Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing Security inside SQL Server

Published bySabrina Blair Modified over 6 years ago

Similar presentations

Presentation on theme: "Implementing Security inside SQL Server"— Presentation transcript:

1 Implementing Security inside SQL Server
Questar Assessments Inc. Rick Bielawsk

2 Thank you Sponsors! Platinum Sponsor: Gold Sponsors:
Visit the Sponsor Booths Lots of Raffle Prizes! Get your parking paid via Sponsor Bingo Thank you Sponsors! Platinum Sponsor: Gold Sponsors:

3 PASSMN – News/Info Sponsors:
Thanks to all our sponsors of 2018! We need Sponsors for Nov/Dec 2018 and 2019! Special thanks to our annual sponsor: Board Member Elections in November/December: Your chance to help out the MN SQL community!

4 November 5th Through November 9th
Join the brightest data professionals focused on the Microsoft Data Platform! November 5th Through November 9th Pre-Conference Sessions – Monday/Tuesday Conference – Wednesday through Friday

5 SQLSaturday #796 – After Party
Location: 4th Floor of Mall of America Time: 6:30PM – 10PM There will be drinks and appetizers as well as free game cards and bowling! Hang out with some new friends you’ve made.

6 Infrastructure Security
Agenda Infrastructure Security Data security requires a comprehensive environment-pervasive plan. Database security requires more than access controls. Best Practices & Design Patterns SQL Server Security The Database instance service account Logins vs Users Ownership Chaining Impersonation Certificate Signing TRUSTWORTHY & DB_CHAINING

7 Limits to what I can cover
Data security is an enormous topic To cover the basics of every feature would take 2 days. There are thousands of points of vulnerability Hundreds of tools readily available An infinite combination of implementation strategies What are ‘Best Practices’ & who decides?

8 Design Best Practices Design practices that, over time, have proven to be: Easier to troubleshoot Easier to enhance Easier to secure IOW: Over time – cost less to maintain than other design choices.

9 The single most important Design best-practice
Build to interfaces not implementations In the database world (almost) NOBODY seems to follow this rule TABLES are IMPLEMENTATIONS!

10 Data Access Design Pattern
Create at least two types of schemas: Public and Private. Use a naming convention to denote the schema type. Tables are ALWAYS in a private schema. NOBODY is granted access to these. Access is only granted to interface schemas. These schemas NEVER contain tables! Views in an interface schema always specify “WITH VIEW_METADATA” Optionally a ‘Protected’ or ‘Internal’ schema type used to join data from multiple private schemas for use by multiple public schemas.

11

12

13 Top 5 Security Best Practices
Least Privileges Monitor access failures INVESTIGATE access failures! If you don’t stop an attacker BEFORE they succeed they WILL eventually succeed!

14 What are you securing? Is it really just the database? What about printed copies Only policies and procedures can protect these. What about backups Can they be stolen? If the building is destroyed can you still recover? What about transient locations Memory scraping, network sniffing, paging file access, EMF monitoring…

15 Barriers to access The vast majority of important data is not deliberately accessible from the internet Physical access ID/Password Encryption The more barriers you have the harder you make it to reach your data.

16 Terms Unsecure Secured Obfuscated Encrypted Hashed
Accessible and readable without much or any manipulation. Secured Access mechanisms refuse to present the data. Obfuscated Information to return to clear text is available. Encrypted Additional information is required to get clear text. Hashed Can’t be reversed. Many data blocks produce the same hash.

17 ID/Password Obfuscating words is not effective against programs Replacing O with 0 or S with $.... Use MORE than 14 characters So the easily broken legacy LM Hash is not computed. Phrases or sentences are easier to remember than Passwords can contain ANY Unicode character Single sign-on systems reduce your options to the LCD. If forced: Use a keyboard pattern rather than words. If possible include non-ASCII characters like <alt>0176 (° degree). Don’t use predictable patterns DPAPI must store all prior passwords to work.

18 Physical Access Means Access to: The machine holding the data A network with access to the machine Backups of the machine User hardcopies User storage media (phone, thumb drive…)

19 Nullifying the Physical Access Barrier
Key Sweeper video

20 Nullifying the ID/Password barrier
Network sniffing EMF sniffing Written or easily guessed passwords Malware introduced by user activity Malware introduced through lack of barriers Malware introduced due to barrier weaknesses EXCESSIVE ACCESS

21 Nullifying Encryption
Having strong keys and protecting them is paramount. Microsoft SQL Server uses DPAPI which is vulnerable to certain software attacks. (See It can’t protect its keys from an ‘inside job’. Where security is truly critical a 3rd party hardware based encryption system (using the EKM interface) is almost mandatory. These have no interface to reveal their keys. Only the box can decrypt what it encrypts.

