|
Thursday, May 31, 2007 |
Overview of the SQL Server Security Model |
Security is a major concern for the modern age systems, network, and database administrators. It is natural for an administrator to worry about hackers and external attacks while implementing security. But there is more to it. It is essential to first implement security within the organization, to make sure the right people have access to the right data. Without these security measures in place, you might find someone destroying your valuable data, or selling your company's secrets to your competitors, or someone invading the privacy of others. Primarily, a security plan must identify which users in the organization can see which data and perform which activities in the database.
The SQL Server Security Model
To be able to access data from a database, a user must pass through two stages of authentication: one at the SQL Server level and the other at the database level. These two stages are implemented using logins names and user accounts, respectively. A valid login is required to connect to SQL Server and a valid user account is required to access a database. Login: A valid login name is required to connect to a SQL Server instance. A login can be: - A Windows NT/2000 login that has been granted access to SQL Server.
- A SQL Server login, that is maintained within SQL Server.
These login names are maintained within the master database. So it is essential to backup the master database after adding new logins to SQL Server.
User: A valid user account within a database is required to access that database. User accounts are specific to a database. All permissions and ownership of objects in the database are controlled by the user account. SQL Server logins are associated with these user accounts. A login can have associated users in different databases, but only one user per database. During a new connection request, SQL Server verifies the login name supplied, to make sure that login is authorized to access SQL Server. This verification process is called authentication. SQL Server supports two authentication modes:
Windows Authentication Mode: With Windows authentication, you do not have to specify a login name and password to connect to SQL Server. Instead, your access to SQL Server is controlled by your Windows NT/2000 account (or the group to which your account belongs to), that you used to login to the Windows operating system on the client computer or workstation. A DBA must specify to SQL Server all the Microsoft Windows NT/2000 accounts or groups that can connect to SQL Server.
Mixed Mode: Mixed mode allows users to connect using Windows authentication or SQL Server authentication. Your DBA must first create valid SQL Server login accounts and passwords. These are not related to your Microsoft Windows NT/2000 accounts. With this authentication mode, you must supply the SQL Server login and password when you connect to SQL Server. If you do not specify SQL Server login name and password, or request Windows Authentication, you will be authenticated using Windows Authentication. One point to note is that whatever mode you configure your SQL Server to use, you can always login using Windows authentication.
Windows authentication is the recommended security mode, as it is more secure and you don't have to send login names and passwords over the network. You should avoid mixed mode, unless you have a non-Windows NT/2000 environment, or when your SQL Server is installed on Windows 95/98, or for backward compatibility with your existing applications.
SQL Server's authentication mode can be changed using Enterprise Manager (Right-click on the server name and click on “Properties,” then go to the “Security” tab).
Authentication mode can also be changed using SQL DMO object model, allowing developers to write programs to manage SQL Server security.
Here is a list of helpful stored procedures for managing logins and users:
sp_addlogin: Creates a new login that allows users to connect to SQL Server using SQL Server authentication
sp_grantlogin: Allows a Windows NT/2000 user account or group to connect to SQL Server using Windows authentication
sp_droplogin: Drops a SQL Server login
sp_revokelogin: Drops a Windows NT/2000 login/group from SQL Server
sp_denylogin: Prevents a Windows NT/2000 login/group from connecting to SQL Server
sp_password: Adds or changes the password for an SQL Server login
sp_helplogins: Provides information about logins and their associated users in each database
sp_defaultdb: Changes the default database for a login
sp_grantdbaccess: Adds an associated user account in the current database for an SQL Server login or Windows NT/2000 login
sp_revokedbaccess: Drops a user account from the current database
sp_helpuser: Reports information about the Microsoft users and roles in the current database Now let's talk about controlling access to objects within the database, and managing permissions. Apart from managing permissions at the individual database user level, SQL Server 7.0 and 2000 implements permissions using roles. A role is nothing but a group to which individual logins and users can be added, so that the permissions can be applied to a group, instead of applying the permissions to all the individual logins and users.
