SQL Server 2005 Security Best Practices Operational and Administrative Tasks

SQL Server Technical Article

Writers: Bob Beauchemin, SQLskills Technical Reviewers: Laurentiu Cristofor, Al Comeau, Sameer Tejani, Rob Walters, "iraj "a#rani even!ra Tiwari,

$ublishe!: %arch &''( A))lies To: SQL Server &''* S$& Summary Securit+ is a crucial )art of an+ mission,critical a))lication- This )a)er !escribes best )ractices for settin# u) an! maintainin# securit+ in SQL Server &''*-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&

!opyri"ht
The information containe! in this !ocument re)resents the current view of %icrosoft Cor)oration on the issues !iscusse! as of the !ate of )ublication- Because %icrosoft must res)on! to chan#in# market con!itions, it shoul! not be inter)rete! to be a commitment on the )art of %icrosoft, an! %icrosoft cannot #uarantee the accurac+ of an+ information )resente! after the !ate of )ublication-

This White $a)er is for informational )ur)oses onl+- %/CR.S.0T %A12S ". WARRA"T/2S, 23$R2SS, /%$L/2 .R STAT4T.R5, AS T. T62 /"0.R%AT/." /" T6/S .C4%2"T-

Com)l+in# with all a))licable co)+ri#ht laws is the res)onsibilit+ of the user- Without limitin# the ri#hts un!er co)+ri#ht, no )art of this !ocument ma+ be re)ro!uce!, store! in or intro!uce! into a retrieval s+stem, or transmitte! in an+ form or b+ an+ means 7electronic, mechanical, )hotoco)+in#, recor!in#, or otherwise8, or for an+ )ur)ose, without the e9)ress written )ermission of %icrosoft Cor)oration-

%icrosoft ma+ have )atents, )atent a))lications, tra!emarks, co)+ri#hts, or other intellectual )ro)ert+ ri#hts coverin# subject matter in this !ocument- 29ce)t as e9)ressl+ )rovi!e! in an+ written license a#reement from %icrosoft, the furnishin# of this !ocument !oes not #ive +ou an+ license to these )atents, tra!emarks, co)+ri#hts, or other intellectual )ro)ert+-

4nless otherwise note!, the e9am)le com)anies, or#ani:ations, )ro!ucts, !omain names, e,mail a!!resses, lo#os, )eo)le, )laces an! events !e)icte! herein are fictitious, an! no association with an+ real com)an+, or#ani:ation, )ro!uct, !omain name, email a!!ress, lo#o, )erson, )lace or event is inten!e! or shoul! be inferre! &''( %icrosoft Cor)oration- All ri#hts reserve!-

%icrosoft, Active

irector+, Win!ows, Win!ows Server, an! Win!ows ;ista are either re#istere! tra!emarks or

tra!emarks of %icrosoft Cor)oration in the 4nite! States an!<or other countries-

The names of actual com)anies an! )ro!ucts mentione! herein ma+ be the tra!emarks of their res)ective owners-

Ta#le o$ !ontents
%ntroduction &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&' Sur$ace Area (eduction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&' Service Account Selection and )ana"ement&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&* Authentication )ode&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&+ ,et-ork !onnectivity&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.0 Lockdo-n o$ System Stored Procedures&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&./ Pass-ord Policy&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.' Administrator Privile"es&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.* 0ata#ase O-nership and Trust&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.1 Schemas &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.1 Authori2ation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&20 !atalo" Security&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2. (emote 0ata Source 34ecution&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&22 34ecution !onte4t&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2/ 3ncryption&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&25 Auditin"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&25 )icroso$t Baseline Security Analy2er and SQL Server Best Practices Analy2er 2+ Patchin"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2+ !onclusion&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/0

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

/ntro!uction
This white )a)er covers some of the o)erational an! a!ministrative tasks associate! with %icrosoft> SQL Server? &''* securit+ an! enumerates best )ractices an! o)erational an! a!ministrative tasks that will result in a more secure SQL Server s+stem- 2ach to)ic !escribes a feature an! best )ractices- 0or a!!itional information on the s)ecifics of utilities, features, an! L statements reference! in this white )a)er, see SQL Server &''* Books .nline- 0eatures an! o)tions that are new or !efaults that are chan#e! for SQL Server &''* are i!entifie!- Co!in# e9am)les for o)erational tasks use Transact,SQL, so un!erstan!in# Transact,SQL is re@uire! for +ou to #et the most out of this )a)er-

Surface Area Re!uction

SQL Server &''* installation minimi:es the Aattack surfaceA because b+ !efault, o)tional features are not installe!- urin# installation the a!ministrator can choose to install: atabase 2n#ine Anal+sis Services 2n#ine Re)ortin# Services /nte#ration Services "otification Services ocumentation an! Sam)les

/t is a #oo! )ractice to review which )ro!uct features +ou actuall+ nee! an! install onl+ those features- Later, install a!!itional features onl+ as nee!e!SQL Server &''* inclu!es sam)le !atabases for .LT$, !ata warehousin#, an! Anal+sis Services- /nstall sam)le !atabases on test servers onl+B the+ are not installe! b+ !efault when +ou install the corres)on!in# en#ine featureSQL Server &''* inclu!es sam)le co!e coverin# ever+ feature of the )ro!uct- These sam)les are not installe! b+ !efault an! shoul! be installe! onl+ on a !evelo)ment server, not on a )ro!uction server- 2ach item of sam)le co!e has un!er#one a review to ensure that the co!e follows best )ractices for securit+- 2ach sam)le uses %icrosoft Win!ows> securit+ )rinci)als an! illustrates the )rinci)al of least )rivile#eSQL Server has alwa+s been a feature,rich !atabase an! the number of new features in SQL Server &''* can be overwhelmin#- .ne wa+ to make a s+stem more secure is to limit the number of o)tional features that are installe! an! enable! b+ !efault- /t is easier to enable features when the+ are nee!e! than it is to enable ever+thin# b+ !efault an! then turn off features that +ou !o not nee!- This is the installation )olic+ of SQL Server &''*, known as Aoff b+ !efault, enable when nee!e!-A .ne wa+ to ensure that securit+ )olicies are followe! is to make secure settin#s the !efault an! make them eas+ to useSQL Server &''* )rovi!es a Aone,sto)A utilit+ that can be use! to enable o)tional features on a )er,service an! )er,instance basis as nee!e!- Althou#h there are other utilities 7such as Services in Control $anel8, server confi#uration comman!s 7such as sp6con$i"ure8, an! A$/s such as W%/ 7Win!ows %ana#ement /nstrumentation8 that +ou can use, the SQL Server Surface Area Confi#uration tool combines this

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

functionalit+ into a sin#le utilit+ )ro#ram- This )ro#ram can be use! either from the comman! line or via a #ra)hic user interfaceSQL Server Service Area Confi#uration !ivi!es confi#uration into two subsets: services an! connections, an! features- 4se the Surface Area Confi#uration for Services an! Connections tool to view the installe! com)onents of SQL Server an! the client network interfaces for each en#ine com)onent- The startu) t+)e for each service 7Automatic, %anual, or isable!8 an! the client network interfaces that are available can be confi#ure! on a )er,instance basis- 4se the Surface Area Confi#uration for 0eatures tool to view an! confi#ure instance,level featuresThe features enable! for confi#uration are: CLR /nte#ration Remote use of a !e!icate! a!ministrator connection .L2 Automation s+stem )roce!ures S+stem )roce!ures for atabase %ail an! SQL %ail A! hoc remote @ueries 7the .$2"R.WS2T an! .$2" ATAS.4RC2 functions8 SQL Server Web Assistant 4p6cmdshell availabilit+ 6TT$ en!)oints Service Broker en!)oint

The features enable! for viewin# are:

The SQL Server Surface Area Confi#uration comman!,line interface, sac-e9e, )ermits +ou to im)ort an! e9)ort settin#s- This enables +ou to stan!ar!i:e the confi#uration of a #rou) of SQL Server &''* instances- 5ou can im)ort an! e9)ort settin#s on a )er,instance basis an! also on a )er,service basis b+ usin# comman!,line )arameters- 0or a list of comman!,line )arameters, use the -7 comman!,line o)tion5ou must have sysadmin )rivile#e to use this utilit+- The followin# co!e is an e9am)le of e9)ortin# all settin#s from the !efault instance of SQL Server on serverC an! im)ortin# them into server&: sac out server1.out S server1 U admin I MSSQLSERVER sac in server1.out S server2 When +ou u)#ra!e an instance of SQL Server to SQL Server &''* b+ )erformin# an in,)lace u)#ra!e, the confi#uration o)tions of the instance are unchan#e!- 4se SQL Server Surface Area Confi#uration to review feature usa#e an! turn off features that are not nee!e!- 5ou can turn off the features in SQL Server Surface Area Confi#uration or b+ usin# the s+stem store! )roce!ure, sp6con$i"ure- 6ere is an e9am)le of usin# sp6con$i"ure to !isallow the e9ecution o$ 4p6cmdshell on a SQL Server instance: -- Allow advanced o tions to !e c"an#ed. E$E% s &con'i#ure (s"ow advanced o tions() 1 *+ -- U date t"e currentl, con'i#ured value 'or advanced o tions. RE%+-.I*URE

