Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect with life Vinod Kumar Technology Evangelist - Microsoft

Published byMagdalene George Modified over 9 years ago

Similar presentations

Presentation on theme: "Connect with life Vinod Kumar Technology Evangelist - Microsoft"— Presentation transcript:

1 http://www.ExtremeExperts.com Connect with life www.connectwithlife.co.in Vinod Kumar Technology Evangelist - Microsoft http://blogs.sqlxml.org/vinodkumar http://www.ExtremeExperts.com

2 Session Objectives And Takeaways Session Objective(s): Describe what applications can do to help increase data security Discuss encryption, authentication, permissions, and SQL injection Understand that Security is an important consideration for application as well as the server Know what is available in SQL Server and how it can help customers achieve security objectives

3 http://www.ExtremeExperts.com Why Do Applications Need to Care? Data security is not complete without application involvement SQL injection is now the single most common type of attack on the web Applications control or influence: Encryption Authentication Permissions / Role Separation Vulnerability to SQL Injection

4 http://www.ExtremeExperts.com Data Protection

5 http://www.ExtremeExperts.com Data Encryption Why consider encryption? Additional layer of security Required by some regulatory compliance laws In SQL Server 2000, vendor support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management

6 http://www.ExtremeExperts.com Data Encryption SQL Server 2005 Support Encryption and Decryption built-ins DDL for creation of Symmetric Keys, Asymmetric Keys, and Certificates Symmetric Keys and Private Keys are always stored encrypted Securing the Keys themselves Based on user passwords Automatic, using SQL Server key management Choice of algorithms DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES (128, 192, or 256)

7 http://www.ExtremeExperts.com Data Encryption Best Practices Encrypt only necessary data Use symmetric encryption Plan carefully Key management is very important Understand changes to existing code needed Consider key size and algorithm on CPU

8 http://www.ExtremeExperts.com Channel Encryption Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005

9 http://www.ExtremeExperts.com Channel Encryption Best Practices Enable channel encryption whenever possible and tolerable Provision a certificate on the server Force encryption from the client

10 http://www.ExtremeExperts.com Authentication Windows Auth is preferable to SQL Auth SQL AUTHENTICATIONWINDOWS AUTHENTICATION Userid/PasswordEncrypted Token (Kerberos) Challenge-Response (NTLM) Password obfuscated on wirePassword not transmitted on wire Subject to replay attack if channel not encrypted Not subject to replay attack (Kerberos) No mutual authenticationMutual authentication with Kerberos Logins managed in SQL ServerLogins managed by Windows DBAs create login accountsWindows/domain admins create login accounts Password policy enforced by Windows (Windows 2003+) Password policy enforced by Windows Security context may or may not be common between servers Security context is common between servers

11 http://www.ExtremeExperts.com Authentication Enhancement in 2008 SQL Server 2005 Kerberos possible with TCP/IP connections only SPN must be registered with AD SQL Server 2008 Kerberos available with ALL protocols SPN may be specified in connection string (OLEDB/ODBC) Kerberos possible without SPN registered in AD

12 http://www.ExtremeExperts.com Application Role Separation and Permissions

13 http://www.ExtremeExperts.com Permission Strategy Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo Grant required perms to normal login Never use the dbo schema User-schema separation Applications should have own schema Consider multiple schemas Leverage Flexible Database Roles Facilitates role separation Consider Auditing user activity

14 http://www.ExtremeExperts.com Ownership chaining Be aware of ownership chaining

15 http://www.ExtremeExperts.com Module Signing Need ALTER ANY LOGIN server permission to ALTER LOGIN Need to GRANT ALTER ANY LOGIN TO Alice? – No! ALTER LOGIN Bob ENABLE Alice (non privileged login)

16 http://www.ExtremeExperts.com Module Signing (cont) Alice has permission to call SP SP run under Alice’s context but with elevated privilege SP protected against tampering Alice (non privileged login) SP_ENABLE_LOGIN ALTER LOGIN Bob ENABLE Cert_login ALTER ANY LOGIN

17 http://www.ExtremeExperts.com TokenToken Execution Context Login and User Token

18 http://www.ExtremeExperts.com Execution Context Best Practices Controlled escalation of privileges DB scoped: EXECUTE AS and App Roles Cross-DB scoped: Certificates Avoid using dynamic SQL under an escalated context Do not use use CDOC and SETUSER Avoid allowing guest access on user DBs

19 http://www.ExtremeExperts.com SQL Injection

20 http://www.ExtremeExperts.com SQL Injection Introduction SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution. SQL injection is one of the most common attacks. It can affect T-SQL code as well as code generated outside SQL such as ASP, ASP.Net, managed code, native code, etc.

