Security in SQL Server 2008
TRANSCRIPT

Vinod Kumar, Technology Evangelist - Microsoft
http://blogs.sqlxml.org/vinodkumar
http://www.ExtremeExperts.com
Connect with life: www.connectwithlife.co.in
Session Objectives And Takeaways

Session objective(s):
- Describe what applications can do to help increase data security
- Discuss encryption, authentication, permissions, and SQL injection

Takeaways:
- Understand that security is an important consideration for the application as well as the server
- Know what is available in SQL Server and how it can help customers achieve security objectives
Why Do Applications Need to Care?
- Data security is not complete without application involvement
- SQL injection is now the single most common type of attack on the web
- Applications control or influence:
  - Encryption
  - Authentication
  - Permissions / role separation
  - Vulnerability to SQL injection
Data Encryption
- Why consider encryption?
  - Additional layer of security
  - Required by some regulatory compliance laws
- In SQL Server 2000, vendor support was required
- Since SQL Server 2005:
  - Built-in support for data encryption
  - Support for key management
- Encryption additions in SQL Server 2008:
  - Transparent Data Encryption
  - Extensible Key Management
Data Encryption: SQL Server 2005 Support
- Encryption and decryption built-ins
- DDL for creation of symmetric keys, asymmetric keys, and certificates
- Symmetric keys and private keys are always stored encrypted
- Securing the keys themselves:
  - Based on user passwords
  - Automatic, using SQL Server key management
- Choice of algorithms: DES, TRIPLE_DES, RC2, RC4, RC4_128, DESX, AES (128, 192, or 256)
Data Encryption: Best Practices
- Encrypt only necessary data
- Use symmetric encryption
- Plan carefully:
  - Key management is very important
  - Understand the changes to existing code that are needed
  - Consider the CPU cost of key size and algorithm
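The two encryption slides above describe the built-ins and the key hierarchy in bullets; the following T-SQL is an added example (not from the deck) that puts them together to encrypt a single sensitive column with a symmetric key. It assumes a fresh database, a constructed table dbo.Customers, a constructed sample card number, and placeholder passwords.

```sql
-- Key hierarchy: service master key -> database master key -> certificate
-- -> symmetric key. Only the symmetric key touches row data (AES is fast);
-- the certificate protects the symmetric key and the DMK protects the cert.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<dmk password placeholder>';
GO
CREATE CERTIFICATE CustomerCert WITH SUBJECT = 'Protects CustomerKey';
GO
CREATE SYMMETRIC KEY CustomerKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;   -- key is stored encrypted
GO
-- Constructed table: only the sensitive column is encrypted ("encrypt
-- only necessary data"); ciphertext is varbinary, larger than the cleartext.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    CardNumber varbinary(128) NULL
);
GO
-- Writing: the key must be opened (decrypted by the certificate) first.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;
-- The authenticator (the row's Name) binds the ciphertext to its row, so a
-- ciphertext copied from another row will not decrypt against this Name.
INSERT dbo.Customers (Name, CardNumber)
VALUES (N'Alice',
        EncryptByKey(Key_GUID('CustomerKey'),
                     '4111111111111111',     -- constructed sample value
                     1, N'Alice'));
CLOSE SYMMETRIC KEY CustomerKey;
GO
-- Reading: decrypt with the same authenticator; a mismatch returns NULL.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;
SELECT Name,
       CONVERT(varchar(20), DecryptByKey(CardNumber, 1, Name)) AS CardNumber
FROM dbo.Customers;
CLOSE SYMMETRIC KEY CustomerKey;
GO
```

Because the database master key is protected by the service master key as well, a backup restored on another instance cannot open CustomerKey until the DMK is re-opened with its password, which is where the deck's warning that key management matters applies.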
Channel Encryption
- Support for full SSL encryption since SQL Server 2000
  - Clients: MDAC 2.6 or later
  - Force encryption from the client or the server
- Login packet encryption:
  - Used regardless of encryption settings
  - Supported since 2000
  - Self-generated certificates available since 2005
Channel Encryption: Best Practices
- Enable channel encryption whenever possible and tolerable
- Provision a certificate on the server
- Force encryption from the client
Authentication

Windows Authentication is preferable to SQL Authentication:

| SQL Authentication                                      | Windows Authentication                                        |
| Userid/password                                         | Encrypted token (Kerberos) or challenge-response (NTLM)       |
| Password obfuscated on the wire                         | Password not transmitted on the wire                          |
| Subject to replay attack if the channel is not encrypted | Not subject to replay attack (Kerberos)                      |
| No mutual authentication                                | Mutual authentication with Kerberos                           |
| Logins managed in SQL Server                            | Logins managed by Windows                                     |
| DBAs create login accounts                              | Windows/domain admins create login accounts                   |
| Password policy enforced by Windows (Windows 2003+)     | Password policy enforced by Windows                           |
| Security context may or may not be common between servers | Security context is common between servers                  |
Authentication: Enhancements in 2008
- SQL Server 2005:
  - Kerberos possible with TCP/IP connections only
  - SPN must be registered with AD
- SQL Server 2008:
  - Kerberos available with ALL protocols
  - SPN may be specified in the connection string (OLEDB/ODBC)
  - Kerberos possible without an SPN registered in AD
Application Role Separation and Permissions
Permission Strategy
- Follow the principle of least privilege!
  - Avoid using sysadmin/sa and db_owner/dbo
  - Grant the required permissions to a normal login
- Never use the dbo schema
  - User-schema separation: applications should have their own schema
  - Consider multiple schemas
- Leverage flexible database roles: this facilitates role separation
- Consider auditing user activity
Ownership chaining

Be aware of ownership chaining. In the diagram, Alice's schema contains Proc1, View1 and Table1, and Bob has been granted only:

    GRANT EXECUTE ON Alice.Proc1 TO Bob

When Bob runs

    EXECUTE Alice.Proc1

the database checks EXECUTE on Proc1, but Proc1 reading View1 and View1 reading Table1 get no check at all: because every object in the chain has the same owner (Alice), the intermediate permission checks are skipped. Bob reaches Table1 through Proc1 without holding any permission on View1 or Table1 directly.
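An added example (not from the deck) that builds the Alice/Bob chain from the diagram and shows where the permission check happens and where it is skipped. It assumes a test database in which database users Alice and Bob already exist and the script is run by a database owner.

```sql
-- Schema owned by Alice: objects created in it with no explicit owner are
-- owned by Alice, which is what makes the chain unbroken.
CREATE SCHEMA Alice AUTHORIZATION Alice;
GO
CREATE TABLE Alice.Table1 (id int PRIMARY KEY, data varchar(100));
GO
CREATE VIEW Alice.View1 AS SELECT id, data FROM Alice.Table1;
GO
CREATE PROCEDURE Alice.Proc1 AS SELECT id, data FROM Alice.View1;
GO
-- Bob gets EXECUTE on the procedure only; nothing on View1 or Table1.
GRANT EXECUTE ON Alice.Proc1 TO Bob;
GO

EXECUTE AS USER = 'Bob';
-- Succeeds: EXECUTE is checked on Proc1; View1 and Table1 are not checked
-- because Proc1, View1 and Table1 share an owner (Alice).
EXECUTE Alice.Proc1;
-- Fails with "SELECT permission denied": there is no chain when Bob
-- addresses the table directly, so his own permissions are what counts.
SELECT id, data FROM Alice.Table1;
REVERT;
GO

-- Breaking the chain: if Table1 were owned by someone else, the check on
-- Table1 would be performed against Bob and Proc1 would fail for him.
-- This is why the deck advises checking who owns every object a module touches.
```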
Module Signing

Alice is a non-privileged login who needs to run:

    ALTER LOGIN Bob ENABLE

ALTER LOGIN requires the ALTER ANY LOGIN server permission. Do we need to GRANT ALTER ANY LOGIN TO Alice? No!
Module Signing (cont)

Instead, the statement is placed in a stored procedure, SP_ENABLE_LOGIN, which is signed with a certificate. A login created from that certificate, Cert_login, is the principal that holds ALTER ANY LOGIN. Alice (a non-privileged login) only has permission to call the SP:
- The SP runs under Alice's context but with the elevated privilege that the signature confers
- The SP is protected against tampering: any change to its body invalidates the signature and drops the privilege
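The two module-signing slides as a complete script, added here as an example that is not from the deck. It assumes logins Alice and Bob already exist, that the script is run as sysadmin, and that the certificate password is a placeholder; the certificate name EnableLoginCert is assumed, the other names are the slide's.

```sql
USE master;
GO
-- Starting state: Bob is disabled, and Alice cannot enable him because
-- ALTER LOGIN requires the ALTER ANY LOGIN server permission.
ALTER LOGIN Bob DISABLE;
GO
-- 1. A certificate that will sign the module. Its private key lives in
--    master, protected by the password (placeholder).
CREATE CERTIFICATE EnableLoginCert
    ENCRYPTION BY PASSWORD = '<cert password placeholder>'
    WITH SUBJECT = 'Signs SP_ENABLE_LOGIN';
GO
-- 2. A login mapped to the certificate. Nobody can connect as it; it only
--    carries the one permission that the signature will lend to the module.
CREATE LOGIN Cert_login FROM CERTIFICATE EnableLoginCert;
GRANT ALTER ANY LOGIN TO Cert_login;
GO
-- 3. The procedure does exactly one fixed thing. No dynamic SQL inside the
--    escalated context, following the deck's execution-context advice.
CREATE PROCEDURE dbo.SP_ENABLE_LOGIN
AS
    ALTER LOGIN Bob ENABLE;
GO
-- 4. Sign it. While a caller executes the module, Cert_login is added to
--    the caller's token; editing the procedure body invalidates the
--    signature, so a tampered module loses the privilege automatically.
ADD SIGNATURE TO dbo.SP_ENABLE_LOGIN
    BY CERTIFICATE EnableLoginCert
    WITH PASSWORD = '<cert password placeholder>';
GO
-- 5. Alice needs a user in master to receive EXECUTE, and nothing more.
CREATE USER Alice FOR LOGIN Alice;
GRANT EXECUTE ON dbo.SP_ENABLE_LOGIN TO Alice;
GO
-- Verify from Alice's point of view.
EXECUTE AS LOGIN = 'Alice';
EXEC dbo.SP_ENABLE_LOGIN;      -- succeeds: token = Alice + Cert_login
ALTER LOGIN Bob DISABLE;       -- fails: Alice herself lacks ALTER ANY LOGIN
REVERT;
GO
```

To audit who can reach ALTER ANY LOGIN this way, list signed modules in master (sys.crypt_properties) alongside the permissions granted to certificate-mapped logins in sys.server_permissions.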
Execution Context: Login and User Token

The diagram shows what a login or user token is made of:
- Primary identity: the SQL or Windows user name
- Secondary identities: roles and Windows group memberships, including public
- Certificate: added by signed modules
- Authenticator: the cross-DB impersonated context
Execution Context: Best Practices
- Controlled escalation of privileges:
  - DB scoped: EXECUTE AS and application roles
  - Cross-DB scoped: certificates
- Avoid using dynamic SQL under an escalated context
- Do not use cross-database ownership chaining (CDOC) or SETUSER
- Avoid allowing guest access on user DBs
SQL Injection: Introduction
- SQL injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.
- SQL injection is one of the most common attacks.
- It can affect T-SQL code as well as code generated outside SQL, such as ASP, ASP.NET, managed code, native code, etc.
SQL Injection: T-SQL example

    CREATE PROC sp_SqlInjectionDemo( @ColumnValue varchar(100) )
    AS
        DECLARE @cmd nvarchar(max)
        SET @cmd = N'SELECT * FROM [test].[Demo] WHERE data = ''' + @ColumnValue + ''''
        PRINT @cmd -- For demonstration purposes
        EXEC( @cmd )
    GO
SQL Injection: ASP example

    ' Execute a SQL command
    strCmd = "SELECT * FROM [test].[Demo] WHERE data = '" & columnValue & "'"
    Set objCommand.ActiveConnection = objConn
    objCommand.CommandText = strCmd
    objCommand.CommandType = adCmdText
    Set objRS = objCommand.Execute()
SQL Injection Example - attacker's side

T-SQL:

    EXEC sp_SqlInjectionDemo 'abc''; SELECT * FROM sys.objects where name like ''sys%'
    GO

ASP:
SQL Injection: Strategies to protect against SQL injection
- Validate input against a white-list
- Use parameterized SQL queries
  - Use type-safe SqlParameter in .NET
  - Use parameterized SPs
- Least-privilege principle: least-privileged principal for web services
- Escape special characters
  - Escape quotes with QUOTENAME/REPLACE
  - Escape wildcards in LIKE statements
- Validate buffer length to avoid truncation
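An added example (not from the deck) applying the strategies above to the deck's own sp_SqlInjectionDemo: a parameterized rewrite, a LIKE search that escapes wildcards and is sized to avoid truncation, and a white-listed, QUOTENAME-wrapped identifier for the one case where dynamic SQL is unavoidable. It assumes the deck's table [test].[Demo] with a column data varchar(100); the procedure names ending in _Safe, _Search and _CountRows are assumed.

```sql
-- Parameterized rewrite of the deck's procedure: @ColumnValue travels as a
-- parameter, never as SQL text, so a quote inside it cannot end the literal.
CREATE PROC dbo.sp_SqlInjectionDemo_Safe ( @ColumnValue varchar(100) )
AS
BEGIN
    EXEC sp_executesql
        N'SELECT * FROM [test].[Demo] WHERE data = @val',
        N'@val varchar(100)',
        @val = @ColumnValue;
END
GO

-- LIKE: a parameter stops injection, but % and _ in the input still change
-- the match. Escape them, and size @pattern for the worst case (every
-- character escaped, 2 x 100, plus the trailing %) so nothing is truncated.
CREATE PROC dbo.sp_Demo_Search ( @Prefix varchar(100) )
AS
BEGIN
    DECLARE @pattern varchar(201) =
        REPLACE(REPLACE(REPLACE(@Prefix, '\', '\\'), '%', '\%'), '_', '\_')
        + '%';
    SELECT * FROM [test].[Demo] WHERE data LIKE @pattern ESCAPE '\';
END
GO

-- Identifiers cannot be parameters. Check the name against the catalog
-- (white-list) and wrap it with QUOTENAME before it touches the SQL text.
CREATE PROC dbo.sp_Demo_CountRows ( @TableName sysname )
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables
                   WHERE name = @TableName AND schema_id = SCHEMA_ID('test'))
    BEGIN
        RAISERROR('Unknown table', 16, 1);
        RETURN;
    END
    DECLARE @cmd nvarchar(300) =
        N'SELECT COUNT(*) FROM [test].' + QUOTENAME(@TableName);
    EXEC sp_executesql @cmd;
END
GO

-- The deck's attack input now matches literally and returns no rows,
-- instead of running a second statement against sys.objects.
EXEC dbo.sp_SqlInjectionDemo_Safe 'abc''; SELECT * FROM sys.objects where name like ''sys%';
```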
SQL Injection: Tools

Microsoft Source Code Analyzer for SQL Injection
- Aids in SQL injection detection for ASP code
- July CTP: http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
- Requirements:
  - OS: XP SP2, Windows 2003 SP1, Windows Vista or Windows 2008
  - .NET Framework 2.0
SQL Injection: Additional resources
- SQL Server Security Blog
- SQL injection (BOL)
- Preventing SQL injection in ASP
- Giving SQL injection the respect it deserves
- Raul Garcia's blog
Summary - Protecting Your Data
- Consider encryption for protecting sensitive data
- Carefully think about permissions
- Maximize role separation
- Always be mindful of SQL injection
Feedback / QnA

Your feedback is important! Please take a few moments to fill out our online feedback form at: << Feedback URL – Ask your organizer for this in advance>>

For detailed feedback, use the form at http://www.connectwithlife.co.in/vtd/helpdesk.aspx or email us at [email protected]

Use the Question Manager on LiveMeeting to ask your questions now!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.