Connect with life Vinod Kumar Technology Evangelist - Microsoft

Presentation transcript:


Session Objectives and Takeaways
Session objective(s):
- Describe what applications can do to help increase data security
- Discuss encryption, authentication, permissions, and SQL injection
- Understand that security is an important consideration for the application as well as the server
- Know what is available in SQL Server and how it can help customers achieve their security objectives

Why Do Applications Need to Care?
- Data security is not complete without application involvement
- SQL injection is now the single most common type of attack on the web
- Applications control or influence:
  - Encryption
  - Authentication
  - Permissions / role separation
  - Vulnerability to SQL injection

Data Protection

Data Encryption
Why consider encryption?
- An additional layer of security
- Required by some regulatory compliance laws
In SQL Server 2000, vendor support was required.
Since SQL Server 2005:
- Built-in support for data encryption
- Support for key management
Encryption additions in SQL Server 2008:
- Transparent Data Encryption
- Extensible Key Management

Data Encryption: SQL Server 2005 Support
- Encryption and decryption built-ins
- DDL for creation of symmetric keys, asymmetric keys, and certificates
- Symmetric keys and private keys are always stored encrypted
- Securing the keys themselves:
  - Based on user passwords, or
  - Automatic, using SQL Server key management
- Choice of algorithms: DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES (128, 192, or 256)

Data Encryption Best Practices
- Encrypt only the data that needs it
- Use symmetric encryption for the data itself
- Plan carefully: key management is very important
- Understand the changes that existing code will need
- Consider the CPU cost of the chosen key size and algorithm
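The three encryption slides above describe the SQL Server 2005 building blocks (DDL for keys and certificates, key protection by password or by the server's own key hierarchy, and the EncryptBy*/DecryptBy* built-ins) without showing them together. The following T-SQL is an added example, not code from the deck, that protects a single column with a symmetric key and follows the best-practice slide: only the sensitive column is encrypted, the data itself uses symmetric AES (chosen here over the older DES/RC4 entries in the algorithm list), and the keys are protected by the SQL Server key hierarchy rather than a password in application code. The database, key, certificate, table and column names, and the sample card number, are all constructed for this example.

```sql
-- Added example: column-level encryption with a symmetric key protected by a
-- certificate, itself protected by the database master key. All names below
-- (DemoDB, DemoCert, DemoSymKey, dbo.Payments, CardNumber) are assumed.
USE DemoDB;
GO
-- 1. Database master key. SQL Server also keeps a copy protected by the service
--    master key, so the password is only needed for backup/restore scenarios.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password here>';
GO
-- 2. A certificate protected by the master key, and a symmetric key protected
--    by the certificate: applications never handle the key material.
CREATE CERTIFICATE DemoCert WITH SUBJECT = 'Protects DemoSymKey';
GO
CREATE SYMMETRIC KEY DemoSymKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoCert;
GO
-- 3. Encrypt only the column that needs it; ciphertext is stored as varbinary.
CREATE TABLE dbo.Payments (
    PaymentId  int IDENTITY PRIMARY KEY,
    Customer   nvarchar(100)  NOT NULL,
    CardNumber varbinary(256) NOT NULL   -- EncryptByKey output, never plaintext
);
GO
-- 4. The key must be opened (decrypted by its certificate) before use in the session.
OPEN SYMMETRIC KEY DemoSymKey DECRYPTION BY CERTIFICATE DemoCert;

-- Constructed sample row; the card number is the well-known test value.
INSERT INTO dbo.Payments (Customer, CardNumber)
VALUES (N'Alice', EncryptByKey(Key_GUID('DemoSymKey'), N'4111111111111111'));

-- 5. Decrypt on read. DecryptByKey returns NULL when the key is not open
--    or the ciphertext has been tampered with, so the caller sees NULL rather
--    than garbage. (The optional authenticator arguments of EncryptByKey can
--    additionally bind a ciphertext to its row so values cannot be swapped.)
SELECT Customer,
       CONVERT(nvarchar(32), DecryptByKey(CardNumber)) AS CardNumber
FROM dbo.Payments;

CLOSE SYMMETRIC KEY DemoSymKey;
GO
```

Because the plaintext is nvarchar, the decrypted varbinary is converted back with the same type; converting to varchar would yield mangled text. Users who should read the column need CONTROL or VIEW DEFINITION on the symmetric key and the certificate to open it, which is where the "carefully think about permissions" advice of the deck applies to encryption as well.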

Channel Encryption
- Support for full SSL encryption since SQL Server 2000
- Clients: MDAC 2.6 or later
- Encryption can be forced from the client or from the server
- Login packet encryption:
  - Used regardless of encryption settings
  - Supported since SQL Server 2000
- Self-generated certificates available since SQL Server 2005

Channel Encryption Best Practices
- Enable channel encryption whenever possible and tolerable
- Provision a certificate on the server
- Force encryption from the client

Authentication
Windows Authentication is preferable to SQL Authentication:

SQL Authentication                                        | Windows Authentication
--------------------------------------------------------- | -------------------------------------------------------
Userid/password                                           | Encrypted token (Kerberos) or challenge-response (NTLM)
Password obfuscated on the wire                           | Password not transmitted on the wire
Subject to replay attack if the channel is not encrypted  | Not subject to replay attack (Kerberos)
No mutual authentication                                  | Mutual authentication with Kerberos
Logins managed in SQL Server                              | Logins managed by Windows
DBAs create login accounts                                | Windows/domain admins create login accounts
Password policy enforced by Windows (Windows 2003+)       | Password policy enforced by Windows
Security context may or may not be common between servers | Security context is common between servers

Authentication Enhancements in 2008
SQL Server 2005:
- Kerberos possible with TCP/IP connections only
- SPN must be registered in AD
SQL Server 2008:
- Kerberos available with ALL protocols
- SPN may be specified in the connection string (OLEDB/ODBC)
- Kerberos possible without an SPN registered in AD

Application Role Separation and Permissions

Permission Strategy
- Follow the principle of least privilege!
  - Avoid using sysadmin/sa and db_owner/dbo
  - Grant only the required permissions to a normal login
- Never use the dbo schema
  - User-schema separation: applications should have their own schema
  - Consider multiple schemas
- Leverage flexible database roles, which facilitate role separation
- Consider auditing user activity

Ownership Chaining
Be aware of ownership chaining.

Module Signing
Scenario: Alice (a non-privileged login) needs to run ALTER LOGIN Bob ENABLE.
- ALTER LOGIN requires the ALTER ANY LOGIN server permission
- Need to GRANT ALTER ANY LOGIN TO Alice? No!

Module Signing (cont.)
Alice (non-privileged login) calls SP_ENABLE_LOGIN, which runs ALTER LOGIN Bob ENABLE. The procedure is signed with a certificate, and Cert_login (a login created from that certificate) holds ALTER ANY LOGIN.
- Alice has permission to call the SP
- The SP runs under Alice's context but with elevated privilege
- The SP is protected against tampering
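The two module-signing slides describe the pattern in words; the T-SQL below is an added example (not the deck's code) that carries it through end to end for the Alice/Bob scenario. The login names Alice, Bob and CertLogin, the procedure name sp_EnableLogin, the database DemoDB, the certificate name SigningCert and the backup file path are all assumed for the example. The certificate is copied to master by backing up its public half to a file and re-creating it there, which works on SQL Server 2005 and 2008.

```sql
-- Added example: give a procedure, not Alice, the ALTER ANY LOGIN permission.
-- Names (Alice, Bob, CertLogin, SigningCert, DemoDB, sp_EnableLogin) and the
-- file path C:\Temp\SigningCert.cer are assumed.
USE master;
GO
CREATE LOGIN Alice WITH PASSWORD = '<strong password here>';
CREATE LOGIN Bob   WITH PASSWORD = '<strong password here>';
ALTER LOGIN Bob DISABLE;           -- the state Alice is supposed to be able to undo
GO
USE DemoDB;
GO
CREATE USER Alice FOR LOGIN Alice;
GO
-- The privileged action lives in a procedure with no parameters and no dynamic
-- SQL, so the only thing Alice can make it do is enable Bob.
CREATE PROCEDURE dbo.sp_EnableLogin
AS
BEGIN
    ALTER LOGIN Bob ENABLE;
END;
GO
GRANT EXECUTE ON dbo.sp_EnableLogin TO Alice;
GO
-- A certificate with a private key, used only to sign the module. Any later
-- ALTER PROCEDURE drops the signature, which is the "protected against
-- tampering" property: an edited procedure loses its extra permission.
CREATE CERTIFICATE SigningCert
    ENCRYPTION BY PASSWORD = '<cert password here>'
    WITH SUBJECT = 'Signs sp_EnableLogin';
GO
ADD SIGNATURE TO dbo.sp_EnableLogin
    BY CERTIFICATE SigningCert WITH PASSWORD = '<cert password here>';
GO
-- Export the public part only (no PRIVATE KEY clause) and import it into master.
BACKUP CERTIFICATE SigningCert TO FILE = 'C:\Temp\SigningCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SigningCert FROM FILE = 'C:\Temp\SigningCert.cer';
-- CertLogin can never connect; it exists only to hold the server permission
-- that the signature lends to the procedure.
CREATE LOGIN CertLogin FROM CERTIFICATE SigningCert;
GRANT ALTER ANY LOGIN TO CertLogin;
GO
-- Check (run as a sysadmin, which may impersonate Alice):
USE DemoDB;
GO
EXECUTE AS LOGIN = 'Alice';
-- ALTER LOGIN Bob ENABLE;        -- would fail: Alice does not hold ALTER ANY LOGIN
EXEC dbo.sp_EnableLogin;          -- succeeds: the signature adds CertLogin's permission
REVERT;
GO
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'Bob';   -- is_disabled = 0
GO
```

Compared with granting the permission to Alice directly, the blast radius is the body of one signed procedure rather than every login on the server; and because the signature, not EXECUTE AS, carries the permission, auditing still records Alice as the caller.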

Execution Context: Login Token and User Token

Execution Context Best Practices
- Controlled escalation of privileges:
  - DB scoped: EXECUTE AS and application roles
  - Cross-DB scoped: certificates
- Avoid using dynamic SQL under an escalated context
- Do not use CDOC and SETUSER
- Avoid allowing guest access on user DBs
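The Permission Strategy slide and the Execution Context slide above together describe one setup: application objects in their own schema, permissions granted through a database role to a normal login, and privilege escalation confined to a procedure that uses EXECUTE AS and no dynamic SQL. The T-SQL below is an added example of that setup, not code from the deck; the database DemoDB, schema app, role AppReader, login AppLogin, table app.Orders and procedure app.usp_PlaceOrder are assumed names.

```sql
-- Added example: least-privilege layout with user-schema separation, a flexible
-- database role, and DB-scoped escalation via EXECUTE AS OWNER.
-- All names (DemoDB, app, AppReader, AppLogin, app.Orders, app.usp_PlaceOrder) are assumed.
USE DemoDB;
GO
-- Application objects live in their own schema, never in dbo.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE TABLE app.Orders (
    OrderId  int PRIMARY KEY,
    Customer nvarchar(100) NOT NULL,
    Amount   money NOT NULL
);
GO
-- A user-defined role carries the permissions; logins are mapped to users and
-- added to the role, so nothing connects as sa or as dbo.
CREATE ROLE AppReader;
GRANT SELECT ON SCHEMA::app TO AppReader;
GO
CREATE LOGIN AppLogin WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON;
CREATE USER AppLogin FOR LOGIN AppLogin WITH DEFAULT_SCHEMA = app;
EXEC sp_addrolemember 'AppReader', 'AppLogin';
GO
-- Controlled, DB-scoped escalation: the procedure runs as its owner (dbo), so
-- callers can insert without holding INSERT on the table. It contains no
-- dynamic SQL, which is what the slide warns against under an escalated context.
CREATE PROCEDURE app.usp_PlaceOrder
    @OrderId  int,
    @Customer nvarchar(100),
    @Amount   money
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO app.Orders (OrderId, Customer, Amount)
    VALUES (@OrderId, @Customer, @Amount);
END;
GO
GRANT EXECUTE ON app.usp_PlaceOrder TO AppReader;
GO
-- Check (run as a sysadmin, which may impersonate AppLogin):
EXECUTE AS LOGIN = 'AppLogin';
SELECT SUSER_NAME() AS LoginName, USER_NAME() AS UserName;   -- AppLogin / AppLogin
-- INSERT INTO app.Orders VALUES (1, N'Alice', 10.00);       -- would be denied
EXEC app.usp_PlaceOrder @OrderId = 1, @Customer = N'Alice', @Amount = 10.00;  -- succeeds
SELECT * FROM app.Orders;                                    -- allowed via AppReader
REVERT;
GO
-- No guest access on the user database.
REVOKE CONNECT FROM guest;
GO
```

Inside the procedure USER_NAME() reports dbo while SUSER_NAME() still reports AppLogin, which is the distinction the Login Token / User Token slide draws: EXECUTE AS changes the user token within the database but not the login token at the server.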

SQL Injection

SQL Injection Introduction
SQL injection is an attack where malicious code is inserted into strings that are later passed to SQL Server for parsing and execution. It is one of the most common attacks. It can affect T-SQL code as well as code generated outside SQL Server, such as ASP, ASP.NET, managed code, native code, etc.

SQL Injection: T-SQL example

    -- Deliberately vulnerable: the parameter is concatenated straight into the statement.
    -- The parameter and variable names (@columnValue, @cmd) are assumed; the transcript lost them.
    CREATE PROC sp_SqlInjectionDemo ( @columnValue varchar(100) ) AS
        DECLARE @cmd nvarchar(max) = N'SELECT * FROM [test].[Demo] WHERE data = ''' + @columnValue + ''''
        EXEC ( @cmd )   -- For demonstration purposes
    GO

SQL Injection: ASP example

    ' Execute a SQL command (deliberately vulnerable: columnValue is concatenated into the statement)
    strCmd = "SELECT * FROM [test].[Demo] WHERE data = '" & columnValue & "'"
    Set objCommand.ActiveConnection = objConn
    objCommand.CommandText = strCmd
    objCommand.CommandType = adCmdText
    Set objRS = objCommand.Execute()

SQL Injection Example: the attacker's side
T-SQL:

    EXEC sp_SqlInjectionDemo 'abc''; SELECT * FROM sys.objects where name like ''sys%'
    go

ASP:

SQL Injection: Strategies to Protect Against It
- Validate input against a white-list
- Use parameterized SQL queries
  - Use type-safe SqlParameter in .NET
  - Use parameterized SPs
- Least-privilege principle: use a least-privileged principal for web services
- Escape special characters
  - Escape quotes with quotename/replace
  - Escape wildcards in LIKE statements
- Validate buffer length to avoid truncation
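The strategies slide lists the defences; the T-SQL below is an added example (not the deck's code) that applies them to the deck's own vulnerable sp_SqlInjectionDemo. It keeps the [test].[Demo] table and data column from the slides, and assumes the procedure names usp_SafeDemo and usp_SafeLikeDemo and the @sortColumn and @prefix parameters. It goes slightly beyond the slide by covering the one case parameters cannot handle, a caller-chosen column name, with a white-list check plus quotename, and by showing the LIKE wildcard escaping the slide only names.

```sql
-- Added example: the deck's injectable procedure rewritten with parameters,
-- a white-list for identifiers, and escaped LIKE wildcards.
-- usp_SafeDemo, usp_SafeLikeDemo, @sortColumn and @prefix are assumed names.
CREATE PROC dbo.usp_SafeDemo
    @columnValue nvarchar(100),
    @sortColumn  sysname = N'data'          -- an identifier chosen by the caller
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Identifiers cannot be parameterised, so validate them against the
    --    white-list of real columns, then quote them; QUOTENAME doubles any ']'.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'[test].[Demo]') AND name = @sortColumn)
    BEGIN
        RAISERROR(N'Unknown sort column', 16, 1);
        RETURN;
    END;

    -- 2. Values are always parameters: the statement text is fixed before any user
    --    data is seen, so 'abc''; SELECT ...' is only a string to compare against.
    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM [test].[Demo] WHERE data = @value ORDER BY ' + QUOTENAME(@sortColumn);

    EXEC sp_executesql @sql, N'@value nvarchar(100)', @value = @columnValue;
END;
GO

-- 3. LIKE patterns need their wildcards escaped too, or a caller can match every
--    row by sending '%'. Escape \ first, then % _ [, and declare \ as the ESCAPE
--    character. @escaped is sized for the worst case (every character doubled).
CREATE PROC dbo.usp_SafeLikeDemo
    @prefix nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @escaped nvarchar(200) =
        REPLACE(REPLACE(REPLACE(REPLACE(@prefix, N'\', N'\\'),
                                                 N'%', N'\%'),
                                                 N'_', N'\_'),
                                                 N'[', N'\[');
    SELECT * FROM [test].[Demo]
    WHERE data LIKE @escaped + N'%' ESCAPE N'\';
END;
GO

-- Usage: the deck's attack string is now just a value and returns no sys.objects rows;
-- the LIKE call matches only rows whose data starts with the literal text "50%".
EXEC dbo.usp_SafeDemo N'abc''; SELECT * FROM sys.objects where name like ''sys%';
EXEC dbo.usp_SafeLikeDemo N'50%';
GO
```

The buffer-length point on the slide is why @escaped is declared wider than @prefix: a replace that silently truncates can drop the trailing escape character and turn a harmless value back into a wildcard.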

SQL Injection Tools
Microsoft Source Code Analyzer for SQL Injection
- Aids in SQL injection detection for ASP code
- July CTP: C46E-A599-4FCB-9AB4-A B6BA&displaylang=en
- Requirements:
  - OS: XP SP2, Windows 2003 SP1, Windows Vista or Windows 2008
  - .NET Framework 2.0

SQL Injection: Additional Resources
- SQL Server Security Blog
- SQL injection (BOL)
- Preventing SQL injection in ASP
- Giving SQL injection the respect it deserves
- Raul Garcia's blog

Summary: Protecting Your Data
- Consider encryption for protecting sensitive data
- Carefully think about permissions
- Maximize role separation
- Always be mindful of SQL injection

Feedback / Q&A
Your feedback is important!
- Please take a few moments to fill out our online feedback form at: >
- For detailed feedback, use the form at
- Or email us at
- Use the Question Manager on LiveMeeting to ask your questions now!

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.