TRANSCRIPT
Microsoft SQL Server 2008 R2
Security Overview
Microsoft Corp.
Agenda
Introduction
SQL Server 2005 Security Recap
Security in SQL Server 2008 R2
Demo
Compliance and Certifications
Business Challenges
Data reliability is a growing concern for many enterprises
• Insider threat – 70% of attacks come from inside the firewall*
• Identity theft
• Industrial espionage
• Government espionage
Data misuse and detection/privacy violation
Regulations like PCI and HIPAA mandate strict requirements for data security, data privacy and data integrity
*Source: Forrester, March 2009
Business Needs
Ensure reliability, confidentiality, availability and integrity of data
Demonstrate that good security practices are being followed in the database environment
Provide a history of detailed auditing data for use by internal/external auditors
Insights into Database Vulnerabilities
SQL Server continues to lead with the fewest security patches across the major DBMS vendors
Fewer vulnerabilities translate into less time spent patching servers and inherently more secure databases
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008; Oracle (8i, 9i, 9iR2, 10g, 10gR2, 11g); IBM DB2 (8.0, 8.1, 8.2, 9.0, 9.5). Query for Oracle was run with vendor name ‘Oracle’ and product name ‘any’ (all database product name variations were queried). Query for IBM DB2 was run with vendor name ‘IBM’ and product name ‘db2’. Query for MySQL was run with vendor name ‘MySQL’ and product name ‘Any’. Query for Microsoft was run with vendor name ‘Microsoft’, product name ‘Microsoft SQL Server’, version name ‘Any’. This chart counts NIST CVE – Software Flaws (each CVE might include more than one Oracle vulnerability).
[Chart: NIST CVE software-flaw counts per year, 2002–2009 (y-axis 0–160), for SQL Server, Oracle, DB2 and MySQL]
SQL Server 2005 Security Recap
SQL Server 2005 Security Recap
PROTECT DATA
Key management
Catalog security
Built-in encryption
CONTROL ACCESS
User-schema separation
Granular permission control
Encrypted log-in credentials
ENSURE COMPLIANCE
Capture and audit DDL activities
Password policy enforcement
SQL Server 2005 Security Recap
Customer challenge: Security feature
Weak passwords: Password policy enforcement
Lack of audit information: Capture and audit DDL activities
Data confidentiality: Built-in encryption; Key management
Metadata protection: Catalog security
Schema level permission: User-schema separation
Granular permission to execute statements in a module: Execution context; Module signing
Protect access to the DB: Encrypted log-in credentials; Connection end-points
(The slide groups these features under PROTECT DATA, CONTROL ACCESS and ENSURE COMPLIANCE)
SQL Server 2008 Security Enhancements
SQL Server 2008 Investments
PROTECT DATA: Built-in encryption; Key management; Catalog security; new in 2008: Transparent Data Encryption, Extensible Key Management
CONTROL ACCESS: User-schema separation; Granular permission control; Encrypted log-in credentials; new in 2008: Authentication enhancements
ENSURE COMPLIANCE: Capture and audit DDL activities; Password policy enforcement; new in 2008: Policy-based Management, SQL Server Audit
Protect Data
Transparent Data Encryption
Extensible Key Management
Data Protection Investments
Recent regulations have mandated strict requirements for data security, data privacy and data integrity
Database security is a growing concern for many enterprises
SQL Server 2005 limitations
• Encryption required application changes
• Encryption keys not separate from data
SQL Server 2008
• Extensible Key Management (EKM)
• Transparent Data Encryption (TDE)
Extensible Key Management (EKM)
Key storage, management and encryption done by HSM module
SQL EKM key is a proxy to HSM key
SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module
[Diagram: SQL Server calls the SQL EKM Provider DLL, which calls into the HSM; the SQL EKM Key (HSM key proxy) protects the data]
Benefits of using EKM
“Defense in depth” makes unauthorized access to data harder by storing encryption keys away from the data
May facilitate separation of duties between DBA and data owner
Uses HSM for encryption and decryption which may result in performance gains
Enables centralized key management across organization
“…SQL Server 2008 helps CareGroup comply with HIPAA data encryption requirements… SQL Server 2008 delivers an excellent solution… by supporting third-party key management and hardware security module products.” —CareGroup Case Study
EKM Key Hierarchy in SQL Server
[Diagram: a symmetric key and an asymmetric key held in the HSM are represented inside SQL Server as an EKM symmetric key and an EKM asymmetric key. The EKM symmetric key encrypts data; the EKM asymmetric key encrypts data, a native symmetric key, or the TDE DEK.]
Transparent Data Encryption (TDE)
Encryption/decryption at database level
DEK is encrypted with:
• Certificate
• Key residing in a Hardware Security Module (HSM)
Certificate required to attach database files or restore a backup
[Diagram: SQL Server 2008 – the client application reads an encrypted data page, which is decrypted with the DEK]
Advantages of using TDE
Encrypt the entire database on the disk to protect against lost or stolen disks or backup media
Does not increase database size and has minimal performance impact
Does not require application changes
Applications do not need to explicitly encrypt/decrypt data
Backups are automatically encrypted and unusable without key
Protects against direct access to database files, data at rest
“With SQL Server 2008 we have transparent encryption, so we can easily enforce the encryption of the information in the database itself without making any changes on the application side.”
— Avad Shammout, Lead Technical Database Administrator, CareGroup HealthCare System
TDE – Key Hierarchy
Operating System level: Data Protection API (DPAPI) encrypts the Service Master Key
SQL Server 2008 instance level: Service Master Key encrypts the Database Master Key
SQL Server 2008 master database: Database Master Key (also protected by a Password) encrypts the Certificate in the master database
SQL Server 2008 master database: Certificate encrypts the Database Encryption Key
SQL Server 2008 user database: Database Encryption Key (encrypts the database pages)
Demo: Enabling TDE
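The steps behind this demo, as an added example that is not from the deck: it walks the key hierarchy above from the master database down to the user database. SalesDB, TDE_Cert, the file paths and the passwords are placeholders.

```sql
-- Added example (not from the deck). Names, paths and passwords are placeholders.
USE master;
GO
-- 1. Database Master Key in master: protected by a password, and by the Service
--    Master Key (which DPAPI protects) so SQL Server can open it without the password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
-- 2. Certificate in master that will encrypt the DEK.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key NOW and store them away from the
--    data: without them the encrypted files and backups cannot be attached or
--    restored on another server (SQL Server warns if this step is skipped).
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\keybackup\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong backup password>');
GO
-- 4. Database Encryption Key in the user database, encrypted by the certificate.
--    With EKM, ENCRYPTION BY SERVER ASYMMETRIC KEY <ekm_key> would name the
--    HSM-backed key instead.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Turn encryption on; a background task encrypts the existing pages.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb appears here too: it is encrypted as soon as any database uses TDE.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm,
       key_length, percent_complete
FROM sys.dm_database_encryption_keys;
```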
Control Access
Authentication enhancements
Authentication Enhancements
SQL Server 2005 limitations
• Kerberos possible with TCP/IP connections only
• SPN must be registered with AD
SQL Server 2008 enhancements
• Kerberos available with ALL protocols
• SPN may be specified in connection string (OLEDB/ODBC)
• Kerberos possible without SPN registered in AD
Authentication Enhancements
Why specify an SPN in the connection?
SPN = MSSQLSvc/<FQDN>:<Port>
The SPN is composed using 2 insecure sources: DNS (the FQDN) and SQL Browser (the port)
Attacker could force NTLM to be used, cause authentication failures, or redirect connections to rogue servers
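An added check for the concern above (not from the deck): list the sessions that ended up on NTLM instead of Kerberos, and show the host and TCP port the instance's SPN has to name. Only sys.dm_exec_connections and sys.dm_exec_sessions are used; the ServerSPN keyword in the comment is the SQL Server Native Client 10.0 connection-string keyword the deck refers to.

```sql
-- Added example (not from the deck): which Windows-login sessions negotiated NTLM?
-- NTLM where Kerberos was expected usually means the client could not resolve
-- or find the SPN; it is also what a downgrade to NTLM would look like.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,        -- TCP, Named pipe, Shared memory
       c.auth_scheme,          -- KERBEROS, NTLM, or SQL (standard SQL login)
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.auth_scheme = 'NTLM'
  AND s.is_user_process = 1
ORDER BY s.login_name, s.host_name;

-- The SPN the instance needs is MSSQLSvc/<FQDN>:<Port>. Take the port from the
-- server's own connection rather than from SQL Browser, then compare with what is
-- registered in AD for the service account (setspn -L <service account>).
SELECT SERVERPROPERTY('MachineName') AS machine_name,
       DEFAULT_DOMAIN()              AS domain_name,
       local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Client side: pinning the SPN in the connection string (SQL Server Native Client
-- 10.0 OLE DB/ODBC keyword) removes DNS and SQL Browser from SPN construction:
--   ServerSPN=MSSQLSvc/sql01.corp.example.com:1433   (hostname is a placeholder)
```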
Ensure Compliance
Policy-based Management
SQL Server Audit
Policy-Based Management
Automate surface area configuration
Ensure compliance with configuration policies for servers, databases, and database objects across the enterprise
Reduce your exposure to security threats by using the new Surface Area facet to control active services and features
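An added example, not from the deck: a subset of the settings the Surface Area facet covers, checked directly against sys.configurations so the same policy can be verified from a script. The option names are the real sp_configure names; the expected value for each is 0 (off).

```sql
-- Added example (not from the deck): surface-area drift check against the
-- expected "off" state of the options the Surface Area facet governs.
SELECT e.option_name,
       CONVERT(INT, c.value_in_use) AS value_in_use,
       e.wanted,
       CASE WHEN CONVERT(INT, c.value_in_use) = e.wanted
            THEN 'OK' ELSE 'DRIFT' END AS status
FROM (VALUES ('xp_cmdshell',                0),
             ('Ole Automation Procedures',  0),
             ('clr enabled',                0),
             ('Ad Hoc Distributed Queries', 0),
             ('Database Mail XPs',          0),
             ('SQL Mail XPs',               0),
             ('remote admin connections',   0)) AS e (option_name, wanted)
JOIN sys.configurations AS c ON c.name = e.option_name
ORDER BY status, e.option_name;
-- Any DRIFT row is a feature that was enabled after install (or carried over by an
-- upgrade); fix it with sp_configure '<option>', 0; RECONFIGURE; after confirming
-- nothing depends on it.
```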
Policy-Based Management: Defining Policies
[Diagram: Facets feed Conditions, which are combined into Policies; policies are grouped into Categories and applied to Targets]
Policy-Based Management: Policy checking and governance
Facets
• Define aspects of system configuration
• Physical properties that relate to settings
• Logical properties that encapsulate business rules
Conditions
• Capture the declarative intent (desired state)
• Simplify compliance enforcement
Auditing Database Activity
SQL Server 2005
• SQL Trace
• DDL/DML Triggers
• Third-party tools to read transaction logs
• No management tools support
SQL Server 2008 enhancements
• SQL Server Audit
SQL Server Audit
Audit now a 1st Class Server Object
• Native DDL for Audit configuration and management
• Security support
Create an Audit object to automatically log actions to:
• File
• Windows Application Log
• Windows Security Log
Ability to define granular Audit Actions of Users or Roles on DB objects
Benefits of SQL Server Audit
Track reads, writes, and other events to Windows Application Log and Windows Security Log
Detect misuse of permissions early on to limit possible damage
More granular audits for flexibility
Built into the database engine
Simple configuration using SQL Server Management Studio
Faster performance than SQLTrace
“The enhanced auditing tools in SQL Server 2008 enable us to track all changes to tables and other data elements in our system.”
—Avad Shammout, Lead Technical Database Administrator, CareGroup HealthCare System
Audit Specifications
Server and database audit specifications for
• Pre-defined action groups
• Individual action filters
Server action groups
• Server config changes, login/logoff, role membership change, etc.
Database action groups
• Schema object access, database role membership change, database object access, database config change
Audit Specifications
[Diagram: an Audit object writes to the Security Event Log, the Application Event Log, or a File; 0..1 server audit specification per Audit object; 0..1 database audit specification per database per Audit object; each specification holds one or more server or database audit actions]
-- Completed so it runs: the Audit object must exist and be enabled first (the file path is a placeholder).
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\Audit\');
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
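Reading what the PCI_Audit file target collects, as an added example that is not from the deck: the two queries pull exactly the events the deck's specifications capture (failed logins and SELECTs on Customers). The audit file path and the SalesDB database name are placeholders.

```sql
-- Added example (not from the deck). sys.fn_get_audit_file accepts a wildcard
-- over the .sqlaudit files written by the audit's file target.
DECLARE @audit_files NVARCHAR(260) = N'D:\Audit\PCI_Audit_*.sqlaudit';

-- 1. FAILED_LOGIN_GROUP events have action_id 'LGIF'. Grouping by login shows
--    both repeated guessing against one account and a sweep across many.
SELECT server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_files, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
GROUP BY server_principal_name
HAVING COUNT(*) >= 5
ORDER BY failures DESC;

-- 2. SELECT (action_id 'SL') on Customers by any principal, newest first.
--    succeeded = 0 rows are permission-denied attempts: review those first.
SELECT event_time,
       session_server_principal_name,
       database_principal_name,
       succeeded,
       statement
FROM sys.fn_get_audit_file(@audit_files, DEFAULT, DEFAULT)
WHERE action_id = 'SL'
  AND database_name = 'SalesDB'       -- placeholder: database holding Customers
  AND object_name = 'Customers'
ORDER BY event_time DESC;
```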
Demo: SQL Server Audit and
Policy-Based Management
Compliance and Certifications
HIPAA and PCI Compliance Evaluated
Common Criteria Certified
World-Class Security Evaluations
“The Common Criteria was designed by a group of nations to improve the availability of security-enhanced IT products, help users evaluate IT products for purchase, and contribute to consumer confidence in IT product security.”
— SQL Server Books Online
Security functions: Access control, audit, management, identification & authentication, session handling and memory management
Assurance components: Functional specs and high level design plus independent vulnerability testing
Environment: CC certified OS (Windows Server) and admin roles
Key Criteria
Requirement for many governments, industries, and enterprise customers
SQL Server 2008 Enterprise achieved Common Criteria (CC) compliance at EAL1+ (Evaluation Assurance Level); EAL4+ is in progress and is recognized by the US government
Represents the third time for CC compliance and the first time for a 64-bit version of SQL Server
Common Criteria Certification
R2 is built on the SQL Server 2008 foundation and brings forward the security benefits with minimal changes to the core engine
SQL Server for HIPAA Compliance
HIPAA Details
• Health Information Portability and Accountability Act (HIPAA) governs health information privacy, security, organizational identifiers, and overall administrative practices
• HIPAA has 5 major components; SQL Server can help support the Security Rule, which covers safeguarding protected health information (PHI)
• SQL Server supports HIPAA areas: Access controls, Data integrity & encryption, Communications security, and Audit & compliance
SQL Server Support
• Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements
• Technical features can support HIPAA requirements like role-based access, strong user authentication, encryption, and event logging
• SQL Server features can promote the consistency of deployed technical controls and enable effective monitoring over time
Whitepaper: “Supporting HIPAA Compliance with Microsoft SQL Server 2008,” authored by the Information Security Center of Expertise at Jefferson Wells International, Inc., a leading Risk Advisory and Security Compliance services organization.
SQL Server for PCI Compliance
PCI Details
• Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide security standard created by the Payment Card Industry Security Council
• SQL Server can be deployed to meet the database server requirements and should always be considered by personnel in cardholder environments
• SQL Server supports PCI areas: Vendor-supplied defaults, protect stored data, encrypt data transmission, restrict access to data, assign unique IDs to persons with access, and monitor all access to data
SQL Server Support
• Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements
• Technical features can support PCI requirements like TDE, EKM, SQL Server Audit, and Policy-Based Management
• Automated implementation of key SQL Server 2008 features helps customers achieve PCI compliance and standardized security controls
Whitepaper: “Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS),” authored by certified audit firm Parente Randolph (now ParenteBeard).
Q & A
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Reduced Surface Area Configuration
New in SQL Server 2008, Surface Area Configuration is handled by an automated policy-based framework to help ensure compliance across the enterprise
Efforts made in reducing surface area include:
• Some features are off by default (except when you perform an upgrade)
• Granular permissions on SQL engine and SQL Server Agent
• Users need VIEW DEFINITION permissions to see metadata that they do not own
Authentication Features
Ability to disable a login
• Useful if login is compromised or user is fired
Password Policy Enforcement
• Password complexity, Password expiration, Account lockout
• Common policy across the network for Windows and SQL
• Granular control to turn on/off policy/expiration per login
Endpoint Based Authentication
• Ability to choose which users connect over which protocols
NTLM and Kerberos for Windows logins
• Single Sign On
• Constrained delegation with Win2K3 (Granular control)
Default Secure channel for standard SQL logins
• No admin step required to get secure (secure by default)
SQL Server 2008 Authorization
Rich access control model
• Granular permissions
• Choice of appropriate scope (database, schema, object, sub-object)
• Role Based Access control
• Application module based access control
• Minimizing application impact for user management
• Both data (above) and metadata
Ease of security management
Principle of least privileges