Vinod Kumar, profile picture
Uploaded byVinod Kumar
975 views

Sql Server Security

SQL Server 2005 introduced enhancements to security including: 1. Authentication can specify SSL or mutual authentication with client certificates. Authorization establishes login credentials and permissions within a database. 2. A new security model separates users from schemas, allowing dropping a user without breaking applications. Users have a default schema and objects are contained within schemas. 3. Cryptography support provides encryption, decryption, signing and verification functions including symmetric and asymmetric keys. Permissions in SQL 2005 allow finer-grained control at the row level and module execution context.

SQL Server 2005 Security Vinod Kumar M Technology Evangelist Microsoft Corporation www.ExtremeExperts.com
Agenda SQL Server Security Model Authentication Architecture User-Schema Separation Cryptography Support Authorization Row-Level Security Module Execution Context Demo
SQL Server Security Model Network connection request/pre-login handshake Login authentication request to SQL Server Switch to a database and authorize access Attempt to perform some action Establish login credentials Connect to the SQL Server computer Verify permissions for all actions within a database Establish a database context
SQL Server Authentication Mechanism SQL Server Client App MDAC Client 1. Connect 2. Establish Socket 6. Acknowledgement 3. Hello 5. Login Packet (Name + Password) 4. Protocol Negotiate Sent in Clear in Microsoft® SQL Server 2000 Can Specify Secure Sockets Layer (SSL) and/or (5+ is encrypted) Mutual Auth (Client cert-store looked) Protocol Changes in SQL 2005 Server authorizes access Policy Changes in SQL 2005
Windows Authentication Mechanism Server authorizes access SQL Server Client App MDAC Client 1. Connect 2. Establish Socket 10. Acknowledgement 3. Hello 4. Protocol Negotiate Local LSA Local LSA DC LSA 5. Initial Security Ctxt 8. Acpt Security Ctxt 6. Cred. Info. Info. 9. Cred. 7. Credential Info. Protocol Changes in SQL 2005 Policy Changes in SQL 2005
Unified Users and Schema – A Problem User Database Object Owned By User 2 Drop user may require application change!! Table View Stored Proc Function Name resolution Eg: Select * from Foo User.foo Dbo.foo
User-Schema Separation – The Solution User Database Object Schema contained in Owned by Owned By User 2 Owned by Default Schema User1 Default Schema S1 User2 User3 Drop user does NOT require application change!! Table View Stored Proc Function Name Resolution Select * from foo S1. foo Dbo.foo
User-Schema Separation Database can contain multiple schemas Each schema has an owning principal – user or role Each user has a default schema for name resolution Most database objects live in schemas Object creation inside schema requires CREATE permission and ALTER or CONTROL permission on the schema Ownership chaining is still based on owners not schemas Owns Has default schema Owns Owns Schema3 Database Example: creation of table in schema requires CREATE TABLE permission and ownership of schema or ALTER or CONTROL on schema Role1 User1 Approle1 Schema1 Schema2 SP1 Fn1 Tab1
Cryptography Support Overview Set of built-ins for encryption , decryption , signing and verification Key management infrastructure Keys managed by SQL Server Keys managed by end-user All keys are always stored encrypted Key Types Supported Symmetric Keys RC4, RC2, DES Family, AES Family Asymmetric Keys Rivest-Shamir-Adelman Encryption (RSA) Certificates Base set of functionality needed for applications Sample scripts for column level encryption
Encryption Hierarchy
Authorization Terminology
Authorization Model - Permissions New permissions for finer grained control Permissions associated with semantics Not with statements Permissions can imply others Example: CONTROL It implies all other permissions Four states of permissions Grant (+) Deny (-) Revoke (take away) - + Deny Deny Revoke [deny] Revoke Grant Grant
Permission Implications Database Endpoint Schema Table Control Control Connect Control Control Alter Alter Control Select Select Alter Select EXECUTE at database Level means you can Execute any procedure CONTROL at Schema Level means you can Do anything in schema
Row-level Security Today we have permissions at table and column level SQL 2005: Finer-grained access control at the row level
What if there are multiple predicates? The user query is augmented as follows… All GRANTS are Or’d. Negatives of all DENY’s are OR’d The two sets are AND’ed For SELECT Only GRANTs and DENY’s of SELECT considered For UPDATE GRANTSs and DENY’s of UPDATEs and SELECTs considered Remember the update restrictions are based on the pre-image…not what is being updated to. For DELETE GRANTs and DENYs of DELETEs and SELECTs are considered
Module Execution Context Ability to choose execution context of modules Module: Stored procs, functions, assemblies Permissions checked against current execution context Ownership chaining rules still apply Option available for dynamic SQL as well Alternative to the absence of ownership chaining Execution context maintained in the sys.sql_modules catalog view
Execution Context User 3 Select Perms checked for User3 Execute Perms checked for User3 User1.Proc1 User1.T1 Execute Perms checked for User3 NO Perms checked for User3 User2.Proc1 User1.T1 ‘ Execute AS ‘X’ ’ Execute Perms checked for User3 Select Perms checked for ‘X’. Not for user3 SQL 2005 SQL 2000 User 3 User2.Proc1 User1.T1
Impersonation Implicit (four types) Execute as Caller Execute under the caller’s context No extra permissions needed Default behavior like SQL 2000 Execute as Principal Execute under the specified context Impersonate on Principal Syntax: execute as ‘domain\user’ Execute as Owner Execute under the module owner’s context Impersonate on Owner Syntax: execute as owner Execute as Self Run under the context that is creating/modifying the module Syntax: execute as self
Demo …
Questions ?

