SQL Server 2005 Security Enhancements
Dr Greg Low, Senior Consultant, Readify
greg.low@readify.net

Page 1: SQL Server 2005 Security Enhancements

Dr Greg Low
Senior Consultant, Readify
greg.low@readify.net

Page 2

The original version of this material was DAT330 at TechEd 2004, presented by Girish Chander.

Page 3: Agenda

Yukon Security Features
• Authentication: Endpoint Based Authentication; Password Policy Enforcement; Strengthening SQL Authentication
• Authorization: User-Schema Separation; Module Execution Context; Granular Permissions Control; Catalog Security
• Crypto support: Data Encryption

Page 4: Endpoint-Based Authentication

Endpoint: the point of entry into an instance; it binds a transport protocol to a payload.
• Transport protocols: Named Pipes, Shared Memory, TCP, HTTP, VIA
• Payloads: TDS, SOAP, SSB (Service Broker), Database Mirroring

For HTTP: off by default; endpoints need to be explicitly created; no permissions on the endpoint by default.

Page 5: Endpoint-Based Authentication (Cont)

For other transports:
• A default endpoint is created for every enabled transport at start-up
• CONNECT permission is granted to authenticated logins
• Permissions can be denied on a per-endpoint basis

Advantages:
• Transport/payload-based access management
• Controlled within SQL Server
• Ability to start/stop/disable individual endpoints
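An added T-SQL example (not from the deck) of the endpoint controls on these two slides: the default TDS endpoints, a per-endpoint DENY, an explicitly created HTTP/SOAP endpoint with no permissions until CONNECT is granted, and stopping one endpoint. ReportLogin, ReportDb, dbo.GetReport and ReportSoapEndpoint are assumed names, and the HTTP namespace is assumed to be available to the service account.

```sql
-- Added example, not from the deck. ReportLogin, ReportDb, dbo.GetReport and ReportSoapEndpoint are assumed.

-- The default TDS endpoints are created at start-up, one per enabled transport; list them with their state.
SELECT name, protocol_desc, type_desc, state_desc
FROM sys.endpoints;

-- CONNECT on those defaults is granted to authenticated logins, but it can be denied per endpoint:
-- this login keeps its TCP access but can no longer connect over Named Pipes.
DENY CONNECT ON ENDPOINT::[TSQL Named Pipes] TO ReportLogin;

-- HTTP is off by default: a SOAP endpoint exists only when created explicitly, naming its
-- authentication scheme and the procedures it exposes. BASIC authentication would require PORTS = (SSL).
CREATE ENDPOINT ReportSoapEndpoint
    STATE = STARTED
AS HTTP (
    PATH = '/sql/reports',
    AUTHENTICATION = (INTEGRATED),
    PORTS = (CLEAR),
    SITE = 'localhost'
)
FOR SOAP (
    WEBMETHOD 'GetReport' (NAME = 'ReportDb.dbo.GetReport'),
    WSDL = DEFAULT,
    DATABASE = 'ReportDb'
);

-- No login can use the new endpoint until CONNECT is granted on it.
GRANT CONNECT ON ENDPOINT::ReportSoapEndpoint TO ReportLogin;

-- Endpoint permissions are server-scoped, so they are recorded in sys.server_permissions.
SELECT e.name AS endpoint_name, p.permission_name, p.state_desc, sp.name AS grantee
FROM sys.server_permissions AS p
JOIN sys.endpoints AS e ON e.endpoint_id = p.major_id
JOIN sys.server_principals AS sp ON sp.principal_id = p.grantee_principal_id
WHERE p.class_desc = 'ENDPOINT';

-- Individual endpoints can be stopped (and later restarted) without touching the transport configuration.
ALTER ENDPOINT ReportSoapEndpoint STATE = STOPPED;
```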

Page 6: SQL Server Security Model

(Diagram, reconstructed as the sequence of steps it showed.)
1. Network connection request: connect to the SQL Server computer
2. Login authentication request to SQL Server: establish login credentials; authorize against the endpoint (EP)
3. Switch to a database and authorize access: establish a database context
4. Attempt to perform some action: verify permissions for all actions

Page 7: Password Policy Enforcement

Enforcement of the following on logins: password strength, password expiration, account lockouts
• Follows the local Windows password policy
• Supports a consistent enterprise-wide policy

Approach: a new password policy check API in Windows Server 2003, called during authentication, password set and reset.
On a Windows 2000 server the API is not available, so only SQL Server's native password complexity check is supported.

Page 8: Password Policy For Logins

Secure by default: policy is checked for all logins by default; can be configured on a per-login basis.

Admin options on logins:
• Turn password policy checks ON/OFF
• Turn password expiration checks ON/OFF (requires password policy to be ON; gives a 'password never expires' ability)
• Ability to force a password change on first login
These settings are present in the sys.sql_logins catalog view.

Page 9: Password Policy For Logins

During authentication:
• Account lockout in case of brute force attack
• Password age restrictions, if expiration is set

Password set/change: password complexity enforced and history checked.

Client-side support: allows password change on login, similar to Windows.

Ability to disable logins quickly.
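An added T-SQL example (not from the deck) of the per-login options on the last two slides: policy and expiration checks, forced change on first login, the catalog and LOGINPROPERTY views of the state, unlocking and disabling. NightlyJob and EtlService are assumed login names and the passwords are placeholders.

```sql
-- Added example, not from the deck. NightlyJob and EtlService are assumed; passwords are placeholders.
USE master;
GO
-- Policy and expiration checks are on by default for new SQL logins; stating them makes the intent explicit.
-- MUST_CHANGE forces a password change on first login and requires CHECK_EXPIRATION = ON (which needs CHECK_POLICY = ON).
CREATE LOGIN NightlyJob
    WITH PASSWORD = 'Tmp!Placeholder#2005' MUST_CHANGE,
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;

-- A service login whose password must never expire: keep complexity and lockout checks, turn only expiration off.
CREATE LOGIN EtlService
    WITH PASSWORD = 'Svc!Placeholder#2005',
         CHECK_EXPIRATION = OFF,
         CHECK_POLICY = ON;
GO
-- Per-login settings are in sys.sql_logins; the runtime state (lockout, pending change, failures) comes from LOGINPROPERTY.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(name, 'BadPasswordCount')    AS bad_password_count,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE name IN ('NightlyJob', 'EtlService');

-- A login locked out by the Windows lockout policy is released by an admin resetting its password with UNLOCK.
ALTER LOGIN NightlyJob WITH PASSWORD = 'New!Placeholder#2005' UNLOCK;

-- Disabling is the quick way to stop a login without dropping it or changing its password.
ALTER LOGIN EtlService DISABLE;
```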

Page 10: Password Policy Enforcements

Page 11: Strengthening SQL Authentication

Stronger channel for the authentication protocol for standard SQL logins:
• The channel is encrypted using SQL Server generated certificates; no SSL certificate loading required; similar to the current SSL implementation
• Default mechanism for standard SQL logins for Yukon clients talking to a Yukon server
• Seamless to applications; no application change required
• Support for old-style authentication for down-level clients

Page 12: Agenda

Yukon Security Features
• Authentication: Endpoint Based Authentication; Password Policy Enforcement; Strengthening SQL Authentication
• Authorization: User-Schema Separation; Module Execution Context; Granular Permissions Control; Catalog Security
• Crypto support: Data Encryption

Page 13: User-Schema Separation

Separation of principals and schemas:
• Principal: entities against whom objects are secured; live in the sys.database_principals view
• Schema: container of objects; the 3rd part of a 4-part name; live in the sys.schemas view

Page 14: User-Schema Separation (Cont)

Notion of default schema:
• Property of a user or application role
• Used in name resolution; the look-up algorithm for objects
• Maintained in sys.database_principals

New DDL for users and schemas: CREATE/ALTER/DROP for USER, ROLE, and SCHEMA.

Dropping a user does not require an application re-write.

Page 15: User-Schema Separation: The Solution

(Diagram: tables, views, stored procs and functions are contained in a schema; the schema is owned by a user, User 2.)

Page 16: User-Schema Separation: The Solution

(Diagram: User1, User2 and User3 all have default schema S1. For "Select * from foo", name resolution tries, in order:)
• S1.foo
• dbo.foo

Page 17: Default Schema

• Used for name resolution purposes
• Not all users need to own schemas
• Gives the ability to share name resolution look-up across many users
• The dbo schema need not be the only shared schema, from a name look-up perspective

Page 18: Default Schema (Cont)

Why is this useful?
• To create objects guaranteed to hit name look-ups from every context, objects need not be created in the dbo schema: have these contexts point to another schema as their default schema
• Allowing creation of objects in the dbo schema could pose security risks through ownership chaining
• This can be mitigated by using 'lower privileged' schemas as the default schema ('lower privileged': owned by a lower privileged account)

Page 19: User-Schema Separation

• A database can contain multiple schemas
• Each schema has an owning principal: a user or role
• Each user has a default schema for name resolution
• Most database objects live in schemas
• Object creation inside a schema requires CREATE permission and ALTER or CONTROL permission on the schema
  Example: creating a table in a schema requires CREATE TABLE permission and ownership of the schema or ALTER or CONTROL on the schema
• Ownership chaining is still based on owners, not schemas

(Diagram: in a Database, the principals Role1, User1 and Approle1 own the schemas Schema1, Schema2 and Schema3; User1 also has a default schema; the objects SP1, Fn1 and Tab1 live in the schemas.)

Page 20: User-Schema Separation
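An added T-SQL example (not from the deck) of the user-schema separation slides above: a 'lower privileged' schema owned by a role, a user whose default schema it is, the permissions object creation needs, name resolution from that user's context, and why ownership chaining still follows owners rather than schemas. AppDb, ReportWriters, Reports, Analyst1 (whose login is assumed to exist), dbo.Customers and Sales are assumed names.

```sql
-- Added example, not from the deck. AppDb, ReportWriters, Reports, Analyst1, dbo.Customers and Sales are assumed.
USE AppDb;
GO
-- The schema is owned by a role, so its owner is a lower-privileged principal than dbo.
CREATE ROLE ReportWriters;
GO
CREATE SCHEMA Reports AUTHORIZATION ReportWriters;
GO
-- The default schema is a property of the user and drives name resolution; the user itself owns nothing.
CREATE USER Analyst1 FOR LOGIN Analyst1 WITH DEFAULT_SCHEMA = Reports;   -- login Analyst1 assumed to exist
EXEC sp_addrolemember 'ReportWriters', 'Analyst1';
SELECT name, default_schema_name FROM sys.database_principals WHERE name = 'Analyst1';
-- Creating a table in the schema needs CREATE TABLE in the database plus ALTER (or CONTROL, or ownership) on the schema.
GRANT CREATE TABLE TO Analyst1;
GRANT ALTER ON SCHEMA::Reports TO Analyst1;
GO
-- A dbo-owned table, and a view over it placed in Reports: the view is owned by the schema owner, ReportWriters.
CREATE TABLE dbo.Customers (CustomerId int NOT NULL PRIMARY KEY, Name nvarchar(100) NOT NULL);
GO
CREATE VIEW Reports.CustomerNames AS SELECT CustomerId, Name FROM dbo.Customers;
GO
-- Seen from Analyst1: unqualified names resolve to Reports first, then dbo.
EXECUTE AS USER = 'Analyst1';
CREATE TABLE Sales (SaleId int NOT NULL PRIMARY KEY, Amount money NOT NULL);   -- becomes Reports.Sales, not dbo.Sales
SELECT SCHEMA_NAME(schema_id) AS schema_name, name FROM sys.tables WHERE name = 'Sales';
SELECT * FROM Sales;                  -- Reports.Sales
SELECT * FROM Reports.CustomerNames;  -- fails: the view's owner (ReportWriters) differs from the table's (dbo),
                                      -- so the ownership chain breaks and SELECT on dbo.Customers is checked for Analyst1
REVERT;
GO
-- Chaining follows owners, not schemas: the view becomes usable by granting SELECT on the base table
-- (or by moving the view into a dbo-owned schema), not by anything about the Reports default schema.
GRANT SELECT ON dbo.Customers TO ReportWriters;
GO
-- The user owns no schema and no objects, so dropping it renames nothing the application refers to.
DROP USER Analyst1;
```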

Page 21: Execution Context

(Diagram, reconstructed. User1 owns Proc1 and table T1; User2 owns another Proc1 that reads User1.T1; User3 calls the procs.)
• User3 calls User1.Proc1, which reads User1.T1: EXECUTE permission checked for User3; NO SELECT permission checked for User3 (unbroken ownership chain)
• SQL Server 2000: User3 calls User2.Proc1, which reads User1.T1: EXECUTE permission checked for User3; SELECT permission on T1 checked for User3 (broken ownership chain)
• Yukon: User2.Proc1 marked 'Execute AS X': EXECUTE permission checked for User3; SELECT permission checked for 'X', not for User3

Page 22: Module Execution Context

Ability to choose the execution context of modules (stored procs, functions, triggers).
• No need to rely on ownership chaining to get 'upfront permission check' behaviour
• Ownership chaining rules still apply, however

Page 23: Module Execution Context (Cont)

• Permissions are checked against the current execution context
• Unlike ownership chaining, this applies to DDL as well
• The option is available for dynamic SQL as well, as an alternative to the absence of ownership chaining there
• The execution context is maintained in the sys.sql_modules catalog view

Page 24: Contexts

Execute AS CALLER
• Statements execute as the immediate calling context
• Default behaviour, similar to SQL Server 2000
• Use when the caller's permission needs to be checked, or ownership chaining will suffice

Execute AS 'UserName'
• Statements execute as the user name specified
• IMPERSONATE permission required on the user specified

Page 25: Contexts

Execute AS SELF
• Statements execute as the person specifying the EXECUTE AS clause for the module
• May be useful in application scenarios where the calling context may change

Execute AS OWNER
• Statements execute as the current owner of the module
• IMPERSONATE privileges on the owner required, at setting time
• On ownership change, the context is the new owner

Page 26: Using Execute As To Create Permission Buckets

Scenario: the database admin wants to delegate the ability to truncate a set of tables each night.

Problem:
• TRUNCATE is not a grantable permission
• The closest covering permission is ALTER, but that is too high and gives other abilities

Page 27: Using Execute As To Create Permission Buckets (Solution)

Solution: EXECUTE AS to the rescue
• Create a proc that truncates the table
• Mark it to execute as a user with ALTER permission
• Grant EXECUTE permission to the target user

Result: you've just made TRUNCATE a grantable permission!

Page 28: Module Execution Context
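An added T-SQL example (not from the deck) of the permission-bucket solution on the two previous slides, with the catalog entry from sys.sql_modules and a check from the job account's context. AppDb, dbo.NightlyStaging, StagingTruncator and NightlyJobUser are assumed names; the table and the job user are assumed to exist.

```sql
-- Added example, not from the deck. AppDb, dbo.NightlyStaging, StagingTruncator and NightlyJobUser are assumed.
USE AppDb;
GO
-- A user that exists only to hold the covering permission; with no login, nobody can connect as it.
CREATE USER StagingTruncator WITHOUT LOGIN;
-- ALTER is the closest permission that covers TRUNCATE, and it covers far more, so only the bucket user gets it.
GRANT ALTER ON OBJECT::dbo.NightlyStaging TO StagingTruncator;
GO
-- The module is marked to run as the bucket user; whoever creates it needs IMPERSONATE on that user (dbo has it).
CREATE PROCEDURE dbo.TruncateNightlyStaging
WITH EXECUTE AS 'StagingTruncator'
AS
    TRUNCATE TABLE dbo.NightlyStaging;
GO
-- The only thing the job account receives is EXECUTE on the procedure.
GRANT EXECUTE ON dbo.TruncateNightlyStaging TO NightlyJobUser;
GO
-- The chosen context is recorded in sys.sql_modules (NULL = CALLER, -2 = OWNER, otherwise the principal id).
SELECT OBJECT_NAME(object_id)            AS module_name,
       execute_as_principal_id,
       USER_NAME(execute_as_principal_id) AS execute_as_user
FROM sys.sql_modules
WHERE object_id = OBJECT_ID('dbo.TruncateNightlyStaging');

-- From the job account's point of view: no ALTER on the table, so no direct TRUNCATE, but EXECUTE on the proc.
EXECUTE AS USER = 'NightlyJobUser';
SELECT HAS_PERMS_BY_NAME('dbo.NightlyStaging',       'OBJECT', 'ALTER')   AS can_alter_table;  -- 0
SELECT HAS_PERMS_BY_NAME('dbo.TruncateNightlyStaging', 'OBJECT', 'EXECUTE') AS can_execute;    -- 1
EXEC dbo.TruncateNightlyStaging;  -- succeeds: inside the proc USER_NAME() is StagingTruncator, whose ALTER is checked
REVERT;
```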

Page 29: Granular Permissions Control

More permissions, at multiple scopes: server, database, schema, object, principal.

Principle of least privilege: assign only the permissions required to perform an action; granular permissions enable that.
• Many new permission verbs added for granular control
• SQL Server 2000 fixed roles still supported

Catalog views:
• Database permissions live in the sys.database_permissions view
• Server permissions live in the sys.server_permissions view

Page 30: Permission States

Three permission states:
• GRANT gives a right
• DENY explicitly denies a right
• REVOKE takes away an existing grant or deny

(Diagram: a state chart with GRANT (+) and DENY (-) as the two end states; REVOKE moves from either back to the neutral state.)

Page 31: General Permissions Scheme

Grantee:
• Server level permissions are grantable to logins
• Database level permissions are grantable to users, database roles and application roles

Securable: the entity to be secured. Examples: tables, assemblies, databases, server, etc.

The same permission can exist at multiple scopes. Example: CONTROL at schema level and CONTROL on a table within the schema.

DENY at any level always takes precedence.

Page 32: General Permissions Scheme

Most securables have the following permissions:
• CONTROL: owner-like permissions
• ALTER: ability to change the properties of the securable; also grants the ability to CREATE/DROP/ALTER sub-entities
  Example: ALTER permission on a schema allows altering the name of the schema, and also altering tables, views etc. within the schema

Page 33: General Permissions Scheme (Cont)

• ALTER ANY 'X': ability to alter any object of type X
  Example: ALTER ANY ASSEMBLY allows altering any assembly in the database
• TAKE OWNERSHIP: grants the ability to take ownership of an object

Page 34: New Permissions: Further Examples

Concern: I want to delegate auditing power without giving access to the entire server.
Solution: ALTER TRACE, a new server level permission. Sysadmin is no longer required to run Profiler.

Concern: there is db_datareader and db_datawriter, but I want a db_procexecutor equivalent.
Solution: EXECUTE at a higher scope (database or schema). Can execute any proc/function/assembly in the database, or in the schema (if schema scoped). Equivalent SELECT, INSERT, UPDATE, DELETE permissions are introduced as well.

Page 35: New Permissions: Further Examples

Concern: I want to be able to selectively impersonate another user, without having full database or instance privileges.
Solution: IMPERSONATE (for login and user). Sysadmin or dbo is no longer required for impersonating a user/login.

Page 36: Catalog Security

• System tables implemented as views: catalog views
• Metadata is secured by default: minimal permissions to public
• Catalog views are row-level secured: you need to be the owner or have some permission on an object to see it in a catalog view
• SA can see everything in the server; DBO can see everything in the database
• New permission to allow viewing of metadata: VIEW DEFINITION, applicable at object level, schema level, database level and server level
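An added T-SQL example (not from the deck) that ties together the granular permissions slides from Page 29 to this one: schema-scoped EXECUTE as the db_procexecutor equivalent, an object-level DENY taking precedence, ALTER TRACE, IMPERSONATE and VIEW DEFINITION, how the three states appear in sys.database_permissions, and the row-level catalog filtering. AppDb, AuditorLogin, ProcExecutors, JobUser, HelpdeskUser, ReportUser, dbo.ArchiveOrders and dbo.ResetPasswords are assumed names; JobUser is assumed to already be a member of ProcExecutors.

```sql
-- Added example, not from the deck. All database, login, user, role and procedure names are assumed;
-- JobUser is assumed to already be a member of ProcExecutors.
USE master;
-- Delegated auditing: a server-level permission instead of sysadmin.
GRANT ALTER TRACE TO AuditorLogin;
GO
USE AppDb;
GO
-- The db_procexecutor that SQL Server 2000 lacked: EXECUTE at schema scope covers every module in dbo.
CREATE ROLE ProcExecutors;
GRANT EXECUTE ON SCHEMA::dbo TO ProcExecutors;
-- A DENY at object level always wins over the broader GRANT.
DENY EXECUTE ON OBJECT::dbo.ResetPasswords TO ProcExecutors;
-- Selective impersonation and metadata visibility, neither of which needs dbo any more.
GRANT IMPERSONATE ON USER::ReportUser TO HelpdeskUser;
GRANT VIEW DEFINITION ON SCHEMA::dbo TO HelpdeskUser;
GO
-- Permission states as the catalog records them: GRANT and DENY are rows; a REVOKE simply removes the row.
SELECT pr.name AS grantee, p.class_desc, p.permission_name, p.state_desc,
       CASE p.class_desc
            WHEN 'SCHEMA'             THEN SCHEMA_NAME(p.major_id)
            WHEN 'OBJECT_OR_COLUMN'   THEN OBJECT_NAME(p.major_id)
            WHEN 'DATABASE_PRINCIPAL' THEN USER_NAME(p.major_id)
       END AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name IN ('ProcExecutors', 'HelpdeskUser');

-- Effective permissions for a member of ProcExecutors.
EXECUTE AS USER = 'JobUser';
SELECT HAS_PERMS_BY_NAME('dbo.ArchiveOrders',  'OBJECT', 'EXECUTE') AS can_exec_archive,  -- 1: schema-level grant
       HAS_PERMS_BY_NAME('dbo.ResetPasswords', 'OBJECT', 'EXECUTE') AS can_exec_reset;    -- 0: object-level deny
REVERT;

-- Row-level catalog security: HelpdeskUser sees every dbo procedure only because of VIEW DEFINITION on the schema.
EXECUTE AS USER = 'HelpdeskUser';
SELECT SCHEMA_NAME(schema_id) AS schema_name, name FROM sys.procedures;
REVERT;

-- Removing the DENY restores the effect of the schema-level grant; REVOKE itself grants nothing.
REVOKE EXECUTE ON OBJECT::dbo.ResetPasswords FROM ProcExecutors;
```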

Page 37: Agenda

Yukon Security Features
• Authentication: Endpoint Based Authentication; Password Policy Enforcement; Strengthening SQL Authentication
• Authorization: User-Schema Separation; Module Execution Context; Granular Permissions Control; Catalog Security
• Crypto support: Data Encryption

Page 38: Encryption Support Inside DB

Encrypt and Decrypt built-ins for encryption support:
• Encryption built-ins encrypt cleartext and return ciphertext: EncryptByKey(), EncryptByCert(), EncryptByPassphrase()
• Decryption built-ins do the reverse

Symmetric keys and certificates:
• Used for encryption/decryption
• Entities inside SQL Server; support for creation and storage in SQL Server
• Symmetric keys and private keys are always stored encrypted in SQL Server

Page 39: Symmetric Keys

Entities inside the database: CREATE SYMMETRIC KEY DDL.
• Used in the built-ins for encryption and decryption
• Keys are always stored encrypted, or in a 'closed' state; using a key requires 'opening' it
• OPEN KEY DDL: involves decrypting the key; knowledge of the mechanism used to encrypt the key is required
• Once 'open', keys can be used until they are 'closed' or the session is terminated
• All keys are encrypted in memory

Catalog views: sys.symmetric_keys, sys.open_keys

Page 40: Certificates

Entities inside the database: CREATE CERTIFICATE DDL.
• Can be loaded into SQL Server; the private key is optional, and required if signing, decryption or authentication is needed
• Can be created in SQL Server: SQL Server generates the certificate
• Support for 'dumping' certificates and private keys; private keys are always stored encrypted

Required for:
• Service Broker: authentication, message integrity and secrecy
• Encryption support
• Securing SQL authentication natively
• Module signing

Page 41: Encryption Layers

Page 42: Database Master Key

• A key that is specific to the database
• Used to secure certificate private keys inside the database
• Explicitly created by the owner of the database
• Support for regeneration and recovery: ALTER MASTER KEY DDL, DUMP/LOAD MASTER KEY DDL
• Always secured using a user password; stored in the database
• Can also be secured using the Service Master Key: used when SQL Server does key management, so it does not rely on the user password to get to the key; stored in the sysdatabases table

Page 43: Service Master Key

• A key that is specific to the instance
• Used to secure system data: linked server passwords, connection strings, database master keys, mapped account credentials
• Created upon install
• Support for regeneration and recovery: ALTER SERVICE MASTER KEY DDL, DUMP/LOAD SERVICE MASTER KEY DDL
• Secured using DPAPI and the service account's credentials

Page 44: Encrypting Data
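An added T-SQL example (not from the deck) walking the key hierarchy of Pages 38 to 43 end to end: database master key, a server-generated certificate whose private key it protects, a symmetric key protected by the certificate, open/encrypt/decrypt/close, the catalog views, and master key backup. It uses the released syntax, so BACKUP MASTER KEY where the beta-era slides say DUMP MASTER KEY and sys.openkeys where they say sys.open_keys. SecDemo, CardCert, CardKey, dbo.Cards, the file path and the passwords are assumed placeholders.

```sql
-- Added example, not from the deck. SecDemo, CardCert, CardKey, dbo.Cards, the path and the passwords are placeholders.
USE SecDemo;
GO
-- Database master key: protects certificate private keys in this database. It is encrypted by the password
-- given here and, by default, also by the service master key so the server can open it without the password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk!Placeholder#2005';
GO
-- A certificate generated by SQL Server; its private key is stored encrypted by the database master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number protection';
GO
-- A symmetric key stored encrypted by the certificate (AES needs Windows Server 2003 or later).
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Cards (CardId int IDENTITY(1,1) PRIMARY KEY, CardNumber varbinary(256) NOT NULL);
GO
-- The key is 'closed' until opened; opening decrypts it with the certificate, which in turn needs the master key.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.Cards (CardNumber) VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));  -- constructed value
SELECT CardId, CAST(DecryptByKey(CardNumber) AS nvarchar(30)) AS CardNumber FROM dbo.Cards;
-- Open keys are per session and listed in sys.openkeys.
SELECT key_name, opened_date FROM sys.openkeys;
CLOSE SYMMETRIC KEY CardKey;
-- The certificate can encrypt directly without opening anything, but only short values and at a much higher cost.
SELECT CAST(DecryptByCert(Cert_ID('CardCert'), EncryptByCert(Cert_ID('CardCert'), N'short secret')) AS nvarchar(20));
GO
-- The hierarchy as the catalog shows it (the master key itself appears in sys.symmetric_keys).
SELECT name, key_length, algorithm_desc FROM sys.symmetric_keys;
SELECT name, pvt_key_encryption_type_desc FROM sys.certificates;
-- Recovery: back up the master key under its own password, to a placeholder path.
BACKUP MASTER KEY TO FILE = 'C:\keys\SecDemo_dmk.bak' ENCRYPTION BY PASSWORD = 'Bkp!Placeholder#2005';
```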

Page 45: The SQL Server 2005 University Masters

• Fully accredited, masters level degree from Charles Sturt University
• SQL Server 2005 MCDBA certification included as an integral component
• Graduates eligible for full professional level membership of the Australian Computing Society
• Part time study delivered via Distance Education
• Qualifies for the Government FEE-HELP program
• Places available for experienced applicants without previous qualifications

First intake commences September 2005. Register your interest at www.itmasters.info

Page 46: Technical Readiness Resources

Microsoft SQL Server 2005 Workshops: 1 or 2 day hands-on workshops on each of:
• Database Infrastructure
• Database Development
• Business Intelligence

Tour 1 starts mid May. Tour 2 has been added due to popular demand and starts late August.

Page 47: Event: Microsoft SQL Server 2005 Workshops

Microsoft SQL Server 2005 Database Infrastructure & Scalability: presented by Brent Challis from DDLS, this workshop covers installation and upgrade options, management tools, architecture, security enhancements, scalability and performance enhancements and maintenance enhancements.

Microsoft SQL Server 2005 Development: led by Greg Low from Readify, this intensive workshop covers the developer-related enhancements in SQL Server 2005, with a focus on T-SQL enhancements, CLR Integration, security enhancements and ADO.NET enhancements.

Microsoft SQL Server 2005 Business Intelligence: presented by Peter Myers from Tenix Connections, this workshop covers the building of Analysis Services 2005 databases, cubes, dimensions & aggregations, enhancements made to MDX, the new Integration Services 2005 (formerly DTS), the new data mining algorithms of Analysis Services 2005 and creating reports from Analysis Services cubes.

http://www.microsoft.com/australia/events/sql2005/

Page 48: Microsoft SQL Server 2005 Workshops - Dates

City       | MS SQL Server 2005 Database Infrastructure & Scalability | MS SQL Server 2005 Development | MS SQL Server 2005 Business Intelligence
Sydney     | 23-24 May [SOLD OUT]                                     | 30-31 May [SOLD OUT]           | 6-7 June
           | 9-10 June                                                | 14-15 June                     | 21-22 June
           | 22-23 August                                             | 1-2 September                  | 7-8 September
Canberra   | 26-27 May                                                | 1-2 June                       | 7-8 July
           | 25-26 August                                             | 5-6 September                  | 14-15 September
Melbourne  | 20-21 June                                               | 27-28 June                     | 4-5 July
           | 6-7 September                                            | 12-13 September                | 21-22 September
Brisbane   | 23-24 June                                               | 30 June-1 July                 | 9-10 June
           | 19-20 September                                          | 26-27 September                | 6-7 October
Perth      | 4-5 July [SOLD OUT]                                      | 6-7 July [SOLD OUT]            | 11-12 July
           | 26-27 September                                          | 4-5 October                    | 12-13 October
Adelaide   | 20-21 July                                               | 18-19 July                     | 14-15 July
           | 4-5 October                                              | 10-11 October                  | 17-18 October

http://www.microsoft.com/australia/events/sql2005/

Page 49: Thanks for listening!

greg.low@readify.net

Page 50

© 2002 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.