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

*+ -- /isa!le t"e 'eature. E$E% s &con'i#ure (0 &cmds"ell() 1 *+ -- U date t"e currentl, con'i#ured value 'or t"is 'eature. RE%+-.I*URE E. /n SQL Server &''*, SQL Server Browser functionalit+ has been factore! into its own service an! is no lon#er )art of the core !atabase en#ine- A!!itional functions are also factore! into se)arate services- Services that are not a )art of the core !atabase en#ine an! can be enable! or !isable! se)aratel+ inclu!e: SQL Server Active SQL Server A#ent SQL Server 0ullTe9t Search SQL Server Browser SQL Server ;SS Writer irector+ 6el)er

The SQL Server Browser service nee!s to be runnin# onl+ to connect to name! SQL Server instances that use TC$</$ !+namic )ort assi#nments- /t is not necessar+ to connect to !efault instances of SQL Server &''* an! name! instances that use static TC$</$ )orts- 0or a more secure confi#uration, alwa+s use static TC$</$ )ort assi#nments an! !isable the SQL Server Browser service- The ;SS Writer allows backu) an! restore usin# the ;olume Sha!ow Co)+ framework- This service is !isable! b+ !efault- /f +ou !o not use ;olume Sha!ow Co)+, !isable this service- /f +ou are runnin# SQL Server outsi!e of an Active irector+> !irector+ service, !isable the Active irector+ 6el)erBest practices $or sur$ace area reduction /nstall onl+ those com)onents that +ou will imme!iatel+ use- A!!itional com)onents can alwa+s be installe! as nee!e!2nable onl+ the o)tional features that +ou will imme!iatel+ useReview o)tional feature usa#e before !oin# an in,)lace u)#ra!e an! !isable unnee!e! features either before or after the u)#ra!eevelo) a )olic+ with res)ect to )ermitte! network connectivit+ choices- 4se SQL Server Surface Area Confi#uration to stan!ar!i:e this )olic+evelo) a )olic+ for the usa#e of o)tional features- 4se SQL Server Surface Area Confi#uration to stan!ar!i:e o)tional feature enablin#- ocument an+ e9ce)tions to the )olic+ on a )er,instance basisTurn off unnee!e! services b+ settin# the service to either %anual startu) or isable!-

Service Account Selection an! %ana#ement

SQL Server &''* e9ecutes as a set of Win!ows services- 2ach service can be confi#ure! to use its own service account- This facilit+ is e9)ose! at installationSQL Server )rovi!es a s)ecial tool, SQL Server Confi#uration %ana#er, to mana#e

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

these accounts- /n a!!ition, these accounts can be set )ro#rammaticall+ throu#h the SQL Server W%/ $rovi!er for Confi#uration- When +ou select a Win!ows account to be a SQL Server service account, +ou have a choice of: omain user that is not a Win!ows a!ministrator Local user that is not a Win!ows a!ministrator "etwork Service account Local S+stem account Local user that is a Win!ows a!ministrator omain user that is a Win!ows a!ministrator

When choosin# service accounts, consi!er the )rinci)le of least )rivile#e- The service account shoul! have e9actl+ the )rivile#es that it nee!s to !o its job an! no more )rivile#es- 5ou also nee! to consi!er account isolationB the service accounts shoul! not onl+ be !ifferent from one another, the+ shoul! not be use! b+ an+ other service on the same server- .nl+ the first two account t+)es in the list above have both of these )ro)erties- %akin# the SQL Server service account an a!ministrator, at either a server level or a !omain level, bestows too man+ unnee!e! )rivile#es an! shoul! never be !one- The Local S+stem account is not onl+ an account with too man+ )rivile#es, but it is a share! account an! mi#ht be use! b+ other services on the same server- An+ other service that uses this account has the same set u) )rivile#es as the SQL Server service that uses the account- Althou#h "etwork Service has network access an! is not a Win!ows su)eruser account, it is a shareable accountThis account is useable as a SQL Server service account onl+ if +ou can ensure that no other services that use this account are installe! on the server4sin# a local user or !omain user that is not a Win!ows a!ministrator is the best choice- /f the server that is runnin# SQL Server is )art of a !omain an! must access !omain resources such as file shares or uses linke! server connections to other com)uters runnin# SQL Server, a !omain account is the best choice- /f the server is not )art of a !omain 7for e9am)le, a server runnin# in the )erimeter network 7also known as the %F8 in a Web a))lication8 or !oes not nee! to access !omain resources, a local user that is not a Win!ows a!ministrator is )referre!Creatin# the user account that will be use! as a SQL Server service account is easier in SQL Server &''* than in )revious versions- When SQL Server &''* is installe!, a Win!ows #rou) is create! for each SQL Server service, an! the service account is )lace! in the a))ro)riate #rou)- To create a user that will serve as a SQL Server service account, sim)l+ create an Aor!inar+A account that is either a member of the 4sers #rou) 7non,!omain user8 or omain 4sers #rou) 7!omain user8- urin# installation, the user is automaticall+ )lace! in the SQL Server service #rou) an! the #rou) is #rante! e9actl+ the )rivile#es that are nee!e!/f the service account nee!s a!!itional )rivile#es, the )rivile#e shoul! be #rante! to the a))ro)riate Win!ows #rou), rather than #rante! !irectl+ to the service user account- This is consistent with the wa+ access control lists are best mana#e! in Win!ows in #eneral- 0or e9am)le, the abilit+ to use the SQL Server /nstant 0ile /nitiali:ation feature re@uires that the $erform ;olume %aintenance Tasks user ri#hts be set in the Erou) $olic+ A!ministration tool- This )rivile#e shoul! be #rante! to SQLServer&''*%SSQL4serG%achine"ameG%SSQLS2R;2R #rou) for the !efault instance of SQL Server on server A%achine"ame-A

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

SQL Server service accounts shoul! be chan#e! onl+ b+ usin# SQL Server Confi#uration %ana#er, or b+ usin# the e@uivalent functionalit+ in the W%/ A$/s4sin# Confi#uration %ana#er ensures that the new service account is )lace! in the a))ro)riate Win!ows #rou), an! is thus #rante! e9actl+ the correct )rivile#es to run the service- /n a!!ition, usin# SQL Server Confi#uration %ana#er also re,encr+)ts the service master ke+ that is usin# the new account- 0or more information on the service master ke+, see 2ncr+)tion later in this )a)er- Because SQL Server service accounts also abi!e b+ Win!ows )asswor! e9)iration )olicies, it is necessar+ to chan#e the service account )asswor!s at re#ular intervals- /n SQL Server &''*, it is easier to abi!e b+ )asswor! e9)iration )olicies because chan#in# the )asswor! of the service account !oes not re@uire restartin# SQL ServerSQL Server &''* re@uires that the service account have less )rivile#e than in )revious versions- S)ecificall+, the )rivile#e Act As $art of the .)eratin# S+stem 7S2ITCBI"A%28 is not re@uire! for the service account unless SQL Server &''* is runnin# on the %icrosoft Win!ows Server? &''' S$= o)eratin# s+stem- After !oin# an u)#ra!e in )lace, use the Erou) $olic+ A!ministration tool to remove this )rivile#eThe SQL Server A#ent service account re@uires sysadmin )rivile#e in the SQL Server instance that it is associate! with- /n SQL Server &''*, SQL Server A#ent job ste)s can be confi#ure! to use )ro9ies that enca)sulate alternate cre!entials- A CR2 2"T/AL is sim)l+ a !atabase object that is a s+mbolic name for a Win!ows user an! )asswor!- A sin#le CR2 2"T/AL can be use! with multi)le SQL Server A#ent )ro9ies- To accommo!ate the )rinci)al of least )rivile#e, !o not #ive e9cessive )rivile#es to the SQL Server A#ent service account- /nstea!, use a )ro9+ that corres)on!s to a CR2 2"T/AL that has just enou#h )rivile#e to )erform the re@uire! task- A CR2 2"T/AL can also be use! to re!uce the )rivile#e for a s)ecific task if the SQL Server A#ent service account has been confi#ure! with more )rivile#es than nee!e! for the task- $ro9ies can be use! for: Active3 scri)tin# .)eratin# s+stem 7Cm!29ec8 Re)lication a#ents Anal+sis Services comman!s an! @ueries SS/S )acka#e e9ecution 7inclu!in# maintenance )lans8 4se a s)ecific user account or !omain account rather than a share! account for SQL Server services4se a se)arate account for each serviceo not #ive an+ s)ecial )rivile#es to the SQL Server service accountB the+ will be assi#ne! b+ #rou) membershi)%ana#e )rivile#es throu#h the SQL Server su))lie! #rou) account rather than throu#h in!ivi!ual service user accountsAlwa+s use SQL Server Confi#uration %ana#er to chan#e service accountsChan#e the service account )asswor! at re#ular intervals4se CR2 2"T/ALs to e9ecute job ste)s that re@uire s)ecific )rivile#es rather than a!justin# the )rivile#e to the SQL Server A#ent service account-

Best practices $or SQL Server service accounts

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

/f an a#ent user nee!s to e9ecute a job that re@uires !ifferent Win!ows cre!entials, assi#n them a )ro9+ account that has just enou#h )ermissions to #et the task !one-