There are three types of roles in SQL Server 7.0 and 2000:
Fixed server roles
Fixed database roles
Application roles
Fixed Server Roles
Fixed server roles are server-wide roles. Logins can be added to these roles to gain the associated administrative permissions of the role. Fixed server roles cannot be altered and new server roles cannot be created. Here are the fixed server roles and their associated permissions in SQL Server 2000:
Fixed Server Role Descriptions
sysadmin: Can perform any activity in SQL Server
serveradmin: Can set server-wide configuration options, shut down the server
setupadmin: Can manage linked servers and startup procedures
securityadmin: Can manage logins and CREATE DATABASE permissions, also read error logs and change passwords
processadmin: Can manage processes running in SQL Server
dbcreator: Can create, alter, and drop databases
diskadmin: Can manage disk files
bulkadmin: Can execute BULK INSERT statements
Here is a list of stored procedures that are helpful in managing fixed server roles:
sp_addsrvrolemember: Adds a login as a member of a fixed server role
sp_dropsrvrolemember: Removes an SQL Server login, Windows user or group from a fixed server role
sp_helpsrvrole: Returns a list of the fixed server roles
sp_helpsrvrolemember: Returns information about the members of fixed server roles
sp_srvrolepermission: Returns the permissions applied to a fixed server role
Fixed Database Roles
Each database has a set of fixed database roles, to which database users can be added. These fixed database roles are unique within the database. While the permissions of fixed database roles cannot be altered, new database roles can be created. Here are the fixed database roles and their associated permissions in SQL Server 2000:
Fixed Database Role Description
db_owner: Has all permissions in the database
db_accessadmin: Can add or remove user IDs
db_securityadmin: Can manage all permissions, object ownerships, roles and role memberships
db_ddladmin: Can issue ALL DDL, but cannot issue GRANT, REVOKE, or DENY statements
db_backupoperator: Can issue DBCC, CHECKPOINT, and BACKUP statements
db_datareader: Can select all data from any user table in the database
db_datawriter: Can modify any data in any user table in the database
db_denydatareader: Cannot select any data from any user table in the database
db_denydatawriter: Cannot modify any data in any user table in the database
Here is a list of stored procedures that are helpful in managing fixed database roles:
sp_addrole: Creates a new database role in the current database
sp_addrolemember: Adds a user to an existing database role in the current database
sp_dbfixedrolepermission: Displays permissions for each fixed database role
sp_droprole: Removes a database role from the current database
sp_helpdbfixedrole: Returns a list of fixed database roles
sp_helprole: Returns information about the roles in the current database
sp_helprolemember: Returns information about the members of a role in the current database
sp_droprolemember: Removes users from the specified role in the current database
Application Roles
Application roles are another way of implementing permissions. These are quite different from the server and database roles. After creating and assigning the required permissions to an application role, the client application needs to activate this role at run-time to get the permissions associated with that application role. Application roles simplify the job of DBAs, as they don't have to worry about managing permissions at individual user level. All they need to do is to create an application role and assign permissions to it. The application that is connecting to the database activates the application role and inherits the permissions associated with that role. Here are the characteristics of application roles:
There are no built-in application roles.
Application roles contain no members.
Application roles need to be activated at run-time, by the application, using a password.
Application roles override standard permissions. For example, after activating the application role, the application will lose all the permissions associated with the login/user account used while connecting to SQL Server and gain the permissions associated with the application role.
Application roles are database specific. After activating an application role in a database, if that application wants to run a cross-database transaction, the other database must have a guest user account enabled.
Here are the stored procedures that are required to manage application roles:
sp_addapprole: Adds an application role in the current database
sp_approlepassword: Changes the password of an application role in the current database
sp_dropapprole: Drops an application role from the current database
sp_setapprole: Activates the permissions associated with an application role in the current database
Permissions
Now that we discussed different kinds of roles, let's talk about granting and revoking permissions to and from database users and database roles and application roles. The following T-SQL commands are used to manage permissions at the user and role level.
