Microsoft SQL Server Security and Auditing
Clay Risenhoover, ISACA North Texas, April 14, 2016
http://tinyurl.com/ISACAClay
© 2016, Risenhoover Consulting, Inc. All Rights Reserved 1
Goals
• Understand new and important security features
• Demonstrate use of some of them
• Discuss security ramifications of all of them
Assumptions
The ideal student:
• Not a DBA
• Not freaked out by SQL
• Understands security/assurance
• Understands basic database concepts (like ACID)
ACID
• Atomicity (all-or-nothing transactions)
• Consistency (transactions leave the DB in a stable state)
• Isolation (concurrency)
• Durability (transactions don't go away once committed)
Model
• Server hardening
• Confidentiality
• Integrity
• Availability
Server Hardening
• Patch level
• Authentication modes
Patching
Determine the running version (build list: sqlserverversions.blogspot.com):
SELECT @@VERSION;
SELECT SERVERPROPERTY('productversion');
Authentication
Determine the authentication mode:
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly');

SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows Authentication'
         WHEN 0 THEN 'Mixed Mode Authentication'
       END AS [Authentication Mode];
Confidentiality
• Encryption
• Row-level security
• User permissions
Encryption Options
• Transparent data encryption (TDE)
• Encrypted backups
• Always Encrypted
Encryption – TDE
• Introduced in SQL Server 2008 Enterprise
• Encrypts data at rest
• Uses a hierarchy of keys
TDE Key Hierarchy
Database Encryption Key
  protected by: Database Master Key
    protected by: Service Master Key (OS level)
TDE – Key Backups
BACKUP MASTER KEY TO FILE = 'path_to_file' ENCRYPTION BY PASSWORD = 'password';

RESTORE MASTER KEY FROM FILE = 'path_to_file'
    DECRYPTION BY PASSWORD = 'password'
    ENCRYPTION BY PASSWORD = 'password' [ FORCE ];
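Added example, not from the slides: walking the key chain from the Database Master Key down to a Database Encryption Key, including the server certificate that sits between them (omitted from the hierarchy slide), and backing that certificate up before encryption is switched on. PayrollDB, TDE_Cert, the file paths and the passwords are placeholders.

```sql
-- Added example: enable TDE on a user database and back up the key chain.
-- Database, certificate, paths and passwords are placeholders.
USE master;
GO
-- 1. Database master key in master, itself protected by the service master key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<StrongDmkPassword>';
GO
-- 2. Server certificate that will protect the database encryption key
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for PayrollDB';
GO
-- 3. Back up the certificate and private key BEFORE enabling encryption;
--    without this file an encrypted database or backup cannot be restored
--    on another server.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\KeyBackup\TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\KeyBackup\TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<StrongPvkPassword>');
GO
-- 4. Database encryption key lives inside the user database
USE PayrollDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Switch encryption on; a background scan encrypts existing pages
--    (tempdb is encrypted as well once any user database is)
ALTER DATABASE PayrollDB SET ENCRYPTION ON;
GO
-- Audit check: which databases are encrypted, and is the scan finished?
SELECT d.name,
       d.is_encrypted,
       k.encryption_state,   -- 2 = encryption in progress, 3 = encrypted
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
ORDER BY d.name;
```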
Encryption – Encrypted Backups
• Introduced in SQL Server 2014
• Encrypt database backup files
• Can use
Encryption – Always Encrypted
• Introduced in SQL Server 2016
• Protects data in transit and at rest
• Columns encrypted with keys stored with the application, not in the server
Encryption – Final Thoughts
• Back up and protect all cryptographic keys
• TEST YOUR BACKUPS
Row-Level Security
• Introduced in SQL Server 2016
• Uses functions to restrict the table rows available to a user
• Older versions had to emulate it with views and stored procedures
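Added example, not from the slides: the predicate function and security policy that row-level security is built from, applied to a constructed sales table so each rep sees only their own rows. The table, schema, role and user names (rep_alice, rep_bob, SalesManagers) are placeholders and the users are assumed to exist in the database.

```sql
-- Added example: row-level security on a constructed table.
-- Names are placeholders; rep_alice/rep_bob are assumed database users.
CREATE TABLE dbo.SalesOrders (
    OrderId  INT IDENTITY PRIMARY KEY,
    SalesRep SYSNAME NOT NULL,   -- database user name that owns the row
    Amount   MONEY NOT NULL
);
INSERT INTO dbo.SalesOrders (SalesRep, Amount)
VALUES ('rep_alice', 100), ('rep_bob', 250), ('rep_alice', 75);
GO
-- Keep predicate objects in their own schema so table owners cannot alter them
CREATE SCHEMA Security;
GO
-- Inline table-valued function: returns a row only when the caller may see it.
-- Members of the SalesManagers role see everything; others only their own rows.
CREATE FUNCTION Security.fn_SalesRepPredicate(@SalesRep AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()
              OR IS_MEMBER('SalesManagers') = 1;
GO
-- FILTER silently hides rows on SELECT/UPDATE/DELETE;
-- BLOCK raises an error on inserts that would create rows the user cannot see.
CREATE SECURITY POLICY Security.SalesOrderPolicy
    ADD FILTER PREDICATE Security.fn_SalesRepPredicate(SalesRep)
        ON dbo.SalesOrders,
    ADD BLOCK PREDICATE Security.fn_SalesRepPredicate(SalesRep)
        ON dbo.SalesOrders AFTER INSERT
    WITH (STATE = ON);
GO
-- Verify: running as rep_alice returns only the two rep_alice rows
EXECUTE AS USER = 'rep_alice';
SELECT OrderId, SalesRep, Amount FROM dbo.SalesOrders;
REVERT;
GO
-- Audit check: list active policies and the predicates they enforce
SELECT p.name, p.is_enabled, sp.predicate_type_desc, sp.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
```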
Special Permissions
Server-level permissions:
• Apply to all databases, present and future
Introduced in SQL Server 2014:
• CONNECT ANY DATABASE
• SELECT ALL USER SECURABLES
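Added example, not from the slides: granting the two SQL Server 2014 server-level permissions to a read-only audit login, then the review query that lists every principal holding them. The login name and password are placeholders.

```sql
-- Added example: blanket read access for an audit login, plus a review query.
-- audit_reader and its password are placeholders.
USE master;
GO
CREATE LOGIN audit_reader WITH PASSWORD = '<StrongPassword>';
GO
-- CONNECT ANY DATABASE: may enter every current and future database
-- SELECT ALL USER SECURABLES: may read every user table and view in them
-- Together: read access everywhere without adding db_datareader in each DB,
-- which is why holders of these should be reviewed regularly
GRANT CONNECT ANY DATABASE       TO audit_reader;
GRANT SELECT ALL USER SECURABLES TO audit_reader;
GO
-- Review check: who holds these server-wide permissions?
SELECT pr.name       AS login_name,
       pr.type_desc,
       pe.permission_name,
       pe.state_desc  -- GRANT or DENY
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('CONNECT ANY DATABASE',
                             'SELECT ALL USER SECURABLES')
ORDER BY pr.name, pe.permission_name;
```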
Integrity
Delayed durability:
• Marks a transaction as committed even if its log records have not been flushed
• Makes our ACID a little less ACID-ic
Integrity – Delayed Durability
May be set at:
• Database level
• Transaction level
• For in-memory natively compiled procedures
Database level
ALTER DATABASE dbname SET DELAYED_DURABILITY = { DISABLED | ALLOWED | FORCED };
Transaction Level
COMMIT TRANSACTION WITH (DELAYED_DURABILITY = ON);
Atomic level
For a natively compiled procedure used with in-memory OLTP:
BEGIN ATOMIC WITH (DELAYED_DURABILITY = ON, ...)
Delayed Durability Checking
• Database properties dialog, Options tab
• Query
Delayed Durability – Query
-- DelayedDurability returns DISABLED, ALLOWED or FORCED per database
-- (sys.databases.delayed_durability_desc reports the same setting)
SELECT name,
       DATABASEPROPERTYEX(name, 'DelayedDurability') AS DelayedDurability,
       DATABASEPROPERTYEX(name, 'Status') AS Status
FROM master.dbo.sysdatabases
ORDER BY name;
Availability
For on-premise installations, a number of Azure availability options:
• Managed backups to Azure
• "Always On" availability groups with Azure replicas
Managed Backup to Azure
• Introduced in SQL Server 2014
• Automated backup to an Azure "blob" storage container
• Similar to disk/tape backup, but stored in the cloud
• "Backup to URL"
Backup to URL
BACKUP DATABASE TestDB
TO URL = 'https://<accountname>.blob.core.windows.net/<containername>/TestDB.bak'
WITH CREDENTIAL = '<mycredentialname>', COMPRESSION, STATS = 5;
Always-On Azure Replicas
• Always-On availability groups are used for database replication
• Replicas can be hosted in Azure
• Failover to the on-premise or the Azure replica
Conclusion
• Brief overview of interesting features
• Not exhaustive
• 2016 deployments are a good time to re-check your DB environment