Authentication %o!e
SQL Server has two authentication mo!es: Win!ows Authentication an! %i9e! %o!e Authentication- /n Win!ows Authentication mo!e, s)ecific Win!ows user an! #rou) accounts are truste! to lo# in to SQL Server- Win!ows cre!entials are use! in the )rocessB that is, either "TL% or 1erberos cre!entials- Win!ows accounts use a series of encr+)te! messa#es to authenticate to SQL ServerB no )asswor!s are )asse! across the network !urin# the authentication )rocess- /n %i9e! %o!e Authentication, both Win!ows accounts an! SQL Server,s)ecific accounts 7known as SQL lo#ins8 are )ermitte!- When SQL lo#ins are use!, SQL lo#in )asswor!s are )asse! across the network for authentication- This makes SQL lo#ins less secure than Win!ows lo#ins/t is a best )ractice to use onl+ Win!ows lo#ins whenever )ossible- 4sin# Win!ows lo#ins with SQL Server achieves sin#le si#n,on an! sim)lifies lo#in a!ministration$asswor! mana#ement uses the or!inar+ Win!ows )asswor! )olicies an! )asswor! chan#e A$/s- 4sers, #rou)s, an! )asswor!s are mana#e! b+ s+stem a!ministratorsB SQL Server !atabase a!ministrators are onl+ concerne! with which users an! #rou)s are allowe! access to SQL Server an! with authori:ation mana#ementSQL lo#ins shoul! be confine! to le#ac+ a))lications, mostl+ in cases where the a))lication is )urchase! from a thir!,)art+ ven!or an! the authentication cannot be chan#e!- Another use for SQL lo#ins is with cross,)latform client,server a))lications in which the non,Win!ows clients !o not )ossess Win!ows lo#ins- Althou#h usin# SQL lo#ins is !iscoura#e!, there are securit+ im)rovements for SQL lo#ins in SQL Server &''*- These im)rovements inclu!e the abilit+ to have SQL lo#ins use the )asswor! )olic+ of the un!erl+in# o)eratin# s+stem an! better encr+)tion when SQL )asswor!s are )asse! over the network- WeKll !iscuss each of these later in the )a)erSQL Server &''* uses stan!ar! L statements to create both Win!ows lo#ins an! SQL lo#ins- 4sin# the CR2AT2 L.E/" statement is )referre!B the sp6addlo"in an! sp6"rantlo"in s+stem store! )roce!ures are su))orte! for backwar! com)atibilit+ onl+- SQL Server &''* also )rovi!es the abilit+ to !isable a lo#in or chan#e a lo#in name b+ usin# the ALT2R L.E/" L statement- 0or e9am)le, if +ou install SQL Server &''* in Win!ows Authentication mo!e rather than %i9e! %o!e, the sa lo#in is !isable!- 4se ALT2R L.E/" rather than the )roce!ures sp6denylo"in or sp6revokelo"in, which are su))orte! for backwar! com)atibilit+ onl+/f +ou install SQL Server in Win!ows Authentication mo!e, the sa lo#in account is !isable! an! a ran!om )asswor! is #enerate! for it- /f +ou later nee! to chan#e to %i9e! %o!e Authentication an! re,enable the sa lo#in account, +ou will not know the )asswor!- Chan#e the sa )asswor! to a known value after installation if +ou think +ou mi#ht ever nee! to use itBest practices $or authentication mode Alwa+s use Win!ows Authentication mo!e if )ossible4se %i9e! %o!e Authentication onl+ for le#ac+ a))lications an! non,Win!ows users-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

C'

4se the stan!ar! lo#in )roce!ures-

L statements instea! of the com)atibilit+ s+stem

Chan#e the sa account )asswor! to a known value if +ou mi#ht ever nee! to use it- Alwa+s use a stron# )asswor! for the sa account an! chan#e the sa account )asswor! )erio!icall+o not mana#e SQL Server b+ usin# the sa lo#in accountB assi#n sysadmin )rivile#e to a knows user or #rou)Rename the sa account to a !ifferent account name to )revent attacks on the sa account b+ name-

"etwork Connectivit+
A stan!ar! network )rotocol is re@uire! to connect to the SQL Server !atabaseThere are no internal connections that b+)ass the network- SQL Server &''* intro!uces an abstraction for mana#in# an+ connectivit+ channelLentr+ )oints into a SQL Server instance are all re)resente! as en!)oints- 2n!)oints e9ist for the followin# network client connectivit+ )rotocols: Share! %emor+ "ame! $i)es TC$</$ ;/A e!icate! a!ministrator connection

/n a!!ition, en!)oints ma+ be !efine! to )ermit access to the SQL Server instance for: Service Broker 6TT$ Web Services atabase mirrorin#

0ollowin# is an e9am)le of creatin# an en!)oint for Service Broker%REA2E E-/3+I-2 4ro5erEnd oint&SQL/EV11 AS 2%3 6 LIS2E-ER&3+R2 7 8122 .+R SERVI%E&4R+:ER 6 AU2;E-2I%A2I+- 7 <I-/+<S 9 SQL Server &''* !iscontinues su))ort for some network )rotocols that were available with earlier versions of SQL Server, inclu!in# /$3<S$3, A))letalk, an! Ban+on ;ines/n kee)in# with the #eneral )olic+ of Aoff b+ !efault, enable onl+ when nee!e!,A no Service Broker, 6TT$, or !atabase mirrorin# en!)oints are create! when SQL Server &''* is installe!, an! the ;/A en!)oint is !isable! b+ !efault- /n a!!ition, in SQL Server &''* 29)ress 2!ition, SQL Server &''* evelo)er 2!ition, an! SQL Server &''* 2valuation 2!ition, the "ame! $i)es an! TC$</$ )rotocols are !isable! b+ !efault- .nl+ Share! %emor+ is available b+ !efault in those e!itionsThe !e!icate! a!ministrator connection 7 AC8, new with SQL Server &''*, is 9

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

CC

available onl+ locall+ b+ !efault, althou#h it can be ma!e available remotel+- "ote that the AC is not available in SQL Server 29)ress 2!ition b+ !efault an! re@uires that the server be run with a s)ecial trace fla# to enable it- Access to !atabase en!)oints re@uires the lo#in )rinci)al to have C.""2CT )ermission- B+ !efault, no lo#in account has C.""2CT )ermission to Service Broker or 6TT$ Web Services en!)oints- This restricts access )aths an! blocks some known attack vectors- /t is a best )ractice to enable onl+ those )rotocols that are nee!e!- 0or e9am)le, if TC$</$ is sufficient, there is no nee! to enable the "ame! $i)es )rotocolAlthou#h en!)oint a!ministration can be accom)lishe! via L, the a!ministration )rocess is ma!e easier an! )olic+ can be ma!e more uniform b+ usin# the SQL Server Surface Area Confi#uration tool an! SQL Server Confi#uration %ana#erSQL Server Surface Area Confi#uration )rovi!es a sim)lifie! user interface for enablin# or !isablin# client )rotocols for a SQL Server instance, as shown in 0i#ure C an! 0i#ure &- Confi#uration is !escribe! in 1nowle!#e Base article 1BJC=&((, 6ow to confi#ure SQL Server &''* to allow remote connections, as well as in SQL Server &''* Books .nline- A screenshot showin# the remote connections confi#uration !ialo# bo9 is shown in 0i#ure C-

8i"ure .

!on$i"urin" remote connections

/n the Surface Area Confi#uration for Services an! Connections !ialo# bo9, +ou can see if an+ 6TT$ or Service Broker en!)oints are !efine! for the instance- "ew en!)oints must be !efine! b+ usin# L statementsB SQL Server Surface Area Confi#uration cannot be use! to !efine these- 5ou can use the Surface Area Confi#uration for 0eatures tool to enable remote access to the !e!icate! a!ministrator connectionSQL Server Confi#uration %ana#er )rovi!es more #ranular confi#uration of server )rotocols- With Confi#uration %ana#er, +ou can: Choose a certificate for SSL encr+)tion-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

C&

Allow onl+ encr+)tion connections from clients6i!e an instance of SQL Server from the server enumeration A$/s2nable an! !isable TC$</$, Share! %emor+, "ame! $i)es, an! ;/A )rotocolsConfi#ure the name of the )i)e each instance of SQL Server will useConfi#ure a TC$</$ )ort number that each instance listens on for TC$</$ connectionsChoose whether to use TC$</$ !+namic )ort assi#nment for name! instances-

The !ialo# for confi#urin# TC$</$ a!!ress )ro)erties such as )ort numbers an! !+namic )ort assi#nment is shown in 0i#ure &-

8i"ure 2 T!P9%P Addresses con$i"uration pa"e in SQL Server !on$i"uration )ana"er SQL Server &''* can use an encr+)te! channel for two reasons: to encr+)t cre!entials for SQL lo#ins, an! to )rovi!e en!,to,en! encr+)tion of entire sessions4sin# encr+)te! sessions re@uires usin# a client A$/ that su))orts these- The .L2 B, . BC, an! A .-"2T clients all su))ort encr+)te! sessionsB currentl+ the %icrosoft M BC client !oes not- The other reason for usin# SSL is to encr+)t cre!entials !urin# the lo#in )rocess for SQL lo#ins when a )asswor! is )asse! across the network- /f an SSL certificate is installe! in a SQL Server instance, that certificate is use! for cre!ential encr+)tion- /f an SSL certificate is not installe!, SQL Server &''* can #enerate a self,si#ne! certificate an! use this certificate