GRANT: Grants the specific permission (SELECT, DELETE etc.) to the specified user or role in the current database
REVOKE: Removes a previously granted or denied permission from a user or role in the current database
DENY: Denies a specific permission to the specified user or role in the current database Using the above commands, permissions can be granted, denied, or revoked to users and roles on all database objects. You can manage permissions at as low as the column level.
There is no way to manage permissions at the row level. That is, in a given table, you can't grant SELECT permission on a specific row to User1 and deny SELECT permission on another row to User2. This kind of security can be implemented by creating user specific views and granting SELECT permission on these views to users. But it will be an ugly solution in case of too many users with varying data access requirements. Just an FYI, Oracle has a feature called "Virtual Private Databases" (VPD) that allows DBAs to configure permissions at row level.
SQL Server Security Best Practices
Here is an ideal implementation of security in a Windows NT/2000 environment with SQL Server 7.0 or 2000 database server:
Configure SQL Server to use Windows authentication mode.
Depending upon the data access needs of your domain users, group them into different global groups in the domain.
Consolidate these global groups from all the trusted domains into the Windows NT/2000 local groups in your SQL Server computer.
The Windows NT/2000 local groups are then granted access to log into the SQL Server.
Add these Windows NT/2000 local groups to the required fixed server roles in SQL Server.
Associate these local group logins with individual user accounts in the databases and grant them the required permissions using the database roles.
Create custom database roles if required, for finer control over permissions.
Here are some standard security practices and tips:
Restrict physical access to the SQL Server computer. Always lock the server while not in use.
Make sure all the file and disk shares on the SQL Server computer are read-only. In case you have read-write shares, make sure only the right people have access to those shares.
Use the NTFS file system, as it provides advanced security and recovery features.
Prefer Windows authentication to mixed mode. If mixed mode authentication is inevitable, for backward compatibility reasons, make sure you have complex passwords for sa and all other SQL Server logins. It is recommended to have mixed case passwords with a few numbers and/or special characters, to counter the dictionary-based password guessing tools and user identity spoofing by hackers.
Rename the Windows NT/2000 Administrator account on the SQL Server computer to discourage hackers from guessing the administrator password.
In a website environment, keep your databases on a different computer than the one running the web service. In other words, keep your SQL Server off the Internet, for security reasons.
Keep yourself up-to-date with the information on latest service packs and security patches released by Microsoft. Carefully evaluate the service packs and patches before applying them on the production SQL Server. Bookmark the following URL for the latest in the security area from Microsoft: www.microsoft.com/security/.
If it is appropriate for your environment, hide the SQL Server service from appearing in the server enumeration box in Query Analyzer, using the /HIDDEN:YES switch of NET CONFIG SERVER command.
Enable login auditing at the Operating System and SQL Server level. Examine the audit for login failure events and look for trends to detect any possible intrusion.
If it fits your budget, use Intrusion Detection Systems (IDS), especially on high-risk online database servers. IDS can constantly analyze the inbound network traffic, look for trends and detect Denial of Service (DoS) attacks and port scans. IDS can be configured to alert the administrators upon detecting a particular trend.
Disable guest user account of Windows. Drop guest user from production databases using sp_dropuser.
Do not let your applications query and manipulate your database directly using SELECT/INSERT/UPDATE/DELETE statements. Wrap these commands within stored procedures and let your applications call these stored procedures. This helps centralize business logic within the database, at the same time hides the internal database structure from client applications.
Let your users query views instead of giving them access to the underlying base tables.
Discourage applications from executing dynamic SQL statements. To execute a dynamic SQL statement, users need explicit permissions on the underlying tables. This defeats the purpose of restricting access to base tables using stored procedures and views.
Don't let applications accept SQL commands from users and execute them against the database. This could be dangerous (known as SQL injection), as a skilled user can input commands that can destroy the data or gain unauthorized access to sensitive information.
Take advantage of the fixed server and database roles by assigning users to the appropriate roles. You could also create custom database roles that suit your needs.
