Security In Sql Server 2008

  • Uploaded by: LearnItFirst
  • 0
  • 0
  • June 2020
  • PDF

This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA


Overview

Download & View Security In Sql Server 2008 as PDF for free.

More details

  • Words: 11,591
  • Pages: 335
SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

What We’re Going to Cover

• Encryption overview • Linked servers • SIDs and User accounts

Chapter Overview

• This chapter focuses on – How to create and manage logins – How to design and manage database security – Understanding Transparent Data Encryption – Creating and managing Linked Servers

Chapter Overview

• SQL Server Security is not that difficult – Understanding the main security model is easy – Remembering what each term does is easy – Understanding what to do when is easy once explained

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

What We’re Going to Cover

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server Security

• A primary principle of security is to “reduce the attack surface area” • Another main focus is to only allow the least amount of privileges needed to do a task • This chapter teaches how to do both

SQL Server Security

• There are many levels of security in SQL Server – Physical machine – Operating System – Network – Instance – Database

SQL Server Security

• Physical Machine – Who has access to the actual machine? • Hard drives in many servers can easily be removed

– Recommendations to reduce attack surface area: • Server in a locked room with access limited to systems admins only

SQL Server Security

• Operating System – Should you run other software on this machine? • Internet Information Server (IIS), Exchange, SharePoint

– Which users have logins to the server? • If they can login to the server, can they make a file copy of SQL Server databases?

– Recommendations to reduce attack surface area: • The more critical/sensitive/large the database(s), the more likely you need a dedicated machine • Only allow system administrators and DBAs to login to the operating system

SQL Server Security

• Network – By changing default network settings you can reduce the surface area • Changing default instance TCP port from 1433 to another value

– Recommendations to reduce attack surface area: • Place your web SQL Server behind a firewall to prevent remote access (if possible) • Consider allowing local-only connections for applications installed on the server

SQL Server Security

• Instance-level – Defines who can login to the SQL Server instance and what permissions they have instance-wide – sa has instance-wide administrator privileges – Anyone who can login to the SQL Server is called a “login”

SQL Server Security

• Database-level – Defines which logins are able to use this database and what permissions each has in that database – By default, database permissions are granular • Permissions in “AdventureWorks” do not mean a user has those same permissions in another database

SQL Server Security

• Let’s look in-depth at instance-level and database-level security next!

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video…

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server Security

• Something you need to know before we begin: – Permissions are GRANT, DENY and REVOKE • REVOKE is like an eraser • DENY cannot be overturned • One GRANT is all it takes

SQL Server Security

• Other basic terms to know are: – Logins – Users – Roles – Principals

• Let’s do a quick definition of each!

SQL Server Security

• New term: “Login” – To use a SQL Server, you must have a login – The “sa” login has full rights to the instance – Having a login does not necessarily give you access to a database

SQL Server Security

• New term: “User” – To use a database, you must have a user account • For brevity, just called a “user”

– Just having a user account does not mean you can access a particular table

SQL Server Security

• New term: “Role” – Logins or users can be grouped into a “Role” and then permissions granted to the role • Called “Groups” in Windows and other systems

– There are server roles (instance-level) and database roles – SQL Server combines login/user/role level permissions when evaluating requests

SQL Server Security

• New term: “Principal” – “Principals are entities that can request SQL Server resources”1 • A resource is anything from logging in to manipulating data

– A principal is an abstraction layer that encompasses users, roles, and logins • There are server principals (logins, server roles) and database principals (users, database roles) 1 – Source: SQL Server Books Online

SQL Server Security

• Why the abstraction layer? – Instance-wide permissions can be granted: • To an individual login • To a role that the login belongs to

– Remember that SQL Server combines the login, user and role permissions to determine whether a user is GRANT or DENY • A single DENY prevents access

SQL Server Security

• Why the abstraction layer?

(cont.)

– A “Login” can be created from: • Windows Group – All members of the group are granted/denied access

• Windows User account – A single Windows User account is granted/denied access

• SQL Server Authentication login – The DBA creates a login/password and grants/denies access

SQL Server Security

• Why the abstraction layer?

(cont.)

– By using the generic term “principal” when talking about permissions, it encompasses roles as well as logins of all types – Easier to say “Make sure to DENY all principals” than to say “Make sure you DENY John, Mark, Jane, the CustomerSupport role, and the public role”

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video…

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server Logins

• The SQL Server DBA is like the door person at an exclusive, invitation-only party – To enter requires your name being on “the list” – If your name isn’t on the list, you can’t get in!

• “The List”, in SQL Server terms, is the list of logins

SQL Server Logins

• A login can be created from: – Windows User account – Windows Group – SQL Server login

• Logins can be granted or denied access

SQL Server Logins

• Example scenario: – The Windows Group “SQLDevs” is granted access – Chad is a member of SQLDevs – Chad’s latest code check-in caused major data problems – What are our options to prevent Chad from logging in?

SQL Server Logins

• Solution #1: Remove Chad’s Windows User account from the Windows group – PROs: • Problem solved quickly and easily

– CONs: • The Windows Group may have other necessary permissions outside of SQL Server • SQL Server DBA may not have rights to Active Directory

SQL Server Logins

• Solution #2: 1. Add Chad’s Windows User account as a login 2. Deny Chad’s Windows User login access 3. Now all other SQLDevs except Chad can login

• PROs – Does not affect Chad’s other Windows permissions outside of SQL Server – SQL Server DBA can implement regardless of Active Directory access

• CONs – Requires an extra step

SQL Server Logins

• Let’s demo!

SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server Logins

• SQL Server authentication logins are used when a user/application does not have a Windows account – A 3rd party application uses a custom login

• The “sa” account is a SQL Server login

SQL Server Logins

• To use SQL Server logins requires Mixed Mode – Changing authentication mode requires restarting SQL Server

SQL Server Logins

• SQL Server logins can use password policies of the computer/domain

SQL Server Logins

• Administrative Tools -> Local Security Policy

SQL Server Logins

• There are other logins as well for specific situations – Certificate-based logins and logins mapped to an asymmetric key • Used to sign routines for extra/elevated security

– Logins mapped to a credential • Credentials are simply a fancy database name for a Windows user/password

SQL Server Logins

• All logins have – A default database – Default language for error messages – Server role membership(s) – User mapping – Securables – Status

• Let’s look at each in the next video!

SQL Server Logins

• But first – demo!

SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server Logins

• All logins have – A default database – Default language – Server role membership(s) – User mapping – Securables – Status

SQL Server Security

• The default database is the database the user is placed in upon login unless the user requests a different database • The default language specifies the language of error messages and functions

SQL Server Security

• Server roles allow for instance-wide grouping of permissions – Inflexible • Permissions cannot be changed • Cannot create your own roles

– To use, put logins in and take them out

SQL Server Security

• sysadmin role has all permissions – “sa” login is a member of sysadmin

• dbcreator sounds good but…. – Members can DROP any database on the server – (Documentation does not list that little goodie…)

SQL Server Security

• Be careful - each server role has the ability to add other logins to it! – If I add Chad to the “dbcreator” role he can add others to it

• Suggestion: Grant permissions in the Securables tab (upcoming)

SQL Server Logins

• All logins have – A default database – Default language – Server role membership(s) – User mapping – Securables – Status

SQL Server Security

• A login must be made a user of a database upon creation – Unless it is a member of sysadmin server role

• User accounts coming up in a future video…

In the next video…

• All logins have – A default database – Default language – Server role membership(s) – User mapping – Securables – Status

SQL Server 2008 Security

Presented by Scott Whigham

In this video…

• All logins have – A default database – Default language – Server role membership(s) – User mapping – Securables – Status

Securables

• First thing: SQL Server uses the GDR for permissions – GRANT – DENY – REVOKE (i.e. The Eraser)

Securables

• Securables are another abstraction layer – Securables are simply things that you define permissions to • Tables, views, etc

• You define permissions on securables to principals

Securables

• Securables have “scope” – Server • Database, Login

– Database • User, role, schema

– Schema • Table, view, procedure, function

Securables

Securables

• For each of these, there are three basic permissions – CONTROL – ALTER – VIEW DEFINITION • Each level can have individual permissions as well – Logins can have IMPERSONATE permission – TABLES have SELECT permission

Securables

• CONTROL permission effectively gives ownership rights – Includes the ability to give others rights as well -- Give the login Chad sysadmin-level rights:

GRANT CONTROL SERVER to Chad

Securables

• ALTER permission gives ability to modify – ALTER ANY <entity> • Permission applied for all entities of that entity type

– ALTER < entity> • Permission applied for only the given <securable>

Securables -- Give the login Terry the ability to change -Chrissy’s password

GRANT ALTER ON LOGIN::Chrissy TO Terry -- Give Chrissy the option to change -- anyone’s password GRANT ALTER ANY LOGIN TO Chrissy -- Yikes!!!!!

Securables

• VIEW DEFINITION permission allows for viewing: – Source code if given to stored procedures, functions, triggers, views – Login names/info if given at Login level – Table metadata if given at table level

Securables -- Give the login Terry the ability to view -information about Chrissy’s login GRANT VIEW DEFINITION ON LOGIN::Chrissy TO TERRY

-- Give Chrissy the option to view the source -code for a view vw_Customer GRANT VIEW DEFINITION ON vw_Customer TO Chrissy

Securables

• Each permission can also be granted using the WITH GRANT option – If I give Chad the VIEW DEFINITION permission on a stored procedure, he can then give that to Chrissy

Alternative to db_creator role

• Remember our problem with db_creator? – Any member can now ALTER or DROP any user database

• It is recommended that you do not use db_creator

Alternative to db_creator role

• To give logins the ability to create a database without giving them “extra” permissions, grant them the server permission “Create any database”

Alternative to db_creator role

Alternative to db_creator role

Alternative to db_creator role

Securables

• Let’s demo the server-scoped securables

SQL Server 2008 Security

Presented by Scott Whigham

In this video…

• All logins have – A default database – Default language – Server role membership(s) – User mapping – Securables – Status

Status

• Logins can be: – Disabled or Enabled – Grant or Deny – Locked out!

A most confusing screenshot…

Account Status

• Logins that are “Disabled” or have “Deny” cannot login – No functional difference

• If you “Deny”: DENY CONNECT SQL to [login]

• If you “Disable”: ALTER LOGIN [login] DISABLE

Status

• Disabling or denying logins: – Allows you to deny access to logins that you may later need to restore access • Consultants, staff on vacation or out of the office

– Allows you to deny access to creators of objects (databases, tables, etc) yet still let others use those objects • Alternative would be to transfer object ownership to other login and then drop the login

Locked out!

• A SQL Server authentication login can be locked out due to policies

Locked out!

• There are two ways to reset a locked-out account: – By resetting the password – By resetting the lockout time

• It is recommended that you reset lockedout accounts by resetting the password – Resetting the lockout time will clear any password history associated with the account!

Locked out!

• To reset a locked-out account by resetting the password, use ALTER LOGIN ALTER LOGIN [Scott] WITH PASSWORD=‘e%3I' UNLOCK

Locked out!

• To reset a locked-out account without resetting the password, use ALTER LOGIN … WITH CHECK_POLICY ALTER LOGIN [Scott] WITH CHECK_POLICY = OFF GO ALTER LOGIN [Scott] WITH CHECK_POLICY = ON GO -- Account may now login using existing password

SQL Server 2008 Security

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Accounts Added by SQL Server

• When you install SQL Server, there are several accounts added by default – SQL Server authentication accounts – Windows authentication accounts – Certificate-based logins

SQL Server accounts added

• sa – Full permissions – Can be disabled – Only available in Mixed mode – Recommendation: DON’T USE IT • Create Windows authentication logins for your sysadmins instead

Certificate-based accounts added

• Logins that are surrounded by the double hash signs are Certificate-based SQL Server logins – – – –

##MS_SQLReplicationSigningCertificate## ##MS_PolicyEventProcessingLogin## ##MS_PolicySigningCertificate## ##MS_PolicyTsqlExecutionLogin## (and several more)

• These get installed depending on which features you have installed

Windows-based accounts added

• SQL Server 2008 also adds several Windows-based logins – NT AUTHORITY\SYSTEM – an internal, default Windows group that is granted sysadmin privilege • Do not modify this account’s privileges • Used by Microsoft Update, service packs, hotfixes, and the SQL Writer Service (and more) • For more information, view KB article 932881

Windows-based accounts added

• SQL Server 2008 creates a local Windows group for each service that you install • These groups are subsequently granted SQL Server logins and given sysadmin privilege

Windows-based accounts added

• For a default install of SQL Server, there are two critical Windows Groups installed: – SQLServerMSSQLUser$<machine_name>$ – SQLServerSQLAgentUser$<machine_name>$

• Remember: Instance IDs for a default instance are MSSQLSERVER

Windows-based accounts added

• For the server named LEARNITFIRST with a default instance of SQL 2008: – SQLServerMSSQLUser$LEARNITFIRST$MSSQLSERVER – SQLServerSQLAgentUser$LEARNITFIRST$MSSQLSERVER

• For a server named COLTRANE with a named instance of SQL Server with an instance ID of “Development”: – SQLServerMSSQLUser$COLTRANE$DEVELOPMENT – SQLServerSQLAgentUser$COLTRANE$DEVELOPMENT

Windows-based accounts added

• SQLServerMSSQLUser group: – Any user in this group can login to SQL Server as a sysadmin – Also has the full privileges of the SQL Server service account – No need to directly edit this group; SQL Server will do the right thing when you change service accounts through the SQL Server Configuration Manager

Windows-based accounts added

• In SQL Server, you will see these new accounts listed as: – NT SERVICE\ – NT SERVICE\SQLAgent

Account Provisioning

• Any accounts that you provision to be system administrators during installation will become sysadmins – Make sure to provision your Windows account during installation!

