1. Data Management Conference Data Security for Audit and Compliance Terry Room Architect, Microsoft Ltd London September 29th

2. Session Objectives Understand that Security is an important consideration for applications as well as the server Know what is available in SQL Server and how it can help you achieve security objectives

3. Agenda Protecting applications −Data protection −Authentication/Authorization −SQL Injection SQL 2008 Compliance New Features −Transparent Data Encryption −Extensible Key Management −Audit

4. A true story.....(kind of) The Company The Application The MD The IT Manager The DBA

5. What happened Day 1 due diligence −Review and change admin passwords 10 minutes later −Helpdesk reports problems −Login failures Smoking gun −ODBC DSN 10 minutes later −Helpdesk reports problems −Module failures, report failures −Code review ! using ‘sa’ context!

6. Code review Issues −No centralized data access layer −Embedded SQL −Lookup Order: −Lookup Customer: −Connection strings with hardcoded passwords “SELECT * FROM Orders WHERE OrderId=“ + varOrderId SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”’” Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id=sa;Password=‘’;

7. Protecting Applications

8. Authentication SQL AUTHENTICATIONWINDOWS AUTHENTICATION Userid/PasswordEncrypted Token (Kerberos) Challenge-Response (NTLM) Password obfuscated on wirePassword not transmitted on wire Subject to replay attack if channel not encrypted Not subject to replay attack (Kerberos) No mutual authenticationMutual authentication with Kerberos Logins managed in SQL ServerLogins managed by Windows DBAs create login accountsWindows/domain admins create login accounts Password policy enforced by Windows (Windows 2003+) Password policy enforced by Windows Security context may or may not be common between servers Security context is common between servers

9. Data Encryption In SQL Server 2000, 3 rd party support required Since SQL Server 2005 −Built-in support for data encryption −Support for key management Encryption additions in SQL Server 2008 −Transparent Data Encryption −Extensible Key Management

10. Channel Encryption Support for full SSL Encryption since SQL Server 2000 −Clients: MDAC 2.6 or later −Force encryption from client or server Login packet encryption −Used regardless of encryption settings −Supported since 2000 −Self-generated certificates avail since 2005

11. Permission Strategy Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo −Grant required perms to normal login Never use the dbo schema −User-schema separation Applications should have own schema −Consider multiple schemas Leverage Flexible Database Roles −Facilitates role separation Consider Auditing user activity

12. Ownership Chaining Beware of Ownership Chaining

13. Execution Context Best Practices Controlled escalation of privileges −DB scoped: EXECUTE AS and App Roles −Cross-DB scoped: Certificates −Avoid using dynamic SQL under an escalated context Do not use use CDOC and SETUSER Avoid allowing guest access on user DBs

14. SQL Injection SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution. SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”%’” ''';DROP TABLE CUSTOMERS--' SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS—’

15. SQL Injection – defence Use parameterized SQL queries Use Type-Safe SqlParameter in.Net Use parameterized SPs Least-privilege Principle Escape special characters Escape quotes with quotename/replace Escape wildcards in LIKE statements Validate buffer length to avoid truncation

16. DEMO : Protecting Applications

17. SQL 2008 Compliance New Features

18. Business Reasons Compliance requirements for PCI, HIPAA, GLBA among many other acronyms Key Management, Encryption, and Auditing are key components to meeting these compliance requirements Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance http://www.microsoft.com/sql/compliance

19. Data Encyption SQL Server 2005 −Built-in encryption functions −Key management in SQL Server −Encrypted File System (EFS) −Bit-Locker SQL Server 2008 −Extensible Key Management (EKM) −Transparent Data Encryption (TDE)

20. Extensible Key Management Key storage, management and encryption done by HSM module SQL EKM key is a proxy to HSM key SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module SQL EKM Provider DLL SQL EKM Key (HSM key proxy) Data SQL Server

21. Advantages of using EKM Security −Data and keys are physically separated (keys are stored in HSM modules) −Centralized key management and storage for enterprise −Additional authentication layer −Separation of duties between db_owner and data owner Performance −Pluggable hardware encryption boards

22. EKM Key Hierarchy in SQL 2008 DataDataDataData Native Symmetric key TDE DEK key EKM Symmetric keyEKM Asymmetric key SQL Server Symmetric keyAsymmetric key

23. Transparent Data Encryption (TDE) Encryption/decryption at database level DEK is encrypted with: −Certificate −Key residing in a Hardware Security Module (HSM) Certificate required to attach database files or restore a backup SQL Server 2008 DEK Client Application Encrypted data page

24. TDE – Key Hierarchy Database Master Key encrypts Certificate In Master Database DPAPI encrypts Service Master Key Service Master Key encrypts Database Master Key Certificate encrypts Database Encryption Key

25. TDE – Key Hierarchy with EKM Asymmetric Key resides on the EKM device Asymmetric Key encrypts Database Encryption Key

26. TDE considerations Compatible with Database Compression Not recommended with Backup Compression Database Mirroring −Copy certificate from primary to mirror Log files are not retroactively encrypted −Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only

27. Transparent Data Encryption Operational Impact Storage replication at hardware level −Background task to encrypt all pages −At HW level, all pages get changed, i.e. all pages need to be replicated −Need to test if your hardware replication can handle this throughput When using Database Mirroring or Log Shipping, −Ensure that the mirror server has the master key and certificate as well −Bottleneck isn’t throughput of pages −Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted −But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity −Possible Failover Issues −Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours −For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up. −May want to consider disabling HA and perform resynchronization of your HA configuration

28. Auditing Database Activity SQL Server 2005 −SQL Trace −DDL/DML Triggers −Third-party tools to read transaction logs −No management tools support SQL Server 2008 −SQL Server Audit

29. Audit Specifications 29 Audit Security Event Log Application Event Log File system 0..1 Server audit specification per Audit object 0..1 DB audit specification per database per Audit object CREATE SERVER AUDIT SPECIFICATION SvrAC TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); CREATE SERVER AUDIT SPECIFICATION SvrAC TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); CREATE DATABASE AUDIT SPECIFICATION AuditAC TO SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public) CREATE DATABASE AUDIT SPECIFICATION AuditAC TO SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public) Server Audit Specification Server Audit Action Database Audit Components Database Audit Specification Database Audit Action File

30. Reasons to use SQL Audit Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)

31. DEMO : SQL 2008 Compliance Features

32. Auditing Centralizing audit logs and reporting

33. Take aways Protect applications not just databases Get the basics right! Leverage all of the features of SQL Server to meet your compliance needs

34. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.