Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,

Published bySamson Knight Modified over 8 years ago

Similar presentations

Presentation on theme: "Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,"— Presentation transcript:

1 Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS, MCAD, MCP, OCA MVP on SQL SERVER

2 2 Overview of SQL Server SecurityOverview of SQL Server Security Protecting the Server ScopeProtecting the Server Scope Protecting the Database ScopeProtecting the Database Scope Managing Keys and CertificatesManaging Keys and Certificates Auditing SecurityAuditing Security Objectives

3 3 Overview of SQL Server Security Security & Auditing on SQL Server 2008 R2

4 4 SQL Server Security FrameworkSQL Server Security Framework What Are Principals?What Are Principals? What Are Securables?What Are Securables? SQL Server PermissionsSQL Server Permissions Overview of SQL Server Security

5 5

6 6 SQL Server Security Framework

7 7 What Are Principals? Server Role SQL Server Login Windows Group Domain User Account Local User Account SQL Server Database Windows Securables Permissions Principals User Database Role Application Role

8 8 What Are Securables? Server Role SQL Server Login Windows Group Domain User Account Local User Account SQL Server Database Windows Files Registry Keys Server Schema Database Securables Permissions Principals User Database Role Application Role

9 9 Server-Level PermissionsServer-Level Permissions LoginsLogins CredentialsCredentials Server-Level RolesServer-Level Roles Database-Level PermissionsDatabase-Level Permissions UsersUsers SchemasSchemas Database Level RolesDatabase Level Roles SQL Server Permissions

10 10 Protecting the Server Scope Security & Auditing on SQL Server 2008 R2

11 11 What Are SQL Server Authentication Methods? What Are SQL Server Authentication Methods? Password Policies Password Policies Server-Level Roles Server-Level Roles Managing SQL Server Logins Managing SQL Server Logins Delegation Between Instances Delegation Between Instances What Are Credentials? What Are Credentials? Server-Scope Permissions Server-Scope Permissions Protecting the Server Scope

12 12 What Are SQL Server Authentication Methods? What Are SQL Server Authentication Methods? Password Policies Password Policies Server-Level Roles Server-Level Roles Managing SQL Server Logins Managing SQL Server Logins Server-Scope Permissions Server-Scope Permissions Protecting the Server Scope

13 13 What Are SQL Server Authentication Methods? Windows Authentication Mixed SQL and Windows Authentication

14 14 Password Policies Group Policy Object (GPO) Pa$$w0rd SQL Server Can Leverage Windows Server 2003/2008 Password Policy Mechanism SQL Server Can Manage: Password Complexity Password Expiration Policy Enforcement

15 15 Server-Level Roles Role Description sysadminPerform any activity dbcreator Create and alter databases diskadmin Manage disk files serveradmin Configure server-wide settings securityadmin Manage and audit server logins processadmin Manage SQL Server processes bulkadmin Run the BULK INSERT statement setupadmin Configure replication and linked servers

16 16 Managing SQL Server Logins CREATE LOGIN [SERVERX\SalesDBUsers] FROM WINDOWS WITH DEFAULT_DATABASE = AdventureWorks2008 CREATE LOGIN [SERVERX\SalesDBUsers] FROM WINDOWS WITH DEFAULT_DATABASE = AdventureWorks2008 CREATE LOGIN Alice WITH Password = 'Pa$$w0rd' CREATE LOGIN Alice WITH Password = 'Pa$$w0rd' CREATE LOGIN login_name { WITH SQL_login_options | FROM WINDOWS [ WITH windows_login_options ] } CREATE LOGIN login_name { WITH SQL_login_options | FROM WINDOWS [ WITH windows_login_options ] }

17 17 Delegation Between Instances Client Server TCP/IP or Named Pipes Registered Trusted for delegation Linked Server Self Mapping TCP/IP or Named Pipes Delegation!

18 18 What Are Credentials? Contain windows authentication informationContain windows authentication information Allow SQL Accounts to connect to non-SQL resourcesAllow SQL Accounts to connect to non-SQL resources SQL Logins can only map to one credentialSQL Logins can only map to one credential Created automatically. Associated with specific endpointsCreated automatically. Associated with specific endpoints

19 19 Server-Scope Permissions Server permissions Server-scope securable permissions USE master GRANT ALTER ANY DATABASE TO [AdventureWorks2008\Holly] USE master GRANT ALTER ON LOGIN :: AWWebApp TO [AdventureWorks2008\Holly]