Carefully choose the members of the sysadmin role, as the members of the sysadmin role can do anything in the SQL Server. Note that, by default, the Windows NT/2000 local administrators group is a part of the sysadmin fixed server role. You will probably want to remove this builtin group from SQL Server.
Constantly monitor error logs and event logs for security related alerts and errors.
Secure your registry by restricting access to the SQL Server specific registry keys like HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer.
If your databases contain sensitive information, consider encrypting the sensitive pieces (like credit card numbers and Social Security Numbers (SSN)). There are undocumented encryption functions in SQL Server, but I wouldn't recommend those. If you have the right skills available in your organization, develop your own encryption/decryption modules using Crypto API or other encryption libraries.
If you are running SQL Server 7.0, you could use the encryption capabilities of the Multi-Protocol net library for encrypted data exchange between the client and SQL Server. SQL Server 2000 supports encryption over all protocols using Secure Socket Layer (SSL). See SQL Server 7.0 and 2000 Books Online (BOL) for more information on this topic. Please note that, enabling encryption is always a tradeoff between security and performance, because of the additional overhead of encryption and decryption.
Prevent unauthorized access to linked servers by deleting the linked server entries that are no longer needed. Pay special attention to the login mapping between the local and remote servers. Use logins with the bare minimum privileges for configuring linked servers.
DBAs generally tend to run SQL Server service's using a domain administrator account. That is asking for trouble. A malicious SQL Server user could take advantage of these domain admin privileges. Most of the times, a local administrator account would be more than enough for SQL Server service.
DBAs also tend to drop system stored procedures like xp_cmdshell and all the OLE automation stored procedures (sp_OACreate and the likes). Instead of dropping these procedures, deny EXECUTE permission on them to specific users/roles. Dropping these procedures would break some of the SQL Server functionality.
Be prompt in dropping the SQL Server logins of employees leaving the organization. Especially, in the case of a layoff, drop the logins of those poor souls ASAP as they could do anything to your data out of frustration.
When using mixed mode authentication, consider customizing the system stored procedure sp_password, to prevent users from using simple and easy-to-guess passwords.
To setup secure data replication over Internet or Wide Area Networks (WAN), implement Virtual Private Networks (VPN). Securing the snapshot folder is important too, as the snapshot agent exports data and object scripts from published databases to this folder in the form of text files. Only the replication agents should have access to the snapshot folder.
It is good to have a tool like Lumigent Log Explorer handy, for a closer look at the transaction log to see who is doing what in the database.
Do not save passwords in your .udf files, as the password gets stored in clear text.
If your database code is proprietary, encrypt the definition of stored procedures, triggers, views and user defined functions using the WITH ENCRYPTION clause.
In database development environments, use a source code control system like Visual Source Safe (VSS) or Rational Clear Case. Control access to source code by creating users in VSS and giving permissions by project. Reserve the 'destroy permanently' permission for VSS administrator only. After project completion, lock your VSS database or leave your developers with just read-only access. For a list of other best practices in a database development environment, click here to visit my database programming guidelines and coding conventions.
Store the data files generated by DTS or BCP in a secure folder or share and delete these files once you are done.
Install anti-virus software on the SQL Server computer, but exclude your database folders from regular scans. Keep your anti-virus signature files up to date.
SQL Server 2000 allows you to specify a password for backups. If a backup is created with a password, you must provide that password to restore from that backup. This discourages unauthorized access to backup files.