Account Provisioning

Changes in security

• Unlike previous editions, operating system and domain administrators are not sysadmins in SQL Server by default – BUILTIN\Administrators is no longer added by default – Can be added manually if necessary

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security: Users

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Database-Level Security

• A login allows access to the SQL Server • A user account is required to access a database • Remember: logins and users are actually “principals”

Database-Level Security

• You, the DBA, can grant user accounts: – When creating the login – After the login has been created – Using SSMS’s GUI tools – Using T-SQL’s CREATE USER command

Database-Level Security

• There are four built-in user accounts – dbo • Full privileges; the person who creates the database is the dbo by default unless changed • Sysadmins are dbo of every database

– Guest • Disabled by default

– INFORMATION_SCHEMA • Internal

– Sys • Internal

Database-Level Security

• A login has no user accounts created for it by default – If you enable Guest in a database, this means that any login can use that database even without a user account – Guest is disabled by default; It is not a standard practice to enable Guest

Database-Level Security

• A login may have zero or one user account per database – A login without a user account in a database cannot access that database unless the Guest account is enabled

Database-Level Security

• User names do not have to match login names – Let’s look at the login ScottWhigham: Database

User mapping

master

guest

model

guest

msdb

ScottWhigham

tempdb

guest

AdventureWorks

<none>

ScottsDatabase

dbo

WebsiteMarketing Scott

Database-Level Security

• A login may have zero or one user account per database – A login without a user account in a database cannot access that database

Database-Level Security

• Imagine your SQL Server as a 100-floor skyscraper – Huge foyer complete with menacing looking security guards – Unlike most skyscrapers, you must show your key card (i.e. your credentials) to enter the foyer Image by wallyg at flikr.com

Database-Level Security

• Think of the “secure” foyer as the master database – Anyone who has access to any floor of the skyscraper is allowed in through the turnstiles and into the foyer – Certain staff are only allowed into the foyer

• In SQL Server, this is called a login

Database-Level Security

• The elevators of our skyscraper require a key card – This key card determines which floor(s) you have access to – You may only go to floors that your key card specifically allows Image by SYangPhoto at flikr.com

Database-Level Security

• In SQL Server parlance, the “floor” is really a database – Logins may not use a database unless they have a user account – A user account in one database has no effect on whether a login may access another database • Example: your key card lets you go to the 32nd floor. Would you also expect that key card to allow you permission to the 23rd floor? No!

Database-Level Security

• Let’s demo!

SQL Server 2008 Security: Schemas

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Roles and Schemas

• The word schema has multiple definitions in SQL Server: – The structure of a database including tables, columns, and relationships – An XML schema collection – A container

Roles and Schemas

• The word schema has multiple definitions in SQL Server: – The structure of a database including tables, columns, and relationships – An XML schema collection – A container

Roles and Schemas

• DBAs and Developers place objects in schemas for – Organization of objects – Security of objects

HumanResources schema

• Organization: • HumanResources schema in AdventureWorks contains all objects containing information about the Human Resources department

Schemas and name resolution

• When you request an object, SQL Server allows up to four “levels”: SELECT * FROM Server.Database.Schema.Object SELECT * FROM Jupiter.LearnItFirst.dbo.Customer

Schemas and name resolution

• If you are on the same server, you can skip the server name -- Logged on to Jupiter server: SELECT * FROM LearnItFirst.dbo.Customer

Schemas and name resolution

• If you are already in the correct database, you can skip the database -- Logged on to Jupiter server and using LearnItFirst:

SELECT * FROM dbo.Customer

Schemas and name resolution

• How would you query a table in the WebMarketing database while you were in the LearnItFirst database? _________________________________________

Schemas and name resolution

• How would you query a table in the WebMarketing database while you were in the LearnItFirst database? SELECT * FROM WebMarketing.dbo.Log

Schemas and name resolution

• If the default schema for your user account is the same as your desired object’s schema, you can omit the schema: -- Logged on to Jupiter server, in LearnItFirst db, and default schema is “dbo”: SELECT * FROM Customer -- Warning: not best practice

Schemas and name resolution

• We’ll cover more on schemas and name resolution later in the chapter

Schemas

• Let’s demo!

SQL Server 2008 Security: Roles

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Roles

• Roles are easy: same thing as a group! • There are three types of roles: – Fixed Server Roles (covered already) – Database-level roles – Application Roles

Roles

• Roles are easy: same thing as a group! • There are three types of roles: – Fixed Server Roles (covered already) – Database-level roles – Application Roles

Database-level Roles

• Database-level roles allow DBAs to group users together and assign permissions to the role – Far superior to doing user-level permissions – Fixed database roles = the built-in roles – Flexible database roles = the ones you create

Database-level Roles

• You can use the built-in database roles as well as creating your own • Some commonly used built-in roles are: Role

Description

db_owner

Full rights to database

public

Any user is a member of public; sets base permissions for all connections

db_ddladmin

Create objects of any type; can alter or drop objects they created

db_datawriter

Can modify the data any table

db_datareader

Can read the data from any table

db_securityadmin

Manage role memberships and permissions

Database-level Roles

• Example of using roles: – Your database has 10 users – Your security assessment shows that there are really three types of permissions needed: • Full control (Micah and Thomas) • Development work (Sam and Nica) • Read-only access to all tables but modify to dbo.Customer table (all others)

Database-level Roles User

Permission

Micah, Thomas

Full control

Sam, Nica

Developers

All others

Read all tables; modify dbo.Customer

• Option 1: Assign each permission to each individual user – Pros: easy to understand when creating – Cons: repetitive, difficult to maintain, silly

Database-level Roles User

Permission

Micah, Thomas

Full control

Sam, Nica

Developers

All others

Read all tables; modify dbo.Customer

• Option 2: Create roles for each group – Pros: easy to understand when creating, easy to assign permissions, easy to add/remove – Cons: ?

