Introduction to SQL 2005 Security. Nick Ward, SQL Server Specialist


Database Security
- Prevent SQL injection attacks
- Encrypt data in the database
- Secure data over the network
- Secure database connection strings
- Handle data access exceptions

SQL Server 2005 Overview

SQL Server 2005 Security Initiatives
- Trustworthy Computing Initiative: security, privacy, reliability and business practices
- SD3+C: Secure by design, Secure by default, Secure in deployment, Communications

Reduction in Surface Area (Secure by Default)
- More optional installation options
- Default: demonstration databases not installed
- Default: CLR disabled
- Default: HTTP endpoint disabled
- Minimized attack surface: features require explicit configuration
- Surface Area Configuration Tool
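The T-SQL equivalent of what the Surface Area Configuration tool does, as an added example that is not part of the presentation: it reviews the server-level features listed on the slide and turns them off explicitly. The sp_configure option names are real; the policy of disabling every one of them is an assumption for the example and should be checked against what the server actually needs.

```sql
-- Added example (not from the presentation): inspect and tighten the
-- server-level features that the Surface Area Configuration tool exposes.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

-- Review: any row with value_in_use = 1 here widens the attack surface.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'Database Mail XPs', 'SQL Mail XPs',
               'remote access');
GO

-- Enforce the secure-by-default posture explicitly (assumed policy: all off).
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
GO

-- HTTP endpoints are off by default in 2005; list any that were created and
-- started, then stop the ones nobody needs (one ALTER ENDPOINT per endpoint).
SELECT name, protocol_desc, type_desc, state_desc
FROM sys.endpoints
WHERE protocol_desc = 'HTTP';
-- ALTER ENDPOINT <endpoint_name> STATE = STOPPED;   -- after review
GO

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Run the SELECT before and after a build so that any feature that was enabled by an installer or a script shows up as a diff rather than being discovered during an incident.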

SQL Server 2005 Security: Surface Area Configuration Tool. Nick Ward, SQL Server Technology Specialist, Microsoft

The Least Privilege Principle
- Granular permissions: GRANT/REVOKE/DENY
- Hierarchical permissions
- Security execution context: EXECUTE AS for functions, procedures, views and triggers
- DDL triggers

Security: Execution Context (diagram)
- Case 1: User3 calls User2.Proc1, which selects from User1.T1. Execute permission is checked for User3; select permission is checked for User3.
- Case 2: same call; User3 has no select permission on User1.T1, so the call fails ("No permission – User1.Proc1 fails" on the slide).
- Case 3: User2.Proc1 is created with EXECUTE AS 'X'. Execute permission is still checked for User3, but select permission on User1.T1 is checked for 'X', not for User3.

Security: Execution Context
- EXECUTE AS CALLER: default; same as SQL Server 2000 behavior
- EXECUTE AS SELF: the last person to create or alter the module
- EXECUTE AS OWNER: execute as the current owner of the module
- EXECUTE AS 'UserName'
- EXECUTE AS 'LoginName': only for DDL triggers with server-wide execution
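The three cases from the execution-context diagram, as an added example that is not code from the presentation. It builds the users, schemas and objects the diagram names (User1.T1, User2.Proc1, User3) in a scratch database; Proc2, the WITH EXECUTE AS variant, and the table contents are assumptions for the demo.

```sql
-- Added example (not from the presentation): broken ownership chain vs EXECUTE AS.
-- Run in a throwaway database as a sysadmin or db_owner.
CREATE USER User1 WITHOUT LOGIN;
CREATE USER User2 WITHOUT LOGIN;
CREATE USER User3 WITHOUT LOGIN;
GO
CREATE SCHEMA User1 AUTHORIZATION User1;
GO
CREATE SCHEMA User2 AUTHORIZATION User2;
GO
-- T1 is owned by User1 (through its schema). Constructed sample row.
CREATE TABLE User1.T1 (id int, note varchar(50));
INSERT INTO User1.T1 VALUES (1, 'constructed row');
GO
-- Proc1 is owned by User2 and reads User1's table. Because the owners differ,
-- the ownership chain is broken and SELECT on T1 is checked for the caller.
CREATE PROCEDURE User2.Proc1 AS SELECT id FROM User1.T1;
GO
-- Proc2 (assumed name) is identical but runs in User1's context ("EXECUTE AS 'X'").
CREATE PROCEDURE User2.Proc2 WITH EXECUTE AS 'User1' AS SELECT id FROM User1.T1;
GO
GRANT EXECUTE ON User2.Proc1 TO User3;
GRANT EXECUTE ON User2.Proc2 TO User3;
GO

EXECUTE AS USER = 'User3';
EXEC User2.Proc1;   -- Msg 229: SELECT permission denied on T1 (checked for User3)
EXEC User2.Proc2;   -- returns the row: SELECT on T1 is checked for User1, not User3
SELECT USER_NAME() AS caller;   -- still User3 outside the module
REVERT;
GO
```

The point for a reviewer: Proc2 gives User3 no standing permission on T1. Only the statements inside that one module run as User1, so the grant surface stays the single EXECUTE permission on the procedure.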

SQL Server 2005 Security: EXECUTE AS 'x'. Nick Ward, SQL Server Technology Specialist, Microsoft

DDL Triggers
- Triggers fire when Data Definition Language (DDL) is executed
- Used to: prevent DDL changes to your schema; cause something to occur when the schema changes; record changes or events in the database schema
- Fire after the statement
- Can roll back the statement's effect
- Can run managed code
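A database-scoped DDL trigger that does two of the three jobs on the slide (record schema changes, block DROP TABLE and roll it back), as an added example that is not from the presentation. The log table, trigger name and the rule "no table drops in this database" are assumptions for the demo.

```sql
-- Added example (not from the presentation): audit table DDL and refuse DROP TABLE.
CREATE TABLE dbo.SchemaChangeLog (
    LogId      int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime      NOT NULL DEFAULT GETDATE(),
    LoginName  nvarchar(128) NOT NULL,
    EventType  nvarchar(100) NOT NULL,
    ObjectName nvarchar(256) NULL,
    Command    nvarchar(max) NULL,
    Blocked    bit           NOT NULL
);
GO

CREATE TRIGGER trg_AuditSchemaChanges
ON DATABASE
FOR CREATE_TABLE, ALTER_TABLE, DROP_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @eventType nvarchar(100), @blocked bit;
    SET @e = EVENTDATA();   -- XML describing the statement that fired the trigger
    SET @eventType = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)');
    SET @blocked = CASE WHEN @eventType = 'DROP_TABLE' THEN 1 ELSE 0 END;

    -- Undo the DDL first: statements after ROLLBACK run in autocommit mode,
    -- so the audit row written below survives even when the drop is refused.
    IF @blocked = 1
        ROLLBACK;

    INSERT INTO dbo.SchemaChangeLog (LoginName, EventType, ObjectName, Command, Blocked)
    VALUES (@e.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
            @eventType,
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(256)'),
            @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
            @blocked);

    IF @blocked = 1
        RAISERROR('DROP TABLE is refused in this database (trg_AuditSchemaChanges).', 16, 1);
END;
GO

-- Exercise it: the CREATE is logged, the DROP is logged with Blocked = 1 and undone.
CREATE TABLE dbo.Scratch (id int);
GO
DROP TABLE dbo.Scratch;
GO
SELECT EventTime, LoginName, EventType, ObjectName, Blocked FROM dbo.SchemaChangeLog;
SELECT OBJECT_ID('dbo.Scratch') AS still_exists;   -- non-NULL: the table survived
GO
```

Two caveats worth knowing before relying on this: a DDL trigger can itself be disabled or dropped by anyone with ALTER ANY DATABASE DDL TRIGGER, so it is a control on application-level schema changes, not on administrators; and the ROLLBACK aborts the caller's batch, which is the intended effect but surprises scripts that expected to continue.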

SQL Server 2005 Security: DDL Triggers. Nick Ward, SQL Server Technology Specialist, Microsoft

Secure in Deployment
- Microsoft Update services integration: automatic or manual
- Systems Management Server (SMS) integration
- Deployment security content, "Security Considerations for SQL Server": Windows server, network, Windows service accounts, surface area, all SQL Server components

Authorization Enhancements
- Already discussed: granular permission control; module execution context
- Still to come: user-schema separation; metadata security; encryption enhancements

Security: User-Schema Separation
- New DDL for users and schemas: CREATE/ALTER/DROP for USER, ROLE and SCHEMA
- Dropping a user does not require an application rewrite
- Security: schema permissions vs. object permissions
- Default schema
- Naming: SQL Server 2000 used Server.Database.Owner.Object; SQL Server 2005 uses Server.Database.Schema.Object
- Diagram: objects (table, function, view, stored procedure) are contained in a schema, and the schema is owned by a user (Bill and Mary on the slide)
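The slide's points in working T-SQL, as an added example that is not from the presentation: a schema owned by Bill, ownership moved to Mary, Bill dropped without touching the application's object names, and a permission granted at schema scope beside one granted at object scope. The Sales schema, the Orders table and AppUser are assumptions for the demo.

```sql
-- Added example (not from the presentation): schema as container, owner as a separate property.
CREATE USER Bill WITHOUT LOGIN;
CREATE USER Mary WITHOUT LOGIN;
GO
CREATE SCHEMA Sales AUTHORIZATION Bill;
GO
CREATE TABLE Sales.Orders (OrderId int PRIMARY KEY, Amount money);
INSERT INTO Sales.Orders VALUES (1, 19.99);   -- constructed row
GO

-- In SQL Server 2000 this object would have been Bill.Orders, and Bill could
-- not be dropped while he owned it. In 2005 the name is Sales.Orders whoever
-- owns the schema, so ownership moves and the user goes without an app change.
ALTER AUTHORIZATION ON SCHEMA::Sales TO Mary;
GO
DROP USER Bill;   -- succeeds: Bill owns nothing now; Sales.Orders is untouched
GO

-- Default schema: unqualified names resolve to Sales for this user.
CREATE USER AppUser WITHOUT LOGIN WITH DEFAULT_SCHEMA = Sales;
GO
-- Schema-scoped grant covers every current and future object in Sales;
-- object-scoped grant covers exactly one table.
GRANT SELECT ON SCHEMA::Sales TO AppUser;
GRANT INSERT ON OBJECT::Sales.Orders TO AppUser;
GO

EXECUTE AS USER = 'AppUser';
SELECT OrderId, Amount FROM Orders;          -- resolves to Sales.Orders
INSERT INTO Orders VALUES (2, 5.00);         -- allowed by the object-level grant
DELETE FROM Orders WHERE OrderId = 2;        -- Msg 229: no DELETE granted
REVERT;
GO
```

Schema-scoped grants are the lever for least privilege here: an application identity can be given SELECT on one schema and nothing on the others, and new tables added to that schema inherit the grant without a per-object GRANT that is easy to forget.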

SQL Server 2005 Security: User-Schema Separation. Nick Ward, SQL Server Technology Specialist, Microsoft

Security: Certificates and Encryption Enhancements
- Encryption uses symmetric keys, asymmetric keys and certificates
- SQL Server 2005 can generate certificates for encryption
- RC4, RSA, Triple-DES and AES encryption supported
- Encryption can be used with any level of SQL Server 2005 securable
- Key management
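The key hierarchy from the slide (database master key, certificate, symmetric key) used to encrypt one column, as an added example that is not from the presentation. The Customers table, the Reader user, the key and certificate names and the password are constructed placeholders; the password in particular must be replaced.

```sql
-- Added example (not from the presentation): column encryption with the 2005 key hierarchy.
-- 1. Database master key, protected by a password (PLACEHOLDER: replace it).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'PLACEHOLDER-strong-DMK-password-1!';
GO
-- 2. A certificate generated by SQL Server, protected by the master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number symmetric key';
GO
-- 3. A symmetric key (AES-256) protected by the certificate; it does the bulk work.
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;
GO

CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, CardNumberEnc varbinary(256));
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Customers
VALUES (1, EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));   -- constructed test value
CLOSE SYMMETRIC KEY CardKey;
GO

-- Reading the plaintext needs more than SELECT on the table: the principal must
-- be able to open the key, which means VIEW DEFINITION on the symmetric key and
-- CONTROL on the certificate that protects it. That is the "any securable" point
-- on the slide: the keys themselves are securables with their own grants.
CREATE USER Reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO Reader;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CardKey TO Reader;
GRANT CONTROL ON CERTIFICATE::CardCert TO Reader;
GO

EXECUTE AS USER = 'Reader';
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CustomerId,
       CONVERT(nvarchar(20), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customers;
CLOSE SYMMETRIC KEY CardKey;
REVERT;
GO

-- A user with only SELECT sees ciphertext; DecryptByKey returns NULL without an open key.
CREATE USER Auditor WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO Auditor;
GO
EXECUTE AS USER = 'Auditor';
SELECT CustomerId, CardNumberEnc, DecryptByKey(CardNumberEnc) AS plaintext_is_null FROM dbo.Customers;
REVERT;
GO
```

Back up the master key and the certificate (BACKUP MASTER KEY, BACKUP CERTIFICATE) to a location outside the database before depending on this: the ciphertext is unrecoverable without them, and a restore to another server needs the service master key or the password to reopen the hierarchy.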

Security Hierarchy

SQL Server 2005 Security: Data Encryption. Nick Ward, SQL Server Technology Specialist, Microsoft

Metadata Security
- No visibility without permission
- VIEW DEFINITION permission
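What "no visibility without permission" looks like from a low-privilege user's seat, as an added example that is not from the presentation: the catalog views are filtered to objects the user has some permission on, and the source text of a module needs VIEW DEFINITION specifically. The Analyst user and GetTotals procedure are assumptions for the demo.

```sql
-- Added example (not from the presentation): metadata visibility and VIEW DEFINITION.
CREATE USER Analyst WITHOUT LOGIN;
GO
CREATE PROCEDURE dbo.GetTotals AS SELECT COUNT(*) AS object_count FROM sys.objects;
GO

-- With no permission on the procedure, Analyst cannot even tell it exists.
EXECUTE AS USER = 'Analyst';
SELECT name FROM sys.procedures;                        -- empty
SELECT OBJECT_ID('dbo.GetTotals') AS visible_id;        -- NULL
REVERT;
GO

-- EXECUTE alone makes the object visible in the catalog but does not expose its text.
GRANT EXECUTE ON dbo.GetTotals TO Analyst;
GO
EXECUTE AS USER = 'Analyst';
SELECT name FROM sys.procedures;                        -- GetTotals
SELECT OBJECT_DEFINITION(OBJECT_ID('dbo.GetTotals')) AS source_text;   -- NULL
REVERT;
GO

-- VIEW DEFINITION is the explicit grant for the source text.
GRANT VIEW DEFINITION ON dbo.GetTotals TO Analyst;
GO
EXECUTE AS USER = 'Analyst';
SELECT OBJECT_DEFINITION(OBJECT_ID('dbo.GetTotals')) AS source_text;   -- the CREATE PROCEDURE text
REVERT;
GO
```

This is the reason a compromised low-privilege application account in 2005 yields far less reconnaissance than it did in 2000, where every user could read every object's definition: grant VIEW DEFINITION only where a deployment or diff tool genuinely needs it.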

SQL Injection
Consider the following:

    var ShipCity;
    ShipCity = Request.form("ShipCity");
    var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

Enter "Melbourne":

    select * from OrdersTable where ShipCity = 'Melbourne'

Enter "Melbourne'; drop table OrdersTable--":

    select * from OrdersTable where ShipCity = 'Melbourne';drop table OrdersTable--'

SQL Injection – What to do?
- Validate all input: length, type, ranges, valid values etc.
- Reject control characters: ; ' -- /* */ xp_
- Never build T-SQL statements from user input; beware string concatenation
- Use stored procedures
- Visual Studio Team System 2005
- Type-safe SQL parameters:

    SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // the slide omits the parameter name; "@login" is assumed here
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@login", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;
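The slide's advice applied on the database side, as an added example that is not from the presentation: the concatenation from the previous slide moved into a stored procedure (so the flaw is visible next to the fix), a procedure that takes a typed parameter, and the sp_executesql form for the cases where dynamic SQL cannot be avoided. The OrdersTable rows, the procedure names and the city-name validation rule are assumptions for the demo.

```sql
-- Added example (not from the presentation): concatenation vs typed parameters in T-SQL.
CREATE TABLE dbo.OrdersTable (OrderId int IDENTITY(1,1) PRIMARY KEY, ShipCity nvarchar(50));
INSERT INTO dbo.OrdersTable (ShipCity) VALUES (N'Melbourne');   -- constructed rows
INSERT INTO dbo.OrdersTable (ShipCity) VALUES (N'Sydney');
GO

-- VULNERABLE (mirrors the slide): the value becomes part of the statement text,
-- so a quote in @ShipCity ends the literal and the rest is executed as T-SQL.
CREATE PROCEDURE dbo.GetOrdersByCity_Unsafe @ShipCity nvarchar(50) AS
    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT OrderId, ShipCity FROM dbo.OrdersTable WHERE ShipCity = '''
             + @ShipCity + N'''';
    EXEC (@sql);
GO

-- SAFE: static SQL with a typed parameter. The parameter can only ever be a value,
-- never syntax, whatever characters it contains. The LIKE check is the slide's
-- "validate length, type, ranges, valid values" advice (assumed rule: letters,
-- spaces, hyphens and periods only); it is a second layer, not the defence.
CREATE PROCEDURE dbo.GetOrdersByCity @ShipCity nvarchar(50) AS
BEGIN
    SET NOCOUNT ON;
    IF @ShipCity IS NULL OR LEN(@ShipCity) = 0 OR @ShipCity LIKE N'%[^a-zA-Z .-]%'
    BEGIN
        RAISERROR('ShipCity must be 1-50 letters, spaces, hyphens or periods.', 16, 1);
        RETURN 1;
    END
    SELECT OrderId, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @ShipCity;
    RETURN 0;
END;
GO

-- SAFE when the statement really must be built at run time: sp_executesql keeps
-- the text fixed and passes the value separately, exactly like the C# parameter.
CREATE PROCEDURE dbo.GetOrdersByCity_Dynamic @ShipCity nvarchar(50) AS
    EXEC sp_executesql
        N'SELECT OrderId, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @city',
        N'@city nvarchar(50)',
        @city = @ShipCity;
GO

-- The slide's second input, sent to the safe procedures: the string is compared
-- as a city name, matches nothing, and the table is still there afterwards.
EXEC dbo.GetOrdersByCity_Dynamic N'Melbourne''; drop table OrdersTable--';   -- 0 rows
EXEC dbo.GetOrdersByCity N'Melbourne''; drop table OrdersTable--';           -- rejected by validation
EXEC dbo.GetOrdersByCity N'Melbourne';                                       -- 1 row
SELECT OBJECT_ID('dbo.OrdersTable') AS table_still_exists;                   -- non-NULL
GO
```

Note that "use stored procedures" only helps when the procedure itself is free of concatenation: GetOrdersByCity_Unsafe is a stored procedure and is exactly as exploitable as the ASP code on the previous slide. Code review should treat EXEC (@string) with user-derived content the way it treats string concatenation in application code.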

© Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.