Windows 2000 introduced Encrypted File System (EFS) that allows you to encrypt individual files and folders on an NTFS partition. Use this feature to encrypt your SQL Server database files. You must encrypt the files using the service account of SQL Server. When you want to change the service account of SQL Server, you must decrypt the files, change the service account and encrypt the files again with the new service account. The above points pretty much cover my security check list.Labels: Model, Security, Server, SQL Server |
posted by WebTeks @ 8:17 AM |
|
|
Wednesday, May 16, 2007 |
SQL Server 2005 - Security (Authentication) |
In this installment of our series covering new and improved functionality of SQL Server 2005 Beta 2, we will focus on the topic of security, which has been becoming increasingly prominent among the issues on every database and system administrator's agenda. A new approach to software development started with the Trustworthy Computing initiative launched in early 2002, necessitated by the growing number of exploits directed at the Microsoft operating system and applications, resulted in a "secure by default" product with highly customizable security features further increasing the degree of protection. We will start with the features related to authentication (the process of identifying logins connecting to the SQL Server and users accessing databases), and continue with authorization (determining the level of permissions granted once the initial connection is established) and encryption in the future articles. In particular, we will cover here, password policy implementation and management as well as endpoint-based authentication (in the context of native support for HTTTP SOAP requests).
It is worth pointing out that the new version of SQL Server has been designed with the "secure by default" principle in mind, resulting in a system with optimum, from the security standpoint, settings. The typical setup avoids installing or activating non-essential components and features which can expose the server and its data to potential attacks. This applies, for example, to SQL Server Agent, Full-Text Search, and Data Transformation Services (all set to manual startup), Analysis, Reporting, and Notification Services, SQL Browser, Service Broker Network Connectivity, Database Mirroring, SQLMail, or SQL Debugging.
Just like its predecessors, SQL Server 2005 still supports Windows and Mixed authentication modes. In the Windows Authentication Mode, access is granted based on a security token assigned during successful domain (or local server) logon by a Windows account, which subsequently requests access to SQL Server resources. In this case, such accounts must belong to the same Windows environment as the computer hosting SQL Server (this environment can consist of any combination of trusted domains or forests). In the Active Directory domain environment, an additional level of protection is provided by Kerberos protocol, which governs the behavior of the Windows authentication mechanism (on Windows 2003 Server based-clusters, Kerberos authentication can be used against SQL Server 2005 virtual servers). The Mixed Authentication Mode also allows SQL Server Authentication (in addition to Windows Authentication), which relies on the verification of credentials stored and maintained by the SQL Server. Due to increased security and no need for a separate set of accounts (since existing Windows users and groups are leveraged), Windows Authentication is the preferred option; however, security of SQL Server based logins has improved through its encryption with SQL generated certificates, as long as communication involves the new MDAC client software, based on .NET provider. New in SQL Server 2005 is the ability to manage SQL Server account password and lockout properties (in addition to Windows accounts used with Windows Authentication) with local and domain-based group policies (remember though that this functionality is available only on Windows 2003 Server systems). This allows you to enforce such restrictions on password complexity, password expiration, and account lockout. Password complexity is defined by a number of the following characteristics:
- length of the password must be at least 6 characters (in general, SQL Server passwords can have between 1 and 128 characters)
- password must contain at least three out of four types of characters such as uppercase letters, lowercase letters, numbers, and non-alphanumeric characters
- password can not match any of the values: "Admin", "Administrator", "Password", "sa", "sysadmin", name of the compute hosting SQL Server installation, and all or part (three or more consecutive alpha-numeric characters delimited on both ends by space, tab, comma, period, underscore, dash, or hash sign) of the name of currently logged on Windows account.
Note that regardless of authentication mode and policy enforcement, SQL Server 2005 Setup Wizard does not permit non-blank passwords for sa account during the installation. Password expiration is determined by the value of "Maximum password age" group policy setting, while account lockout behavior depends on values assigned to "Account lockout duration", "Account lockout threshold", and "Reset account lockout counter after" entries.
You can use CHECK_EXPIRATION and CHECK_POLICY clauses when creating new logins with the CREATE LOGIN T-SQL statement to enable or disable compliance with respective group policy settings (by setting them to ON or OFF, respectively). CHECK_EXPIRATION controls password expiration, while CHECK_POLICY determines both the state of password complexity and account lockout settings (which limits to some extent the flexibility in configuring these options - further restricted by the fact that a combination of CHECK_POLICY set to OFF and CHECK_EXPIRATION set to ON is not supported). Including the MUST_CHANGE clause forces the user to change the password when logging in for the first time. For example, the following statement creates a new login with password complexity, password expiration, and account lockout enabled, and assigns a new password that will need to be changed at the first login.