Database-level Roles

Login

User

Role

Micah

Micah

public, db_owner

Thomas

Thomas

public, db_owner

Sam

Sam

public, db_ddladmin, Developers

Nica

Nica

public, db_ddladmin, Developers

Five other logins

Five users, one for each login

public, db_datareader, CustomerManagers

Roles and Schemas

• Notice that roles can be given the same permissions that users can

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security: Roles

Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Roles

• Roles are easy: same thing as a group! • There are three types of roles: – Fixed Server Roles – Database-level roles – Application Roles

Roles

• Application roles allow you to tie a specific application to certain permissions in the database – Step 1: User launches application – Step 2: Application logs into SQL Server – Step 3: Application uses a database – Step 4: App sets or invokes the application role • The application has now lost the user perms and now has the app role perms

Roles

• To use app roles, you still must have: – Login – User

• You can create app roles in SSMS or TSQL

Roles

Roles

• For an application to use the app role, it must know the password • The stored procedure sp_setapprole is how you invoke or set the app role • sp_unsetapprole can be used to restore the original security contexts

Roles

Roles

Roles

• Application roles are for specific situations – For stateful apps, not stateless apps like websites – Useful for kiosk-style apps in which users will not have their own logins – Useful for apps that bypass SQL Server users and create their own table-based security system – Most people will not ever encounter app roles

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security: Permissions Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

The GDR

• As we saw earlier, permissions are given using the GDR – GRANT – DENY – REVOKE

The SQL Server Security Model

• Deny takes precedence • User cannot perform an action unless they have been granted that permission • Users inherit permissions from roles • It only takes one DENY to prevent!

The SQL Server Security Model

• Micah is a user of the WebsiteMarketing db – public has DENY SELECT on dbo.Log – Micah belongs to db_datareader – Micah’s user account: • GRANT SELECT on dbo.Log • GRANT UPDATE on dbo.Customer

• What are Micah’s effective permissions?

The SQL Server Security Model

• Micah’s effective permissions are: – Read all tables except dbo.Log – Update dbo.Customer

• Micah is a user of the WebsiteMarketing db – public has DENY SELECT on dbo.Log – Micah belongs to db_datareader – Micah’s user account: • GRANT SELECT on dbo.Log • GRANT UPDATE on dbo.Customer

Securables and Principals

• You will use the GDR to manage permissions at every level • Permissions have scope – Server – Database – Schema

Server scoped permissions

• Server scoped permissions – Apply to the connection and are always “on” -- Give the login Chad sysadmin-level rights:

GRANT CONTROL SERVER to Chad -- Give Chrissy the option to change -- anyone’s password GRANT ALTER ANY LOGIN TO Chrissy

Server scoped permissions

Permission

Description

Administer bulk operations

Required to perform bulk operations

Alter any login

Change anyone’s password, et al

Control server

Sysadmin privileges

Create any database

Allows non-sysadmins to create databases

Shutdown

Uhhhhhhhhh

View any database

Can see metadata about every database; PUBLIC has this permission by default

View any definition

Discussed on next slide

View server state

Discussed on next slide

• Server roles often include these •

Adding a login to sysadmin grants “Control server”

Server scoped permissions

• In SQL Server 7.0 and SQL Server 2000, users were allowed to view the metadata about every object in the database -- Return metadata about every object in SQL 2000:

SELECT * FROM sysobjects

Server scoped permissions

• Starting with SQL Server 2005, you must enable permissions: -- Returns only objects that user has perms defined for:

SELECT * FROM sys.objects

Server scoped permissions

• If you need backward compatibility, then you need to GRANT server scoped permissions -- So that any user can view objects in db:

GRANT VIEW ANY DEFINITION to public -- Give users permissions to see health of server

GRANT VIEW SERVER STATE to public

Server scoped permissions

• Please! Do not issue these statements on a production server unless you know that need them! – These changes in security reflect changes to the SQL Server security model that were put in place for a reason

Roles

• When you use SSMS’ GUI to manage permissions, behind the scenes it will execute GDR statements to perform the requested action

Roles

• The easiest way to learn the Transact-SQL statements that DBAs use is to use the Script button to view the statements that SSMS will execute

Roles

• (We’ll do a full Transact SQL review later)

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security: Database Permissions Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Securables and Principals

• You will use the GDR to manage permissions at every level • Permissions have scope – Server – Database – Schema

Database scoped permissions

• Database scoped permissions – Apply to objects in the database only – Can assign permissions to: • Users • Roles • Schemas

Admin-related permissions

Permission

Description

Alter any application role

Change passwords

Alter any role

Create/alter/drop app roles, modify privileges

Alter any schema

Create/alter/drop schemas, modify perms, change object ownership

Alter any user

Create/alter/drop users, rename user; change default schema

Backup database

Can perform FULL and DIFFERENTIAL backups

Backup log

Can perform LOG backups

Control

Same permission as dbo

View database state

Required to view dynamic management views (DMVs) related to database state

Developer-related permissions

Permission

Description

Create assembly

Load new assemblies into database

Create function

Can create functions in any schema unless specifically denied

Create procedure

Can create stored procedures in any schema unless specifically denied

Create table

Can create tables in any schema unless specifically denied

Create view

Can create views in any schema unless specifically denied

Select

Same as placing in db_datareader

Insert, Update, Delete

Same as db_datawriter

Database scoped permissions

• Many user-level and flexible role permissions can be handled with the fixed database roles – “DENY Insert, Update, Delete…” is equivalent to adding user/role to db_denydatawriter role – Giving a user create function, view, proc, and table is the same as db_ddladmin

Database scoped permissions

• Roles can be nested – Step 1: Create DbAdmins flexible database role – Step 2: Make DbAdmins members of db_ddladmin

• The DbAdmins now have the same permissions as db_ddladmin – This may not make much sense yet…

Transact SQL

• Give the user Chrissy the ability to create functions -- Always make sure you are in the right db!

USE[LearnItFirst.com] GO GRANT CREATE FUNCTION TO [Chrissy]

Transact SQL

• Remove Chrissy’s ability to create functions REVOKE CREATE FUNCTION FROM [Chrissy] -- Chrissy now has no permissions

Transact SQL

• Prevent Chrissy from ever being able to create functions DENY CREATE FUNCTION TO [Chrissy]

Exercise

• What is the best way to give a user the ability to read all tables in the WebsiteMarketing db? _________________________________________ • Can you think of at least two other alternatives? _________________________________________

Exercise

• What is the best way to give all users the ability to read all tables in the WebsiteMarketing db? – Add user to db_datareader

• Can you think of at least two other alternatives? – Grant SELECT TABLE as database permission – Manually GRANT SELECT on each table in database – Grant SELECT on each table public role

Up next…

• Enough lecture – let’s demo!