22 Microsoft SQL Server Service Account
Needs very little more than access to the directories where data, log and snapshot files are stored. Don’t give it more. Certainly not admin access! Configure credentials for use in specific cases where additional authority is required for other tasks; be they agent jobs, replication, service broker etc. Nothing else should ever be allowed to run under the service account. DPAPI protects the keys protecting credentials, certificates and data so anything using the same account can compromise those keys.

23 Understanding LOGINs At the ‘Server Instance’ level the Instance:
Deals only with LOGINs (Stored in Master unless contained DB is on) Performs all authentication (even in contained DB env) A Login only needs connect authority to be authenticated (given a session) in the instance (unless they specify an initial catalog which is contained) Once a session is granted Server level permissions control what server level operations can be performed. None are required. Database permissions control database level activity

24 Understanding USERs At the Database level a database
Deals only with USERs Delegates any authentication back to the instance (Contained databases are no exception – it’s a mater of where the data resides) Any unknown login is mapped to the GUEST user if enabled (It’s not, by default) If a login, certificate or asymmetric key isn’t mapped to a user NO access is granted

25 Ownership Chaining There are always 2 sets of permissions in effect when a procedure is running: Yours & the procedure’s. Works for row level access & execute only (DML). If you have access to a view, function or procedure, that access automatically extends to any other view, function, procedure or table owned by that object’s owner. No extra authority needs to be granted. Applies to any view, function or procedure you can use (for any reason: grant, chaining, execute-as, signing certificate). Includes cross database access in specific cases. This permission is NOT affected by a DENY on the user executing the statement.

26 Giving Permissions through Stored Procedures
Ownership Chaining Read & Execute Read & Execute Giving Permissions through Stored Procedures

27 Ownership Chaining Doesn’t work when:
Referenced objects are owned by another user. (breaks chain) Dynamic SQL is executed. (no owner - breaks chain) In cross database situations where: The SERVER LEVEL setting of ‘cross db ownership chaining’ is off (off by default). The request isn’t made by a Login mapped to a user in the referenced database (not a user) EXECUTE AS <User> is specified. Only Logins can make cross database calls.

28

29 Impersonation CREATE … WITH EXECUTE AS {owner|caller|self} CREATE … WITH EXECUTE AS [user = ] 'dbUser' CREATE … WITH EXECUTE AS LOGIN = 'Domain\User' Works on Multi-statement functions, stored procedures, triggers and queues. Operates as if that ID executed the function or procedure. DO NOT impersonate authoritative users such as dbo, OWNER or SELF (violates least privilege). Ownership chaining continues to work

30 Certificate Signing CREATE CERTIFICATE CertForUser … CREATE USER CertUser FROM CERTIFICATE CertForUser ADD SIGNATURE TO SensitiveProc BY CERTIFICATE CertForUser … Permissions are assigned by granting them to the user (or login) associated with the certificate. Works on Multi-statement functions, stored procedures, triggers and queues. An object can be signed by multiple certificates. The permissions the signature imparts are not inherited by referenced objects. Ownership chaining continues to work

31 Differences between certificate user and a user without login
You can assign a procedure permissions from multiple certificates but you can only execute AS a single user or login Execute AS persists as nested calls are made (unless another EXECUTE AS intervenes) Execute AS changes CURRENT_USER() thus auditing should refer to ORIGINAL_LOGIN() Certificate permissions don’t persist (although ownership chaining does)

32 Test Script

33 Chaining

34 Certificate

35 Execute AS

36 Trustworthy Pros: Cons:
This server level permission is granted to a specific database, not all databases. A database used only by the SA has the potential to be a ‘trustworthy’ database. Cons: Once granted, the database can impersonate any login – including logins with SA access!

37 Database Chaining Pros: Cons:
No system level permissions can be compromised because only EXEC and row-level operations are affected Cons: The setting isn’t database specific. All databases are affected. As a DBO I can add any ID that exists in another database then use chaining to read/update/delete rows in any table.

38 Concepts I didn’t have time to cover
Implications to allowing contained databases SSL – Requiring encrypted connections Dedicated Admin Connection considerations Impersonating non-database users Auditing Using the Login trigger & CONTEXT_INFO() Allowing non-SA users to perform bulk insert. Implementing row level security Encryption (backups, TDE, Columns)

Download ppt "Implementing Security inside SQL Server"

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.

1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure Goals 

5.1 © 2004 Pearson Education, Inc. Lesson 5: Administering User Accounts Exam Microsoft® Windows® 2000 Directory Services Infrastructure Goals 
Security Planning and Administrative Delegation Lesson 6.

Security Planning and Administrative Delegation Lesson 6.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Similar presentations

Ads by Google