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

CN

instea!- 4sin# the self,si#ne! certificate )revents )assive man,in,the,mi!!le attacks, in which the man,in,the,mi!!le interce)ts network traffic, but !oes not )rovi!e mutual authentication- 4sin# an SSL certificate with a truste! root certificate authorit+ )revents active man,in,the,mi!!le attacks an! )rovi!es mutual authentication/n SQL Server &''*, +ou can ERA"T, R2;.12, or 2"5 )ermission to C.""2CT to a s)ecific en!)oint on a )er,lo#in basis- B+ !efault, all lo#ins are ERA"Te! )ermission on the Share! %emor+, "ame! $i)es, TC$</$, an! ;/A en!)oints- 5ou must s)ecificall+ ERA"T users C.""2CT )ermission to other en!)ointsB no users are ERA"Te! this )rivile#e b+ !efault- An e9am)le of #rantin# this )ermission is: *RA-2 %+--E%2 +- M,;223End oint 2+ M,/omain=Accountin# Best practices $or net-ork connectivity Limit the network )rotocols su))orte!o not enable network )rotocols unless the+ are nee!e!o not e9)ose a server that is runnin# SQL Server to the )ublic /nternetConfi#ure name! instances of SQL Server to use s)ecific )ort assi#nments for TC$</$ rather than !+namic )orts/f +ou must su))ort SQL lo#ins, install an SSL certificate from a truste! certificate authorit+ rather than usin# SQL Server &''* self,si#ne! certificates4se Aallow onl+ encr+)te! connectionsA onl+ if nee!e! for en!,to,en! encr+)tion of sensitive sessionsErant C.""2CT )ermission onl+ on en!)oints to lo#ins that nee! to use them29)licitl+ !en+ C.""2CT )ermission to en!)oints that are not nee!e! b+ users or #rou)s-

Lock!own of S+stem Store! $roce!ures

SQL Server uses s+stem store! )roce!ures to accom)lish some a!ministrative tasksThese )roce!ures almost alwa+s be#in with the )refi9 4p6 or sp6- 2ven with the intro!uction of stan!ar! L for some tasks 7for e9am)le, creatin# lo#ins an! users8, s+stem )roce!ures remain the onl+ wa+ to accom)lish tasks such as sen!in# mail or invokin# C.% com)onents- S+stem e9ten!e! store! )roce!ures in )articular are use! to access resources outsi!e the SQL Server instance- %ost s+stem store! )roce!ures contain the relevant securit+ checks as )art of the )roce!ure an! also )erform im)ersonation so that the+ run as the Win!ows lo#in that invoke! the )roce!ure- An e9am)le of this is sp6reserve6http6namespace, which im)ersonates the current lo#in an! then attem)ts to reserve )art of the 6TT$ names)ace 76TT$-S5S8 b+ usin# a low,level o)eratin# s+stem functionBecause some s+stem )roce!ures interact with the o)eratin# s+stem or e9ecute co!e outsi!e of the normal SQL Server )ermissions, the+ can constitute a securit+ riskS+stem store! )roce!ures such as 4p6cmdshell or sp6send6d#mail are off b+ !efault an! shoul! remain !isable! unless there is a reason to use them- /n SQL Server &''*, +ou no lon#er nee! to use store! )roce!ures that access the un!erl+in# o)eratin# s+stem or network outsi!e of the SQL Server )ermission s)aceSQLCLR )roce!ures e9ecutin# in 23T2R"ALIACC2SS mo!e are subject to SQL Server )ermissions, an! SQLCLR )roce!ures e9ecutin# in 4"SA02 mo!e are

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

C=

subject to some, but not all, securit+ checks- 0or e9am)le, to catalo# a SQLCLR assembl+ cate#ori:e! as 23T2R"ALIACC2SS or 4"SA02, either the !atabase must be marke! as TR4STW.RT65 7see atabase .wnershi) an! Trust8 or the assembl+ must be si#ne! with a certificate or as+mmetric ke+ that is catalo#e! to the master !atabase- SQLCLR )roce!ures shoul! re)lace user,written e9ten!e! store! )roce!ures in the futureSome cate#ories of s+stem store! )roce!ures can be mana#e! b+ usin# SQL Server Surface Area Confi#uration- These inclu!e: 4p6cmdshell , e9ecutes a comman! in the un!erl+in# o)eratin# s+stem atabase %ail )roce!ures SQL %ail )roce!ures C.% com)onent )roce!ures 7e-#- s)I.ACreate8

2nable these )roce!ures onl+ if necessar+Some s+stem store! )roce!ures, such as )roce!ures that use SQL %. an! SQLS%. libraries, cannot be confi#ure! b+ usin# SQL Server Surface Area Confi#uration- The+ must be confi#ure! b+ usin# sp6con$i"ure or SS%S !irectl+- SS%S or sp6con$i"ure can also be use! to set most of the confi#uration feature settin#s that are set b+ usin# SQL Server Surface Area Confi#urationThe s+stem store! )roce!ures shoul! not be !ro))e! from the !atabaseB !ro))in# these can cause )roblems when a))l+in# service )acks- Removin# the s+stem store! )roce!ures results in an unsu))orte! confi#uration- /t is usuall+ unnecessar+ to com)letel+ 2"5 all users access to the s+stem store! )roce!ures, as these store! )roce!ures have the a))ro)riate )ermission checks internal to the )roce!ure as well as e9ternalBest practices $or system stored procedures isable 4p6cmdshell unless it is absolutel+ nee!e!isable C.% com)onents once all C.% com)onents have been converte! to SQLCLRisable both mail )roce!ures 7 atabase %ail an! SQL %ail8 unless +ou nee! to sen! mail from SQL Server- $refer atabase %ail as soon as +ou can convert to it4se SQL Server Surface Area Confi#uration to enforce a stan!ar! )olic+ for e9ten!e! )roce!ure usa#eocument each e9ce)tion to the stan!ar! )olic+o not remove the s+stem store! )roce!ures b+ !ro))in# themo not 2"5 all users<a!ministrators access to the e9ten!e! )roce!ures-

$asswor! $olic+
Win!ows lo#ins abi!e b+ the lo#in )olicies of the un!erl+in# o)eratin# s+stem- These )olicies can be set usin# the omain Securit+ $olic+ or Local Securit+ $olic+ a!ministrator Control $anel a))lets- Lo#in )olicies fall into two cate#ories: $asswor! )olicies an! Account Lockout )olicies- $asswor! )olicies inclu!e: 2nforce $asswor! 6istor+ %inimum an! %a9imum $asswor! A#e %inimum $asswor! Len#th

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

C*

$asswor! %ust %eet Com)le9it+ Re@uirements $asswor!s are Store! 4sin# Reversible 2ncr+)tion 7"ote: this settin# !oes not a))l+ to SQL Server8 Account Lockout Threshol! 7"umber of invali! lo#ins before lockout8 Account Lockout uration 7Amount of time locke! out8 Reset Lockout Counter After n %inutes

Account Lockout )olicies inclu!e:

/n SQL Server &''*, SQL lo#ins can also #o b+ the lo#in )olicies of the un!erl+in# o)eratin# s+stem if the o)eratin# s+stem su))orts it- The o)eratin# s+stem must su))ort the s+stem call ,et:alidatePass-ordPolicy- Currentl+, the onl+ o)eratin# s+stem that su))orts this is Win!ows Server &''N an! later versions- /f +ou use SQL lo#ins, run SQL Server &''* on a Win!ows Server &''N or later o)eratin# s+stemCR2AT2 L.E/" )arameters !etermine whether the lo#in #oes b+ the o)eratin# s+stem )olicies- These )arameters are: C62C1I$.L/C5 C62C1I23$/RAT/." %4STIC6A"E2

C62C1I$.L/C5 s)ecifies that the SQL lo#in must abi!e b+ the Win!ows lo#in )olicies an! Account Lockout )olicies, with the e9ce)tion of )asswor! e9)iration- This is because, if SQL lo#ins must #o b+ the Win!ows )asswor! e9)iration )olic+, un!erl+in# a))lications must be outfitte! with a mechanism for )asswor! chan#in#%ost a))lications currentl+ !o not )rovi!e a wa+ to chan#e SQL lo#in )asswor!s- /n SQL Server &''*, both SS%S an! SQLC% )rovi!e a wa+ to chan#e SQL Server )asswor!s for SQL lo#ins- Consi!er outfittin# +our a))lications with a )asswor!, chan#in# mechanism as soon as )ossible- 6avin# built,in )asswor! chan#in# also allows lo#ins to be create! with the %4STIC6A"E2 )arameterB usin# this )arameter re@uires the user to chan#e the )asswor! at the time of the first lo#inA!ministrators shoul! be aware of the fact that )asswor! len#th an! com)le9it+ )olicies, but not e9)iration )olicies, a))l+ to )asswor!s use! with encr+)tion ke+s as well as to )asswor!s use! with SQL lo#ins- 0or a !escri)tion of encr+)tion ke+s, see 2ncr+)tionWhen SQL lo#ins are use! on )re,Win!ows &''N o)eratin# s+stems, there is a series of har!,co!e! )asswor! )olicies in lieu of the !omain or o)eratin# s+stem )olicies if C62C1I$.L/C5 O ."- These )olicies are enumerate! in SQL Server Books .nlineBest practices $or pass-ord policy %an!ate a stron# )asswor! )olic+, inclu!in# an e9)iration an! a com)le9it+ )olic+ for +our or#ani:ation/f +ou must use SQL lo#ins, ensure that SQL Server &''* runs on the Win!ows Server &''N o)eratin# s+stem an! use )asswor! )olicies.utfit +our a))lications with a mechanism to chan#e SQL lo#in )asswor!sSet %4STIC6A"E2 for new lo#ins-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

