
- Tempdb can also cause a performance impact, as it is encrypted when at least one database is marked for encryption.
- No perfmon counters in the current release to measure the performance of encryption.
- No new wait types.
- The DMV sys.dm_exec_requests reports a command of type "ALTER DATABASE E" and a status of "background" for the background threads performing the encryption scan.

Audit Performance Impact
- Audit can be of 2 types: synchronous and asynchronous.
- Performance can be impacted when synchronous audit is selected.
  - It guarantees that the audit event is written to the target as soon as it is generated.
  - It must be selected only when audit takes priority over performance.
- New wait types: auditing introduced new wait types to help with troubleshooting performance issues related to audit. They are:
  - AUDIT_XE_SESSION_MGR: waits while sessions are started/stopped
  - AUDIT_ON_DEMAND_TARGET_LOCK: waits while creating a session target on demand
  - PREEMPTIVE_AUDIT_ACCESS_EVENTLOG: waits while writing to the log
  - PREEMPTIVE_AUDIT_ACCESS_SECLOG: waits while writing to the security log

Summary
- Authentication and authorization are interesting and core to the SQL security model.
- Believe in auditing and start thinking about what to audit.
- Data security is based on application requirements.
  - It has an inherent performance impact.
  - Encryption is at multiple levels and is mix-and-match.

© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Backup slides

{All Action} Auditing – New in SQL Server 2008
- Create an Audit object to automatically log actions to:
  - File
  - Windows Application Log
  - Windows Security Log
- Create an Audit Specification to include server and database actions in an audit:
  - Pre-defined action groups
  - Individual action filters
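The audit object, the two kinds of audit specification, and the audit wait types from the "Audit Performance Impact" slide, put together as an added T-SQL example that is not part of the original deck. The audit names, the file path `C:\SQLAudit\`, the database `SalesDemo` and the table `dbo.Customers` are hypothetical and must exist on the test instance.

```sql
-- Added example, not from the presentation. All object names and the path are hypothetical.
USE master;
GO
-- Audit object: where events go. QUEUE_DELAY = 0 makes the audit synchronous;
-- a value of 1000 ms or more lets the engine buffer events (asynchronous).
CREATE SERVER AUDIT Audit_Demo
    TO FILE (FILEPATH = 'C:\SQLAudit\')      -- or TO APPLICATION_LOG / TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Server audit specification: pre-defined action groups.
CREATE SERVER AUDIT SPECIFICATION Audit_Demo_Server
    FOR SERVER AUDIT Audit_Demo
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)      -- e.g. ALTER LOGIN ... ENABLE
    WITH (STATE = ON);
GO
-- Database audit specification: individual actions filtered by object and principal.
USE SalesDemo;
GO
CREATE DATABASE AUDIT SPECIFICATION Audit_Demo_Db
    FOR SERVER AUDIT Audit_Demo
    ADD (SELECT, UPDATE ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
USE master;
GO
-- Nothing is recorded until the audit itself is switched on.
ALTER SERVER AUDIT Audit_Demo WITH (STATE = ON);
GO
-- Read back what was captured.
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

-- Check whether auditing is costing time: the wait types named on the slide.
SELECT wait_type, waiting_tasks_count, wait_time_ms
FROM sys.dm_os_wait_stats
WHERE wait_type IN ('AUDIT_XE_SESSION_MGR',
                    'AUDIT_ON_DEMAND_TARGET_LOCK',
                    'PREEMPTIVE_AUDIT_ACCESS_EVENTLOG',
                    'PREEMPTIVE_AUDIT_ACCESS_SECLOG');
```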

{Encryption Hierarchy}
[Diagram: encryption hierarchy. Node labels: DP API, Service Key, Master Key, Password, Certificate, Public Key, Private Key, Key. Relationship labels: Wraps, Associated with, Secured By.]

Don't Forget Module Signing (1)
- Need ALTER ANY LOGIN server permission to ALTER LOGIN
- Need to GRANT ALTER ANY LOGIN TO Alice? No!
[Diagram labels: Alice (non-privileged login); ALTER LOGIN Bob ENABLE]

Don't Forget Module Signing (2)
- Alice has permission to call the SP
- The SP runs under Alice's context but with elevated privilege
- The SP is protected against tampering
[Diagram labels: Alice (non-privileged login); SP_ENABLE_LOGIN; ALTER LOGIN Bob ENABLE; Cert_login; ALTER ANY LOGIN]
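The module-signing arrangement on the two slides above, written out as an added T-SQL example that is not part of the original deck. The certificate name `Cert_enable_login` and all passwords are constructed placeholders; it assumes a sysadmin session on a test instance where the logins Alice and Bob do not yet exist.

```sql
-- Added example, not from the presentation. Certificate name and passwords are placeholders.
USE master;
GO
CREATE LOGIN Alice WITH PASSWORD = 'Constructed-Placeholder-1!';   -- non-privileged login
CREATE LOGIN Bob   WITH PASSWORD = 'Constructed-Placeholder-2!';
ALTER LOGIN Bob DISABLE;
CREATE USER Alice FOR LOGIN Alice;    -- Alice needs a user in master to call the procedure
GO
-- The module does exactly one privileged thing and takes no input.
CREATE PROCEDURE dbo.SP_ENABLE_LOGIN
AS
    ALTER LOGIN Bob ENABLE;
GO
-- Certificate whose private key signs the module.
CREATE CERTIFICATE Cert_enable_login
    ENCRYPTION BY PASSWORD = 'Constructed-Cert-Password-3!'
    WITH SUBJECT = 'Signs dbo.SP_ENABLE_LOGIN';
GO
ADD SIGNATURE TO dbo.SP_ENABLE_LOGIN
    BY CERTIFICATE Cert_enable_login
    WITH PASSWORD = 'Constructed-Cert-Password-3!';
GO
-- Discard the private key so no other module can be signed with this certificate.
-- Altering the procedure later drops its signature, and with it the extra permission.
ALTER CERTIFICATE Cert_enable_login REMOVE PRIVATE KEY;
GO
-- The permission goes to a login mapped to the certificate, never to Alice.
-- A certificate-mapped login cannot be used to connect.
CREATE LOGIN Cert_login FROM CERTIFICATE Cert_enable_login;
GRANT ALTER ANY LOGIN TO Cert_login;
GRANT EXECUTE ON dbo.SP_ENABLE_LOGIN TO Alice;
GO
-- Exercise it as Alice: inside the signed module her token also carries
-- Cert_login's permission; outside it she still cannot ALTER LOGIN.
EXECUTE AS LOGIN = 'Alice';
EXEC dbo.SP_ENABLE_LOGIN;
REVERT;
GO
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'Bob';

-- Review which modules in this database are signed, and by which certificate.
SELECT OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint;
```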