20 20 Managing Logins

21 21 Protecting the Database Scope Security & Auditing on SQL Server 2008 R2

22 22 What Are Database Roles? What Are Database Roles? What Are Application Roles? What Are Application Roles? Managing Users Managing Users Special Users Special Users Database-Scope Permissions Database-Scope Permissions Schema-Scope Permissions Schema-Scope Permissions Protecting the Database Scope

23 23 What Are Database Roles? What Are Database Roles? What Are Application Roles? What Are Application Roles? Managing Users Managing Users Special Users Special Users Database-Scope Permissions Database-Scope Permissions Schema-Scope Permissions Schema-Scope Permissions Ownership Chains Ownership Chains Applying Roles in Common Scenarios Applying Roles in Common Scenarios Protecting the Database Scope

24 24 What Are Database Roles? Database-Level Roles Application-Level Roles Users

25 25 What Are Application Roles? User runs app App connects to db as user App authenticates using sp_setapprole App assumes app role

26 26 Create a loginCreate a login Create a database scope userCreate a database scope user Assign permissions to the userAssign permissions to the user Managing Users Steps to Manage Users

27 27 Special Users DBO The sa login and members of sysadmin role are mapped to dbo account Guest This user account allows logins without user accounts to access a database

28 28 Database-Scope Permissions Database permissions Database-scope securable permissions USE AdventureWorks2008 GRANT ALTER ANY USER TO HRManager USE AdventureWorks2008 GRANT SELECT ON SCHEMA :: Sales TO SalesUser

29 29 Schema-Scope Permissions User-defined type permissions All other schema-scope permissions USE AdventureWorks2008 GRANT EXECUTE ON TYPE :: Person.addressType TO SalesUser USE AdventureWorks2008 GRANT SELECT ON Sales.Order TO SalesUser

30 30 Ownership Chains 1 2 3 4 5 6

31 31 dbo – database ownerdbo – database owner Read-only usersRead-only users Data authors – Read / Write / DeleteData authors – Read / Write / Delete Applying Roles in Common Scenarios

32 32 Managing Roles and Users

33 33 Managing Keys and Certificates Security & Auditing on SQL Server 2008 R2

34 34 What Are Keys? What Are Keys? What Are Certificates? What Are Certificates? SQL Server Cryptography Architecture SQL Server Cryptography Architecture When to Use Keys and Certificates When to Use Keys and Certificates Transparent Data Encryption Transparent Data Encryption Managing Keys and Certificates

35 35 What Are Keys? Symmetric Symmetric  Same key used to encrypt and decrypt Asymmetric Asymmetric  Pair of values: public key and private key  One encrypts, the other decrypts Encrypt Decrypt

36 36 What Are Certificates? Associates a public key with entity that holds that key Associates a public key with entity that holds that key Contents: Contents:  The public key of the subject  The identifier information of the subject  The validity period  Issuer identifier information  The digital signature of the issuer

37 37 SQL Server Cryptography Architecture

38 38 When to Use Keys and Certificates When to use CertificatesWhen to use Certificates To secure communication in database mirroringTo secure communication in database mirroring To sign packetsTo sign packets To encrypt data or connectionsTo encrypt data or connections When to use Keys When to use Keys To help secure dataTo help secure data To sign plaintextTo sign plaintext To secure symmetric keysTo secure symmetric keys

39 39 Transparent Data Encryption Transparent data encryption performs real-time I/O encryption and decryption of the data and log files Create a master keyCreate a master key Create or obtain a certificate protected by the master keyCreate or obtain a certificate protected by the master key Create a database encryption key and protect it by the CertificateCreate a database encryption key and protect it by the Certificate Set the database to use encryptionSet the database to use encryption Steps to use Transparent Data Encryption

40 40 Transparent data encryption

41 41 Entire database is protectedEntire database is protected Applications do not need to explicitly encrypt/decrypt data!Applications do not need to explicitly encrypt/decrypt data! No restrictions with indexes or data types (except FILESTREAM)No restrictions with indexes or data types (except FILESTREAM) Performance cost is smallPerformance cost is small Backups are unusable without keyBackups are unusable without key Can be used with Extensible Key ManagementCan be used with Extensible Key Management Transparent Database Encryption: More Benefits

42 42 Very simple:Very simple: Database pages are encrypted before being written to diskDatabase pages are encrypted before being written to disk Page protection (e.g. checksums) applied after encryptionPage protection (e.g. checksums) applied after encryption Page protection (e.g. checksums) checked before decryptionPage protection (e.g. checksums) checked before decryption Database pages are decrypted when read into memoryDatabase pages are decrypted when read into memory When TDE is enabled, initial encryption of existing pages happens as a background processWhen TDE is enabled, initial encryption of existing pages happens as a background process Similar mechanism for disabling TDESimilar mechanism for disabling TDE The process can be monitored using the encryption_state column of sys.dm_database_encryption_keysThe process can be monitored using the encryption_state column of sys.dm_database_encryption_keys Encryption state 2 means the background process has not completedEncryption state 2 means the background process has not completed Encryption state 3 means the database is fully encryptedEncryption state 3 means the database is fully encrypted Transparent Data Encryption: Mechanism

