“Unexplained” of SQL Server Security

Vinod Kumar M
MTC – Technology Specialist
http://blogs.ExtremeExperts.com
@vinodk_sql
Level: 300

http://Blogs.ExtremeExperts.com T: @vinodk_sql

Session Takeaways

• Security is a complex topic but we will stick to basics.

• The session is based on real-customer surprises and requirements experienced at MTC.

• This is neither exhaustive nor extensive coverage of what falls under security.


Session flow !!!

• Authentication
  – Login Tracing
  – sa (facts)
• Authorization
• Signed modules
• Auditing
  – User Data Auditing
• Demo


DEMO

Security flow !!!!

Vinod Kumar M


Summary

• Authentication and Authorization are interesting and core to the SQL Server security model
• Believe in auditing and start thinking about what to audit
• Data security is based on application requirements
  – Has an inherent performance impact
  – Encryption is at multiple levels and can be mixed and matched

Thank you (the slide shows this in Hindi, Gujarati, Bengali, Punjabi, Odia, Tamil, Telugu, Kannada and Malayalam)


© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Backup slides


{All Action} Auditing – New in SQL Server 2008

• Create an Audit object to automatically log actions to:
  – File
  – Windows Application Log
  – Windows Security Log
• Create an Audit Specification to include server and database actions in an audit
  – Pre-defined action groups
  – Individual action filters


{Encryption Hierarchy}

(Diagram of the SQL Server encryption hierarchy. Nodes: DP API, Service Key, Master Key, Password, Certificate with its Public Key and Private Key, and Key; edges labelled "Secured By", "Wraps" and "Associated with". The chain runs DPAPI → Service Master Key → Database Master Key → certificate/asymmetric key → symmetric key, with a password available as an alternative protector at the master-key, certificate and symmetric-key levels.)


Don't Forget Module Signing (1)

• Need ALTER ANY LOGIN server permission to ALTER LOGIN
• Need to GRANT ALTER ANY LOGIN TO Alice? – No!

(Diagram: Alice, a non-privileged login, issues ALTER LOGIN Bob ENABLE)


Don't Forget Module Signing (2)

• Alice has permission to call SP
• SP runs under Alice's context but with elevated privilege
• SP protected against tampering

(Diagram: Alice, a non-privileged login, calls SP_ENABLE_LOGIN, which runs ALTER LOGIN Bob ENABLE; the procedure is signed with a certificate whose login, Cert_login, holds ALTER ANY LOGIN)
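The two module-signing slides above, worked through as T-SQL. This is an added example, not code from the deck; it uses the slide's names SP_ENABLE_LOGIN and Cert_login, while the certificate name Cert_EnableLogin, the logins Alice and Bob (Bob starting out disabled) and every password are constructed for the demo.

```sql
-- Demo environment (constructed): master database, a non-privileged login Alice
-- and a disabled login Bob. Every password below is a placeholder.
USE master;
GO
CREATE LOGIN Alice WITH PASSWORD = 'Pl@ceholder-Alice-1';
CREATE USER  Alice FOR LOGIN Alice;
CREATE LOGIN Bob   WITH PASSWORD = 'Pl@ceholder-Bob-1';
ALTER LOGIN  Bob DISABLE;
GO
-- 1. The procedure body needs ALTER ANY LOGIN; Alice is granted EXECUTE only.
CREATE PROCEDURE dbo.SP_ENABLE_LOGIN
AS
    ALTER LOGIN Bob ENABLE;
GO
GRANT EXECUTE ON dbo.SP_ENABLE_LOGIN TO Alice;
GO
-- 2. Certificate that will carry the permission.
CREATE CERTIFICATE Cert_EnableLogin
    ENCRYPTION BY PASSWORD = 'Pl@ceholder-Cert-1'
    WITH SUBJECT = 'Signs SP_ENABLE_LOGIN';
GO
-- 3. A login mapped to the certificate. Nobody can connect as it; it exists
--    only as the principal that holds the server-level permission.
CREATE LOGIN Cert_login FROM CERTIFICATE Cert_EnableLogin;
GRANT ALTER ANY LOGIN TO Cert_login;
GO
-- 4. Sign the procedure. Any ALTER PROCEDURE drops the signature, so a
--    tampered body loses the elevated permission instead of running with it.
ADD SIGNATURE TO dbo.SP_ENABLE_LOGIN
    BY CERTIFICATE Cert_EnableLogin
    WITH PASSWORD = 'Pl@ceholder-Cert-1';
GO
-- Optional hardening: with no private key, a modified copy cannot be re-signed.
ALTER CERTIFICATE Cert_EnableLogin REMOVE PRIVATE KEY;
GO
-- 5. Verify from Alice's own context.
EXECUTE AS LOGIN = 'Alice';
    -- Alice herself holds no ALTER ANY LOGIN: this returns no rows.
    SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER')
     WHERE permission_name = 'ALTER ANY LOGIN';
    EXEC dbo.SP_ENABLE_LOGIN;   -- succeeds: the permission flows via the signature
REVERT;
GO
-- Bob is now enabled (is_disabled = 0) although Alice never held the permission.
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'Bob';
```

When the procedure lives in a user database rather than master, the same certificate has to exist in both databases: the login is created from the copy in master and the procedure is signed with the copy in the user database.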