More Related Content

PPTX
Database security
byArpana shree
 
PPTX
Authentication vs authorization
byFrank Victory
 
PPTX
Fundamental cloud security
byAsmaa Ibrahim
 
PPT
Sql injection
byNitish Kumar
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PDF
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
byEdureka!
 
PPTX
Virtualization
byUtkarsh Soni
 
PPTX
08. networking-part-2
byMuhammad Ahad
 
Database security
byArpana shree
 
Authentication vs authorization
byFrank Victory
 
Fundamental cloud security
byAsmaa Ibrahim
 
Sql injection
byNitish Kumar
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
byEdureka!
 
Virtualization
byUtkarsh Soni
 
08. networking-part-2
byMuhammad Ahad
 

What's hot

PDF
Secure Session Management
byGuidePoint Security, LLC
 
PPTX
Sql Injection attacks and prevention
byhelloanand
 
PPTX
Introduction to Active Directory
bythoms1i
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
Data Backup (IT) Lecture Slide # 5
byMuhammad Talha Zaroon
 
PPT
ACTIVE-DIRECTORY.ppt
bymwti2
 
PPTX
Database Security
byShingalaKrupa
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PDF
DNS (Domain Name System)
byShashidhara Vyakaranal
 
PPT
VMware Esx Short Presentation
byBarcamp Cork
 
PPTX
Intrusion detection system
bySweta Sharma
 
PPTX
Virtualization and its Types
byHTS Hosting
 
PPTX
Windows server
byHideo Amezawa
 
PPT
Active Directory
bySandeep Kapadane
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PPTX
1 introduction to windows server 2016
byHameda Hurmat
 
PDF
Database security
byMurchana Borah
 
PPTX
SQL injection
byRaj Parmar
 
Secure Session Management
byGuidePoint Security, LLC
 
Sql Injection attacks and prevention
byhelloanand
 
Introduction to Active Directory
bythoms1i
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Data Backup (IT) Lecture Slide # 5
byMuhammad Talha Zaroon
 
ACTIVE-DIRECTORY.ppt
bymwti2
 
Database Security
byShingalaKrupa
 
Detection Rules Coverage
bySunny Neo
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
DNS (Domain Name System)
byShashidhara Vyakaranal
 
VMware Esx Short Presentation
byBarcamp Cork
 
Intrusion detection system
bySweta Sharma
 
Virtualization and its Types
byHTS Hosting
 
Windows server
byHideo Amezawa
 
Active Directory
bySandeep Kapadane
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Application Security - Your Success Depends on it
byWSO2
 