21 http://www.ExtremeExperts.com SQL Injection T-SQL example CREATE PROC sp_SqlInjectionDemo( @ColumnValue varchar(100) ) AS DECLARE @cmd nvarchar(max) SET @cmd = N'SELECT * FROM [test].[Demo] WHERE data = ''' + @ColumnValue + '''' print @cmd -- For demonstration purposes EXEC( @cmd ) Go

22 http://www.ExtremeExperts.com SQL Injection ASP example ‘‘ Execute a SQL command strCmd = " N'SELECT * FROM [test].[Demo] WHERE data = '" & columnValue & "'" Set objCommand.ActiveConnection = objConn objCommand.CommandText = strCmd objCommand.CommandType = adCmdText Set objRS = objCommand.Execute()

23 http://www.ExtremeExperts.com SQL Injection Example - attacker's side T-SQL: EXEC sp_SqlInjectionDemo 'abc''; SELECT * FROM sys.objects where name like ''sys%' go ASP:

24 http://www.ExtremeExperts.com SQL Injection Strategies to protect against SQL injection Validate Input against a white-list Use parameterized SQL queries Use Type-Safe SqlParameter in.Net Use parameterized SPs Least-privilege Principle Least privileged principal for web services Escape special characters Escape quotes with quotename/replace Escape wildcards in LIKE statements Validate buffer length to avoid truncation

25 http://www.ExtremeExperts.com SQL Injection Tools Microsoft Source Code Analyzer for SQL injection Aid in SQL injection detection for ASP code July CTP: http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7 C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en Requirements: OS: XP SP2, Windows 2003 SP1, Windows Vista or Windows 2008.Net Framework 2.0

26 http://www.ExtremeExperts.com SQL Injection Additional resources SQL Server Security Blog SQL injection (BOL) Preventing SQL injection in ASP Giving SQL injection the respect it deserves Raul Garcia’s blog

27 http://www.ExtremeExperts.com

28 Summary - Protecting Your Data Consider encryption for protecting sensitive data Carefully think about permissions Maximize role separation Always be mindful of SQL Injections

29 http://www.ExtremeExperts.com Feedback / QnA Your Feedback is Important! Please take a few moments to fill out our online feedback form at: > For detailed feedback, use the form at http://www.connectwithlife.co.in/vtd/helpdesk.aspx Or email us at vtd@microsoft.com Use the Question Manager on LiveMeeting to ask your questions now!

30 http://www.ExtremeExperts.com © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Connect with life Vinod Kumar Technology Evangelist - Microsoft"

Similar presentations

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
Windows 8 (1) (2) (3) Windows 8 (1) (2) (3)

Windows 8 (1) (2) (3) Windows 8 (1) (2) (3)
Feature: Identity Management - Login © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

Feature: Identity Management - Login © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Vinod Kumar M MTC – Technology Specialist Level: 300.

Vinod Kumar M MTC – Technology Specialist Level: 300.
MIX 09 4/15/2017 11:14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.

MIX 09 4/15/ :14 PM © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered.
Feature: Payroll and HR Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.

Feature: Payroll and HR Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or.
Connect with life Bijoy Singhal Developer Evangelist | Microsoft India |

Connect with life Bijoy Singhal Developer Evangelist | Microsoft India |
Connect with life Vinod Kumar M Technology Evangelist | Microsoft

Connect with life Vinod Kumar M Technology Evangelist | Microsoft
 Il-Sung Lee Senior Program Manager Microsoft Corporation BB37.

 Il-Sung Lee Senior Program Manager Microsoft Corporation BB37.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Connect with life www.connectwithlife.co.in Praveen Srvatsa Director | AsthraSoft Consulting Microsoft Regional Director, Bangalore Microsoft MVP, ASP.NET.

Connect with life Praveen Srvatsa Director | AsthraSoft Consulting Microsoft Regional Director, Bangalore Microsoft MVP, ASP.NET.
Ravi Sankar Technology Evangelist | Microsoft Corporation

Ravi Sankar Technology Evangelist | Microsoft Corporation
Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.

Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.
 Pablo Castro Software Architect Microsoft Corporation TL08.

 Pablo Castro Software Architect Microsoft Corporation TL08.
Feature: SmartList Usability Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.

Feature: SmartList Usability Enhancements © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names.
Session 1.

Session 1.

Similar presentations

Ads by Google