Presentation is loading. Please wait.

Presentation is loading. Please wait.

or: How I Learned to Stop Using EXECUTE AS and Love Certificates

Published byAri Jayadi Modified over 6 years ago

Similar presentations

Presentation on theme: "or: How I Learned to Stop Using EXECUTE AS and Love Certificates"— Presentation transcript:

1 or: How I Learned to Stop Using EXECUTE AS and Love Certificates
Module Signing or: How I Learned to Stop Using EXECUTE AS and Love Certificates Module Signing or: How I Learned to Stop Using EXECUTE AS and Love Certificates Version: 2.2-B ( ) Version 1.0 ( )

2 Reference: Simpsons spoof of “Dr
Reference: Simpsons spoof of “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb” (1964)

3 C:\> whoami Working in IT and with databases since 1996:
SQL Server (since 2002), SQLCLR (since 2006) Areas of interest / concentration: SQLCLR, Module Signing, Collations & Encodings Variety of Roles, OSes, Languages, and DBs Articles: SQL Server Central (incl. Stairway to SQLCLR series) Simple-Talk Founder of Sql Quantum Lift: SQL# (SQLsharp) : SQLCLR library of functions OmniExec : Multi-threaded, multi-server & DB query tool

4 Agenda Typical Problems Security Basics Typical Solutions
Problems with Typical Solutions Module Signing What it is, What it can do, and Why use it Asymmetric Keys & Certificates Example Wrap-up / Q & A

5 You Gotta Problem? Common “Problem” Scenarios:
Need Elevated Permission that is not Grantable Need Elevated Permission that is not Granular Dynamic SQL Cross-Database Operations Allow Access to a Restricted Database

6 What Are Ya Gonna Do About It?
Common Solutions Cross-Database Ownership Chaining Impersonation ( EXECUTE AS ) TRUSTWORTHY ON

7 Security Basics: SIDs, Logins and Users
Security Identifier (SID) Binary: 0x A91F17B3F6334F2C782536D9D66E88A String: S Logins: Server / Instance –level sys.server_principals & sys.server_permissions SUSER_NAME(), SUSER_ID() Users: Database-level sys.database_principals & sys.database_permissions USER_NAME(), USER_ID() SID matches Login’s SID, but Name can be different “Guest” if no User entry “dbo” always principal_id = 1 SID changes to Login of owner

8 Security Basics: Logins and Users
Name = Bob SID = 0x123456 Server Database 1 User: Name = Bob SID = 0x123456 Database 2 User: Name = Sally SID = 0x123456 Database 3 User: Name = guest SID = 0x00

9 Security Basics: Ownership Chains
Inherently how permissions work Permissions check skipped if sub-object is same owner DML, SELECT, and EXEC only Slight performance benefit Within single DB by default Can enable Cross-Database Ownership Chaining Image taken from:

10 Cross-Database Ownership Chaining
Ownership chaining activation Server-level “cross db ownership chaining” When enabled, enables all Databases Database-level DB_CHAINING Only used for enabling when server-level is disabled Extends ownership chain between DBs Owner SID must exist in both DBs Can’t elevate permissions Dynamic SQL breaks unless User in both Databases

11 Impersonation

12 Impersonation “Instead-of” Permissions Account-based security
Requires a Login and/or User with elevated permissions Security Context (SESSION_USER) changes to this “impersonated” principal Accomplished via EXECUTE AS

13 EXECUTE AS Clause Statement Part of “CREATE OBJECT” statement
Impersonated Principals are always DB level No IMPERSONATE permission needed Statement Can do Server-level Logins and DB-level Users Requires IMPERSONATE permission

14 Problems with Impersonation & Cross-Database Ownership Chaining
Cross-DB Ownership Chaining: security risk (can spoof User / DB-level) db_ddladmin & db_owner users can create objects for other owners Users with CREATE DATABASE permission can create new databases and attach existing databases Impersonation: If IMPERSONATE is required: can be used any time No granular control over permissions Cross-DB operations need TRUSTWORTHY ON Need to use ORIGINAL_LOGIN() for Auditing Elevated permissions last until process / sub-process ends or REVERT TRUSTWORTHY: Bigger security risk (can also spoof Logins, such as “sa” !)