SQL Server 2008 Security: Database Permissions Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Securables and Principals

• You will use the GDR to manage permissions at every level • Permissions have scope – Server – Database – Schema

What is a schema again?

• Schemas are containers – For convenience – Addictive

• Schemas are used in name resolution SELECT * FROM Server.Database.Schema.Object

Schema scoped permissions

• Schema-scoped permissions – Apply to objects in the schema only – Can assign permissions to: • Tables, views, procedures, functions and much more

• A schema is a database-level securable – Permissions on a schema in one database have no effect on a user’s permissions in another database

Schema level permissions

• If you have a schema-level permission, you have that permission for all objects contained within that schema Permission

Meaning

CONTROL

User has owner-like privileges on all objects in schema

ALTER

User may alter all objects in schema

INSERT, UPDATE, DELETE, SELECT

User may perform these operations (specified individually) on all objects in schema

VIEW DEFINITION

User may view definition (i.e. metadata) on all objects in schema

Roles and Schemas

• DBAs can secure objects at the schema level • DBAs can GRANT/DENY permissions on all objects in schema to users

Up next…

• Impersonation and EXECUTE AS • Demos

SQL Server 2008 Security: Impersonation and EXECUTE AS Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Impersonation and EXECUTE AS

• Before we get into deep demo mode, you need to understand impersonation at a high level – Impersonation allows you to change the execution context – This means you can execute statements as another login or another user without physically logging in as that principal

Impersonation and EXECUTE AS

• We use the EXECUTE AS command to perform impersonation – You can impersonate a login or a user – Requires the IMPERSONATE permission

• We use REVERT to switch back to our login

Impersonation and EXECUTE AS

• Sysadmins have impersonate permission for all logins and users – This means that the ‘sa’ can execute statements as any login or user

• Normal users cannot perform impersonation by default – You must grant them IMPERSONATE permission on a specific login or user

Granting login impersonation

-- We are logged in as „sa‟ GRANT IMPERSONATE ON Login::[LearnItFirst] TO [Chrissy] -- Chrissy is a login GO

Granting user impersonation

-- We are logged in as „sa‟ USE [LearnItFirst.com] GO GRANT IMPERSONATE ON User::[LIF] TO [Chrissy] -- Chrissy is a user GO

EXECUTE AS syntax { EXEC | EXECUTE ] AS [;] ::= { LOGIN | USER } = 'name' [ WITH { NO REVERT | COOKIE INTO @varbinary_variable } ] | CALLER

– NO REVERT – once activated, cannot be undone using REVERT

Impersonation and EXECUTE AS

• There are two types of context switching – Server-level (impersonating a login) • EXECUTE AS LOGIN = ‘NewLogin’

– Database-level (impersonating a user) • EXECUTE AS USER = ‘NewUser’

Impersonation and EXECUTE AS

• Server-level impersonation: – Once you switch, you are no longer you; you are the login you are now impersonating – Use REVERT to return to your original context – Can impersonate while impersonating! -- Useful T-SQL functions for server-level impersonation: SELECT SUSER_SNAME() AS CurrentLogin, ORIGINAL_LOGIN() AS OriginalLogin

Impersonation and EXECUTE AS

• Database-level impersonation: – Once you switch, you are no longer you; you are the user you are now impersonating – Use REVERT to return to your original context – Can also impersonate while impersonating

• One “gotcha”: once triggered, you cannot access objects from databases that do not have a guest account

Impersonation and EXECUTE AS -- Useful T-SQL functions for database-level impersonation: SELECT SUSER_SNAME() AS CurrentLogin, USER_NAME() AS CurrentUser

Impersonation and EXECUTE AS

• After we discuss object ownership, we will see there is another level of impersonation

Up next…

• Let’s do a few demos showing permissions, roles, users, and context switching!

SQL Server 2008 Security: Ownership Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Ownership

• In SQL Server, we talk about database ownership, object ownership, and schema ownership – The owner has full rights

Database Ownership

• Database ownership: – The database owner is a login – The dbo user is the database owner – By placing users in the db_owner role, they have similar permissions • However, the dbo can DENY privileges to the members of the db_owner role

Cross database ownership chaining

• “Cross database ownership chaining” (‘CDOC’) allows database owners of one database to act as owners of other databases without having specific user access

Cross database ownership chaining

• “Cross database ownership chaining” is both a server setting and a database setting – Set it at the server-level to enable for entire instance – Set it at the database-level to allow specific databases to participate

Cross database ownership chaining

• “Cross database ownership chaining” is not recommended – Disabled by default – “… should not be enabled unless it is specifically required.” – Source: Books Online

Schema Ownership

• Schema ownership is extremely important – Remember that all objects in a database are contained within a schema – The schema owner has full rights on all objects in that schema

Object Ownership

• Object ownership: – You can grant CONTROL on certain objects within a schema instead of granting permission on the entire schema

Object Ownership

• Transferring ownership is easy – Can transfer schema ownership – Can transfer object ownership

• Can use Transact-SQL (recommended) or the SSMS GUI screens (lots of clicks!)

Object Ownership

• Example #1 – Terry owns the “Sales” schema – Terry leaves the company and we hire Chad to replace him – We transfer ownership of the “Sales” schema to Chad

Object Ownership

• Example #2 – Chrissy owns a table in the “Sales” schema named “Prospects” – Chad owns the schema – We hire Candy to replace Chrissy – We grant CONTROL on “Sales.Prospects” to Candy – We remove Chrissy!

In the next videos…

• Examples and scenarios • Ownership chains • How impersonation can affect permissions • How to transfer ownership of databases and schemas

SQL Server 2008 Security: Ownership Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Object Ownership

• Let’s walk through a few examples on object ownership first – Remember that the owner has full rights

Example #1

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: <none>

• Can Chad SELECT from dbo.Merchant? – ___________________

• Can Chad execute dbo.AddMerchant? – ___________________

• Why is this? – ___________________

Example #1

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: <none>

• Can Chad SELECT from dbo.Merchant? – Yes!

• Can Chad execute dbo.AddMerchant? – Yes!