43 43 Create a master keyCreate a master key CREATE MASTER KEY ENCRYPTION BY PASSWORD = ' ';CREATE MASTER KEY ENCRYPTION BY PASSWORD = ' '; Create or obtain a certificate protected by the master keyCreate or obtain a certificate protected by the master key CREATE CERTIFICATE MyDEKCert WITH SUBJECT = 'My DEK Certificate';CREATE CERTIFICATE MyDEKCert WITH SUBJECT = 'My DEK Certificate'; Create a database encryption key and protect it by the certificateCreate a database encryption key and protect it by the certificate CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyDEKCert;CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyDEKCert; Set the database to use encryptionSet the database to use encryption ALTER DATABASE MyDatabase SET ENCRYPTION ON;ALTER DATABASE MyDatabase SET ENCRYPTION ON; Transparent Data Encryption: Enabling

44 44 A backup of a TDE encrypted database is also encrypted using the database encryption keyA backup of a TDE encrypted database is also encrypted using the database encryption key To restore the backup OR attach the database, the DEK must be available!To restore the backup OR attach the database, the DEK must be available! There is no way around this – if you lose the DEK, you lose the ability to restore the backup (that’s the point!)There is no way around this – if you lose the DEK, you lose the ability to restore the backup (that’s the point!) Maintain backups of server certificates tooMaintain backups of server certificates too Transparent Data Encryption: Backups

45 45 Database | Tasks | Manage Database EncryptionDatabase | Tasks | Manage Database Encryption Transparent Data Encryption: Tools Support

46 46 Auditing Security Security & Auditing on SQL Server 2008 R2

47 47 What Is Auditing? What Is Auditing? Security Auditing with Profiler Security Auditing with Profiler Auditing with DDL Triggers Auditing with DDL Triggers Introducing SQL Server Audit Introducing SQL Server Audit SQL Server Audit Action Groups and Actions SQL Server Audit Action Groups and Actions Auditing Security

48 48 What is Auditing?What is Auditing? What auditing options are available in SQL Server?What auditing options are available in SQL Server? Have you ever had to audit SQL Server?Have you ever had to audit SQL Server? If so, how did you do it?If so, how did you do it? If not, what do you think is the best use of auditing?If not, what do you think is the best use of auditing? What Is Auditing?

49 49 Security Auditing with Profiler Using SQL Server Profiler, you can do the following:Using SQL Server Profiler, you can do the following: Create a trace that is based on a reusable templateCreate a trace that is based on a reusable template Watch the trace results as the trace runsWatch the trace results as the trace runs Store the trace results in a tableStore the trace results in a table Start, stop, pause and modify the trace resultsStart, stop, pause and modify the trace results Replay the trace resultsReplay the trace results

50 50 Auditing with DDL Triggers Use DDL triggers when you want to do the following:Use DDL triggers when you want to do the following: Prevent certain changes in your database schemaPrevent certain changes in your database schema You want something to occur in the database in response to a change in your database schemaYou want something to occur in the database in response to a change in your database schema You want to record changes or events in the database schemaYou want to record changes or events in the database schema Start, stop, pause and modify the trace resultsStart, stop, pause and modify the trace results Replay the trace resultsReplay the trace results

51 51 Introducing SQL Server Audit SQL Server AuditingSQL Server Auditing Tracks and logs events that occur on the systemTracks and logs events that occur on the system Can track changes on the server or database levelCan track changes on the server or database level Can be managed with Transact-SQLCan be managed with Transact-SQL

52 52 Using SQL Server Audit

53 53 Thank you!

54 54 Q & A

55 55 For SQL Server and DatabasesFor SQL Server and Databases www.autoexec.gr/blogs/antonchwww.autoexec.gr/blogs/antonchwww.autoexec.gr/blogs/antonch For.NET & Visual StudioFor.NET & Visual Studio www.dotnetzone.gr/cs/blogs/antonchwww.dotnetzone.gr/cs/blogs/antonchwww.dotnetzone.gr/cs/blogs/antonch My Blogs

56 56

Download ppt "Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,"

Similar presentations

Login dan Permission dfd, 2012. Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.

Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist

Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.

September 18, 2002 Introduction to Windows 2000 Server Components Ryan Larson David Greer.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Similar presentations

Ads by Google