15 Problems with Impersonation / TRUSTWORTHY

16 And the Preferred Solution is...

17 Module Signing “In Addition To” Permissions Code-based security
Signatures = authenticity and change detection Hash only provides change detection Security Context (SESSION_USER) does NOT change to this “privileged” principal

18 Module Signing (cont.) Also requires a Login and/or User with elevated permissions Accomplished using ADD SIGNATURE Regular vs. COUNTER SIGNATURE Can sign modules: Multi-statement Table-Valued Functions Stored Procedures Scalar Functions Triggers SQLCLR Assemblies

19 Benefits Privileged principal cannot be impersonated
Very Granular permissions No security holes (e.g. TRUSTWORTHY, etc.) Signature is dropped if code is changed !! Elevated permissions confined to signed code Multiple Signatures can be used to combine permission “sets”

20 Signatures and Counter Signatures
Stored Procedure ABC Signature = 0x12AB Requires permission X, Executes Proc DEF Certificate Signature = 0x12AB Stored Procedure DEF Counter Signature of 0x12AB Needs Permission Y User from Certificate Signature = 0x12AB Has permission X Has permission Y Can EXEC Procedure DEF Regular User Can only execute Procedure ABC Does NOT have permission X Does NOT have permission Y Cannot execute Procedure DEF

21 Asymmetric Keys & Certificates
Common Aspects Consist of a Private Key and Public Key Can have the Private Key removed Common Properties: Thumbprint (hash of Public Key, sys.crypt_properties) SID Principal_id name Create from File (.snk or .dll) or Assembly Provide password or use Database Master Key (DMK)

22 Asymmetric Keys Where: SELECT * FROM [sys].[asymmetric_keys];
Properties: public_key Can create from Key Store / EKM BUT, EKM created Keys not supported for Module Signing Can specify Algorithm: Cannot backup  More likely to misspelllll “assimetric?” ;-)

23 Certificates Where: SELECT * FROM [sys].[certificates];
Asymmetric Key + extra properties Properties: Serial Number: unique ID of the Certificate Subject: essentially a description Start Date: UTC; default = GETUTCDATE(); Expiration Date: UTC; default = 1 year from Start Module Signing ignores Expiration Date Can backup !!

24 (example code) Grant a database role in current database with permission to execute a SP in msdb What minimum permissions do I need to provide to a user so that it can check the status of SQL Server Agent Service?

25 Conclusionarium Module Signing Info ( https://ModuleSigning.info/ )
Cross-Database Ownership Chaining Impersonation / EXECUTE AS TRUSTWORTHY ON S.U.C.K.S 💩 😠 😧 😭 🚽 Certificates and Module Signing AWESOME !!! 😺 😹 😇 🙌 Module Signing Info ( )

26 Hiding in Plain Sight Module Signing Resources: Articles: SQLsharp.com
Articles: ( Stairway to SQLCLR ) SQLsharp.com StackOverflow.com & DBA.StackExchange.com LinkedIn

Download ppt "or: How I Learned to Stop Using EXECUTE AS and Love Certificates"

Similar presentations

Login dan Permission dfd, 2012. Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.

Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Login dan Permission dfd, 2012. Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.

Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Database Application Security Models

Database Application Security Models
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Database Design for DNN Developers Sebastian Leupold.

Database Design for DNN Developers Sebastian Leupold.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Maintaining a Mirrored Database Tips and Tricks by Paul G. Hiles.

Maintaining a Mirrored Database Tips and Tricks by Paul G. Hiles.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
1 SQL Server 2000 Administration Kashef Mughal MSB.

1 SQL Server 2000 Administration Kashef Mughal MSB.
Module 9 Designing and Implementing Stored Procedures.

Module 9 Designing and Implementing Stored Procedures.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.

Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.

Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
Module 14 Configuring Security for SQL Server Agent.

Module 14 Configuring Security for SQL Server Agent.

Similar presentations

Ads by Google