SQL Server™ Security
Girish Chander, SQL Server Security Program Manager
James Hamilton, SQL Server Architect
Agenda
- Changing threat environment
  - The growing software security issue
  - Database security: shifting ground
  - Evolving database threat environment
- Securing SQL Server™
  - Installation
  - Configuration
  - Monitoring security of the installation
  - Customer tools
  - Recommended periodic scans
- SQL Server in the enterprise
  - Best practices for applications over SQL
Growing Problem: S/W Security
- Survivability: the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures and accidents. (Lipson, Howard and Fisher, 1999)
- Survivability challenge
  - Previous focus primarily on S/W failure, human error and natural disaster
  - Primary security measure was physical: keep external bad guys away
  - Protection against insiders primarily via legal protection and data isolation
- Industry shifts
  - Shift from mediated access to direct application access by vendors, customers and partners
  - Shift from central administration to distributed administration
  - Shift from a survivability focus that largely ignored security to security as the prime concern
Incidents Reported
- CERT/CC incident statistics 1988 through 2002
- Incident: a single security issue grouping together all impacts of that issue; e.g., the LoveLetter worm is defined to be a single "incident"
- Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
[Chart: incidents reported per year, 1988 through 2002; y-axis 0 to 80,000 incidents]
Source: http://www.cert.org/stats/cert_stats.html
Database Security: Shifting Ground
- Most applications of value have persistent data
  - Data valuable to a company, organization or even an individual typically also has value to others
  - Information is becoming the most valuable asset in many industries; e.g., Charles Schwab and Wal-Mart both identify management of information assets as a key competitive advantage
- Even ephemeral data has significant value once trends are analyzed and understood
  - Decreased storage and data management costs make keeping ephemeral data affordable
  - Competitive pressure demands ephemeral data
- Where there is value, there are bad guys
  - And professional services guys, and press guys, and industry analysts …
- Battleground evolving to include the database
  - "Port 1433 [SQL Server] regularly registered as one of the top scan ports in the Internet Storm Center" (Source: http://www.sans.org/top20/)
Evolving Database Threat Environment
- A decade ago
  - Databases were physically secure
  - They were housed in central data centers, not distributed
  - External access was mediated through customer service representatives, purchasing managers, etc.
  - Security issues were rarely reported
- Now databases are increasingly externally accessible
  - Suppliers are directly connected
  - Customers are directly connected
  - Customers and partners are directly sharing data
- Data is the most valuable resource in the application stack
  - Value increases with greater integration and aggregation
  - Opportunities exist for data theft, modification or destruction
- Database security is a growing problem
  - 101 database alerts since January 2001 (Source: http://www.securitytracker.com/)
  - Two database issues on the SANS/FBI Top 20 list (Source: http://www.sans.org/top20/)
Secure Installation
- Physical security
  - Protect all related systems, media, backups, etc.
  - Never place a database unprotected on a public net, or on an unprotected private net
  - Firewall protected
  - S/W mediating database access
- Install on an NTFS file system
  - This allows securing the files appropriately
- Do not install on a domain controller
- Choose a low-privileged service account
  - Do not choose LocalSystem, box admin or domain admin
  - A cracked database then won't get access to the rest of the enterprise
- Latest code is the most secure code
  - Apply the latest service packs and security patches
Configuration Options
- Authentication mode
  - Use Integrated Security (Windows Authentication)
    - More secure protocols (Kerberos and NTLM)
    - Kerberos allows for delegation
    - Allows for password policy enforcement
    - Typically does not require the application to store passwords
  - If using Mixed mode (standard SQL authentication)
    - Use SSL to encrypt network traffic
    - Use strong passwords
    - Never use blank passwords
- Login auditing
  - Audit failed login attempts at the very least
- Disallow ad hoc queries (OPENROWSET/OPENDATASOURCE access to OLE DB providers)
- Choose static ports for named instances
  - Avoid opening UDP 1434 (the SQL Server Resolution Service) at the firewall
Secure Operation
- Understand the security model
  - Security White Paper for SQL Server 2000
  - Security White Paper for SQL Server 7.0
  - Security section of the SQL Server 2000 Operations Guide
- Only configure and run needed features
  - Replication, Agent, SQL Mail, etc.
- xp_cmdshell usage
  - Do not change the default permissions (sysadmin only)
  - If you must change them, never set the proxy account to an administrator
- Smallest possible administrator groups
  - Don't put all enterprise/box administrators in one group
- Changing service accounts
  - Use Enterprise Manager (KB article Q283811)
- Disallow direct catalog updates
Secure Operation (cont.)
- Media security, including backups
  - Assume damage is possible and have an aggressive backup policy
  - Test the disaster recovery system
- Turn on the appropriate level of auditing
  - Track critical user actions at a minimum
  - Examples: sysadmin actions, server role membership changes, password changes, login-related activity
  - Keep overhead to a minimum
- Encryption options
  - Protect sensitive data over the wire: use SSL, IPSec, VPN, etc.
  - File-level encryption prevents illicit copying of database files
    - SQL Server supports the Encrypting File System (EFS)
    - Third-party support: http://www.netlib.com/
Monitoring SQL Health
- Microsoft Baseline Security Analyzer (MBSA)
  - Graphical and command-line tool
  - Performs local and remote scans
  - Scans for missing patches and weak configurations in Windows®, IIS and SQL Server
  - Enables customers to verify the security of the current configuration of their systems
  - Built in association with Shavlik Technologies
- Example SQL Server checks
  - Blank SA passwords, file and registry permissions, number of sysadmins, exposure of xp_cmdshell to non-sysadmins
- Version 1.1 will support multiple instances
Monitoring SQL Health (cont.)
- Scan for/remove accounts with NULL passwords
- Remove old, unused logins
- Scan for objects with permissions granted to public
- Verify login-user mapping
  - Interesting in attach/detach scenarios, which leave database users orphaned from their logins
  - sp_change_users_login with the Report option
- Enumerate membership in privileged roles
  - Ensure membership is given to trusted individuals only
- Ensure startup procedures are safe and trusted
- Verify file and registry key permissions
- Ensure passwords are not present in install files
  - Run the Killpwd utility
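The periodic scans above, collected into one T-SQL script for SQL Server 2000. This is an added example, not a script from the original presentation or from Microsoft; it reads only catalog data and should be run as sysadmin. The database name Northwind is a placeholder for each user database you scan, and the two cross-database chaining checks assume Service Pack 3 or later.

```sql
-- Added example (not from the original slides): periodic security scan for
-- SQL Server 2000. Server-wide checks run in master, per-database checks
-- run in each user database (Northwind below is a placeholder).
USE master
GO
-- 1. SQL logins with a NULL password. Windows logins carry no SQL password,
--    so they are excluded via isntname.
SELECT name AS login_with_null_password
FROM master..syslogins
WHERE password IS NULL AND isntname = 0

-- 2. Membership of the privileged fixed server roles: every name listed
--    must be an individual you trust with the whole instance.
EXEC sp_helpsrvrolemember 'sysadmin'
EXEC sp_helpsrvrolemember 'securityadmin'
EXEC sp_helpsrvrolemember 'serveradmin'

-- 3. Startup procedures. They run as sysadmin every time the service
--    starts, so each one must be known and trusted.
SELECT name AS startup_procedure
FROM master..sysobjects
WHERE OBJECTPROPERTY(id, 'ExecIsStartup') = 1

-- 4. Instance-wide cross-database ownership chaining (SP3 and later).
--    Expect config_value and run_value of 0.
EXEC sp_configure 'Cross DB Ownership Chaining'
GO

USE Northwind   -- placeholder: repeat the block below for every user database
GO
-- 5. Object permissions granted to public (uid 0). Every user in the
--    database inherits these, so the list should normally be empty for
--    user-created objects.
SELECT o.name AS object_name,
       CASE p.action
            WHEN 193 THEN 'SELECT'  WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'  WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE' ELSE CAST(p.action AS varchar(10))
       END AS permission
FROM sysprotects p
JOIN sysobjects o ON o.id = p.id
WHERE p.uid = 0                          -- public
  AND p.protecttype IN (204, 205)        -- GRANT / GRANT WITH GRANT OPTION
  AND OBJECTPROPERTY(o.id, 'IsMSShipped') = 0

-- 6. Database users not mapped to any login (typical after attach/detach
--    or a restore on another server). Fix with the Update_One option, or
--    with Auto_Fix, which on SP3 requires a password for any login it creates.
EXEC sp_change_users_login 'Report'

-- 7. Per-database cross-database chaining knob (SP3 and later); expect OFF.
EXEC sp_dboption 'Northwind', 'db chaining'
GO
```

Schedule this as a SQL Server Agent job or run it from osql after every service pack, restore or attach; a non-empty result in checks 1, 3 or 5 is a finding to resolve, not just to record.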
Multitier Scenarios
- Three possible options
  - Flowing the original caller's context to the database
  - Single Windows context to the database
  - Single connection to the database using SQL authentication
- Consider IIS, to ASP.NET, talking to SQL Server
[Diagram: IIS -> ASP.NET -> SQL]
Flowing Caller Context
- All machines need to be in the same or trusted domains
  - Active Directory required
  - Kerberos and delegation need to be enabled
  - Impersonation must be enabled in ASP.NET
  - The service account needs to be trusted for delegation
- Advantages
  - All security enforced in SQL Server
  - Full auditability of all user actions
- Disadvantages
  - Not always feasible in extranet/Internet scenarios
  - Connection pooling is limited: original callers cannot share connections
Midtier to Database Connection (Integrated Security)
- Run ASP.NET as a low-privileged account
- End users authenticate at the application level
  - Database trusts the application to authenticate users
- Connection to the database in the context of the ASP.NET account
  - Recommend a low-privileged domain account
  - Alternatively, a local Windows account on the SQL Server box with the same username and password (mirrored accounts); useful if the connection is made across nontrusted domains
  - Account has only the necessary runtime permissions in SQL Server; it is not a high-privileged account and not a sysadmin
- Advantages
  - No storage of credentials needed
  - No need to pass credentials over the wire to SQL Server
  - Running as a low-privileged account minimizes potential damage from compromise
  - Connection pooling possible, as a single account is used
Midtier to Database Connection (SQL Security)
- End users authenticate at the application level
  - Database trusts the application to authenticate users
- Connection to the database using a standard SQL login
  - Use a low-privileged login account
  - Use strong passwords
  - Leverage SSL to protect authentication over the wire
- Secure midtier credentials with the Data Protection API (DPAPI)
  - Encrypted using the service's credentials
  - Only the same service account can decrypt
- Disadvantages
  - Credential storage required
  - Standard SQL authentication is weaker than Windows authentication
- Advantages
  - Works across firewalls and nontrusted domains
  - Connection pooling possible
Application Best Practices
- Use low-privileged access accounts
  - Only capable of the actions needed to run the application
  - Use a different account for administration
- Use Windows auth rather than SQL auth
  - Easier to secure
  - No password storage required
  - If using SQL auth, use SSL
- Turn on encryption for sensitive data
- Use roles for permissions and ownership
  - Ease of management
  - Objects owned by roles need not be dropped/renamed when a user is dropped
- Do not grant permissions to public
- Don't show "developer quality" error messages to users
  - Can reveal information to attackers in multiphase attacks
Using Ownership Chaining
- Hide the underlying schema through views/SPs
- Leverage ownership chaining to manage permissions
  - Ownership chaining: calling and called object have the same owner
  - Permissions check skipped on the called object
- Example
    CREATE TABLE user1.t1 (c1 int NOT NULL)
    CREATE PROC user2.proc1 AS SELECT * FROM user1.t1 RETURN
  - If user3 has EXECUTE permission on user2.proc1, user3 still needs SELECT permission on user1.t1, because the owner changes between proc1 and t1
[Diagram]
  User3 -> User2.Proc1 (EXECUTE perms checked for User3) -> User1.T1 (SELECT perms checked for User3: chain broken by the owner change)
  User3 -> User1.Proc1 (EXECUTE perms checked for User3) -> User1.T1 (NO perms checked for User3: same owner, chain intact)
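The two paths in the diagram, run end to end on SQL Server 2000. This is an added example, not code from the original slides; it assumes you are sysadmin, that a database named ChainDemo does not already exist, and uses three constructed SQL logins with demo passwords. SETUSER is used to impersonate user3 from the sysadmin session.

```sql
-- Added example (not from the original slides): ownership chaining on
-- SQL Server 2000. Assumes sysadmin and no existing database "ChainDemo".
USE master
GO
CREATE DATABASE ChainDemo
GO
-- Three SQL logins (constructed demo passwords) mapped into the database
EXEC sp_addlogin 'user1', 'Str0ng!Pw1', 'ChainDemo'
EXEC sp_addlogin 'user2', 'Str0ng!Pw2', 'ChainDemo'
EXEC sp_addlogin 'user3', 'Str0ng!Pw3', 'ChainDemo'
GO
USE ChainDemo
GO
EXEC sp_grantdbaccess 'user1'
EXEC sp_grantdbaccess 'user2'
EXEC sp_grantdbaccess 'user3'
GO
-- user1 owns the table and one procedure; user2 owns a second procedure
-- that reads the same table.
CREATE TABLE user1.t1 (c1 int NOT NULL)
GO
INSERT INTO user1.t1 (c1) VALUES (42)
GO
CREATE PROC user1.proc1 AS SELECT c1 FROM user1.t1 RETURN
GO
CREATE PROC user2.proc1 AS SELECT c1 FROM user1.t1 RETURN
GO
-- user3 may execute both procedures but holds no permission on t1 itself
GRANT EXECUTE ON user1.proc1 TO user3
GRANT EXECUTE ON user2.proc1 TO user3
GO
-- Impersonate user3 for the rest of the connection
SETUSER 'user3'
GO
-- Same owner for procedure and table: the chain is intact, SELECT on t1 is
-- not checked, and the call returns the row with c1 = 42.
EXEC user1.proc1
GO
-- Owner changes from user2 (procedure) to user1 (table): the chain breaks,
-- SELECT on user1.t1 is checked for user3 and fails with error 229,
-- "SELECT permission denied on object 't1', database 'ChainDemo', owner 'user1'".
EXEC user2.proc1
GO
-- Back to the sysadmin context
SETUSER
GO
-- To make the second path work without exposing the table, give both objects
-- the same owner (recreate the procedure as user1.proc2, or own everything
-- through one application role as the previous slide recommends) rather than
-- granting SELECT on user1.t1 to user3 directly. Clean up:
USE master
GO
DROP DATABASE ChainDemo
EXEC sp_droplogin 'user1'
EXEC sp_droplogin 'user2'
EXEC sp_droplogin 'user3'
GO
```

The practical consequence: permissions can be managed entirely at the procedure layer only while every object in the chain shares one owner; any cross-owner hop reintroduces a direct permission check on the underlying table.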
Preventing SQL Injection
- Attacker allowed to send SQL queries to the back-end datastore
- APPLICATION CODE
    var shipCity = Request.Form("ShipCity");
    var sql = "SELECT * FROM OrdersTable WHERE ShipCity = '" + shipCity + "'";
- GOOD USER
  - Inputs Redmond in the form
  - Query to the back-end is:
    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'
- MALICIOUS USER
  - Inputs the following in the form:
    Redmond' DROP TABLE OrdersTable --
  - Query to the back-end is:
    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond' DROP TABLE OrdersTable --'
SQL Injection
- Why does SQL injection work?
  - Connection made in the context of a higher-privileged account
  - Application accepts arbitrary user input
- Mitigating SQL injection
  - Validate all user input: define the set of valid input, accept only that, reject all invalid input
  - Avoid using dynamic SQL in stored procs
  - Run applications in minimally privileged contexts; never run as sysadmin
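The slide's lookup written as a stored procedure two ways: with concatenated dynamic SQL, and with allow-list validation plus sp_executesql parameters. This is an added example, not code from the original presentation; it assumes a scratch database you can create objects in, and OrdersTable with its two rows is constructed here.

```sql
-- Added example (not from the original slides): vulnerable and hardened
-- versions of the ShipCity lookup on SQL Server 2000. OrdersTable is a
-- constructed scratch table.
CREATE TABLE dbo.OrdersTable (
    OrderID  int IDENTITY(1,1) PRIMARY KEY,
    ShipCity nvarchar(40) NOT NULL
)
INSERT INTO dbo.OrdersTable (ShipCity) VALUES (N'Redmond')
INSERT INTO dbo.OrdersTable (ShipCity) VALUES (N'Seattle')
GO

-- VULNERABLE: the caller's text is spliced into the statement. A quote in
-- @ShipCity closes the literal and whatever follows is executed as SQL.
-- Dynamic SQL also runs with the caller's own permissions, not the
-- procedure owner's, so ownership chaining gives no protection here.
CREATE PROC dbo.GetOrdersByCity_Unsafe @ShipCity nvarchar(40) AS
    DECLARE @sql nvarchar(500)
    SET @sql = N'SELECT * FROM dbo.OrdersTable WHERE ShipCity = '''
               + @ShipCity + N''''
    EXEC (@sql)
GO

-- HARDENED: reject anything outside the allowed character set (letters,
-- space, period, hyphen), then pass the value as a typed parameter. The
-- statement text is a constant, so the value is never parsed as SQL.
CREATE PROC dbo.GetOrdersByCity_Safe @ShipCity nvarchar(40) AS
    IF @ShipCity IS NULL OR @ShipCity LIKE N'%[^A-Za-z .-]%'
    BEGIN
        RAISERROR ('ShipCity contains characters outside the allowed set', 16, 1)
        RETURN 1
    END
    EXEC sp_executesql
        N'SELECT * FROM dbo.OrdersTable WHERE ShipCity = @city',
        N'@city nvarchar(40)',
        @city = @ShipCity
    RETURN 0
GO

-- Well-behaved input: both procedures return the single Redmond row.
EXEC dbo.GetOrdersByCity_Unsafe N'Redmond'
EXEC dbo.GetOrdersByCity_Safe   N'Redmond'
GO

-- Hostile input. The unsafe procedure executes
--   SELECT * FROM dbo.OrdersTable WHERE ShipCity = 'Redmond' OR 1=1 --'
-- and returns every row. The slide's payload (Redmond' DROP TABLE OrdersTable --)
-- would instead drop the table if the caller holds that permission, which is
-- why the application's account must be neither sysadmin nor the table owner.
EXEC dbo.GetOrdersByCity_Unsafe N'Redmond'' OR 1=1 --'
GO
-- The hardened procedure rejects the same string at validation (error 50000).
-- Even with the IF removed it would stay safe: sp_executesql would look for a
-- city literally named "Redmond' OR 1=1 --" and return no rows.
EXEC dbo.GetOrdersByCity_Safe N'Redmond'' OR 1=1 --'
GO
```

Validation and parameterization are independent layers: the allow-list keeps malformed data out of the database, while sp_executesql guarantees that whatever does arrive is only ever a value. Least privilege on the connecting account is the third layer, limiting what a successful injection through any remaining concatenated SQL can do.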
Tips for App Dev Teams
- Understand the various security issues
  - Different threat vectors, attack scenarios
  - Awareness of issues such as SQL injection, cross-site scripting, buffer-overflow attacks
- Construct a threat analysis for each S/W component
  - Enumerate component boundaries
  - Analyze component data flow, interfaces and interactions: can it be compromised? What data flows in and out?
  - Compromise could be through different kinds of threats: escalation of privilege, tampering with data, spoofing, information disclosure, code injection
- Code review
  - Develop code review checklists as a guideline for common security issues
  - Directed code reviews, based on the threat analysis
  - Generic file reviews, top-down approach
SP3 Security Changes
- Nonblank SA password required on upgrade
- sp_change_users_login
  - Password required for the Auto_Fix option
- No creation of logins with NULL passwords
- Changing database ownership
  - Only sysadmins can
  - Restriction to prevent cross-database escalation of privilege
- Cross-database ownership chaining
  - Off by default; option to turn it on at the instance level
  - Per-database knob as well
- Marking system objects
  - Only sysadmin can mark objects as system objects
© 2002 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.