Introduction to SQL 2005 Security
Nick Ward, SQL Server Specialist

Database Security
- Prevent SQL injection attacks
- Encrypt data in the database
- Secure data over the network
- Secure database connection strings
- Handle data access exceptions

SQL Server 2005 Overview

SQL Server 2005 Security Initiatives
- Trustworthy Computing Initiative
  - Security, privacy, reliability and business practices
  - http://www.microsoft.com/mscorp/twc/default.mspx
- SD3+C
  - Secure by design
  - Secure by default
  - Secure in deployment
  - Communications

Reduction in Surface Area
- Secure by Default
  - More optional installation options
  - Default: Demonstration databases not installed
  - Default: CLR disabled
  - Default: HTTP endpoint disabled
- Minimized attack surface: features require explicit configuration
- Surface Area Configuration Tool

SQL Server 2005 Security: Surface Area Configuration Tool
Nick Ward, SQL Server Technology Specialist, Microsoft

The Least Privilege Principle
- Granular permissions
  - Grant/revoke/deny
  - Hierarchical permissions
- Security execution context
  - EXECUTE AS
  - Functions, procedures, views and triggers
- DDL Triggers

Security: Execution Context
[Diagram: User3 executes User2.Proc1, which selects from User1.T1]
- Default:
  - Execute perms checked for User3
  - Select perms checked for User3
  - No permission – User1.Proc1 fails
- With 'Execute AS 'X'':
  - Execute perms checked for User3
  - Select perms checked for 'X', not for User3

Security: Execution Context
- EXECUTE AS CALLER
  - Default – same as SQL Server 2000 behavior
- EXECUTE AS SELF
  - Last person to create or alter the module
- EXECUTE AS OWNER
  - Execute as current owner of the module
- EXECUTE AS “UserName”
- EXECUTE AS “LoginName”
  - Only for DDL triggers with server-wide execution

SQL Server 2005 Security: EXECUTE AS 'x'

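The permission checks from the execution-context slides, as an added T-SQL example that is not part of the original presentation. User1, User2, User3, X, T1 and Proc1 follow the diagram; the column names and the use of loginless users in a scratch database are assumptions.

```sql
-- Added example: run in a scratch database as a member of db_owner.
CREATE USER User1 WITHOUT LOGIN;
CREATE USER User2 WITHOUT LOGIN;
CREATE USER User3 WITHOUT LOGIN;
CREATE USER X WITHOUT LOGIN;
GO
CREATE SCHEMA User1 AUTHORIZATION User1;
GO
CREATE SCHEMA User2 AUTHORIZATION User2;
GO
CREATE TABLE User1.T1 (id int PRIMARY KEY, val varchar(20));
INSERT INTO User1.T1 VALUES (1, 'row');
GO
-- Default, EXECUTE AS CALLER. The procedure (owned by User2) and the table
-- (owned by User1) have different owners, so there is no ownership chain
-- and SELECT permission on T1 is checked against the caller.
CREATE PROCEDURE User2.Proc1
AS
    SELECT id, val, USER_NAME() AS running_as FROM User1.T1;
GO
GRANT EXECUTE ON User2.Proc1 TO User3;
GO
EXECUTE AS USER = 'User3';
GO
EXEC User2.Proc1;   -- denied: the SELECT inside is checked for User3
GO
REVERT;
GO
-- EXECUTE AS 'X': EXECUTE is still checked for User3, SELECT is checked for X.
GRANT SELECT ON User1.T1 TO X;
GO
ALTER PROCEDURE User2.Proc1
WITH EXECUTE AS 'X'
AS
    SELECT id, val, USER_NAME() AS running_as FROM User1.T1;
GO
EXECUTE AS USER = 'User3';
GO
EXEC User2.Proc1;   -- allowed: running_as reports the context the body runs under
GO
REVERT;
GO
-- User3 still has no direct SELECT on User1.T1; the grant went to X only,
-- so the procedure is the single, auditable path to the data.
```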
DDL Triggers
- Triggers fire when Data Definition Language (DDL) is executed
- Used to:
  - Prevent DDL changes to your schema
  - Cause something to occur when schema changes
  - To record changes or events in the database schema
- Fire after the statement
  - Can roll back the statement’s effect
- Can run managed code

SQL Server 2005 Security: DDL Triggers

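A DDL trigger that both prevents and records table changes, as an added T-SQL example that is not from the original presentation. The names dbo.DdlAudit, trg_GuardSchema and dbo.Demo are hypothetical, and the example assumes the principal running the DDL can insert into dbo.DdlAudit.

```sql
-- Added example: run in a scratch database.
CREATE TABLE dbo.DdlAudit (
    EventTime  datetime      NOT NULL DEFAULT GETDATE(),
    LoginName  nvarchar(128) NULL,
    EventType  nvarchar(128) NULL,
    ObjectName nvarchar(260) NULL,
    Command    nvarchar(max) NULL
);
GO
CREATE TRIGGER trg_GuardSchema
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();   -- XML description of the DDL event

    -- The trigger fires after the statement but inside its transaction,
    -- so ROLLBACK undoes the DROP or ALTER that fired it.
    ROLLBACK;

    -- Written after the rollback, so the audit row is not undone with the DDL.
    INSERT INTO dbo.DdlAudit (LoginName, EventType, ObjectName, Command)
    SELECT
        @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'nvarchar(128)') + N'.' +
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    RAISERROR (N'Table changes are blocked by trg_GuardSchema.', 16, 1);
END;
GO
-- Try it: CREATE is not covered by the trigger, DROP is.
CREATE TABLE dbo.Demo (id int);
GO
DROP TABLE dbo.Demo;
GO
SELECT EventTime, LoginName, EventType, ObjectName, Command FROM dbo.DdlAudit;
GO
-- Planned schema changes: disable the trigger, make the change, re-enable it.
DISABLE TRIGGER trg_GuardSchema ON DATABASE;
```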
Secure in Deployment
- Microsoft Update services integration
  - Automatic or manual
- Systems Management Server (SMS) integration
- Deployment security content: “Security Considerations for SQL Server” http://msdn2.microsoft.com/en-us/library/ms161948
  - Windows server
  - Network
  - Windows service accounts
  - Surface Area
  - All SQL Server components

Authorization Enhancements
- Already discussed
  - Granular permission control
  - Module execution context
- Still to come…
  - User schema separation
  - Metadata security
  - Encryption enhancements

Security: User-Schema Separation
- New DDL for user and schemas
  - CREATE/ALTER/DROP for USER, ROLE, and SCHEMA
- Dropping user does not require application rewrite
[Diagram: users Bill and Mary, a schema, and the objects it contains (Table, Function, View, Stored Procedure), linked by "Owned By" and "Contained In"; labels "Schema v object permission" and "Default schema"; object naming shown as Server.Database.Owner.Object and Server.Database.Schema.Object]

SQL Server 2005 Security: User-Schema Separation

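Why dropping a user no longer forces object renames, as an added T-SQL example that is not from the original presentation. Bill and Mary come from the diagram; the Sales schema and Orders table are hypothetical names.

```sql
-- Added example: run in a scratch database as a member of db_owner.
CREATE USER Bill WITHOUT LOGIN;
CREATE USER Mary WITHOUT LOGIN;
GO
-- Objects are contained in the schema; the schema is owned by a user.
CREATE SCHEMA Sales AUTHORIZATION Bill;
GO
CREATE TABLE Sales.Orders (OrderId int PRIMARY KEY, ShipCity nvarchar(40));
GO
-- Unqualified names used by Mary resolve to Sales first.
ALTER USER Mary WITH DEFAULT_SCHEMA = Sales;
GO
-- Bill leaves. While he still owns the schema, DROP USER is refused
-- (error 15138), which protects the objects from being orphaned.
DROP USER Bill;
GO
-- Transfer the schema, then drop the user. No object is renamed.
ALTER AUTHORIZATION ON SCHEMA::Sales TO Mary;
DROP USER Bill;
GO
-- The schema now reports Mary as owner; application queries keep using
-- the same Schema.Object name as before.
SELECT s.name AS schema_name, p.name AS owner_name
FROM sys.schemas AS s
JOIN sys.database_principals AS p ON p.principal_id = s.principal_id
WHERE s.name = N'Sales';

SELECT OrderId, ShipCity FROM Sales.Orders;
```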
Security: Certificates
- Encryption enhancements
  - Encryption uses symmetric keys, asymmetric keys and certificates
  - SQL Server 2005 can generate certificates for encryption
  - RC4, RSA, Triple-DES and AES encryption supported
  - Encryption can be used with any level of SQL Server 2005 securable
- Key Management

Security Hierarchy

SQL Server 2005 Security: Data Encryption

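Column encryption through the key hierarchy (database master key, certificate, symmetric key), as an added T-SQL example that is not from the original presentation. All object names, the password placeholder and the sample card value are constructed for illustration.

```sql
-- Added example: run in a scratch database. Replace the password placeholder.
-- Hierarchy used here: database master key -> certificate -> symmetric key -> data.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the CardKey symmetric key';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.CustomerCards (
    CustomerId    int PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

DECLARE @id int, @card nvarchar(25);
SET @id = 1;
SET @card = N'0000-0000-0000-0000';   -- constructed sample value

-- The authenticator (a hash of the row key) ties the ciphertext to this row,
-- so a value copied into another customer's row will not decrypt.
INSERT INTO dbo.CustomerCards (CustomerId, CardNumberEnc)
SELECT @id, EncryptByKey(Key_GUID('CardKey'), @card, 1,
                         HashBytes('SHA1', CONVERT(varbinary, @id)));

SELECT CustomerId,
       CONVERT(nvarchar(25), DecryptByKey(CardNumberEnc, 1,
               HashBytes('SHA1', CONVERT(varbinary, CustomerId)))) AS CardNumber
FROM dbo.CustomerCards;

CLOSE SYMMETRIC KEY CardKey;
GO
-- With the key closed, DecryptByKey returns NULL instead of raising an error,
-- so callers must treat NULL as "no access", not as "no data".
SELECT CustomerId,
       DecryptByKey(CardNumberEnc, 1,
               HashBytes('SHA1', CONVERT(varbinary, CustomerId))) AS CardNumber
FROM dbo.CustomerCards;
```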
Metadata
- No visibility without permission
- “VIEW DEFINITION” permission

SQL Injection
Consider the following:

    var ShipCity;
    ShipCity = Request.form ("ShipCity");
    var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

Enter "Melbourne":

    select * from OrdersTable where ShipCity = 'Melbourne'

Enter "Melbourne'; drop table OrdersTable--":

    select * from OrdersTable where ShipCity = 'Melbourne';drop table OrdersTable--'

SQL Injection – What to do?
- Validate all input: length, type, ranges, valid values etc.
- Reject control characters: ; ' -- /* */ xp_
- Never build T-SQL statements from user input – beware string concatenation
- Use stored procedures
- Visual Studio Team System 2005
- Type-safe SQL parameters

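    using System.Data;
    using System.Data.SqlClient;

    // conn is an existing SqlConnection; Login is the input control.
    SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter: the value is sent as data, not parsed as T-SQL.
    SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    parm.Value = Login.Text;
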
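The server-side half of "use stored procedures" and "beware string concatenation", as an added T-SQL example that is not from the original presentation: a procedure that concatenates its input is as injectable as the client code on the slide, while a static or sp_executesql-parameterized statement is not. OrdersTable and ShipCity come from the slide; the procedure names and sample rows are hypothetical.

```sql
-- Added example: run in a scratch database.
CREATE TABLE dbo.OrdersTable (OrderId int PRIMARY KEY, ShipCity nvarchar(40));
INSERT INTO dbo.OrdersTable VALUES (1, N'Melbourne');   -- constructed sample rows
INSERT INTO dbo.OrdersTable VALUES (2, N'Sydney');
GO
-- Vulnerable: a stored procedure that still builds T-SQL by concatenation.
-- Whatever arrives in @ShipCity becomes part of the statement text.
CREATE PROCEDURE dbo.OrdersByCity_Concat @ShipCity nvarchar(200)
AS
    DECLARE @sql nvarchar(500);
    SET @sql = N'select * from dbo.OrdersTable where ShipCity = '''
             + @ShipCity + N'''';
    EXEC (@sql);
GO
-- Hardened: static statement. The parameter is typed, length-limited data.
CREATE PROCEDURE dbo.OrdersByCity @ShipCity nvarchar(40)
AS
    SELECT OrderId, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @ShipCity;
GO
-- Hardened dynamic SQL, for cases where the statement must be built at run time:
-- the text is constant and the value travels as a parameter of sp_executesql.
CREATE PROCEDURE dbo.OrdersByCity_Dynamic @ShipCity nvarchar(40)
AS
    DECLARE @sql nvarchar(500);
    SET @sql = N'select OrderId, ShipCity from dbo.OrdersTable where ShipCity = @city';
    EXEC sp_executesql @sql, N'@city nvarchar(40)', @city = @ShipCity;
GO
-- The second input from the slide, passed to the hardened procedures.
-- It is compared against ShipCity as one literal string; nothing in it executes.
DECLARE @input nvarchar(200);
SET @input = N'Melbourne''; drop table OrdersTable--';
EXEC dbo.OrdersByCity @input;
EXEC dbo.OrdersByCity_Dynamic @input;
GO
-- Review aid: find modules that call EXEC( or sp_executesql and inspect how
-- the statement text is assembled.
SELECT OBJECT_NAME(object_id) AS module_name
FROM sys.sql_modules
WHERE definition LIKE N'%EXEC%(%' OR definition LIKE N'%sp_executesql%';
```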
© 2003-2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.