CD

A!ministrator $rivile#es
SQL Server &''* makes all )ermissions #rantable an! also makes #rantable )ermissions more #ranular than in )revious versions- $rivile#es with elevate! )ermissions now inclu!e: %embers of the sysadmin server roleThe sa built,in lo#in, if it is enable!An+ lo#in with C."TR.L S2R;2R )ermission-

C."TR.L S2R;2R )ermission is new in SQL Server &''*- Chan#e +our au!itin# )roce!ures to inclu!e an+ lo#in with C."TR.L S2R;2R )ermissionSQL Server automaticall+ #rants the serverKs A!ministrators #rou) 7B4/LT/"Pa!ministrators8 the sysadmin server role- When runnin# SQL Server &''* un!er %icrosoft Win!ows ;ista?, the o)eratin# s+stem !oes not reco#ni:e membershi) in the B4/LT/"PA!ministrators #rou) unless the user has elevate! themselves to a full a!ministrator- /n S$&, +ou can use SQL Server Surface Area Confi#uration to enable a )rinci)al to act as a!ministrator b+ selectin# Add ,eAdministrator from the main win!ow as shown in 0i#ure N-

8i"ure / Addin" a ne- administrator in SP2 SQL Server Sur$ace Area !on$i"uration Clickin# on this link o)ens the SQL Server &''* 4ser $rovisionin# Tool for ;ista as shown in 0i#ure =- This tool can also be automaticall+ invoke! as the last ste) of an SQL Server &''* S$& installation-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

C(

8i"ure '

The SQL Server 2005 ;ser Provisionin" Tool $or :ista

When runnin# SQL Server 29)ress S$& un!er the ;ista o)eratin# s+stem, Set 4) incor)orates the s)ecification of a s)ecific )rinci)al to act as a!ministratorSQL Server 29)ress S$& Set 4) also allows comman!,line o)tions to turn user instances on or off 72"ABL2RA"48 an! to a!! the current Set 4) user to the SQL Server Administrator role 7A 4S2RASA %/"8- 0or more !etaile! information, see Confi#uration .)tions 7SQL Server 29)ress8 in SQL Server &''* S$& Books .nline- 0or a!!itional securit+,relate! consi!erations when runnin# SQL Server &''* with the Win!ows ;ista o)eratin# s+stem, see the SQL Server &''* S$& Rea!me file- /n )articular, see section *-*-& A/ssues Cause! b+ 4ser Account Control in Win!ows ;ista-A 0or accountabilit+ in the !atabase, avoi! rel+in# on the A!ministrators #rou) an! a!! onl+ s)ecific !atabase a!ministrators to the sysadmin role- Another o)tion is to have a s)ecific atabaseA!ministrators role at the o)eratin# s+stem level- %inimi:in# the number of a!ministrators who have sysadmin or C."TR.L S2R;2R )rivile#e also makes it easier to resolve )roblemsB fewer lo#ins with a!ministrator )rivile#e means fewer )eo)le to check with if thin#s #o wron#- The )ermission ;/2W S2R;2R STAT2 is useful for allowin# a!ministrators an! troubleshooters to view server information 7!+namic mana#ement views8 without #rantin# full sysadmin or C."TR.L S2R;2R )ermissionBest practices $or administrator privile"es 4se a!ministrator )rivile#es onl+ when nee!e!%inimi:e the number of a!ministrators$rovision a!min )rinci)als e9)licitl+6ave multi)le !istinct a!ministrators if more than one is nee!e!Avoi! !e)en!enc+ on the builtinPa!ministrators Win!ows #rou)-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

CH

atabase .wnershi) an! Trust

A SQL Server instance can contain multi)le user !atabases- 2ach user !atabase has a s)ecific ownerB the owner !efaults to the !atabase creator- B+ !efinition, members of the sysadmin server role 7inclu!in# s+stem a!ministrators if the+ have access to SQL Server throu#h their !efault #rou) account8 are !atabase owners 7 B.s8 in ever+ user !atabase- /n a!!ition, there is a !atabase role, d#6o-ner, in ever+ user !atabase- %embers of the d#6o-ner role have a))ro9imatel+ the same )rivile#es as the d#o userSQL Server can be thou#ht of as runnin# in two !istinct mo!es, which can be referre! to as IT department mode an! ISV mode- These are not !atabase settin#s but sim)l+ !ifferent wa+s to mana#e SQL Server- /n an /T !e)artment, the sysadmin of the instance mana#es all user !atabases- /n an /nternet service )rovi!er environment 7sa+, a Web,hostin# service8, each customer is )ermitte! to mana#e their own !atabase an! is restricte! from accessin# s+stem !atabases or other user !atabases- 0or e9am)le, the !atabases of two com)etin# com)anies coul! be hoste! b+ the same /nternet service )rovi!er 7/S;8 an! e9ist in the same SQL Server instance- an#erous co!e coul! be a!!e! to a user !atabase when attache! to its ori#inal instance, an! the co!e woul! be enable! on the /S; instance when !e)lo+e!- This situation makes controllin# cross,!atabase access crucial/f each !atabase is owne! an! mana#e! b+ the same #eneral entit+, it is still not a #oo! )ractice to establish a Atrust relationshi)A with a !atabase unless an a))lication,s)ecific feature, such as cross,!atabase Service Broker communication, is re@uire!- A trust relationshi) between !atabases can be establishe! b+ allowin# cross,!atabase ownershi) chainin# or b+ markin# a !atabase as truste! b+ the instance b+ usin# the TR4STW.RT65 )ro)ert+- An e9am)le of settin# the TR4STW.RT65 )ro)ert+ follows: AL2ER /A2A4ASE u!s SE2 2RUS2<+R2;> +-

Best practices $or data#ase o-nership and trust 6ave !istinct owners for !atabasesB not all !atabases shoul! be owne! b+ sa%inimi:e the number of owners for each !atabaseConfer trust selectivel+Leave the Cross, atabase .wnershi) Chainin# settin# off unless multi)le !atabases are !e)lo+e! at a sin#le unit%i#rate usa#e to selective trust instea! of usin# the TR4STW.RT65 )ro)ert+-

Schemas
SQL Server &''* intro!uces schemas to the !atabase- A schema is sim)l+ a name! container for !atabase objects- 2ach schema is a sco)e that fits into the hierarch+ between !atabase level an! object level, an! each schema has a s)ecific owner- The owner of a schema can be a user, a !atabase role, or an a))lication role- The schema name takes the )lace of the owner name in the SQL Server multi,)art object namin# scheme- /n SQL Server &''' an! )revious versions, a table name! 2m)lo+ee that was )art of a !atabase name! $a+roll an! was owne! b+ a user name Bob woul! be )a+roll-bob-em)lo+ee- /n SQL Server &''*, the table woul! have to be )art

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

CJ

of a schema- /f )a+rollIa)) is the name of the SQL Server &''* schema, the table name in SQL Server &''* is )a+roll-)a+rollIa))-em)lo+eeSchemas solve an a!ministration )roblem that occurs when each !atabase object is name! after the user who creates it- /n SQL Server versions )rior to &''*, if a user name! Bob 7who is not d#o8 creates a series of tables, the tables woul! be name! after Bob- /f Bob leaves the com)an+ or chan#es job assi#nments, these tables woul! have to be manuall+ transferre! to another user- /f this transfer were not )erforme!, a securit+ )roblem coul! ensue- Because of this, )rior to SQL Server &''*, BAs were unlikel+ to allow in!ivi!ual users to create !atabase objects such as tables- 2ach table woul! be create! b+ someone actin# as the s)ecial d#o user an! woul! have a user name of d#o- Because, in SQL Server &''*, schemas can be owne! b+ roles, s)ecial roles can be create! to own schemas if nee!e!Lever+ !atabase object nee! not be owne! b+ d#o- "ot havin# ever+ object owne! b+ d#o makes for more #ranular object mana#ement an! makes it )ossible for users 7or a))lications8 that nee! to !+namicall+ create tables to !o so without d#o )ermission6avin# schemas that are role,base! !oes not mean that itQs a #oo! )ractice to have ever+ user be a schema owner- .nl+ users who nee! to create !atabase objects shoul! be )ermitte! to !o so- The abilit+ to create objects !oes not im)l+ schema ownershi)B ERA"Tin# Bob ALT2R SC62%A )ermission in the )a+rollIa)) schema can be accom)lishe! without makin# Bob a schema owner- /n a!!ition, #rantin# CR2AT2 TABL2 to a user !oes not allow that user to create tablesB the user must also have ALT2R SC62%A )ermission on some schema in or!er to have a schema in which to create the table- .bjects create! in a schema are owne! b+ the schema owner b+ !efault, not b+ the creator of the object- This makes it )ossible for a user to create tables in a known schema without the a!ministrative )roblems that ensue when that user leaves the com)an+ or switches job assi#nments2ach user has a !efault schema- /f an object is create! or reference! in a SQL statement b+ usin# a one,)art name, SQL Server first looks in the userKs !efault schema- /f the object isnKt foun! there, SQL Server looks in the d#o schema- The userKs !efault schema is assi#ne! b+ usin# the CR2AT2 4S2R or ALT2R 4S2R L statements- /f the !efault schema is s)ecifie!, the !efault is d#o- 4sin# name! schemas for like #rou)s of !atabase objects an! assi#nin# each userKs !efault schema to d#o is a wa+ to man!ate usin# two,)art object names in SQL statementsThis is because objects that are not in the d#o schema will not be foun! when a one, )art object name is s)ecifie!- %i#ratin# #rou)s of user objects out of the d#o schema is also a #oo! wa+ to allow users to create an! mana#e objects if nee!e! 7for e9am)le, to install an a))lication )acka#e8 without makin# the installin# user d#oBest practices $or usin" schemas Erou) like objects to#ether into the same schema%ana#e !atabase object securit+ b+ usin# ownershi) an! )ermissions at the schema level6ave !istinct owners for schemas"ot all schemas shoul! be owne! b+ d#o%inimi:e the number of owners for each schema-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&'