1 introduction to windows server 2016
byHameda Hurmat
 
Database security
byMurchana Borah
 
SQL injection
byRaj Parmar
 

Similar to Sql Server Security

PPT
Database Systems Security
byamiable_indian
 
PPT
Creating Secure Applications
byguest879f38
 
PPT
Oracle Database Vault
byMarco Alamanni
 
PPTX
DB2 Security Model
byuniqueYGB
 
PPTX
Vault_KT.pptx
bySDPL Technologies
 
PPT
Sql server basics
byDilfaroz Khan
 
PPTX
03_DP_300T00A_Secure_Environment.pptx
byKareemBullard1
 
PPTX
Cairo meetup low code best practices
byAhmed Keshk
 
PPT
Intro to tsql
bySyed Asrarali
 
PPT
Intro to tsql unit 14
bySyed Asrarali
 
PPT
Windows Server 2008 (Active Directory Yenilikleri)
byÇözümPARK
 
PPT
Saying goodbye to SQL Server 2000
byukdpe
 
PDF
Auditing Data Access in SQL Server
byAntonios Chatzipavlis
 
ODP
Under the Hood 11g Identity Management
byInSync Conference
 
PPT
SQL Server 2008 Security Overview
byukdpe
 
PDF
DB2 10 Security Enhancements
byLaura Hood
 
PPTX
Oracle Database Security For Developers
bySzymon Skorupinski
 
PPTX
Securing Your Enterprise Web Apps with MongoDB Enterprise
byMongoDB
 
PPTX
Day2
bymadamewoolf
 
PPTX
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
byMichael Noel
 
Database Systems Security
byamiable_indian
 
Creating Secure Applications
byguest879f38
 
Oracle Database Vault
byMarco Alamanni
 
DB2 Security Model
byuniqueYGB
 
Vault_KT.pptx
bySDPL Technologies
 
Sql server basics
byDilfaroz Khan
 
03_DP_300T00A_Secure_Environment.pptx
byKareemBullard1
 
Cairo meetup low code best practices
byAhmed Keshk
 
Intro to tsql
bySyed Asrarali
 
Intro to tsql unit 14
bySyed Asrarali
 
Windows Server 2008 (Active Directory Yenilikleri)
byÇözümPARK
 
Saying goodbye to SQL Server 2000
byukdpe
 
Auditing Data Access in SQL Server
byAntonios Chatzipavlis
 
Under the Hood 11g Identity Management
byInSync Conference
 
SQL Server 2008 Security Overview
byukdpe
 
DB2 10 Security Enhancements
byLaura Hood
 
Oracle Database Security For Developers
bySzymon Skorupinski
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
byMongoDB
 
Day2
bymadamewoolf
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
byMichael Noel
 

More from Vinod Kumar

PPTX
Backup beyond just a strategy with SQL Server
byVinod Kumar
 
PPTX
SQL Server Query Optimization, Execution and Debugging Query Performance
byVinod Kumar
 
PPT
Advanced t sql - querying and programming inside sql server
byVinod Kumar
 
PPT
Choosing a concurrency model, optimistic or pessimistic
byVinod Kumar
 
PPTX
Choosing A Concurrency Model, Optimistic Or Pessimistic
byVinod Kumar
 
PPT
Windows Mobile 5.0 Data Access And Storage Webcast
byVinod Kumar
 
PPT
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
byVinod Kumar
 
Backup beyond just a strategy with SQL Server
byVinod Kumar
 
SQL Server Query Optimization, Execution and Debugging Query Performance
byVinod Kumar
 
Advanced t sql - querying and programming inside sql server
byVinod Kumar
 
Choosing a concurrency model, optimistic or pessimistic
byVinod Kumar
 
Choosing A Concurrency Model, Optimistic Or Pessimistic
byVinod Kumar
 
Windows Mobile 5.0 Data Access And Storage Webcast
byVinod Kumar
 
Protecting Your Key Asset – Data Protection Best Practices V2.0 Final
byVinod Kumar
 

Recently uploaded

PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
Google Agentspace: Enterprise AI search platform
byKAVAIYAYASHKUMARAMRU
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
PDF
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
PDF
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
PDF
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
PPTX
Google Cloud Quest : An introductory training session on how to solve Google ...
byrajashreeborah705
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
PDF
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 
PDF
NeuroXR: Current Research and Opportunities
byMark Billinghurst
 
PPTX
Open Source business is of strategic importance to the EUpptx
byMindtrek
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
PDF
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
Google Agentspace: Enterprise AI search platform
byKAVAIYAYASHKUMARAMRU
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
Meta and Apple close to settling EU cases.pdf
byLUMINATIVE MEDIA/PROJECT COUNSEL MEDIA GROUP
 
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
Google Cloud Quest : An introductory training session on how to solve Google ...
byrajashreeborah705
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
Master Deck: GraphSummit Bengaluru (Oct 7)
byNeo4j
 
NeuroXR: Current Research and Opportunities
byMark Billinghurst
 
Open Source business is of strategic importance to the EUpptx
byMindtrek
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
Fairness and Bias in AI Ethics and Explainability
byShiwani Gupta
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 