CREATE LOGIN shankar WITH PASSWORD = 'chngfirst' MUST_CHANGE, CHECK_EXPIRATION = ON, CHECK_POLICY = ON
sys.sql_logins catalog view produces output indicating whether password policy and password expiration have been enforced for existing SQL logins (within is_policy_checked and is_expiration_checked fields). The same information is available for individual accounts through the graphical interface of SQL Server Management Studio. ALTER LOGIN T-SQL statement supports the UNLOCK clause, intended for unlocking SQL Server logins that have been locked by mistyping the password more times than the value assigned via group policy to account lockout threshold setting. Endpoint-based authentication is used to provide secure communication in scenarios where SQL Server 2005, running on a Windows 2003 Server, functions natively as a Web Service, listening and responding to HTTP SOAP requests. (Windows 2003 Server implements the HTTP.SYS listener process outside of World Wide Web service, which eliminates the need for Internet Information Server functioning as an intermediary). This makes it possible to execute remotely stored procedures, scalar-valued user-defined functions, and T-SQL batches. However, endpoints, which are, in essence, points of entry to a SQL Server 2005 instance, are more versatile, allowing combining different transport (such as Named Pipes, Shared Memory, TCP/IP, or HTTP) and payload protocols (such as SOAP, Service Broker, Tabular Data Stream, or Database Mirroring), listening ports, authentication modes, and permissions (although the choice of a transport protocol has implications on other characteristics, such as, default permissions). Both SQL Server login authentication modes are supported - the preferred one is designated by the LOGIN_TYPE option (which can take on WINDOWS or MIXED values, corresponding, of course, to Windows and Mixed authentication) when creating or modifying HTTP endpoints using CREATE ENDPOINT and ALTER ENDPOINT statements. WINDOWS is the default and recommended choice, since, besides added security, it is also easier to configure. Otherwise, with MIXED LOGIN_TYPE, SQL Server must be configured with Mixed Authentication, endpoints are required to operate over a Secure Socket Layer channel (which is set by assigning an SSL value to the PORTS option of the endpoint), and login credentials need to be specified in the Web Services Security headers preceding the SOAP requests, formed by a client application. For more details on this subject, refer to the "SQL Authentication over SOAP" topic in the SQL Server Books Online.
In the case of SOAP-based communication, CREATE ENDPOINT and ALTER ENDPOINT statements also support the AUTHENTICATION clause, which controls the transport protocol (HTTP) authentication mechanism and which can be assigned one of three values:
- INTEGRATED - applies Windows-based Kerberos or NTLM authentication protocol when establishing HTTP communication between the client and server. The choice of the authentication protocol depends on the capabilities of the client operating system. Older ones (such as Windows 9x and Windows NT 4.0 are limited to NTLM only), while the newer ones will attempt Kerberos first (responding to negotiate challenge from the server). However, in order for mutual Kerberos authentication to work, the SQL Server service account must be associated with a Service Principal Name (SPN). This can be accomplished by running sp_register_kerberos_spn_for_http stored procedure, which creates two SPNs, for NetBIOS and fully qualified DNS names, respectively. If the SQL Server runs in the security context of the Local System account, the SPN is associated with the computer account of the server hosting the SQL Server installation.
- DIGEST - based on MD5 one-way hashing algorithm, which is applied to user's Windows credentials on the client side and compared with the result of the same algorithm being applied on the server side.
- BASIC - compares BASE64-encoded Windows credentials on the client and server side. Note that encoding is easily reversible and therefore must be used in combination with Secure Sockets Layer encryption of HTTP connection, enforced by PORTS=(SSL) option on the endpoints.
Labels: Authentication, Security, SQL Server |
posted by WebTeks @ 8:36 PM |
|
|
|
|
|
|
|
Previous Post |
|
Archives |
|
Links |
|
Template by |
|
|