The Spy who loathed me 
An Introduction to SQL Security
Dossier 
• WaterOx Consulting, Inc. 
• Founder / CEO / Lead Consultant 
• PASSDC 
• SQL Saturday DC 
*Image from uvvodka.com
001* Server Configuration
Service Accounts 
*Image from uvvodka.com 
# Accounts      Setup                               Security                                          Maintenance
One             Easiest approach                    Weakest technique: one compromised account        Least to change, but every SQL Server
                                                    gives access to every server; usually sysadmin    restarts when the password changes
One / Server    Additional administrative effort    More secure than one shared account               Manage a username and password per server;
                                                                                                      not all restart at once, rotate in smaller batches
One / Service   Most administrative overhead        Most secure; typical for large enterprises        3-10 accounts per instance to maintain;
                (3-10 accounts per instance)                                                          changes in small batches
Local Service Accounts 
• Used more often than they should be 
• Historically these accounts had local admin rights 
• Less of an issue since Windows Server 2008 R2, which introduced per-service virtual ("pseudo") accounts; SQL Server 2012 uses them by default 
• NT SERVICE\MSSQLSERVER 
• NT SERVICE\SQLSERVERAGENT 
• No passwords to change 
• Nobody can log on with them; the OS manages the credential 
* Image from asseblysteakhouse.com
Credentials and Proxy Accounts 
• Introduced in SQL Server 2005 
• A credential stores a Windows identity (account name and password) inside SQL Server 
• SQL Agent proxy accounts map a credential to one or more job step subsystems (CmdExec, PowerShell, SSIS, ...) 
• Configure specific job steps to use the proxy 
• Those steps then run under the other Windows account instead of the Agent service account; grant use of the proxy only to the logins that own the jobs 
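The whole credential-to-proxy-to-job-step chain in T-SQL, as an added example that is not part of the original deck. The domain accounts CORP\svc_etl and CORP\etl_jobowner, the credential, proxy and job names, and the robocopy command are assumptions; everything else is documented msdb procedure and catalog use.

```sql
-- Added example (not from the original deck). Account, credential, proxy and job names are assumptions.
USE msdb;
GO

-- 1. Store the Windows identity inside SQL Server. The secret is write-only: sys.credentials
--    exposes the identity name but never the password.
CREATE CREDENTIAL ETL_Credential
    WITH IDENTITY = N'CORP\svc_etl',
         SECRET   = N'<long random password set on the AD account>';
GO

-- 2. Create an Agent proxy on top of the credential ...
EXEC dbo.sp_add_proxy
    @proxy_name      = N'ETL_FileProxy',
    @credential_name = N'ETL_Credential',
    @enabled         = 1;

-- 3. ... and allow it only for the subsystems the job really needs.
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ETL_FileProxy', @subsystem_name = N'CmdExec';
EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'ETL_FileProxy', @subsystem_name = N'PowerShell';

-- 4. Only the job owner (not every login that can create jobs) may use the proxy.
EXEC dbo.sp_grant_login_to_proxy @proxy_name = N'ETL_FileProxy', @login_name = N'CORP\etl_jobowner';

-- 5. One step runs as CORP\svc_etl; any other step in the job keeps the Agent service account.
EXEC dbo.sp_add_job @job_name = N'Nightly_ETL', @owner_login_name = N'CORP\etl_jobowner';
EXEC dbo.sp_add_jobstep
    @job_name   = N'Nightly_ETL',
    @step_name  = N'Copy extract files',
    @subsystem  = N'CmdExec',
    @command    = N'robocopy \\fileserver\extracts D:\ETL\inbox *.csv /MOV',
    @proxy_name = N'ETL_FileProxy';
EXEC dbo.sp_add_jobserver @job_name = N'Nightly_ETL';
GO

-- Check: every proxy, the Windows identity behind it, and the subsystems it may run.
SELECT p.name AS proxy_name, c.credential_identity, s.subsystem, p.enabled
FROM dbo.sysproxies p
JOIN sys.credentials c       ON c.credential_id = p.credential_id
JOIN dbo.sysproxysubsystem ps ON ps.proxy_id    = p.proxy_id
JOIN dbo.syssubsystems s      ON s.subsystem_id = ps.subsystem_id
ORDER BY p.name, s.subsystem;
```

The check query is the one to run periodically: a proxy that is enabled for every subsystem, or granted to public, quietly turns the Agent into a privilege-escalation path for anyone who can create a job.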
OS Rights 
• SQL Server service account 
• Windows user rights granted by setup 
• Log on as a service 
• Replace a process-level token (lets one service start another) 
• Adjust memory quotas for a process (changes how much memory a process may consume) 
• NTFS permissions 
• Pre-2008: permissions on the data files had to be added by hand 
• 2008+: setup and Configuration Manager maintain the ACLs for the service account 
• What the DBA needs on the OS 
• Profile system performance 
• Local OS access only when installing service packs and patches 
002* Users & Roles
Server Roles 
• Fixed roles 
• Pre-configured; membership of public cannot be changed 
• Most famous & abused: sysadmin 
• securityadmin can grant itself almost any server permission, so treat it as equivalent to sysadmin 
• User-defined roles 
• New in 2012 
• Custom server-wide roles with explicitly granted server permissions 
Database Roles 
• Fixed roles 
• 10 created with each database: 9 fixed roles plus public 
• Highest level: db_owner (anything in the database, including dropping it) 
• db_securityadmin can change role membership and permissions, so it is a privilege-escalation path 
• User-defined roles 
• Most common 
• Most recommended 
• Very granular: grant at schema, object or column level 
• Can be nested: a role can be a member of another role 
Application Roles 
• Not well understood 
• Not often used 
• The user authenticates against SQL Server 
• But has no rights of their own 
• The application activates the role and the connection takes on the role's permissions 
• sp_setapprole; the role password lives in the application and crosses the wire on activation, so use an encrypted connection 
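User-defined roles with nesting, and an application role activated with sp_setapprole, as an added example that is not part of the original deck. The database SalesDB, the Sales schema and Orders table, the login CORP\sales_app and the role names are assumptions.

```sql
-- Added example (not from the original deck). Database, schema, table, login and role names are assumptions.
USE SalesDB;
GO

-- User-defined roles: grant the minimum the workload needs, at schema or object level.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;

-- A second role for writers. Roles nest: making sales_writer a member of sales_reader
-- means writers can also read without repeating the grants.
CREATE ROLE sales_writer;
GRANT INSERT, UPDATE ON Sales.Orders TO sales_writer;
ALTER ROLE sales_reader ADD MEMBER sales_writer;

-- Principals go into roles; nothing is granted to a user directly.
CREATE USER [CORP\sales_app] FOR LOGIN [CORP\sales_app];
ALTER ROLE sales_writer ADD MEMBER [CORP\sales_app];

-- Application role: the connected user has no rights of their own. The application
-- activates the role and inherits its permissions for the life of the connection.
CREATE APPLICATION ROLE sales_approle WITH PASSWORD = N'<long random secret held by the application>';
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO sales_approle;
GRANT EXECUTE ON SCHEMA::Sales TO sales_approle;
GO

-- What the application does after connecting. The cookie lets it drop the role again
-- (e.g. before returning a pooled connection).
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole @rolename      = N'sales_approle',
                       @password      = N'<long random secret held by the application>',
                       @fCreateCookie = 1,
                       @cookie        = @cookie OUTPUT;
SELECT USER_NAME() AS effective_user;   -- the application role while it is active
EXEC sys.sp_unsetapprole @cookie;
SELECT USER_NAME() AS effective_user;   -- the original user again
GO

-- Check: who holds which role, nested memberships included.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
```

Run the final query with an eye on db_owner: a user-defined role that is itself a member of db_owner inherits everything, however granular its own grants look.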
Client Connection Strings 
• Windows Authentication is best: no secret in the string 
• Not always possible 
• Take extra care to secure connection strings that carry a SQL login 
• Watch out for plain text! 
• Often in configuration files 
• Web.config: protect the connectionStrings section (for example with aspnet_regiis -pe) and keep it out of source control 
Endpoints 
• A service that listens natively for requests (TSQL, Service Broker, database mirroring, SOAP) 
• Once created & defined 
• CONNECT can be granted, revoked & denied 
• to logins and server roles (endpoint permissions are server-level securables) 
• Can be used to restrict application access 
• Deny connectivity to the default TCP endpoint 
• Grant connectivity through the application endpoint only 
• Caveat: when a new TSQL endpoint is created, the public role loses its CONNECT permission 
on the default TCP endpoint; re-grant it explicitly or every login not granted individually is locked out
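A dedicated TSQL endpoint for the application tier, with the public-role caveat handled, as an added example that is not part of the original deck. The endpoint name, port 1500 and the login app_login are assumptions.

```sql
-- Added example (not from the original deck). Endpoint name, port and login are assumptions.
USE master;
GO

-- 1. A second TSQL endpoint on its own port, reserved for the application tier.
CREATE ENDPOINT AppEndpoint
    STATE = STARTED
    AS TCP (LISTENER_PORT = 1500, LISTENER_IP = ALL)
    FOR TSQL ();
GO

-- 2. Creating a TSQL endpoint revokes CONNECT on the default TCP endpoint from public.
--    Give it back, otherwise every login without an explicit grant is locked out.
GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO [public];

-- 3. The application login may use only the dedicated endpoint. CONNECT on a new
--    endpoint is not granted to public, so nobody else can use port 1500.
DENY  CONNECT ON ENDPOINT::[TSQL Default TCP] TO [app_login];
GRANT CONNECT ON ENDPOINT::AppEndpoint          TO [app_login];
GO

-- Check: CONNECT permissions per endpoint and principal (class 105 = ENDPOINT).
SELECT e.name AS endpoint_name, e.type_desc, e.state_desc,
       sp.name AS grantee, p.state_desc AS permission_state
FROM sys.endpoints e
JOIN sys.server_permissions p ON p.class = 105 AND p.major_id = e.endpoint_id
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name = N'CONNECT'
ORDER BY e.name, sp.name;

-- Check: which endpoint and port each live session actually came in on.
SELECT s.session_id, s.login_name, c.local_tcp_port, e.name AS endpoint_name
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
JOIN sys.endpoints e           ON e.endpoint_id = c.endpoint_id;
```

Pair the endpoint split with a host firewall rule that opens port 1500 to the application servers only; the endpoint permission controls who may connect, the firewall controls from where.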
SQL Password Security 
• SQL Server Authentication 
• Exposed to brute-force attacks; enforce CHECK_POLICY and CHECK_EXPIRATION so Windows password policy and lockout apply 
• Windows Authentication 
• Kerberos 
• Authenticated by a Windows Active Directory domain controller (a correct SPN is needed, otherwise it falls back to NTLM) 
• SQL Azure 
• No sa account 
• No Windows Authentication 
Contained Databases 
• New in 2012 (partial containment) 
• Quickly and easily moved between instances 
• User information is stored in the database itself 
• No login record in master 
• Some problems 
• db_owner can create contained users, so a database owner can mint credentials that authenticate at the instance 
• Guest accounts enabled in other databases are a risk: contained users can reach those databases through guest 
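Setting up a contained database and checking the two risks the slide names, as an added example that is not part of the original deck. The databases PortableApp and OtherAppDb and the user app_user are assumptions; the checks read catalog views only.

```sql
-- Added example (not from the original deck). Database and user names are assumptions.
-- Instance-level switch: without it contained users cannot authenticate at all.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
CREATE DATABASE PortableApp CONTAINMENT = PARTIAL;
GO
USE PortableApp;
GO
-- A contained user: authenticated by this database, no login in master, so the
-- database can be restored elsewhere and the user travels with it.
CREATE USER app_user WITH PASSWORD = N'<long random password>';
GO

-- Check 1: which databases on the instance are contained.
SELECT name, containment_desc FROM sys.databases WHERE containment <> 0;

-- Check 2: contained users in this database (authentication happens here, not in master).
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type_desc = N'DATABASE';

-- Risk 1: every member of db_owner can create more contained users at will.
SELECT m.name AS db_owner_member, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
GO

-- Risk 2: a contained user can enter any other database whose guest user has CONNECT.
-- Run this in each user database (never revoke guest in master, msdb or tempdb).
USE OtherAppDb;
GO
IF EXISTS (SELECT 1
           FROM sys.database_principals dp
           JOIN sys.database_permissions p ON p.grantee_principal_id = dp.principal_id
           WHERE dp.name = N'guest' AND p.permission_name = N'CONNECT' AND p.state = 'G')
    REVOKE CONNECT FROM guest;
GO
```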
003* Backup & Restore
Backup 
• Don't just overwrite the prior backup 
• If the current backup fails, no good file is available 
• Clean up old backup files on a schedule instead 
• Backup passwords were only a base level of protection 
• They prevented an accidental restore, not a determined attacker 
• Deprecated earlier and discontinued in SQL Server 2012 
• Don't forget the keys and certificates 
• Data will be lost if the keys are not available at restore time 
New Backup Options 
• SQL Server Backup to URL (Azure Blob storage) 
• 2012 (SP1 CU2) – T-SQL, PowerShell & SMO only 
• 2014 – SSMS as well 
• SQL Server Managed Backup to Azure 
• 2014 – backup to Azure storage only 
• Database and instance level 
• Recommended for SQL Server on Azure VMs 
Backup Encryption 
• New for 2014 
• Encrypts while backing up (AES 128/192/256 or Triple DES) 
• Requires a Database Master Key in master 
• Encryptor: a certificate 
• or an asymmetric key, EKM-resident only 
• If using TDE, use different certificates or keys for backups 
• Separate keys limit the damage when one is lost or rotated 
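Encrypted backup end to end, including the certificate backup that has to happen first, as an added example that is not part of the original deck. The certificate BackupCert_2014, the database SalesDB and the file paths are assumptions.

```sql
-- Added example (not from the original deck). Certificate, database and path names are assumptions.
USE master;
GO
-- Backup encryption needs a database master key in master to protect the certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
GO
-- A certificate dedicated to backups, separate from any TDE certificate, so losing or
-- rotating one never affects the other.
CREATE CERTIFICATE BackupCert_2014
    WITH SUBJECT = N'Backup encryption certificate', EXPIRY_DATE = '2034-01-01';
GO
-- Back the certificate and its private key up BEFORE the first encrypted backup.
-- Without this file pair an encrypted backup cannot be restored anywhere else.
BACKUP CERTIFICATE BackupCert_2014
    TO FILE = N'\\keyvault\sqlkeys\BackupCert_2014.cer'
    WITH PRIVATE KEY (FILE = N'\\keyvault\sqlkeys\BackupCert_2014.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
BACKUP DATABASE SalesDB
    TO DISK = N'D:\Backups\SalesDB_full.bak'
    WITH COMPRESSION, CHECKSUM,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert_2014);
GO
-- Check: the header records the algorithm and the thumbprint of the certificate a
-- restore will need (KeyAlgorithm, EncryptorThumbprint, EncryptorType columns).
RESTORE HEADERONLY FROM DISK = N'D:\Backups\SalesDB_full.bak';
GO
-- Restore practice on another instance: import the certificate there first, then restore as usual.
-- CREATE CERTIFICATE BackupCert_2014
--     FROM FILE = N'\\keyvault\sqlkeys\BackupCert_2014.cer'
--     WITH PRIVATE KEY (FILE = N'\\keyvault\sqlkeys\BackupCert_2014.pvk',
--                       DECRYPTION BY PASSWORD = N'<strong private key password>');
-- RESTORE DATABASE SalesDB FROM DISK = N'D:\Backups\SalesDB_full.bak';
```

Compression is still worth enabling here: unlike TDE, backup encryption is applied after compression, so the ratio is unaffected.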
Offsite Storage and Restore 
• Offsite storage 
• Necessary evil 
• Mitigate the risks as much as possible: encrypt the backups and store the keys separately from them 
• Ensure physical security at the facility as well 
• Practice restores 
• A backup is worthless if it can't be restored 
• Determine the time to retrieve files from offsite storage and build it into the recovery time objective 
004* Keys & Certificates
Symmetric Keys 
• Simplest type of key 
• The same key is used to encrypt & decrypt 
• Good performance 
• The key must be present at every location that decrypts, so distributing and storing it is the weak point 
Asymmetric Keys 
• Key pair 
• Public key 
• Private key 
• Stronger protection: the private key never has to be shared 
• More complex & slower 
• Generally unsuitable for bulk encryption & decryption; use it to protect symmetric keys instead 
Certificates 
• An asymmetric key pair wrapped with metadata 
• Public key 
• Identity information of the private key owner 
• Digital signature from a trusted authority to prove that identity 
• Ensure data is encrypted for, and reaches, the intended receiver 
Service Master Key 
• Root of the SQL Server encryption hierarchy; generated automatically at install and protected by Windows DPAPI under the service account 
• Uses AES-256 in 2012 
• Was Triple DES 
• Regenerate after upgrading to 2012 
• to take advantage of the new algorithm 
• Back up the SMK as one of the first tasks on a new instance 
• BACKUP SERVICE MASTER KEY TO FILE = 'path' ENCRYPTION BY PASSWORD = 'password'; 
• RESTORE SERVICE MASTER KEY FROM FILE = 'path to file' DECRYPTION BY PASSWORD = 'password'; 
• Be aware: restore (and regenerate) decrypts and re-encrypts everything under the SMK and is very resource intensive 
Database Master Key 
• Symmetric key 
• Protects the private keys of certificates and asymmetric keys in the database 
• Secured by a password 
• Triple DES algorithm before 2012 
• AES-256 in 2012 
• A second copy, encrypted with the SMK, is kept so the key can be opened without the password 
• Stored in the database as well as in master 
• CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password'; 
• The key must be open before it can be backed up 
• OPEN MASTER KEY DECRYPTION BY PASSWORD = 'password'; 
• BACKUP MASTER KEY TO FILE = 'filename' ENCRYPTION BY PASSWORD = 'password'; 
Extensible Key Management (EKM) 
• Hardware Security Modules (HSM) 
• Store keys on hardware or software modules outside SQL Server 
• More secure, as the keys are separated from the data and stay inside the module 
• Enable third-party EKM/HSM module registration, then register the provider with SQL Server 
• SQL Server can then use the keys for TDE, backup encryption and column encryption 
• Access to 
• Advanced features such as key rotation 
• Centralised key management 
Back Up the Keys 
• Extremely important 
• Back up and store keys offsite, separately from the data backups they protect 
• Practice the restore, including on an instance that has never seen the keys 
• If the keys are lost there is no easy way to retrieve the data 
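A check for keys that exist but have never been backed up, across every online database, as an added example that is not part of the original deck. It reads catalog views only and assumes no object names; service and database master keys carry no backup date in the catalog, so they are listed for a manual check against the key store.

```sql
-- Added example (not from the original deck): inventory of keys with no recorded backup.
-- No object names are assumed; only catalog views are read.
SET NOCOUNT ON;
DECLARE @results TABLE (
    database_name       sysname,
    object_type         sysname,
    object_name         sysname,
    pvt_key_last_backup datetime NULL,
    used_for            nvarchar(60));
DECLARE @db sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND name <> N'tempdb';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        -- Service and database master keys: no backup date exists in the catalog, list for manual check.
        SELECT DB_NAME(), N''MASTER KEY'', name, NULL,
               CASE name WHEN N''##MS_ServiceMasterKey##'' THEN N''root of the hierarchy''
                         ELSE N''protects private keys in this database'' END
        FROM sys.symmetric_keys
        WHERE name IN (N''##MS_ServiceMasterKey##'', N''##MS_DatabaseMasterKey##'')
        UNION ALL
        -- Certificates that own a private key and have never had it backed up.
        SELECT DB_NAME(), N''CERTIFICATE'', c.name, c.pvt_key_last_backup_date,
               CASE WHEN dek.database_id IS NOT NULL THEN N''TDE encryptor''
                    ELSE N''backup/column encryption or signing'' END
        FROM sys.certificates c
        LEFT JOIN sys.dm_database_encryption_keys dek
               ON dek.encryptor_thumbprint = c.thumbprint
        WHERE c.name NOT LIKE N''##MS_%''
          AND c.pvt_key_encryption_type_desc <> N''NO_PRIVATE_KEY''
          AND c.pvt_key_last_backup_date IS NULL;';
    INSERT INTO @results EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Anything listed here is a restore that will fail on the day it is needed.
SELECT * FROM @results
ORDER BY database_name, object_type, object_name;
```

The pvt_key_last_backup_date column is only updated by BACKUP CERTIFICATE ... WITH PRIVATE KEY, so a certificate exported without its private key still shows here, correctly.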
005* Attacks
SQL Injection 
• Adding characters to a SQL query 
• Via a form field or other application front end 
• Modifies what the statement does 
• Usually due to dynamic SQL built by string concatenation in the front-end application 
• Caused by poor coding practices 
• In both application and stored procedure code 
• Simple dynamic SQL statement 
• SELECT * FROM Sales_Hist WHERE OrderID=1256 
• With an injected value: SELECT * FROM Sales_Hist WHERE OrderID=1256; delete from Customers;
SQL Injection 
• Prevent by checking for keywords? 
• Can be bypassed with binary data that SQL Server converts back to text 
• CAST(0x64656C6574652066726F6D20637573746F6D657273 AS varchar(21)) yields 'delete from customers' 
• Don't assume third-party tools are safe 
• Not only a SQL Server issue 
• Why is it still successful? 
• New developers don't know about the problem 
• Short timelines lead to quick deployments 
SQL Injection Prevention 
• Prevent dynamic in-line SQL against the database 
• All database interaction goes through an abstraction layer (stored procedures or a data access layer) 
• Only use dynamic SQL if there is no other option, and then via sp_executesql with parameters 
• Applications should not access tables & views directly 
• All calls to SQL should be parameterized 
• No user input should be trusted 
• ORMs greatly lessen the risk 
• When used properly (raw query APIs reopen the hole) 
• EXECUTE AS 
• Impersonate a lesser-privileged user so that a successful injection has nothing it is allowed to destroy 
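The deck's Sales_Hist / Customers illustration carried through as a vulnerable stored procedure beside its hardened form, as an added example that is not part of the original deck. The table definitions and sample rows are constructed here so the batch runs on an empty test database; the procedure, user and role names are assumptions. The hardened version covers the keyword-filter bypass as well: a typed parameter never reaches the parser as text, and the impersonated user has no rights on the table the payload targets.

```sql
-- Added example (not from the original deck). Procedure, user and role names are assumptions;
-- the tables and rows are constructed to match the deck's illustration.
CREATE TABLE dbo.Sales_Hist (OrderID int PRIMARY KEY, CustomerName nvarchar(100) NOT NULL);
CREATE TABLE dbo.Customers  (CustomerID int PRIMARY KEY, Name nvarchar(100) NOT NULL);
INSERT dbo.Sales_Hist VALUES (1256, N'Contoso'), (1257, N'Fabrikam');
INSERT dbo.Customers  VALUES (1, N'Contoso'), (2, N'Fabrikam');
GO

-- VULNERABLE: caller-supplied text is concatenated into the statement and executed as-is.
CREATE PROCEDURE dbo.GetOrder_Vulnerable @OrderID nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT * FROM dbo.Sales_Hist WHERE OrderID = ' + @OrderID;
    EXEC (@sql);
END
GO
-- Both the deck's payload and its hex-encoded variant run the DELETE, so a keyword
-- filter on "delete" in the application would not have helped:
--   EXEC dbo.GetOrder_Vulnerable N'1256; delete from Customers;';
--   EXEC dbo.GetOrder_Vulnerable N'1256; EXEC(CAST(0x64656C6574652066726F6D20637573746F6D657273 AS varchar(21)));';

-- HARDENED: typed parameter, parameterised dynamic SQL only for the part that is truly
-- dynamic, and execution as a user that cannot touch Customers at all.
CREATE USER order_reader WITHOUT LOGIN;             -- least-privilege impersonation target
GRANT SELECT ON dbo.Sales_Hist TO order_reader;     -- nothing on dbo.Customers
GO
CREATE PROCEDURE dbo.GetOrder_Safe
    @OrderID int,                                   -- 1. typed: '1256; delete ...' fails to convert
    @SortCol sysname = N'OrderID'                   --    a genuinely dynamic part (column name)
WITH EXECUTE AS 'order_reader'                      -- 2. even if injected, no right to delete
AS
BEGIN
    -- 3. whitelist anything that cannot travel as a parameter
    IF @SortCol NOT IN (N'OrderID', N'CustomerName')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT * FROM dbo.Sales_Hist WHERE OrderID = @p_OrderID ORDER BY ' + QUOTENAME(@SortCol);
    -- 4. the value is bound as a parameter, never spliced in as text
    EXEC sys.sp_executesql @sql, N'@p_OrderID int', @p_OrderID = @OrderID;
END
GO

-- Application side: EXECUTE on the procedure only, no table access.
CREATE ROLE app_role;
GRANT EXECUTE ON dbo.GetOrder_Safe TO app_role;
EXEC dbo.GetOrder_Safe @OrderID = 1256, @SortCol = N'CustomerName';

-- Check: the table the payload targeted is intact.
SELECT COUNT(*) AS customers_remaining FROM dbo.Customers;
```

Note what each layer buys: the int parameter stops the classic payload, the whitelist plus QUOTENAME stops the column-name path, and EXECUTE AS turns any remaining mistake into a permissions error instead of a deleted table.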
Brute Force 
• Usually used against passwords 
• Complex passwords are still easy for computers to crack 
• Yet hard for people to remember 
• Easy to download tools to use 
• Try passphrases instead 
• 'I like using at least 5 passphrases!' 
• Disable the sa account 
• ALTER LOGIN [sa] DISABLE; 
• May break old code that still connects as sa 
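Hardening and auditing SQL logins against brute force, as an added example that is not part of the original deck. The renamed sa name and the login app_login are assumptions; PWDCOMPARE and LOGINPROPERTY are built-ins, and the audit needs CONTROL SERVER to read password_hash.

```sql
-- Added example (not from the original deck). Login names are assumptions.
USE master;
GO
-- 1. sa: disable it, and rename it so the well-known name is no longer a valid target.
--    Test first: legacy code that connects as sa breaks at this point.
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [sa] WITH NAME = [svc_legacy_admin_do_not_use];

-- 2. New SQL logins inherit the Windows password policy and lockout threshold when
--    CHECK_POLICY is on, so an online brute force locks the account instead of guessing forever.
CREATE LOGIN app_login WITH PASSWORD = N'I like using at least 5 passphrases!',
     CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- 3. Audit: SQL logins that skip policy, never expire, are locked, or have a guessable password.
--    PWDCOMPARE is the same check an attacker performs offline with a stolen hash; run it first.
SELECT l.name, l.is_disabled, l.is_policy_checked, l.is_expiration_checked,
       CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1         THEN 'BLANK'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1      THEN 'SAME AS LOGIN NAME'
            WHEN PWDCOMPARE(N'password', l.password_hash) = 1
              OR PWDCOMPARE(N'Password1', l.password_hash) = 1 THEN 'DICTIONARY'
            ELSE 'ok' END                              AS weak_password,
       LOGINPROPERTY(l.name, 'IsLocked')               AS is_locked,
       LOGINPROPERTY(l.name, 'BadPasswordCount')       AS bad_password_count,
       LOGINPROPERTY(l.name, 'BadPasswordTime')        AS last_bad_password
FROM sys.sql_logins l
ORDER BY weak_password, l.name;
```

A rising bad_password_count on a login that nobody should be using is the cheapest brute-force detector on the instance; pair it with login-failed auditing in the error log or a server audit.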
Denial of Service 
• Inelegant but effective 
• Goal is to overload the server with requests 
• Usually a web-tier attack, but it lands on SQL Server at the back end 
• Limit the number of concurrent connections 
• sp_configure 'user connections', ###; RECONFIGURE; (the option name is plural; 0 means unlimited) 
• Use the query governor to stop long-running queries before they start 
• The 'query governor cost limit' option rejects queries whose estimated cost exceeds X seconds 
• Resource Governor 
• Define resource pools, workload groups and a classifier function so one workload cannot starve the others 
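The three throttles from the slide in one batch, as an added example that is not part of the original deck. The pool and group names, the 40 percent caps, the login web_app_login and the application name pattern are assumptions; the option names and Resource Governor syntax are documented.

```sql
-- Added example (not from the original deck). Pool, group, login and application names are assumptions.
USE master;
GO
-- 1. Cap concurrent connections (default 0 = unlimited). The cap applies to administrators
--    too, so leave headroom; the DAC still works when the cap is hit.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'user connections', 500;              -- plural: 'user connection' does not exist

-- 2. Refuse any query whose estimated cost exceeds 300 seconds. Server-wide and blunt;
--    estimates can be wrong in both directions.
EXEC sp_configure 'query governor cost limit', 300;
RECONFIGURE;
GO

-- 3. Resource Governor: put the web tier in its own pool so a flood cannot take everything.
CREATE RESOURCE POOL WebPool
    WITH (MIN_CPU_PERCENT = 0,    MAX_CPU_PERCENT = 40,
          MIN_MEMORY_PERCENT = 0, MAX_MEMORY_PERCENT = 40);

CREATE WORKLOAD GROUP WebGroup
    WITH (GROUP_MAX_REQUESTS = 200,                     -- concurrent requests; the rest queue
          REQUEST_MAX_MEMORY_GRANT_PERCENT = 10,
          REQUEST_MAX_CPU_TIME_SEC = 60,                -- raises an event; does not kill the request by itself
          MAX_DOP = 2)
    USING WebPool;
GO

-- The classifier runs for every new session: keep it cheap, it must live in master and be schema-bound.
CREATE FUNCTION dbo.rg_classifier() RETURNS sysname WITH SCHEMABINDING
AS
BEGIN
    IF SUSER_SNAME() = N'web_app_login' OR APP_NAME() LIKE N'WebFrontEnd%'
        RETURN N'WebGroup';
    RETURN N'default';
END
GO
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.rg_classifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO

-- Check: who landed in which group, and whether requests are queuing behind GROUP_MAX_REQUESTS.
SELECT g.name AS workload_group,
       COUNT(s.session_id)          AS sessions,
       MAX(g.active_request_count)  AS active_requests,
       MAX(g.queued_request_count)  AS queued_requests
FROM sys.dm_resource_governor_workload_groups g
LEFT JOIN sys.dm_exec_sessions s ON s.group_id = g.group_id
GROUP BY g.name;
```

Classify on the login, not only on APP_NAME(): the application name is set by the client and anyone who can open a connection can spoof it.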
Dedicated Admin Connection (DAC) 
• DBA 'backdoor' with its own scheduler and listener; TCP port 1434 by default (named instances use a dynamic port, logged in the error log) 
• Must be a member of the sysadmin role; one DAC session per instance 
• SSMS: connect a Database Engine Query window (not Object Explorer) to 
• ADMIN:<instance> 
• sqlcmd 
• -A switch 
• Or prefix admin: to the instance name 
• sqlcmd -S admin:<instance_name> 
• Not enabled for remote connections by default; until you enable it only a local connection is accepted 
• sp_configure 'remote admin connections', 1; RECONFIGURE; 
006* Hashing & Encryption
Encrypting Objects 
• Encrypt the code behind objects 
• WITH ENCRYPTION option on CREATE PROCEDURE, FUNCTION, VIEW and TRIGGER 
• Stored procedures 
• Functions 
• Commonly used when deploying a database to a client 
• Object encryption is obfuscation, not protection: easily reversed over the DAC or with third-party tools 
• You lose the ability to view execution plans, debug, etc. 
Encrypting Data 
• Different options 
• In the application, before data reaches SQL Server 
• In the database 
• In the database 
• Transparent (TDE): minimal to no changes to the front end 
• Cell-level: needs schema and code changes, but only the columns that matter pay the cost 
• CPU load increases either way 
Transparent Data Encryption 
• Encrypts and decrypts pages as they are written to and read from disk 
• Protects backups as well 
• Anyone who can connect sees the data as normal: TDE protects files, not access 
• Increased CPU load 
• Encrypts tempdb as well, once any user database on the instance is encrypted 
Transparent Data Encryption 
• Used with mirroring 
• Both principal and mirror are encrypted; the mirror needs the certificate installed first 
• Data in transport is protected by the mirroring endpoint's own encryption (on by default), not by TDE 
• When used with backup compression 
• Much lower compression ratios, since encrypted pages do not compress 
• Replication does not carry TDE across; it has to be enabled separately on 
• Publisher 
• Subscriber 
• Does not encrypt FILESTREAM data 
• Only data in the database files is encrypted (MDF, LDF, NDF) 
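Enabling TDE with the certificate backed up first, then checking state, tempdb and FILESTREAM exposure, as an added example that is not part of the original deck. The certificate TDECert_SalesDB, the database SalesDB and the file paths are assumptions.

```sql
-- Added example (not from the original deck). Certificate, database and path names are assumptions.
USE master;
GO
-- 1. The DMK in master protects the TDE certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
-- 2. A certificate used only for TDE (keep backup-encryption certificates separate).
CREATE CERTIFICATE TDECert_SalesDB WITH SUBJECT = N'TDE certificate for SalesDB';
-- 3. Back it up now. Neither the database nor any of its backups can be restored
--    elsewhere without this file pair, and no amount of data backups compensates.
BACKUP CERTIFICATE TDECert_SalesDB
    TO FILE = N'\\keyvault\sqlkeys\TDECert_SalesDB.cer'
    WITH PRIVATE KEY (FILE = N'\\keyvault\sqlkeys\TDECert_SalesDB.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
-- 4. The database encryption key lives in the user database, protected by the certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert_SalesDB;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;   -- a background scan encrypts the existing pages
GO

-- Check: encryption state per database (3 = encrypted, 2 = encryption in progress),
-- which certificate protects it, and whether that certificate has ever been backed up.
-- tempdb appears in this list as soon as any user database is encrypted.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state, dek.percent_complete,
       dek.key_algorithm, dek.key_length,
       c.name AS certificate_name, c.pvt_key_last_backup_date
FROM sys.dm_database_encryption_keys dek
LEFT JOIN master.sys.certificates c ON c.thumbprint = dek.encryptor_thumbprint;

-- Check: FILESTREAM filegroups sit outside TDE's scope and need protection at the OS level.
SELECT DB_NAME() AS database_name, name AS filegroup_name
FROM sys.filegroups
WHERE type = 'FD';
```

Before mirroring or restoring this database on a second instance, create the certificate there from the .cer/.pvk pair (under that instance's own DMK); the restore fails with a "cannot find server certificate with thumbprint" error otherwise.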
Hashing and Encryption 
                 Hashing          Encryption 
Purpose          Mask values      Secure values 
Reversible       No               Yes 
Indexes          Yes              No 
Keys required    No               Yes 
CPU load         Lower            Higher 
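Cell-level encryption and salted hashing side by side, serving both the "Encrypting data / In the database" slide and the table above, as an added example that is not part of the original deck. The table, certificate and key names are assumptions and the sample row is constructed; the key chain is the deck's own hierarchy (database master key, then certificate, then symmetric key).

```sql
-- Added example (not from the original deck). Table, key and certificate names are assumptions;
-- the sample row is constructed.
CREATE TABLE dbo.CustomerSecrets (
    CustomerID    int            PRIMARY KEY,
    PasswordSalt  binary(16)     NOT NULL,
    PasswordHash  binary(32)     NOT NULL,   -- hashing: one-way, fixed size, indexable
    CardNumberEnc varbinary(256) NOT NULL,   -- encryption: reversible with the key, not indexable
    CardLast4     char(4)        NOT NULL    -- the searchable remnant kept in clear for lookups
);
GO
-- Key hierarchy: DMK (password) -> certificate -> symmetric key that encrypts the data.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = N'Protects the card data key';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;
GO

-- Insert: hash the password with a per-row random salt; encrypt the card number with an
-- authenticator bound to the row so a ciphertext cannot be copied onto another customer.
DECLARE @salt binary(16)   = CRYPT_GEN_RANDOM(16);
DECLARE @card nvarchar(19) = N'4111111111111111';
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.CustomerSecrets (CustomerID, PasswordSalt, PasswordHash, CardNumberEnc, CardLast4)
VALUES (1, @salt,
        HASHBYTES('SHA2_256', @salt + CAST(N'correct horse battery staple' AS varbinary(512))),
        EncryptByKey(Key_GUID('CardKey'), @card, 1, CAST(1 AS sysname)),
        RIGHT(@card, 4));
CLOSE SYMMETRIC KEY CardKey;
GO

-- Verify a password: recompute and compare. Nothing is decrypted because nothing can be.
DECLARE @attempt nvarchar(100) = N'correct horse battery staple';
SELECT CustomerID,
       CASE WHEN PasswordHash = HASHBYTES('SHA2_256', PasswordSalt + CAST(@attempt AS varbinary(512)))
            THEN 'match' ELSE 'no match' END AS password_check
FROM dbo.CustomerSecrets
WHERE CustomerID = 1;

-- Read the card number back: the key must be open, which needs VIEW DEFINITION on the key
-- and CONTROL on the certificate. Anyone without those gets NULL from DecryptByKey.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CustomerID, CardLast4,
       CAST(DecryptByKey(CardNumberEnc, 1, CAST(CustomerID AS sysname)) AS nvarchar(19)) AS card_number
FROM dbo.CustomerSecrets;
CLOSE SYMMETRIC KEY CardKey;
GO
```

The two columns illustrate the table's rows directly: the hash is deterministic for a given salt and can be indexed, while EncryptByKey produces a different ciphertext every call, so equality searches on CardNumberEnc are impossible and the CardLast4 column exists for that reason.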
007* Contact
@CBellDBA 
www.linkedin.com/in/chrisbellwaterox/ 
Chris@WaterOxConsulting.com 
Rate this session or me: 
http://speakerrate.com/speakers/136671-wateroxconsulting
References 
• Securing SQL Server Second Edition 
• Denny Cherry 
• Microsoft SQL Server 2012 Security Cookbook 
• Rudi Bruchez 
• MSDN / BOL 
• Personal Experience 
* All images are copyright of their owners and are used strictly in an educational manner

Editor's Notes

  • #5 (Service Accounts): One account: easiest approach, weakest technique; if any one server is compromised the attacker has access to all of them; the account is usually placed in the sysadmin fixed server role; maintenance is light (less to change) but every SQL Server must be restarted when the password changes. One per server: a more secure technique with additional administrative effort to manage usernames and passwords; not all servers restart at once, so work in smaller batches. One per service: most administrative overhead (3-10 accounts for each SQL Server instance), most secure, suited to large enterprises; lots of accounts to maintain, with changes made in small batches.
  • #8 (OS Rights): Replace a process-level token lets one service start another. Adjust memory quotas for a process changes the maximum memory that a process may consume.
  • #10 (Server Roles), the pre-configured fixed server roles:
    sysadmin: members can perform any activity in the server.
    serveradmin: members can change server-wide configuration options and shut down the server.
    securityadmin: members manage logins and their properties; they can GRANT, DENY and REVOKE server-level permissions, and database-level permissions if they have access to a database; they can also reset passwords for SQL Server logins. Security note: the ability to grant access to the Database Engine and to configure user permissions allows a security admin to assign most server permissions, so the securityadmin role should be treated as equivalent to sysadmin.
    processadmin: members can end processes that are running in an instance of SQL Server.
    setupadmin: members can add and remove linked servers using Transact-SQL statements (sysadmin membership is needed to do so in Management Studio).
    bulkadmin: members can run the BULK INSERT statement.
    diskadmin: used for managing disk files.
    dbcreator: members can create, alter, drop and restore any database.
    public: every SQL Server login belongs to public. When a server principal has not been granted or denied specific permissions on a securable object, it inherits the permissions granted to public on that object. Only assign public permissions on an object when you want it available to all users. Membership in public cannot be changed.
  • #11 (Database Roles), the fixed database roles:
    db_owner: members can perform all configuration and maintenance activities on the database, and can also drop it.
    db_securityadmin: members can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
    db_accessadmin: members can add or remove access to the database for Windows logins, Windows groups and SQL Server logins.
    db_backupoperator: members can back up the database.
    db_ddladmin: members can run any Data Definition Language (DDL) command in the database.
    db_datawriter: members can add, delete or change data in all user tables.
    db_datareader: members can read all data from all user tables.
    db_denydatawriter: members cannot add, modify or delete any data in the user tables.
    db_denydatareader: members cannot read any data in the user tables.
  • #14 (Endpoints): Database mirroring endpoint: specify the mirroring role and whether encryption is enabled. Service Broker endpoint: message forwarding, the maximum number of connections allowed, and the authentication mode. SOAP (Simple Object Access Protocol) endpoint: various properties to set; the ADD property specifies the SOAP payload methods (stored procedures and functions) made available to clients.
  • #15 (SQL Password Security): Strong, secure passwords for SQL Server logins. SQL Azure has no sa account.
  • #42 (Hashing and Encryption): Hashing is a one-way technique that masks data; typical for passwords or payment information; non-reversible; deterministic; its security depends on the algorithm used, and 2012 added the SHA-2 algorithms for better security. Encryption offers several algorithms, where stronger means more CPU; it is reversible and non-deterministic (the same plaintext yields a different ciphertext each time); decryption needs the correct key or returns NULL; the same applies when entering data into the database; stronger levels require more CPU.