Sql Server Security

  • 1.
    SQL Server 2005 Security Vinod Kumar M Technology Evangelist Microsoft Corporation www.ExtremeExperts.com
  • 2.
    Agenda SQL ServerSecurity Model Authentication Architecture User-Schema Separation Cryptography Support Authorization Row-Level Security Module Execution Context Demo
  • 3.
    SQL Server SecurityModel Network connection request/pre-login handshake Login authentication request to SQL Server Switch to a database and authorize access Attempt to perform some action Establish login credentials Connect to the SQL Server computer Verify permissions for all actions within a database Establish a database context
  • 4.
    SQL Server AuthenticationMechanism SQL Server Client App MDAC Client 1. Connect 2. Establish Socket 6. Acknowledgement 3. Hello 5. Login Packet (Name + Password) 4. Protocol Negotiate Sent in Clear in Microsoft® SQL Server 2000 Can Specify Secure Sockets Layer (SSL) and/or (5+ is encrypted) Mutual Auth (Client cert-store looked) Protocol Changes in SQL 2005 Server authorizes access Policy Changes in SQL 2005
  • 5.
    Windows Authentication MechanismServer authorizes access SQL Server Client App MDAC Client 1. Connect 2. Establish Socket 10. Acknowledgement 3. Hello 4. Protocol Negotiate Local LSA Local LSA DC LSA 5. Initial Security Ctxt 8. Acpt Security Ctxt 6. Cred. Info. Info. 9. Cred. 7. Credential Info. Protocol Changes in SQL 2005 Policy Changes in SQL 2005
  • 6.
    Unified Users andSchema – A Problem User Database Object Owned By User 2 Drop user may require application change!! Table View Stored Proc Function Name resolution Eg: Select * from Foo User.foo Dbo.foo
  • 7.
    User-Schema Separation – The Solution User Database Object Schema contained in Owned by Owned By User 2 Owned by Default Schema User1 Default Schema S1 User2 User3 Drop user does NOT require application change!! Table View Stored Proc Function Name Resolution Select * from foo S1. foo Dbo.foo
  • 8.
    User-Schema Separation Databasecan contain multiple schemas Each schema has an owning principal – user or role Each user has a default schema for name resolution Most database objects live in schemas Object creation inside schema requires CREATE permission and ALTER or CONTROL permission on the schema Ownership chaining is still based on owners not schemas Owns Has default schema Owns Owns Schema3 Database Example: creation of table in schema requires CREATE TABLE permission and ownership of schema or ALTER or CONTROL on schema Role1 User1 Approle1 Schema1 Schema2 SP1 Fn1 Tab1
  • 9.
    Cryptography Support OverviewSet of built-ins for encryption , decryption , signing and verification Key management infrastructure Keys managed by SQL Server Keys managed by end-user All keys are always stored encrypted Key Types Supported Symmetric Keys RC4, RC2, DES Family, AES Family Asymmetric Keys Rivest-Shamir-Adelman Encryption (RSA) Certificates Base set of functionality needed for applications Sample scripts for column level encryption
  • 10.
  • 11.
  • 12.
    Authorization Model -Permissions New permissions for finer grained control Permissions associated with semantics Not with statements Permissions can imply others Example: CONTROL It implies all other permissions Four states of permissions Grant (+) Deny (-) Revoke (take away) - + Deny Deny Revoke [deny] Revoke Grant Grant
  • 13.
    Permission Implications DatabaseEndpoint Schema Table Control Control Connect Control Control Alter Alter Control Select Select Alter Select EXECUTE at database Level means you can Execute any procedure CONTROL at Schema Level means you can Do anything in schema
  • 14.
    Row-level Security Todaywe have permissions at table and column level SQL 2005: Finer-grained access control at the row level
  • 15.
    What if thereare multiple predicates? The user query is augmented as follows… All GRANTS are Or’d. Negatives of all DENY’s are OR’d The two sets are AND’ed For SELECT Only GRANTs and DENY’s of SELECT considered For UPDATE GRANTSs and DENY’s of UPDATEs and SELECTs considered Remember the update restrictions are based on the pre-image…not what is being updated to. For DELETE GRANTs and DENYs of DELETEs and SELECTs are considered
  • 16.
    Module Execution ContextAbility to choose execution context of modules Module: Stored procs, functions, assemblies Permissions checked against current execution context Ownership chaining rules still apply Option available for dynamic SQL as well Alternative to the absence of ownership chaining Execution context maintained in the sys.sql_modules catalog view
  • 17.
    Execution Context User3 Select Perms checked for User3 Execute Perms checked for User3 User1.Proc1 User1.T1 Execute Perms checked for User3 NO Perms checked for User3 User2.Proc1 User1.T1 ‘ Execute AS ‘X’ ’ Execute Perms checked for User3 Select Perms checked for ‘X’. Not for user3 SQL 2005 SQL 2000 User 3 User2.Proc1 User1.T1
  • 18.
    Impersonation Implicit (fourtypes) Execute as Caller Execute under the caller’s context No extra permissions needed Default behavior like SQL 2000 Execute as Principal Execute under the specified context Impersonate on Principal Syntax: execute as ‘domain\user’ Execute as Owner Execute under the module owner’s context Impersonate on Owner Syntax: execute as owner Execute as Self Run under the context that is creating/modifying the module Syntax: execute as self
  • 19.
  • 20.