• Why is this? – He is the dbo and has full rights to the database

Example #2

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: <none>

• Chrissy is a user with no permissions • Can Chrissy SELECT dbo.Merchant? – ___________________

• Why or why not? – ___________________

Example #2

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: <none>

• Chrissy is a user with no permissions • Can Chrissy SELECT dbo.Merchant? – No

• Why or why not? – Her effective permission does not contain a GRANT

Example #3

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy is a user with no permissions • Can Chrissy SELECT dbo.Merchant? – ___________________

• Why or why not? – ___________________

Example #3

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy is a user with no permissions • Can Chrissy SELECT dbo.Merchant? – Yes

• Why or why not? – Her effective permission contains a GRANT with no DENY

Example #4

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy: member of db_datareader • Chrissy: DENY SELECT ON SCHEMA::[dbo] • Can Chrissy SELECT dbo.Merchant? – ___________________

• Why or why not? – ___________________

Example #4

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy: member of db_datareader • Chrissy: DENY SELECT ON SCHEMA::[dbo] • Can Chrissy SELECT dbo.Merchant? – No

• Why or why not? – Her effective permission contains a DENY

Object Ownership

• Clear cut examples like the previous ones make things seem easy • What happens when there are multiple objects and multiple permissions?

Example #5

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy: DENY SELECT ON dbo.Merchant • Chrissy: GRANT SELECT ON dbo.ViewMerchants • Can Chrissy SELECT dbo.ViewMerchants? – ___________________

Example #5

dbo schema (owned by dbo, the user): • Merchant (table) • AddMerchant (proc) • ViewMerchants (view) WebsiteMarketing dbo: Chad

Permissions: • public: SELECT on dbo.Merchant

• Chrissy: DENY SELECT ON dbo.Merchant • Chrissy: GRANT SELECT ON dbo.ViewMerchants • Can Chrissy SELECT dbo.ViewMerchants? – Yes, and she can see all of dbo.Merchant!

Object Ownership

• When multiple objects access each other sequentially, this is called a chain

Object Ownership

• When the owner of all objects in the ownership chain is the same, permission is only checked at the entry point of the chain – Example: if the dbo owns all objects in the chain

Ownership Chain Demo

Object Ownership

• This makes life easy for the DBA: you only need to concern yourself with whether your user/role has permissions at the entry point – Most real-world database work is done on objects all owned by the same user

In the next videos…

• Ownership chains • How impersonation can affect permissions • How to transfer ownership of databases and schemas

SQL Server 2008 Security: Ownership Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Object Ownership

• When there are different owners in the chain, SQL Server checks the permission at each change in ownership – This is called ownership chaining – It’s a hard life dealing with databases with multiple schema owners that also contain objects controlled by multiple users

Ownership Chain Demo

Example #1

• The dbo creates a view, Admin.GetMerchants, that references dbo.Merchant

• The dbo grants Chrissy SELECT on the view • When Chrissy selects from the view, is ownership chaining in effect? – No, the same owner owns all objects!

Object Ownership

• It is not the schema name that causes ownership chaining – It is the fact that the schemas are owned by different users

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Can Chrissy create this view despite not having the SELECT permission?

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Since Chrissy cannot select but can create the view, can she select from her own view and get the data in that way?

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Since Chrissy cannot select but can create the view, can she select from her own view and get the data in that way? • No! She must be given SELECT privilege on dbo.Merchant

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Chrissy GRANTs Terry SELECT permission on her view. Terry has no permissions on dbo.Merchant. Can he SELECT from the view?

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Chrissy GRANTs Terry SELECT permission on her view. Terry has no permissions on dbo.Merchant. Can he SELECT from the view? • No! But for a different reason…

Object Ownership

• Remember: SQL Server checks permissions at each change in ownership • Terry must have: – SELECT permission on Admin.GetMerchants – SELECT permission on dbo.Merchant

• But there is another way……………………….

In the next videos…

• How impersonation can affect permissions • How to transfer ownership of databases and schemas

SQL Server 2008 Security: Ownership Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Object Ownership

• This is hard stuff… Follow me here: – Chrissy: • Owns Admin schema • Has CREATE VIEW privilege • Creates a view, Admin.GetMerchants, based on dbo.Merchant

– Chrissy GRANTs Terry SELECT permission on her view. Terry has no permissions on dbo.Merchant. Can he SELECT from the view?

Object Ownership

• Remember: SQL Server checks permissions at each change in ownership • Terry must have: – SELECT permission on Admin.GetMerchants – SELECT permission on dbo.Merchant

• But there is another way……………………….

Impersonation in Modules

• The creator of the module (i.e. procedure, view, function, trigger) can specify the execution context – Just because you can doesn’t mean you should…

Example #1: • Chrissy: – Owns Admin schema – Has CREATE VIEW privilege – Creates a view, Admin.GetMerchants, based on dbo.Merchant

CREATE VIEW Admin.GetMerchants AS SELECT * FROM dbo.Merchant GO

Impersonation in Modules

• This example actually runs under the execution context EXECUTE AS CALLER: – EXECUTE AS CALLER says that SQL Server should check permissions at each change in ownership (the default)

Impersonation in Modules

• There are actually four options for switching execution context in modules: – EXECUTE AS CALLER (the default) – EXECUTE AS ‘user_name’ – EXECUTE AS SELF – EXECUTE AS OWNER

Impersonation in Modules

• EXECUTE AS ‘user_name’ – All access to other tables and modules in this module is done via the security context of ‘user_name’ – Creator of module must have IMPERSONATE ‘user_name’

Impersonation in Modules

• EXECUTE AS SELF – All access to other tables and modules in this module is done via the security context of the creator of the module

Impersonation in Modules

• EXECUTE AS OWNER – All access to other tables and modules in this module is done via the security context of the current owner of the module

Example #1: •

Chrissy: – – – –

Owns Admin schema Has CREATE VIEW privilege Creates a view, Admin.GetMerchants, based on dbo.Merchant Has IMPERSONATE „Terry‟

CREATE VIEW Admin.GetMerchants EXECUTE AS ‘Terry’ AS SELECT * FROM dbo.Merchant GO -- Terry must have SELECT on -- dbo.Merchant for any user -- (except dbo) to get data

How to transfer objects…

• The final piece here is knowing how to transfer objects • You can transfer: – Databases to new logins – Schemas and modules to users or roles

To Transfer a Database

• DBAs often create databases and then transfer them to another login – We are stingy about giving out GRANT CREATE DATABASE permissions…

To Transfer a Database

• To transfer a database, use the sp_changedbowner stored procedure – The login must not be an existing user in the database prior to transfer - why? -- Make sure you are in the right DB! USE [LearnItFirst.com] GO EXEC sp_changedbowner „Chrissy‟ -- The login „Chrissy‟ is now the dbo!

