Security & Auditing on SQL Server 2008 R2
Transcript of Security & Auditing on SQL Server 2008 R2

Antonios Chatzipavlis
Software Architect Evangelist, IT Consultant
MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS, MCAD, MCP, OCA
MVP on SQL Server

Objectives
• Overview of SQL Server Security
• Protecting the Server Scope
• Protecting the Database Scope
• Managing Keys and Certificates
• Auditing Security

Overview of SQL Server Security
• SQL Server Security Framework
• What Are Principals?
• What Are Securables?
• SQL Server Permissions

SQL Server Security Framework

What Are Principals?
• Windows principals: Domain User Account, Local User Account, Windows Group
• SQL Server principals: SQL Server Login, Server Role
• Database principals: User, Database Role, Application Role
Principals are granted permissions on securables.

What Are Securables?
• Windows securables: Files, Registry Keys
• SQL Server securables, nested by scope: Server, Database, Schema
• The same principals as on the previous slide (Windows accounts and groups, SQL Server logins and server roles, database users, database roles and application roles) hold permissions on these securables

SQL Server Permissions
• Server-Level Permissions
  • Logins
  • Credentials
  • Server-Level Roles
• Database-Level Permissions
  • Users
  • Schemas
  • Database-Level Roles

Protecting the Server Scope
• What Are SQL Server Authentication Methods?
• Password Policies
• Server-Level Roles
• Managing SQL Server Logins
• Server-Scope Permissions

What Are SQL Server Authentication Methods?
• Windows Authentication
• Mixed SQL and Windows Authentication

Password Policies
SQL Server can leverage the Windows Server 2003/2008 password policy mechanism (Group Policy Object, GPO).
SQL Server can manage:
• Password complexity
• Password expiration
• Policy enforcement

Server-Level Roles

| Role | Description |
| --- | --- |
| sysadmin | Perform any activity |
| dbcreator | Create and alter databases |
| diskadmin | Manage disk files |
| serveradmin | Configure server-wide settings |
| securityadmin | Manage and audit server logins |
| processadmin | Manage SQL Server processes |
| bulkadmin | Run the BULK INSERT statement |
| setupadmin | Configure replication and linked servers |

Managing SQL Server Logins
Syntax:
```sql
CREATE LOGIN login_name
    { WITH SQL_login_options | FROM WINDOWS [ WITH windows_login_options ] }
```
Examples:
```sql
CREATE LOGIN [SERVERX\SalesDBUsers] FROM WINDOWS
    WITH DEFAULT_DATABASE = AdventureWorks2008;

CREATE LOGIN Alice WITH PASSWORD = 'Pa$$w0rd';
```
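The two slides above (Password Policies and Managing SQL Server Logins) leave out the options that actually tie a SQL login to the Windows policy. The following added example, which is not part of the deck, creates a SQL login with policy and expiration checks switched on and then lists every SQL login that bypasses them. The login name and password are constructed placeholders.

```sql
-- Added example (not from the original deck): a SQL login that is subject to
-- the Windows password policy, followed by a review of all SQL logins.
-- Login name and password are constructed placeholders.
USE master;
GO

CREATE LOGIN ReportReader
    WITH PASSWORD = '<ReplaceWithAStrongPassword!2010>' MUST_CHANGE,  -- must change at first connection
         CHECK_POLICY = ON,        -- enforce the Windows complexity/lockout policy
         CHECK_EXPIRATION = ON,    -- enforce the Windows expiration policy (required by MUST_CHANGE)
         DEFAULT_DATABASE = AdventureWorks2008;
GO

-- Every SQL login, flagging the ones created with CHECK_POLICY or
-- CHECK_EXPIRATION switched off (the setting survives until someone fixes it).
SELECT  name,
        is_policy_checked,
        is_expiration_checked,
        is_disabled,
        LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
        CASE WHEN is_policy_checked = 0 OR is_expiration_checked = 0
             THEN 'REVIEW' ELSE 'OK' END           AS finding
FROM    sys.sql_logins
WHERE   name NOT LIKE '##%'                        -- skip the internal certificate-based logins
ORDER BY finding DESC, name;
```

A login created with CHECK_POLICY = OFF is never re-checked later, which is why the review query matters more than the CREATE statement: it is the only way to see which accounts were quietly excluded from the policy.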

Server-Scope Permissions
Server permissions (granted at the server level, from master):
```sql
USE master;
GRANT ALTER ANY DATABASE TO [AdventureWorks2008\Holly];
```
Server-scope securable permissions (granted on one specific server securable, here a login):
```sql
USE master;
GRANT ALTER ON LOGIN :: AWWebApp TO [AdventureWorks2008\Holly];
```
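Both the fixed server roles from the Server-Level Roles slide and the explicit grants from this slide end up in the catalog views, and that is where an auditor looks. The following added example, which is not part of the deck, lists who holds server-level authority through either path. The login name in the commented-out removal is a placeholder.

```sql
-- Added example (not from the original deck): review server-level authority
-- held through fixed server roles and through explicit server-scope grants.
USE master;
GO

-- 1. Fixed server role membership, sysadmin listed first.
SELECT  r.name        AS server_role,
        m.name        AS member_login,
        m.type_desc   AS member_type,
        m.is_disabled
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
ORDER BY CASE WHEN r.name = 'sysadmin' THEN 0 ELSE 1 END, r.name, m.name;

-- 2. Explicit server-scope grants. Both GRANT statements shown on this slide
--    appear here; the CONNECT SQL every login receives is filtered out.
SELECT  p.state_desc,
        p.permission_name,
        p.class_desc,                                   -- SERVER, ENDPOINT or SERVER_PRINCIPAL
        COALESCE(t.name, '(server)') AS securable,      -- the target login when class is SERVER_PRINCIPAL
        g.name                       AS grantee
FROM    sys.server_permissions p
JOIN    sys.server_principals g ON g.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals t
       ON p.class_desc = 'SERVER_PRINCIPAL' AND t.principal_id = p.major_id
WHERE   p.permission_name <> 'CONNECT SQL'
ORDER BY g.name, p.permission_name;

-- 3. Removing a member that should not be in sysadmin (SQL Server 2008 R2
--    still uses the stored procedure; ALTER SERVER ROLE arrives in 2012).
--    The login name is a placeholder.
-- EXEC sp_dropsrvrolemember @loginame = N'DOMAIN\SomeLogin', @rolename = N'sysadmin';
```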

Protecting the Database Scope
• What Are Database Roles?
• What Are Application Roles?
• Managing Users
• Special Users
• Database-Scope Permissions
• Schema-Scope Permissions

What Are Database Roles?
• Database-level roles
• Application-level roles
• Users

What Are Application Roles?
1. The user runs the application
2. The application connects to the database as the user
3. The application authenticates using sp_setapprole
4. The application assumes the application role
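The four-step flow above is easiest to see as the statements the application actually sends. The following added example, which is not part of the deck, defines an application role, grants permissions to the role rather than to the user, and shows the sp_setapprole / sp_unsetapprole exchange with a cookie so the connection can be returned to its original context. The role name, password and the Sales tables are assumptions (AdventureWorks2008 ships a Sales schema; the password is a placeholder).

```sql
-- Added example (not from the original deck): an application role and the
-- sp_setapprole / sp_unsetapprole exchange an application performs.
-- Role name and password are constructed placeholders.
USE AdventureWorks2008;
GO

CREATE APPLICATION ROLE SalesApp
    WITH PASSWORD = '<ReplaceWithAStrongPassword!2010>',
         DEFAULT_SCHEMA = Sales;
GO

-- Permissions go to the role. The connecting user needs nothing beyond CONNECT.
GRANT SELECT ON SCHEMA :: Sales TO SalesApp;
GO

-- What the application runs after connecting as an ordinary user.
-- @fCreateCookie = true returns a cookie that allows the connection to drop
-- back to its original security context, which matters for pooled connections.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole
        @rolename      = 'SalesApp',
        @password      = '<ReplaceWithAStrongPassword!2010>',
        @encrypt       = 'none',
        @fCreateCookie = true,
        @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS current_user_name;     -- the session now runs as SalesApp

-- Application work happens here with the role's permissions only.
SELECT TOP (5) SalesOrderID, OrderDate
FROM   Sales.SalesOrderHeader;

-- Leave the role before the connection goes back to the pool.
EXEC sp_unsetapprole @cookie;
SELECT USER_NAME() AS current_user_name;     -- back to the user mapped to the login
```

Because the role password travels from the application to the server, @encrypt = 'none' is only acceptable on a connection that is already protected (for example by SSL); the deck's "encrypt data or connections" use of certificates is the matching control.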

Managing Users
Steps to manage users:
• Create a login
• Create a database-scope user
• Assign permissions to the user
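The three steps above, carried through end to end as an added example that is not part of the deck. It assumes a Windows account SERVERX\Holly exists, uses AdventureWorks2008's Sales and HumanResources schemas, and finishes with a permission check performed as that user without needing the user's credentials. Role and user names are constructed.

```sql
-- Added example (not from the original deck): create login, create user,
-- assign permissions, then verify. Login/user/role names are constructed.
USE master;
GO
-- Step 1: a login. A Windows login has no password for SQL Server to manage.
CREATE LOGIN [SERVERX\Holly] FROM WINDOWS
    WITH DEFAULT_DATABASE = AdventureWorks2008;
GO

USE AdventureWorks2008;
GO
-- Step 2: a database-scope user mapped to that login.
CREATE USER Holly FOR LOGIN [SERVERX\Holly]
    WITH DEFAULT_SCHEMA = Sales;
GO

-- Step 3: permissions. Grant to a role and add the user to it, so the
-- permission set can be reviewed in one place and outlives any single user.
CREATE ROLE SalesReaders;
GRANT SELECT ON SCHEMA :: Sales TO SalesReaders;
DENY  SELECT ON OBJECT :: Sales.CreditCard TO SalesReaders;   -- a DENY on the object wins over the schema GRANT
EXEC sp_addrolemember @rolename = 'SalesReaders', @membername = 'Holly';
GO

-- Verify from the user's point of view by impersonating the database user.
EXECUTE AS USER = 'Holly';
SELECT HAS_PERMS_BY_NAME('Sales.SalesOrderHeader',  'OBJECT', 'SELECT') AS can_read_orders,     -- covered by the schema GRANT
       HAS_PERMS_BY_NAME('Sales.CreditCard',        'OBJECT', 'SELECT') AS can_read_cards,      -- blocked by the DENY
       HAS_PERMS_BY_NAME('HumanResources.Employee', 'OBJECT', 'SELECT') AS can_read_employees;  -- no grant at all
REVERT;
```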

Special Users
• dbo: the sa login and members of the sysadmin role are mapped to the dbo user
• guest: this user account allows logins without a user account to access a database

Database-Scope Permissions
Database permissions:
```sql
USE AdventureWorks2008;
GRANT ALTER ANY USER TO HRManager;
```
Database-scope securable permissions (granted on one specific database securable, here a schema):
```sql
USE AdventureWorks2008;
GRANT SELECT ON SCHEMA :: Sales TO SalesUser;
```

Schema-Scope Permissions
User-defined type permissions:
```sql
USE AdventureWorks2008;
GRANT EXECUTE ON TYPE :: Person.addressType TO SalesUser;
```
All other schema-scope permissions:
```sql
USE AdventureWorks2008;
GRANT SELECT ON Sales.Order TO SalesUser;
```
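The Special Users slide and the two permission slides above describe what a database can expose; the following added example, which is not part of the deck, takes stock of it. It checks whether guest can connect (and closes that door, which is appropriate for a user database but not for master, tempdb or msdb), then lists every explicit GRANT and DENY at database, schema, object and type scope with the securable resolved to a readable name. The database name is the slides' own.

```sql
-- Added example (not from the original deck): inventory what this database
-- exposes: the guest user, then every explicit database-level permission.
USE AdventureWorks2008;
GO

-- 1. guest: any login without its own user gets in if guest holds CONNECT.
SELECT  DB_NAME() AS database_name,
        CASE WHEN EXISTS (SELECT 1
                          FROM sys.database_permissions dp
                          JOIN sys.database_principals pr
                                ON pr.principal_id = dp.grantee_principal_id
                          WHERE pr.name = 'guest'
                            AND dp.permission_name = 'CONNECT'
                            AND dp.state = 'G')
             THEN 'guest ENABLED - review' ELSE 'guest disabled' END AS guest_status;

-- Close it in a user database that does not need it (never in master/tempdb/msdb).
REVOKE CONNECT FROM guest;
GO

-- 2. Every explicit permission, resolved to a readable securable name.
SELECT  pr.name          AS principal_name,
        pr.type_desc     AS principal_type,
        dp.state_desc    AS state,          -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        dp.permission_name,
        dp.class_desc    AS scope,          -- DATABASE, SCHEMA, OBJECT_OR_COLUMN, TYPE, ...
        CASE dp.class_desc
            WHEN 'DATABASE'         THEN DB_NAME()
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(dp.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN QUOTENAME(OBJECT_SCHEMA_NAME(dp.major_id))
                                         + '.' + QUOTENAME(OBJECT_NAME(dp.major_id))
            WHEN 'TYPE'             THEN TYPE_NAME(dp.major_id)
            ELSE CONVERT(varchar(10), dp.major_id)
        END              AS securable,
        CASE WHEN dp.class_desc = 'OBJECT_OR_COLUMN' AND dp.minor_id > 0
             THEN COL_NAME(dp.major_id, dp.minor_id) END AS column_name
FROM    sys.database_permissions dp
JOIN    sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
ORDER BY pr.name, scope, securable, dp.permission_name;
```

Rows granted to public deserve the same attention as rows granted to a named user: every database principal is a member of public, so a grant there is a grant to everyone who can connect.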

Managing Keys and Certificates
• What Are Keys?
• What Are Certificates?
• SQL Server Cryptography Architecture
• When to Use Keys and Certificates
• Transparent Data Encryption

What Are Keys?
• Symmetric: the same key is used to encrypt and decrypt
• Asymmetric: a pair of values, a public key and a private key; one encrypts, the other decrypts

What Are Certificates?
• A certificate associates a public key with the entity that holds that key
• Contents:
  • The public key of the subject
  • The identifier information of the subject
  • The validity period
  • Issuer identifier information
  • The digital signature of the issuer

SQL Server Cryptography Architecture

When to Use Keys and Certificates
• When to use certificates:
  • To secure communication in database mirroring
  • To sign packets
  • To encrypt data or connections
• When to use keys:
  • To help secure data
  • To sign plaintext
  • To secure symmetric keys
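The bullets above ("to help secure data", "to secure symmetric keys") describe a hierarchy: a certificate protects a symmetric key, and the symmetric key protects the data. The following added example, which is not part of the deck, builds that hierarchy for column-level encryption in AdventureWorks2008. The certificate, key, table and the sample card number are constructed; it assumes the database does not yet have a master key.

```sql
-- Added example (not from the original deck): certificate -> symmetric key
-- -> data, used for column-level encryption. Names and data are constructed.
USE AdventureWorks2008;
GO

-- Root of the database's key hierarchy; one per database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<ReplaceWithAStrongPassword!2010>';
-- The certificate is the asymmetric part: it secures the symmetric key.
CREATE CERTIFICATE CardDataCert WITH SUBJECT = 'Protects the card data key';
-- The symmetric key does the bulk work; AES is far cheaper than RSA per row.
CREATE SYMMETRIC KEY CardDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardDataCert;
GO

CREATE TABLE dbo.CardVault
(
    CustomerID    int            NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL      -- ciphertext only; plaintext is never stored
);
GO

-- Encrypt. The key must be opened in the session; the authenticator ties the
-- ciphertext to its row so a value cannot be copied onto another customer.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
INSERT INTO dbo.CardVault (CustomerID, CardNumberEnc)
VALUES (29825,
        EncryptByKey(Key_GUID('CardDataKey'),
                     N'4111111111111111',                  -- constructed sample value
                     1, CONVERT(varbinary, 29825)));
CLOSE SYMMETRIC KEY CardDataKey;
GO

-- Decrypt. Opening the key requires CONTROL on the certificate; a principal
-- without it cannot open the key, and DecryptByKey then returns NULL.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
SELECT CustomerID,
       CONVERT(nvarchar(20),
               DecryptByKey(CardNumberEnc, 1, CONVERT(varbinary, CustomerID))) AS CardNumber
FROM   dbo.CardVault;
CLOSE SYMMETRIC KEY CardDataKey;
```

The protection therefore reduces to who holds CONTROL on CardDataCert, which is a permission you can review with the same catalog queries used for any other securable.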

Transparent Data Encryption
Transparent data encryption performs real-time I/O encryption and decryption of the data and log files.
Steps to use Transparent Data Encryption:
• Create a master key
• Create or obtain a certificate protected by the master key
• Create a database encryption key and protect it by the certificate
• Set the database to use encryption

Demo: Transparent data encryption

Transparent Database Encryption: More Benefits
• Entire database is protected
• Applications do not need to explicitly encrypt/decrypt data!
• No restrictions with indexes or data types (except FILESTREAM)
• Performance cost is small
• Backups are unusable without key
• Can be used with Extensible Key Management

Transparent Data Encryption: Mechanism
• Very simple:
  • Database pages are encrypted before being written to disk
  • Page protection (e.g. checksums) applied after encryption
  • Page protection (e.g. checksums) checked before decryption
  • Database pages are decrypted when read into memory
• When TDE is enabled, initial encryption of existing pages happens as a background process
• Similar mechanism for disabling TDE
• The process can be monitored using the encryption_state column of sys.dm_database_encryption_keys
  • Encryption state 2 means the background process has not completed
  • Encryption state 3 means the database is fully encrypted

Transparent Data Encryption: Enabling
• Create a master key (in master):
```sql
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPwdHere>';
```
• Create or obtain a certificate protected by the master key (also in master):
```sql
CREATE CERTIFICATE MyDEKCert WITH SUBJECT = 'My DEK Certificate';
```
• Create a database encryption key and protect it by the certificate (in the database to be encrypted):
```sql
USE MyDatabase;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE MyDEKCert;
```
• Set the database to use encryption:
```sql
ALTER DATABASE MyDatabase SET ENCRYPTION ON;
```

Transparent Data Encryption: Backups
• A backup of a TDE-encrypted database is also encrypted using the database encryption key
• To restore the backup OR attach the database, the DEK must be available!
• There is no way around this: if you lose the DEK, you lose the ability to restore the backup (that's the point!)
• Maintain backups of server certificates too
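Two things the Mechanism and Backups slides ask for, monitoring the background encryption scan and keeping a backup of the server certificate, as an added example that is not part of the deck. It uses the certificate name MyDEKCert from the Enabling slide; the file paths and password are placeholders.

```sql
-- Added example (not from the original deck): monitor TDE progress, then
-- back up the certificate that protects the DEK. Paths/password are placeholders.
USE master;
GO

-- 1. Encryption progress per database. States 2 and 3 are the ones the
--    Mechanism slide names; the others are listed for completeness.
SELECT  DB_NAME(k.database_id) AS database_name,
        k.encryption_state,
        CASE k.encryption_state
            WHEN 0 THEN 'no DEK present'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
        END                    AS state_description,
        k.percent_complete,    -- 0 once the background scan has finished
        k.key_algorithm,
        k.key_length,
        c.name                 AS protecting_certificate,
        c.expiry_date          -- an expired certificate still works, but plan the rotation
FROM    sys.dm_database_encryption_keys k
LEFT JOIN sys.certificates c ON c.thumbprint = k.encryptor_thumbprint;

-- 2. Back up the certificate with its private key. Store these two files and
--    the password somewhere the database backups are not.
BACKUP CERTIFICATE MyDEKCert
    TO FILE = 'C:\SecureOffline\MyDEKCert.cer'
    WITH PRIVATE KEY
    (
        FILE = 'C:\SecureOffline\MyDEKCert.pvk',
        ENCRYPTION BY PASSWORD = '<ReplaceWithAStrongPassword!2010>'
    );
GO

-- 3. On the server that will restore the backup: recreate the certificate
--    from those files first (that server needs its own master key in master),
--    and only then run RESTORE DATABASE.
-- CREATE CERTIFICATE MyDEKCert
--     FROM FILE = 'C:\SecureOffline\MyDEKCert.cer'
--     WITH PRIVATE KEY
--     (
--         FILE = 'C:\SecureOffline\MyDEKCert.pvk',
--         DECRYPTION BY PASSWORD = '<ReplaceWithAStrongPassword!2010>'
--     );
```

tempdb shows up in the first query as encrypted as soon as any user database is, which is expected rather than a sign of misconfiguration.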

Transparent Data Encryption: Tools Support
• Database | Tasks | Manage Database Encryption

Auditing Security
• What Is Auditing?
• Security Auditing with Profiler
• Auditing with DDL Triggers
• Introducing SQL Server Audit
• SQL Server Audit Action Groups and Actions

What Is Auditing?
• What is auditing?
• What auditing options are available in SQL Server?
• Have you ever had to audit SQL Server?
• If so, how did you do it?
• If not, what do you think is the best use of auditing?

Security Auditing with Profiler
• Using SQL Server Profiler, you can do the following:
  • Create a trace that is based on a reusable template
  • Watch the trace results as the trace runs
  • Store the trace results in a table
  • Start, stop, pause and modify the trace results
  • Replay the trace results

Auditing with DDL Triggers
• Use DDL triggers when you want to do the following:
  • Prevent certain changes in your database schema
  • You want something to occur in the database in response to a change in your database schema
  • You want to record changes or events in the database schema
  • Start, stop, pause and modify the trace results
  • Replay the trace results
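A single database-scoped DDL trigger can do the first and third jobs on the slide at once: record every schema change and prevent the ones you do not want. The following added example, which is not part of the deck, logs each DDL event from EVENTDATA() and blocks DROP TABLE outside a 02:00 to 04:00 maintenance window. The log table, trigger name and window are constructed.

```sql
-- Added example (not from the original deck): a DDL trigger that records every
-- schema change and blocks DROP TABLE outside a maintenance window.
-- Table, trigger and window are constructed.
USE AdventureWorks2008;
GO

CREATE TABLE dbo.SchemaChangeLog
(
    LogID       int IDENTITY PRIMARY KEY,
    EventTime   datetime2     NOT NULL DEFAULT SYSDATETIME(),
    LoginName   sysname       NOT NULL,
    EventType   nvarchar(100) NOT NULL,
    ObjectName  nvarchar(300) NULL,
    Outcome     varchar(10)   NOT NULL,   -- ALLOWED or BLOCKED
    TSQLCommand nvarchar(max) NULL,
    EventData   xml           NOT NULL    -- full EVENTDATA() kept for later investigation
);
GO

CREATE TRIGGER trg_AuditSchemaChanges
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS            -- every CREATE / ALTER / DROP in this database
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    DECLARE @eventType  nvarchar(100) = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(100)');
    DECLARE @objectName nvarchar(300) =
            QUOTENAME(@e.value('(/EVENT_INSTANCE/SchemaName)[1]', 'sysname')) + '.' +
            QUOTENAME(@e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'));
    DECLARE @command    nvarchar(max) = @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    -- Prevent: table drops are only allowed between 02:00 and 04:00.
    DECLARE @blocked bit = CASE WHEN @eventType = 'DROP_TABLE'
                                 AND DATEPART(hour, SYSDATETIME()) NOT BETWEEN 2 AND 3
                                THEN 1 ELSE 0 END;

    -- ROLLBACK inside the trigger undoes the DDL statement itself. Statements
    -- that follow it run outside that transaction, so the log row survives.
    IF @blocked = 1
        ROLLBACK;

    -- Record: one row per event, whether it went through or not.
    INSERT INTO dbo.SchemaChangeLog (LoginName, EventType, ObjectName, Outcome, TSQLCommand, EventData)
    VALUES (ORIGINAL_LOGIN(), @eventType, @objectName,
            CASE WHEN @blocked = 1 THEN 'BLOCKED' ELSE 'ALLOWED' END,
            @command, @e);

    IF @blocked = 1
        RAISERROR ('DROP TABLE is not permitted outside the 02:00-04:00 maintenance window.', 16, 1);
END;
GO
```

ORIGINAL_LOGIN() rather than SUSER_SNAME() is deliberate: it reports the login that opened the connection even when the statement runs under EXECUTE AS, which is what an audit trail needs. A sysadmin can still disable or drop the trigger, so the log is evidence of ordinary activity, not a control against an administrator.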

Introducing SQL Server Audit
• SQL Server Audit:
  • Tracks and logs events that occur on the system
  • Can track changes on the server or database level
  • Can be managed with Transact-SQL
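The three bullets above map directly onto the objects SQL Server Audit is built from: a server audit (where the log goes), a server audit specification (server-level events) and a database audit specification (database-level events), all created with Transact-SQL. The following added example, which is not part of the deck, wires up all three for the kinds of events a security review asks about and reads the log back. Audit names, the file path and the choice of action groups are assumptions; the Sales schema is AdventureWorks2008's.

```sql
-- Added example (not from the original deck): a file-based server audit, one
-- server-level and one database-level specification, and the read-back query.
-- Names and the path are constructed placeholders.
USE master;
GO

CREATE SERVER AUDIT SecurityAudit
    TO FILE ( FILEPATH = 'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20 )
    WITH ( QUEUE_DELAY = 1000,         -- ms the engine may buffer before writing
           ON_FAILURE = CONTINUE );    -- SHUTDOWN where losing audit records is unacceptable
GO

CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- who was added to sysadmin, and by whom
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)                 -- changes to the audit itself
    WITH (STATE = ON);
GO

USE AdventureWorks2008;
GO
CREATE DATABASE AUDIT SPECIFICATION SecurityAudit_Sales
    FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, UPDATE, DELETE ON SCHEMA::Sales BY public),   -- every principal
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Nothing is written until the audit itself is switched on.
USE master;
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- Read the log back: failed actions and server role membership changes in
-- the last day. event_time is recorded in UTC.
SELECT  f.event_time, a.name AS action_name, f.succeeded,
        f.server_principal_name, f.database_name, f.schema_name, f.object_name, f.statement
FROM    sys.fn_get_audit_file('C:\SQLAudit\SecurityAudit_*.sqlaudit', DEFAULT, DEFAULT) f
JOIN    sys.dm_audit_actions a ON a.action_id = f.action_id
WHERE   f.event_time >= DATEADD(day, -1, SYSUTCDATETIME())
  AND  (f.succeeded = 0                              -- failed logins, denied statements
        OR a.name IN ('ADD MEMBER', 'DROP MEMBER'))  -- role membership changes
ORDER BY f.event_time DESC;
```

AUDIT_CHANGE_GROUP is the one group worth never leaving out: if the audit is stopped or its specifications are altered, that event is itself the first thing an investigator will want to see.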

Demo: Using SQL Server Audit

Thank you!

Q & A

My Blogs
• For SQL Server and databases: www.autoexec.gr/blogs/antonch
• For .NET & Visual Studio: www.dotnetzone.gr/cs/blogs/antonch