Authori:ation
Authori:ation is the )rocess of #rantin# )ermissions on securables to users- At an o)eratin# s+stem level, securables mi#ht be files, !irectories, re#istr+ ke+s, or share! )rinters- /n SQL Server, securables are !atabase objects- SQL Server )rinci)als inclu!e both instance,level )rinci)als, such as Win!ows lo#ins, Win!ows #rou) lo#ins, SQL Server lo#ins, an! server roles an! !atabase,level )rinci)als, such as users, !atabase roles, an! a))lication roles- 29ce)t for a few objects that are instance,sco)e!, most !atabase objects, such as tables, views, an! )roce!ures are schema,sco)e!- This means that authori:ation is usuall+ #rante! to !atabase,level )rinci)als/n SQL Server, authori:ation is accom)lishe! via ata Access Lan#ua#e 7 AL8 rather than L or %L- /n a!!ition to the two AL verbs, ERA"T an! R2;.12, man!ate! b+ the /S.,A"S/ stan!ar!, SQL Server also contains a 2"5 AL verb- 2"5 !iffers from R2;.12 when a user is a member of more than one !atabase )rinci)al- /f a user 0re! is a member of three !atabase roles A, B, an! C an! roles A an! B are ERA"Te! )ermission to a securable, if the )ermission is R2;.12! from role C, 0re! still can access the securable- /f the securable is 2"5e! to role C, 0re! cannot access the securable- This makes mana#in# SQL Server similar to mana#in# other )arts of the Win!ows famil+ of o)eratin# s+stemsSQL Server &''* makes each securable available b+ usin# AL statements an! makes )ermissions more #ranular than in )revious versions- 0or e9am)le, in SQL Server &''' an! earlier versions, certain functions were available onl+ if a lo#in was )art of the sysadmin role- "ow sysadmin role )ermissions are !efine! in terms of ERA"Ts- 2@uivalent access to securables can be achieve! b+ ERA"Tin# a lo#in the C."TR.L S2R;2R )ermissionAn e9am)le of better #ranularit+ is the abilit+ to use SQL Server $rofiler to trace events in a )articular !atabase- /n SQL Server &''', this abilit+ was limite! to the s)ecial d#o user- The new #ranular )ermissions are also arran#e! in a hierarch+B some )ermissions im)l+ other )ermissions- 0or e9am)le, C."TR.L )ermission on a !atabase object t+)e im)lies ALT2R )ermission on that object as well as all other object,level )ermissions- SQL Server &''* also intro!uces the conce)t of #rantin# )ermissions on all of the objects in a schema- ALT2R )ermission on a SC62%A inclu!es the abilit+ to CR2AT2, ALT2R, or R.$ objects in that SC62%A- The AL statement that #rants access to all securables in the )a+roll schema is: *RA-2 SELE%2 +- sc"ema?? a,roll 2+ 'red The a!vanta#e of #rantin# )ermissions at the schema level is that the user automaticall+ has )ermissions on all new objects create! in the schemaB e9)licit #rant after object creation is not nee!e!- 0or more information on the )ermission hierarch+, see the $ermission 6ierarch+ section of SQL Server Books .nlineA best )ractice for authori:ation is to enca)sulate access throu#h mo!ules such as store! )roce!ures an! user,!efine! functions- 6i!in# access behin! )roce!ural co!e means that users can onl+ access objects in the wa+ the !evelo)er an! !atabase a!ministrator 7 BA8 inten!B a! hoc chan#es to objects are !isallowe!- An e9am)le of this techni@ue woul! be )ermittin# access to the em)lo+ee )a+ rate table onl+ throu#h a store! )roce!ure A4)!ate$a+Rate-A 4sers that nee! to u)!ate )a+ rates woul! be #rante! 232C4T2 access to the )roce!ure, rather than 4$ AT2 access to

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&C

the table itself- /n SQL Server &''' an! earlier versions, enca)sulatin# access was !e)en!ent on a SQL Server feature known as ownership chains- /n an ownershi) chain, if the owner of store! )roce!ure A an! the owner of table B that the store! )roce!ure accesses are the same, no )ermission check is !one- Althou#h this works well most of the time, even with multi)le levels of store! )roce!ures, ownershi) chains !o not work when: The !atabase objects are in two !ifferent !atabases 7unless cross,!atabase ownershi) chainin# is enable!8The )roce!ure uses !+namic SQLThe )roce!ure is a SQLCLR )roce!ure-

SQL Server &''* contains features to a!!ress these shortcomin#s, inclu!in# si#nin# of )roce!ural co!e, alternate e9ecution conte9t, an! a TR4STW.RT65 !atabase )ro)ert+ if ownershi) chainin# is !esirable because a sin#le a))lication encom)asses multi)le !atabases- All of these features are !iscusse! in this white )a)erA lo#in onl+ can onl+ be #rante! authori:ation to objects in a !atabase if a !atabase user has been ma))e! to the lo#in- A s)ecial user, "uest, e9ists to )ermit access to a !atabase for lo#ins that are not ma))e! to a s)ecific !atabase user- Because an+ lo#in can use the !atabase throu#h the "uest user, it is su##este! that the "uest user not be enable!SQL Server &''* contains a new t+)e of user, a user that is not ma))e! to a lo#in4sers that are not ma))e! to lo#ins )rovi!e an alternative to usin# a))lication roles5ou can invoke selective im)ersonation b+ usin# the 232C4T2 AS statement 7see 29ecution Conte9t later in this )a)er8 an! allow that user onl+ the )rivile#es nee!e! to )erform a s)ecific task- 4sin# users without lo#ins makes it easier to move the a))lication to a new instance an! limits the connectivit+ re@uirements for the function- 5ou create a user without a lo#in usin# L: %REA2E USER m,newuser <I2;+U2 L+*IBest practices $or data#ase o#<ect authori2ation 2nca)sulate access within mo!ules%ana#e )ermissions via !atabase roles or Win!ows #rou)s4se )ermission #ranularit+ to im)lement the )rinci)le of least )rivile#eo not enable "uest access4se users without lo#ins instea! of a))lication roles

Catalo# Securit+
/nformation about !atabases, tables, an! other !atabase objects is ke)t in the s+stem catalo#- The s+stem meta!ata e9ists in tables in the master !atabase an! in user !atabases- These meta!ata tables are e9)ose! throu#h meta!ata views- /n SQL Server &''', the s+stem catalo# was )ublicl+ rea!able an!, the instance coul! be confi#ure! to make the s+stem tables writeable as well- /n SQL Server &''*, the s+stem meta!ata tables are rea!,onl+ an! their structure has chan#e! consi!erabl+The onl+ wa+ that the s+stem meta!ata tables are rea!able at all is in sin#le,user mo!e- Also in SQL Server &''*, the s+stem meta!ata views were refactore! an! ma!e )art of a s)ecial schema, the sys schema- So as not to break e9istin#

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&&

a))lications, a set of com)atibilit+ meta!ata views are e9)ose!- The com)atibilit+ views ma+ be remove! in a future release of SQL ServerSQL Server &''* makes all meta!ata views secure! b+ !efault- This inclu!es: The new meta!ata views 7for e9am)le, sys&ta#les, sys&procedures8The com)atibilit+ meta!ata views 7for e9am)le, sysinde4es, syso#<ects8The /"0.R%AT/."ISC62%A views 7)rovi!e! for SQL,J& com)liance8-

The information in the s+stem meta!ata views is secure! on a )er,row basis- /n or!er to be able to see s+stem meta!ata for an object, a user must have some )ermission on the object- 0or e9am)le, to see meta!ata about the !bo-authors table, S2L2CT )ermission on the table is sufficient- This )rohibits browsin# the s+stem catalo# b+ users who !o not have a))ro)riate object access- iscover+ is often the first level of )revention- There are two e9ce)tions to this rule: sys&data#ases an! sys&schemas are )ublic,rea!able- These meta!ata views ma+ be secure! with the 2"5 verb if re@uire!Some a))lications )resent lists of !atabase objects to the user throu#h a #ra)hic user interface- /t ma+ be necessar+ to kee) the user interface the same b+ )ermittin# users to view information about !atabase objects while #ivin# them no other e9)licit )ermission on the object- A s)ecial )ermission, ;/2W 20/"/T/.", e9ists for this )ur)oseBest practices $or catalo" security The catalo# views are secure b+ !efault- "o a!!itional action is re@uire! to secure themErant ;/2W 20/"/T/." selectivel+ at the object, schema, !atabase, or server level to #rant )ermission to view s+stem meta!ata without conferrin# a!!itional )ermissionsReview le#ac+ a))lications that ma+ !e)en! on access to s+stem meta!ata when mi#ratin# the a))lications to SQL Server &''*-