To Transfer an Object

• Transferring object ownership is really transferring the object to a new schema or changing the schema’s owner – Generally you want to change the schema’s owner in the real world

To Transfer an Object

• To transfer ownership of a schema: – Generally you want to change the schema’s owner in the real world

To Transfer an Object

• To transfer ownership of a schema in Transact-SQL: ALTER AUTHORIZATION ON SCHEMA::[Customer] TO [Terry]

To Transfer an Object

• If you absolutely, positively have to change the schema of an object (table, view, etc), it is easiest to do so in T-SQL – You can do it in SSMS’ GUI but sheesh! ALTER SCHEMA [NewSchema] TRANSFER „OldSchema.MyTable‟

SQL Server 2008 Security: Encryption Overview Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Encryption Overview

• SQL Server 2008 has native encryption built in – Connections can be encrypted – Source code can be encrypted – Data can be encrypted

Encryption Overview

• DBAs need to know about: – How to encrypt connections – How to enable encryption – How to backup and restore the encryption mechanisms (i.e. the encryption ‘keys’)

• Let’s talk about each!

Encryption Overview

• DBAs need to know about: – How to encrypt connections – How to enable encryption – How to backup and restore the encryption mechanisms (i.e. the encryption ‘keys’)

Encrypting Connections to SQL Server

• SQL Server can use 40 or 128-bit Secure Sockets Layer (“SSL”) to encrypt network packets – Slower performance but higher security – Requires a certificate to be installed on the machine that hosts the SQL Server – Best practice is to use a trusted certificate • Self-signed certificates can be thwarted

Encrypting Connections to SQL Server

– Step 1: Install certificate – Step 2: In the SQL Server Configuration Manager, right click on Protocols for

Encrypting Connections to SQL Server

– Step 3: Choose your certificate in the Certificates tab

Encrypting Connections to SQL Server

– Step 4: Choose whether or not encryption is required • The Force Encryption option: – If “No”, encryption is optional – If “Yes”, clients who are not encrypted will not be allowed to connect

Encryption Overview

• DBAs need to know about: – How to encrypt connections – How to enable encryption – How to backup and restore the encryption mechanisms (i.e. the encryption ‘keys’)

Encrypting Source Code

• Source code can also be encrypted – However, whether it can be decrypted or not is another matter – Always have a separate copy of your encrypted source code

CREATE PROC MyProc WITH ENCRYPTION AS PRINT „You cannot see the source code now!‟ GO

Encrypting Data

• When we talk about encryption in SQL Server, we are generally discussing the encryption of actual data • There are many ways to encrypt data inside your SQL Server – Pass in data that is already encrypted – Have SQL Server handle the encryption for you

Encrypting Data

• In the next video, we’ll cover the types and techniques of native SQL Server encryption

SQL Server 2008 Security: Encryption Overview Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Encryption Overview

• DBAs need to know about: – How to encrypt connections – How to enable encryption – How to backup and restore the encryption mechanisms (i.e. the encryption ‘keys’)

Encryption

• Encryption can be done at the databaselevel or at the column-level (or cell-level) • Be aware that encryption will result in poorer performing queries

Encryption

• If you don’t have Enterprise Edition… – You must perform column-level encryption manually using functions like: • • • •

EncryptByPassphrase() EncryptByCert() EncryptByAsymKey() EncryptByKey()

– Column-level encryption is covered in detail in out SQL Server 2008 Transact-SQL programming class • Course 161

Encryption

• If you do have Enterprise Edition, then you can use Transparent Data Encryption (“TDE”) – Entire database is encrypted – Requires no coding changes by developers – Encryption/decryption is done automatically and cannot be bypassed – Performance hit of “3-5%” – Source: Microsoft article, “Database Encryption in SQL Server 2008” via http://learnitfirst.com/go.aspx?id=J4EK

Encryption

• To enable TDE: – Step 1: Create a master key in the master database – Step 2: Create a certificate based on the master key – Step 3: Create a database encryption key – Step 4: Turn it on!

• Let’s look at each step

Encryption

• To enable TDE: – Step 1: Create a master key in the master database – Step 2: Create a certificate based on the master key – Step 3: Create a database encryption key – Step 4: Turn it on!

Encryption

• Step 1: Create a master key in the master database – A master key is a symmetric key used to protect the private keys of certificates and asymmetric keys – There is no “default” master key so you must either create it or use an existing key if already present

Encryption

• Step 1: Create a master key in the master database (cont.) USE master GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password„ -- Encrypted using Triple DES

Encryption

• To enable TDE: – Step 1: Create a master key in the master database – Step 2: Create a certificate based on the master key – Step 3: Create a database encryption key – Step 4: Turn it on!

• Let’s look at each step

Encryption

• Step 2: Create a certificate based on the master key – Required to create Step 3’s database encryption key

USE master GO CREATE CERTIFICATE LearnItFirstCert WITH SUBJECT = „Transparent Data Encryption Cert‟

Encryption

• To enable TDE: – Step 1: Create a master key in the master database – Step 2: Create a certificate based on the master key – Step 3: Create a database encryption key – Step 4: Turn it on!

Encryption

• Step 3: Create a database encryption key – Based on the certificate from Step 2 – Can use AES, DES, Triple DES, RC4, and more USE [LearnItFirst.com] -- The db to protect GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY SERVER CERTIFICATE LearnItFirstCert -- Cert from Step 2

Encryption

• To enable TDE: – Step 1: Create a master key in the master database – Step 2: Create a certificate based on the master key – Step 3: Create a database encryption key – Step 4: Turn it on!

Encryption

• Step 4: Turn it on! USE [LearnItFirst.com] -- The db to protect GO ALTER DATABASE [LearnItFirst.com] SET ENCRYPTION ON GO

TDE

• A few tips for working with TDE: – Backup master and your DB before beginning – Configure on multiple test servers and databases until you are very comfortable before rolling into production – TDE requires time to do the encryption so schedule over a weekend or during planned downtime – Once you enable TDE, tempdb will be encrypted as well • This lowers the performance of SQL Server for non-TDE databases

TDE

• Backup and Restore – Take backups of your service master key, your master key and certificate(s) at the same time you turn on TDE – Store these backups in a separate location from your database backup – Your database cannot be attached or restored without these!

TDE

• Backing up TDE databases requires more… – The service master key will be covered later… BACKUP SERVICE MASTER KEY TO FILE = „F:\SMK_Timestamp.bak„ ENCRYPTION BY PASSWORD = „p@55w0rD!'

TDE

• Backing up TDE databases requires more… BACKUP MASTER KEY TO FILE = „F:\MasterKey.bak„ ENCRYPTION BY PASSWORD = „n3Wp@55!‟

TDE

• Backing up TDE databases requires more… BACKUP CERTIFICATE LearnItFirstCert TO FILE = „F:\LearnItFirstCert.bak‟

TDE

• Restoring TDE databases is exciting! – Make sure you take your heart medicine first… – Step 1: Restore Service Master Key (if needed) – Step 2: Restore Master Key (if needed) – Step 3: Re-create the certificate (if needed) – Step 4: Restore the database

TDE

• We will cover restoring service master keys in chapter 6 • Once all keys are restored and the certificate is created, just restore the database – No need to go through any hoops if restoring to the same server (all keys and certs are present!)

