Page 1: SQL Server Security

SQL Server™ Security

Girish Chander, SQL Server Security Program Manager
James Hamilton, SQL Server Architect

Page 2: SQL Server Security

Agenda

- Changing threat environment
  - The growing software security issue
  - Database security: shifting ground
  - Evolving database threat environment
- Securing SQL Server™
  - Installation
  - Configuration
  - Monitoring security of installation
- Customer tools
  - Recommended periodic scans
- SQL Server in the enterprise
  - Best practices for applications over SQL

Page 3: SQL Server Security

Growing Problem: S/W Security

- Survivability: the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures and accidents. — Lipson, Howard and Fisher, 1999
- Survivability challenge
  - Previous focus primarily on S/W failure, human error and natural disaster
  - Primary security measure was physical
    - Keep external bad guys away
    - Protection against insiders primarily via legal protection and data isolation
- Industry shifts
  - Shift from mediated access to direct application access
    - Vendors, customers and partners
  - Shift from central administration to distributed administration
  - Shift from survivability focus largely ignoring security to security as the prime concern

Page 4: SQL Server Security

Incidents Reported

- CERT/CC incident statistics 1988 through 2002
- Incident: single security issue grouping together all impacts of that issue
  - e.g., LoveLetter worm defined to be a single "incident"
- Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality

[Chart: incidents reported per year, '88 through '02; y-axis 0 to 80,000]

Source: http://www.cert.org/stats/cert_stats.html

Page 5: SQL Server Security

Database Security: Shifting Ground

- Most applications of value have persistent data
  - Data valuable to company, organization or even individual typically also has value to others
  - Information is becoming the most valuable asset in many industries; e.g., Charles Schwab and Wal-Mart both identify management of information assets as key competitive advantage
- Even ephemeral data has significant value, when trends analyzed and understood
  - Decreased storage and data management costs enable ephemeral data
  - Competitive pressure demands ephemeral data
- Where there is value, there are bad guys
  - And professional services guys, and press guys, and industry analysts …
- Battleground evolving to include the database
  - "Port 1433 [SQL Server] regularly registered as one of the top scan ports in the Internet Storm Center" — Source: http://www.sans.org/top20/

Page 6: SQL Server Security

Evolving Database Threat Environment

- A decade ago
  - Databases were physically secure
  - They were housed in central data centers — not distributed
  - External access was mediated through customer service representatives, purchasing managers, etc.
  - Security issues were rarely reported
- Now increasingly databases are externally accessible
  - Suppliers are directly connected
  - Customers are directly connected
  - Customers and partners are directly sharing data
- Data is most valuable resource in application stack
  - Value increases with greater integration and aggregation
  - Opportunities exist for data theft, modification or destruction
- Database security is a growing problem
  - 101 database alerts since January 2001 (Source: http://www.securitytracker.com/)
  - Two database issues on SANS/FBI top 20 list (Source: http://www.sans.org/top20/)


Page 8: SQL Server Security

Secure Installation

- Physical security
  - Protect all related systems, media, backups, etc.
- Never place database unprotected on public net
  - Or on unprotected private net
  - Firewall protected
  - S/W mediating database access
- Install on NTFS file system
  - This allows securing the files appropriately
- Do not install on a domain controller
- Choose a weak (low-privileged) service account
  - Do not choose LocalSystem, box admin or domain admin
  - Cracked database won't get access to rest of enterprise
- Latest code is most secure code
  - Apply latest service packs and security patches

Page 9: SQL Server Security

Configuration Options

- Authentication mode
  - Use Integrated Security
    - More secure protocols (Kerberos and NTLM)
    - Kerberos allows for delegation
    - Allows for password policy enforcement
    - Typically does not require application to store passwords
  - If using Mixed mode (Standard SQL Authentication)
    - Use SSL to encrypt network traffic
    - Use strong passwords
    - Never use blank passwords
- Login auditing
  - Audit failed login attempts at the very least
- Disallow ad hoc queries
- Choose static ports for named instances
  - Avoid opening UDP 1434 at firewall

Page 10: SQL Server Security

Secure Operation

- Understand the security model
  - Security White Paper for SQL 2000
  - Security White Paper for SQL 7.0
  - Security section of SQL Server 2000 Operations Guide
- Only configure and run needed features
  - Replication, Agent, SQL Mail, etc.
- xp_cmdshell usage
  - Do not change default permissions
  - If you must change, never set proxy account to administrator
- Smallest possible administrator groups
  - Don't put all enterprise/box administrators in one group
- Changing service accounts
  - Use Enterprise Manager
  - KB article Q283811
- Disallow direct catalog updates

Page 11: SQL Server Security

Secure Operation (cont.)

- Media security including backups
  - Assume damage possible and have aggressive backup policy
  - Test disaster recovery system
- Turn on appropriate level of auditing
  - Track critical user actions at a minimum
    - Examples: sysadmin actions, server role membership changes, password changes, login-related activity
  - Keep overhead minimum
- Encryption options
  - Protect sensitive data over the wire
    - Use SSL, IPSec, VPN, etc.
  - File-level encryption
    - Prevents illicit copying of database files
    - SQL supports Encrypting File System (EFS)
    - Third-party support: http://www.netlib.com/

Page 12: SQL Server Security

Monitoring SQL Health

- Microsoft Baseline Security Analyzer
  - Graphical and command-line tool
  - Performs local and remote scans
  - Scans for weaknesses in
    - Windows®
    - IIS
    - SQL Server
  - Enables customers to verify the security of the current configuration of their systems
  - Built in association with Shavlik Systems
- Example SQL Server checks
  - Blank SA passwords, file and registry permissions, number of sysadmins, exposure of xp_cmdshell to nonsysadmins
- Version 1.1 will support multiple instances

Page 13: SQL Server Security

Monitoring SQL Health (cont.)

- Scan for/remove accounts with NULL passwords
- Remove old unused logins
- Scan for objects with permissions granted to public
- Verify login-user mapping
  - Interesting in attach/detach scenarios
  - sp_change_users_login with report option
- Enumerate membership in privileged roles
  - Ensure membership is given to trusted individuals only
- Ensure startup procedures are safe and trusted
- Verify file and registry key permissions
- Ensure passwords not present in install files
  - Run Killpwd utility
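A periodic-scan script covering several of the checks above, added here as an example and not a Microsoft tool or part of the deck. It is written against the SQL Server 2000 system tables of the deck's era (master..syslogins, sysprotects, sysobjects); on SQL Server 2005 and later these are replaced by catalog views such as sys.sql_logins and sys.database_permissions, and the numeric action codes below are the SQL Server 2000 sysprotects values.

```sql
-- Added example: periodic security scan for a SQL Server 2000 instance.
-- Assumes sysadmin rights (needed to read master..syslogins). Run the
-- per-database checks (3, 4, 5) inside each user database.

-- 1. SQL logins with NULL passwords. Windows logins (isntname = 1) carry no
--    SQL password, so they are excluded from this check.
SELECT name AS login_name
FROM master..syslogins
WHERE isntname = 0 AND password IS NULL

-- 2. Membership in the most privileged role. The list should contain only
--    trusted individuals and be as short as possible.
EXEC sp_helpsrvrolemember 'sysadmin'

-- 3. Objects in the current database with permissions granted to public.
--    In SQL Server 2000 the public role is uid 0; protecttype 204/205 are
--    GRANT_W_GRANT/GRANT; action codes are the sysprotects values for
--    SELECT, INSERT, DELETE, UPDATE and EXECUTE. System objects are skipped.
SELECT OBJECT_NAME(p.id) AS object_name,
       CASE p.action
            WHEN 193 THEN 'SELECT'  WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'  WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE' ELSE CAST(p.action AS varchar(10))
       END AS permission
FROM sysprotects p
WHERE p.uid = 0
  AND p.protecttype IN (204, 205)
  AND OBJECTPROPERTY(p.id, 'IsMSShipped') = 0

-- 4. Database users whose login no longer matches (attach/detach orphans).
--    The Report option only lists them; fixing is a separate, reviewed step.
EXEC sp_change_users_login 'Report'

-- 5. Stored procedures marked to run automatically at instance startup.
--    Each one listed should be known and trusted.
SELECT name AS startup_procedure
FROM sysobjects
WHERE xtype = 'P' AND OBJECTPROPERTY(id, 'ExecIsStartup') = 1
```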


Page 15: SQL Server Security

Multitier Scenarios

- Three possible options
  - Flowing original caller to database
  - Single Windows context to database
  - Single connection to database using SQL authentication
- Consider IIS, to ASP.NET talking to SQL

[Diagram: IIS -> ASP.NET -> SQL]

Page 16: SQL Server Security

Flowing Caller Context

- All machines need to be on same or trusted domains
  - Active Directory required
  - Kerberos and delegation need to be enabled
- Impersonation must be enabled in ASP.NET
  - The service needs to be trusted for delegation
- Advantages
  - All security enforced in SQL Server
  - Full auditability of all user actions
- Disadvantages
  - Not always feasible in extranet/Internet scenarios
  - Connection pooling is limited
    - Original callers cannot share connections

Page 17: SQL Server Security

Midtier to Database Connection (Integrated Security)

- Run ASP.NET as low-privileged account
- End users authenticate at application level
  - Database trusts application to authenticate users
- Connection to database in context of ASP.NET account
  - Recommend low-privileged domain account
  - Alternatively, local Windows account on SQL Server box with same username and password
    - Useful if connection made across nontrusted domain
  - Account has only necessary runtime permissions in SQL
    - Is not a high-privileged account; not a sysadmin
- Advantages
  - No storage of credentials needed
  - No need to pass credentials over the wire to SQL
  - Running as low-privileged account minimizes potential damage from compromise
  - Connection pooling possible as single account is used

Page 18: SQL Server Security

Midtier to Database Connection (SQL Security)

- End users authenticate at application level
  - Database trusts application to authenticate users
- Connection to database using standard SQL login
  - Use low-privileged login account
  - Use strong passwords
  - Leverage SSL to protect authentication over the wire
- Secure midtier credentials with data protection APIs
  - Encrypted using service's credentials
  - Only same service account can decrypt
- Disadvantages
  - Credentials storage required
  - Standard SQL authentication weaker than Windows authentication
- Advantages
  - Works across firewalls and nontrusted domains
  - Connection pooling possible


Page 20: SQL Server Security

Application Best Practices

- Use weak (low-privileged) access accounts
  - Only capable of actions needed to run application
  - Use different account for administration
- Use Windows auth rather than SQL auth
  - Easier to secure
  - No password storage required
  - If using SQL auth, use SSL
- Turn on encryption for sensitive data
- Use roles for permissions and ownership
  - Ease of management
  - Objects owned by roles need not be dropped/renamed when user dropped
- Do not grant permissions to public
- Don't show "developer quality" error messages to users
  - Can reveal information to attackers in multiphase attacks

Page 21: SQL Server Security

Using Ownership Chaining

- Hide underlying schema through views/SPs
- Leverage ownership chaining to manage perms
- Ownership chaining: calling and called object have same owner
  - Permissions check skipped on called object
- Example

    CREATE TABLE user1.t1 (c1 int NOT NULL)
    GO
    CREATE PROC user2.proc1 AS SELECT * FROM user1.t1 RETURN
    GO

  If user3 has execute permissions on proc1, still need select permissions on user1.t1

[Diagram: two call paths for User3. Path 1: User3 -> User2.Proc1 -> User1.T1: execute perms checked for User3 on User2.Proc1, then select perms checked for User3 on User1.T1 (owners differ, so the chain is broken). Path 2: User3 -> User1.Proc1 -> User1.T1: execute perms checked for User3 on User1.Proc1, NO perms checked for User3 on User1.T1 (same owner, chain intact).]
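The two call paths from the slide as a runnable script, added here as an example and not code from the deck. It assumes a database in which database users user1, user2 and user3 (the slide's hypothetical names) already exist and that the script runs as dbo or a sysadmin; SETUSER is the SQL Server 2000 way to switch user context for a quick check (SQL Server 2005 and later use EXECUTE AS instead).

```sql
-- Added example: broken versus intact ownership chain in SQL Server 2000.
-- Assumes database users user1, user2, user3 exist; run as dbo/sysadmin.

-- Broken chain: table owned by user1, procedure owned by user2.
CREATE TABLE user1.t1 (c1 int NOT NULL)
GO
INSERT INTO user1.t1 (c1) VALUES (1)   -- constructed sample row
GO
CREATE PROCEDURE user2.proc1 AS SELECT c1 FROM user1.t1
GO
GRANT EXECUTE ON user2.proc1 TO user3
GO
-- When user3 runs user2.proc1, SQL Server checks EXECUTE on user2.proc1
-- (granted) and then, because the owner changes from user2 to user1,
-- also checks SELECT on user1.t1 for user3. user3 has no SELECT, so the
-- call fails unless a separate GRANT SELECT ON user1.t1 TO user3 exists,
-- which would expose the base table directly.

-- Intact chain: the same owner (user1) owns both the procedure and the table.
CREATE PROCEDURE user1.proc1 AS SELECT c1 FROM user1.t1
GO
GRANT EXECUTE ON user1.proc1 TO user3
GO
-- When user3 runs user1.proc1, only EXECUTE on the procedure is checked;
-- the SELECT check on user1.t1 is skipped. user3 reaches the rows only
-- through the procedure and never holds a permission on the table itself,
-- which is how the schema stays hidden behind views and stored procedures.

-- Quick verification in user3's context.
SETUSER 'user3'
EXEC user2.proc1    -- fails: SELECT permission denied on t1
EXEC user1.proc1    -- succeeds: returns the row c1 = 1
SETUSER             -- back to the original context
GO
```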

Page 22: SQL Server Security

Preventing SQL Injection

- Attacker allowed to send SQL queries to back-end datastore

APPLICATION CODE

    var shipCity;
    shipCity = Request.Form("ShipCity");
    var sql = "SELECT * FROM OrdersTable WHERE ShipCity = '" + shipCity + "'";

GOOD USER

  Inputs Redmond in the form. Query to back-end is:

    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

MALICIOUS USER

  Inputs the following in the form: Redmond' DROP TABLE OrdersTable --
  Query to the back-end is:

    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond' DROP TABLE OrdersTable --'

Page 23: SQL Server Security

SQL Injection

- Why SQL injection works
  - Connection made in context of higher-privileged account
  - Application accepts arbitrary user input
- Mitigating SQL injection
  - Validate all user input
    - Define set of valid input, accept only that
    - Reject all invalid input
  - Avoid using dynamic SQL in stored procs
  - Run applications in minimally privileged contexts
    - Never run as sysadmin
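The mitigations above applied to the deck's OrdersTable lookup, written as stored procedures; this is an added example, not code from the deck. The OrdersTable columns, the procedure names and the application login AppUser are assumed, and the allowed-character set for a city is a constructed example to adjust to real data.

```sql
-- Added example: the OrdersTable lookup with dynamic SQL (injectable) next to
-- the parameterized forms that are not. Table, columns and AppUser are assumed.
CREATE TABLE dbo.OrdersTable (OrderID int NOT NULL, ShipCity nvarchar(40) NOT NULL)
GO

-- Vulnerable pattern: the caller's text is spliced into the statement, so a
-- quote inside @ShipCity ends the literal and the rest runs as SQL (the
-- slide's Redmond' DROP TABLE ... case). Shown only to contrast with the fixes.
CREATE PROCEDURE dbo.OrdersByCity_Dynamic @ShipCity nvarchar(40) AS
  DECLARE @sql nvarchar(500)
  SET @sql = N'SELECT OrderID, ShipCity FROM dbo.OrdersTable WHERE ShipCity = '''
             + @ShipCity + N''''
  EXEC (@sql)
GO

-- Fix 1: no dynamic SQL. @ShipCity is a value and can never become statement
-- text. Input is also validated against a defined set; everything else is
-- rejected, and the error sent back is a plain message, not SQL internals.
CREATE PROCEDURE dbo.OrdersByCity @ShipCity nvarchar(40) AS
  IF @ShipCity IS NULL OR @ShipCity LIKE N'%[^-a-zA-Z .]%'   -- hyphen first = literal
  BEGIN
    RAISERROR ('Invalid ShipCity value', 16, 1)
    RETURN 1
  END
  SELECT OrderID, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @ShipCity
  RETURN 0
GO

-- Fix 2: when dynamic SQL is genuinely needed, hand the input to sp_executesql
-- as a typed parameter instead of concatenating it into the string.
CREATE PROCEDURE dbo.OrdersByCity_Param @ShipCity nvarchar(40) AS
  DECLARE @sql nvarchar(500)
  SET @sql = N'SELECT OrderID, ShipCity FROM dbo.OrdersTable WHERE ShipCity = @city'
  EXEC sp_executesql @sql, N'@city nvarchar(40)', @city = @ShipCity
GO

-- Least privilege for the application's login: EXECUTE on the procedures only.
-- Because dbo owns both procedure and table, ownership chaining means AppUser
-- needs no permission on dbo.OrdersTable at all (and is certainly not sysadmin).
GRANT EXECUTE ON dbo.OrdersByCity TO AppUser
GRANT EXECUTE ON dbo.OrdersByCity_Param TO AppUser
GO
```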

Page 24: SQL Server Security

Tips for App Dev Teams

- Understanding various security issues
  - Different threat vectors, attack scenarios
  - Awareness of issues such as SQL injection, cross-site scripting, buffer-overflow attacks
- Construct threat analysis for each S/W component
  - Enumerate component boundaries
  - Analyze component data flow, interfaces and interactions
    - Can it be compromised?
    - What data flows in and out?
  - Compromise could be through different kinds of threats
    - Escalation of privileges, tampering of data, spoofing, information disclosure, code injection
- Code review
  - Develop code review checklists
    - Guideline for common security issues
  - Directed code reviews — based on threat analysis
  - Generic file reviews — top-down approach

Page 25: SQL Server Security

SP3 Security Changes

- Nonblank SA passwords required on upgrade
- sp_change_users_login
  - Password required for autofix option
  - No creation of logins with NULL passwords
- Changing database ownership
  - Only sysadmins can
  - Restriction to prevent cross-database escalation of privilege
- Cross-database ownership chaining
  - Off by default; option to turn on at instance level
  - Per database knob as well
- Marking system objects
  - Only sysadmin can mark objects as system objects

Page 26: SQL Server Security

© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.