Remote

ata Source 29ecution

There are two wa+s that )roce!ural co!e can be e9ecute! on a remote instance of SQL Server: confi#urin# a linke! server !efinition with the remote SQL Server an! confi#urin# a remote server !efinition for it- Remote servers are su))orte! onl+ for backwar! com)atibilit+ with earlier versions of SQL Server an! shoul! be )hase! out in )reference to linke! servers- Linke! servers allow more #ranular securit+ than remote servers- A! hoc @ueries throu#h linke! servers 7.$2"R.WS2T an! .$2" ATAS.4RC28 are !isable! b+ !efault in a newl+ installe! instance of SQL Server &''*When +ou use Win!ows to authenticate to SQL Server, +ou are usin# a Win!ows network cre!ential- "etwork cre!entials that use both "TL% an! 1erberos securit+ s+stems are vali! for one network Aho)A b+ !efault- /f +ou use network cre!entials to lo# on to SQL Server an! attem)t to use the same cre!entials to connect via a linke! server to a SQL Server instance on a !ifferent com)uter, the cre!entials will not be vali!- This is known as the A!ouble ho) )roblemA an! also occurs in environments that use Win!ows authentication to connect to a Web server an! attem)t to use im)ersonation to connect to SQL Server- /f +ou use 1erberos for authentication, +ou can enable constraine! !ele#ation, that is, !ele#ation of cre!entials constraine! to a

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&N

s)ecific a))lication, to overcome the A!ouble ho) )roblem-A .nl+ 1erberos authentication su))orts !ele#ation of Win!ows cre!entials- 0or more information, see Constraine! ele#ation in SQL Server Books .nlineBest practices $or remote data source e4ecution $hase out an+ remote server !efinitionsRe)lace remote servers with linke! serversLeave a! hoc @ueries throu#h linke! servers !isable! unless the+ are absolutel+ nee!e!4se constraine! !ele#ation if )ass,throu#h authentication to a linke! server is necessar+-

29ecution Conte9t
SQL Server alwa+s e9ecutes SQL statements an! )roce!ural co!e as the currentl+ lo##e! on user- This behavior is a SQL Server,s)ecific behavior an! is ma!e )ossible, in the case of )roce!ural co!e, b+ the conce)t of ownershi) chains- That is, althou#h a store! )roce!ure e9ecutes as the caller of the store! )roce!ure rather than as the owner, if ownershi) chainin# is in )lace, )ermissions are not checke! for object access an! store! )roce!ures can be use! to enca)sulate tables, as mentione! )reviousl+ in this )a)er- /n SQL Server &''*, the creator of a )roce!ure can !eclarativel+ set the e9ecution conte9t of the )roce!ure b+ usin# the 232C4T2 AS ke+wor! in the CR2AT2 $R.C2 4R2, 04"CT/.", an! TR/EE2R statements- The e9ecution conte9t choices are: 232C4T2 AS CALL2R , the caller of the )roce!ure 7no im)ersonation8- This is the onl+ )re,SQL Server &''* behavior232C4T2 AS .W"2R , the owner of the )roce!ure232C4T2 AS S2L0 , the creator of the )roce!ure232C4T2 AS KusernameK , a s)ecific user-

To maintain backwar! com)atibilit+, 232C4T2 AS CALL2R is the !efault- The !istinction between AS .W"2R an! AS S2L0 is nee!e! because the creator of the )roce!ure ma+ not be the owner of the schema in which the )roce!ure resi!es- /n this case, AS S2L0 refers to the )roce!ure owner, AS .W"2R refers to the object owner 7the schema owner8- /n or!er to use 232C4T2 AS KusernameK, the )roce!ure creator must have /%$2RS."AT2 )ermission on the user name! in the e9ecution conte9t.ne reason to use an alternate e9ecution conte9t woul! be when a )roce!ure e9ecutes without a )articular e9ecution conte9t- An e9am)le of this is a service broker @ueue activation )roce!ure- /n a!!ition, 232C4T2 AS .W"2R can be use! to circumvent )roblems that are cause! when ownershi) chains are broken- 0or e9am)le, ownershi) chains in a )roce!ure are alwa+s broken when !+namic SQL statements 7such as sp6e4ecuteSQL8 are use!.ften what is nee!e! is to #rant the a))ro)riate )ermissions to the )roce!ural co!e itself, rather than either chan#in# the e9ecution conte9t or rel+in# on the callerKs )ermissions- SQL Server &''* offers a much more #ranular wa+ of associatin# )rivile#es with )roce!ural co!eLco!e si#nin#- B+ usin# the A S/E"AT4R2 L statement, +ou can si#n the )roce!ure with a certificate or as+mmetric ke+- A user can then be create! for the certificate or as+mmetric ke+ itself an! )ermissions

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&=

assi#ne! to that user- When the )roce!ure is e9ecute!, the co!e e9ecutes with a combination of the callerKs )ermissions an! the ke+<certificateKs )ermissions- An e9am)le of this woul! be: %REA2E %ER2I.I%A2E ;R%erti'icate <I2; E-%R>32I+- 4> 3ASS<+R/ 7 (;acde-@1A25B2( %REA2E USER ;R%erti'icateUser .+R %ER2I.I%A2E ;R%erti'icate <I2;+U2 L+*I*RA-2 U3/A2E +-- t"is #ives t"e -- additional -- !ac5u t"e ension&criteria 2+ ;R%erti'icate rocedure u date& ension&criteria rivile#es o' ;R%erti'icate rivate 5e, and remove it 'rom t"e certi'icate) rocedure cannot !e re-si#ned wit"out ermission

A// SI*-A2URE 2+ u date& ension&criteria 4> %ER2I.%A2E ;R%erti'icate -- so t"at t"e

4A%:U3 %ER2I.I%A2E ;R%erti'icate 2+ .ILE 7 (c?=certs&!ac5u =;R%erti'icate.cer( <I2; 3RIVA2E :E> 6.ILE 7 (c?=certs&!ac5u = ;R%erti'icate. v5() E-%R>32I+- 4> 3ASS<+R/ 7 (@4@e!'38C@1D() /E%R>32I+- 4> 3ASS<+R/ 7 (e<,ve,>B<EAAFDB(9 AL2ER %ER2I.I%A2E ;R%erti'icate REM+VE 3RIVA2E :E> 232C4T2 AS can also be use! to set the e9ecution conte9t within an SQL batch- /n this form, the SQL batch contains an 232C4T2 AS 4S2ROKsomeuserK or 232C4T2 AS L.E/"OKsomelo#inK statement- This alternate e9ecution conte9t lasts until the R2;2RT statement is encountere!- 232C4T2 AS an! R2;2RT blocks can also be neste!B R2;2RT reverts one level of e9ecution conte9t- As with 232C4T2 AS an! )roce!ural co!e, the user chan#in# the e9ecution conte9t must have /%$2RS."AT2 )ermission on the user or lo#in bein# im)ersonate!- 232C4T2 AS in SQL batches shoul! be use! as a re)lacement for the S2T4S2R statement, which is much less fle9ible/f the e9ecution conte9t is set but shoul! not be reverte! without )ermission, +ou can use 232C4T2 AS --- W/T6 C..1/2 or 232C4T2 AS --- W/T6 ". R2;2RT- When W/T6 C..1/2 is s)ecifie!, a binar+ cookie is returne! to the caller of 232C4T2 AS an! the cookie must be su))lie! in or!er to R2;2RT back to the ori#inal conte9tWhen a )roce!ure or batch uses an alternate e9ecution conte9t, the s+stem functions normall+ use! for au!itin#, such as S4S2RI"A%278, return the name of the im)ersonate! user rather than the name of the ori#inal user or ori#inal lo#in- A new s+stem function, .R/E/"ALIL.E/"78, can be use! to obtain the ori#inal lo#in, re#ar!less of the number of levels of im)ersonation use!Best practices $or e4ecution conte4t Set e9ecution conte9t on mo!ules e9)licitl+ rather than lettin# it !efault4se 232C4T2 AS instea! of S2T4S2R-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&*

4se W/T6 ". R2;2RT<C..1/2 instea! of A))lication RolesConsi!er usin# co!e si#nin# of )roce!ural co!e if a sin#le #ranular a!!itional )rivile#e is re@uire! for the )roce!ure-