SQL Server 2008 Security: Linked Servers and Distributed Queries Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Distributed Queries Overview

• You are able to query additional data sources using Transact-SQL: – Linked servers are pre-configured for granular security and repeated use – OPENQUERY(), OPENROWSET() and OPENDATASOURCE() allow you to specify data source at run-time

• These are called distributed queries

Distributed Queries Overview

• Distributed queries often involve multiple data source types – You can JOIN a SQL Server table to an Oracle table, for example

Linked Servers

• Linked Servers: – Allow you to write easy Transact-SQL statements against multiple data sources without having to enter login credentials with each query – Login credentials are stored with the linked server’s definition – Used whenever you need to repeatedly access an external data source from within SQL Server and do not want to have to enter credentials each time

Linked Servers

• Linked Servers are configured by the DBA – In SSMS, go to Server Objects

Linked Servers

• Let’s view a demo!

SQL Server 2008 Security: Linked Servers and Distributed Queries Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

Pass-through queries

• Pass-through queries are queries whose parsing is done completely by the remote data source – Are written in the language of the underlying data source – The SQL Server query parser does not even parse the statement

OPENQUERY()

• OPENQUERY() allows us to issue passthrough queries against linked servers – Anyone can execute – Permission is checked in the linked server – Can issue any SELECT, INSERT, UPDATE and DELETE

OPENQUERY()

-- If we have a linked server named -- JUPITER to a SQL Server 2008 -- instance SELECT * FROM OPENQUERY(Jupiter, „SELECT FirstName, LastName FROM dbo.Customer‟)

OPENQUERY()

-- OPENQUERY is not necessary here -- This is not a pass-through query: SELECT FirstName, LastName FROM Jupiter.TheDb.dbo.Customer -- Notice the four-part address -- Required for linked servers

OPENQUERY()

• OPENQUERY is generally used with nonSQL Server-based linked servers – Like Microsoft Access or Excel, Oracle, DB2 – For SQL Server-based linked servers, we generally just use “regular old four-part queries” SELECT FirstName, LastName FROM Jupiter.TheDb.dbo.Customer

OPENDATASOURCE() and OPENROWSET()

• OPENDATASOURCE() and OPENROWSET() are functions that allow ad-hoc queries to remote data sources – No linked servers – Require the server-level option “Ad Hoc Distributed Queries” to be enabled EXEC sp_configure „Ad Hoc Distributed Queries‟, 1 RECONFIGURE WITH OVERRIDE GO

OPENROWSET()

• OPENROWSET() is extremely flexible – Can bulk load data from text files – Can load data from Oracle, Access, et al -- Example query to MS Access database SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', 'C:\Program Files\Microsoft Office\OFFICE11\SAMPLES\Northwind.mdb';'admin ';'', Orders) AS x

OPENROWSET()

• Example showing OPENROWSET() -- Example query to a .txt file SELECT * FROM OPENROWSET(BULK 'c:\test\values.txt„)

OPENDATASOURCE()

• OPENDATASOURCE() allows four-part addressing without using a linked server – Not that common

OPENDATASOURCE () -- Example query to MS Access database SELECT * FROM OPENDATASOURCE('Microsoft.Jet.OLEDB.4.0', 'C:\Program Files\Microsoft Office\OFFICE11\SAMPLES\Northwind.mdb';'admin ';'', Orders)...[Customers] -- Notice the “...”

-- Example query to SQL Server instance SELECT * FROM OPENDATASOURCE('SQLNCLI', 'Data Source=London\Payroll;Integrated Security=SSPI') .AdventureWorks.HumanResources.Employee

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In the next video

• Encryption overview • Linked servers • SIDs and User accounts

SQL Server 2008 Security: SIDs and Users - What You Need to Know Presented by Scott Whigham

• Database principals • Schemas • Roles • Assigning Database permissions

More….

• Chapter Overview • Reducing the attack surface area • An Overview of SQL Server Security Model • Logins and Permissions

Database-level Security

Server-level Security

In this video

• Encryption overview • Linked servers • SIDs and User accounts

What is a SID?

• SID is an acronym for Security IDentifier • When you create a login, it is given a SID: – Windows-based login SIDs are the same as the Windows account/group SID – SQL Server login SIDs are unique values for that instance

Example

• SIDs are important: – What happens if we want to restore a database on another server? Let’s look at a scenario…

Example

• Your production server has a SQL Server authentication login, “BigLogin” and a database, “OurDb” – BigLogin can access the OurDb database using BigLogin’s user account, “BigUser” – Your application is configured to use the BigLogin login to access SQL Server

Example

• You want to create an offsite copy of the database on another server – You take a backup of OurDb and restore it onto your new SQL Server – You configure your application to use this new server

• Will your application be able to connect?

Example

• No! – You have not created the BigLogin login on the new server

• Lesson learned… So you go create the BigLogin SQL Server authentication login on the new server • Will your application be able to connect?

Example

• Maybe! – It depends on whether or not you have set the default database for the connection string to be OurDb • If you set it, you cannot log in • If you did not set it (unlikely), then you can log in

• Right now, the login on the new server cannot access OurDb!

Example

• Here’s the key take away from this video: – When you create a SQL Server authentication login, it creates it with a random SID by default

Example CREATE LOGIN Scott WITH PASSWORD='p@55w0rD!' GO SELECT sid FROM sys.server_principals WHERE name = 'Scott' GO DROP LOGIN Scott GO CREATE LOGIN Scott WITH PASSWORD='p@55w0rD!' GO SELECT sid FROM sys.server_principals WHERE name = 'Scott„

Example

• When you create a SQL Server authentication login, it creates it with a random SID by default

Example

• So back to our scenario… – When you created the new login, it created it with a random SID – Main point: The user account in the OurDb database on the new server is not associated with your new login!

• Why not?

Example

• Because the SIDs for the login BigLogin are different on each server! • Enough for now… We’ll revisit this in the next chapter and show examples and how to resolve!

Example

• Speaking of the next chapter… • Up next: Chapter 6: Backup and Recovery

Related Documents

Sql Server 2008 Dw
October 2019 32
Sql Server 2008 Tips_2
December 2019 24
Sql Server 2008 Tips_3
December 2019 20
Sql Server 2008 Tips_1
December 2019 37

More Documents from ""