2ncr+)tion
SQL Server &''* has built,in !ata encr+)tion- The !ata encr+)tion e9ists at a cell level an! is accom)lishe! b+ means of built,in s+stem )roce!ures- 2ncr+)tin# !ata re@uires secure encr+)tion ke+s an! ke+ mana#ement- A ke+ mana#ement hierarch+ is built into SQL Server &''*- 2ach instance of SQL Server has a built,in service master ke+ that is #enerate! at installationB s)ecificall+, the first time that SQL Server is starte! after installation- The service master ke+ is encr+)te! b+ usin# both the SQL Server Service account ke+ an! also the machine ke+- Both encr+)tions use the $A$/ 7 ata $rotection A$/8- A !atabase a!ministrator can !efine a !atabase master ke+ b+ usin# the followin# L%REA2E MAS2ER :E> <I2; E-%R>32I+- 4> 3ASS<+R/ 7 (GH6;,'dl5RMI&HA8J*Rt@K6-SLM&NOP6( This ke+ is actuall+ encr+)te! an! store! twice b+ !efault- 2ncr+)tion that uses a )asswor! an! stora#e in the !atabase is re@uire!- 2ncr+)tion that uses the service master ke+ an! stora#e in the master !atabase is o)tionalB it is useful to be able to automaticall+ o)en the !atabase master ke+ without s)ecif+in# the )asswor!- The service master ke+ an! !atabase master ke+s can be backe! u) an! restore! se)aratel+ from the rest of the !atabaseSQL Server &''* can use L to !efine certificates, as+mmetric ke+s, an! s+mmetric ke+s on a )er,!atabase basis- Certificates an! as+mmetric ke+s consist of a )rivate ke+<)ublic ke+ )air- The )ublic ke+ can be use! to encr+)t !ata that can be !ecr+)te! onl+ b+ usin# the )rivate ke+- .r, for the sake of )erformance, the )ublic ke+ can be use! to encr+)t a hash that can be !ecr+)te! onl+ b+ usin# the )rivate ke+- 2ncr+)te! checksum #eneration to ensure non,re)u!iation is known as signingAlternativel+, the )rivate ke+ can be use! to encr+)t !ata that can be !ecr+)te! b+ the receiver b+ usin# the )ublic ke+- A s+mmetric ke+ consists of a sin#le ke+ that is use! for encr+)tion an! !ecr+)tion- S+mmetric ke+s are #enerall+ use! for !ata encr+)tion because the+ are or!ers of ma#nitu!e faster than as+mmetric ke+s for encr+)tion an! !ecr+)tion- 6owever, !istributin# s+mmetric ke+s can be !ifficult because both )arties must have the same co)+ of the ke+- /n a!!ition, it is not )ossible with s+mmetric ke+ encr+)tion to !etermine which user encr+)te! the !ataAs+mmetric ke+s can be use! to encr+)t an! !ecr+)t !ata but or!inaril+ the+ are use! to encr+)t an! !ecr+)t s+mmetric ke+sB the s+mmetric ke+s are use! for the !ata encr+)tion- This is the )referre! wa+ to encr+)t !ata for the best securit+ an! )erformance- S+mmetric ke+s can also be )rotecte! b+ in!ivi!ual )asswor!sSQL Server &''* makes use of an! also can #enerate 3-*'J certificates- A certificate is sim)l+ an as+mmetric ke+ )air with a!!itional meta!ata, inclu!in# a subject 7the )erson the ke+ is inten!e! for8, root certificate authorit+ 7who vouches for the certificateKs authenticit+8, an! e9)iration !ate- SQL Server #enerates self,si#ne! certificates 7SQL Server itself is the root certificate authorit+8 with a !efault e9)iration !ate of one +ear- The e9)iration !ate an! subject can be s)ecifie! in the L statement- SQL Server !oes not use certificate Ane#ative listsA or the e9)iration

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&D

!ate with !ata encr+)tion- A certificate can be backe! u) an! restore! se)aratel+ from the !atabaseB certificates, as+mmetric ke+s, an! s+mmetric ke+s are backe! u) with the !atabase- A variet+ of block ci)her encr+)tion al#orithms are su))orte!, inclu!in# 2S, Tri)le 2S, an! A2S 7Rijn!ael8 al#orithms for s+mmetric ke+s an! RSA for as+mmetric ke+s- A variet+ of ke+ stren#ths are su))orte! for each al#orithm- Stream ci)her al#orithms, such as RC= are also su))orte! but shoul! ".T be use! for !ata encr+)tion- Some al#orithms 7such as A2S8 are not su))orte! b+ all o)eratin# s+stems that can host SQL Server- 4ser,!efine! al#orithms are not su))orte!- The ke+ al#orithm an! ke+ len#th choice shoul! be )re!icate! on the sensitivit+ of the !ataSQL Server encr+)ts !ata on a cell levelL!ata is s)ecificall+ encr+)te! before it is store! into a column value an! each row can use a !ifferent encr+)tion ke+ for a s)ecific column- To use !ata encr+)tion, a column must use the ;ARB/"AR5 !ata t+)e- The len#th of the column !e)en!s on the encr+)tion al#orithm use! an! the len#th of the !ata to be encr+)te! 7see Choosin# an 2ncr+)tion Al#orithm in SQL Server Books .nline8- The 125IE4/ of the ke+ that is use! for encr+)tion is store! with the column value- When the !ata is !ecr+)te!, this 125IE4/ is checke! a#ainst all o)en ke+s in the session- The !ata uses initiali:ation vectors 7also known as salted hashes8- Because of this, it is not )ossible to !etermine if two values are i!entical b+ lookin# at the encr+)te! value- This means, for e9am)le, that / cannot !etermine all of the )atients who have a !ia#nosis of 0lu if / know that $atient A has a !ia#nosis of 0lu- Althou#h this means that !ata is more secure, it also means that +ou cannot use a column that is encr+)te! b+ usin# the !ata encr+)tion routines in in!e9es, because !ata values are not com)arableata encr+)tion is becomin# more common)lace with some ven!ors an! in!ustries 7for e9am)le, the )a+ment car! in!ustr+8- 4se !ata encr+)tion onl+ when it is re@uire! or for ver+ hi#h,value sensitive !ata- /n some cases, encr+)tin# the network channel or usin# SQL Server )ermissions is a better choice because of the com)le9it+ involve! in mana#in# ke+s an! invokin# encr+)tion<!ecr+)tion routinesBecause unencr+)te! !ata must be store! in memor+ buffers before bein# transmitte! to clients, it is im)ossible to kee) !ata awa+ from an a!ministrator who has the abilit+ to !ebu# the )rocess or to )atch the server- %emor+ !um)s can also be a source of uninten!e! !ata leaka#e- /f s+mmetric ke+s are )rotecte! b+ as+mmetric ke+s an! the as+mmetric ke+s are encr+)te! b+ usin# the !atabase master ke+, a !atabase a!ministrator coul! im)ersonate a user of encr+)te! !ata an! access the !ata throu#h the ke+s- /f )rotection from the !atabase a!ministrator is )referre!, encr+)tion ke+s must be secure! b+ )asswor!s, rather than b+ the !atabase master ke+- To #uar! a#ainst !ata loss, encr+)tion ke+s that are secure! b+ )asswor!s must have an associate! !isaster recover+ )olic+ 7offsite stora#e, for e9am)le8 in case of ke+ loss- 5ou can also re@uire users to s)ecif+ the !atabase master ke+ b+ !ro))in# encr+)tion of the !atabase master ke+ b+ the instance master ke+- Remember to back u) the !atabase in or!er to back u) the s+mmetric ke+s, because there are no s)ecific L statements to back u) s+mmetric an! as+mmetric ke+s, just as there are s)ecific L statements to back u) certificates, the !atabase master ke+, an! the service master ke+Best practices $or data encryption 2ncr+)t hi#h,value an! sensitive !ata-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&(

4se s+mmetric ke+s to encr+)t !ata, an! as+mmetric ke+s or certificates to )rotect the s+mmetric ke+s$asswor!,)rotect ke+s an! remove master ke+ encr+)tion for the most secure confi#urationAlwa+s back u) the service master ke+, !atabase master ke+s, an! certificates b+ usin# the ke+,s)ecific L statementsAlwa+s back u) +our !atabase to back u) +our s+mmetric an! as+mmetric ke+s-

Au!itin#
SQL Server &''* su))orts lo#in au!itin#, tri##er,base! au!itin#, an! event au!itin# b+ usin# a built,in trace facilit+- $asswor! )olic+ com)liance is automaticall+ enforceable throu#h )olic+ in SQL Server &''* for both Win!ows lo#ins an! SQL lo#ins- Lo#in au!itin# is available b+ usin# an instance,level confi#uration )arameterAu!itin# faile! lo#ins is the !efault, but +ou can s)ecif+ to au!it all lo#ins- Althou#h au!itin# all lo#ins increases overhea!, +ou ma+ be able to !e!uce )atterns of multi)le faile! lo#ins followe! b+ a successful lo#in, an! use this information to !etect a )ossible lo#in securit+ breech- Au!itin# is )rovi!e! on a wi!e variet+ of events inclu!in# A!! atabase 4ser, A!! Lo#in, BCC events, Chan#e $asswor!, E R events 7Erant< en+<Revoke events8, an! Server $rinci)al /m)ersonation events- SQL Server &''* S$& also su))orts lo#in tri##ersSQL Server &''* intro!uces au!itin# base! on L tri##ers an! event notifications5ou can use L tri##ers not onl+ to recor! the occurrence of L, but also to roll back L statements as )art of the tri##er )rocessin#- Because a L tri##er e9ecutes s+nchronousl+ 7the L !oes not com)lete until the tri##er is finishe!8, L tri##ers can )otentiall+ slow !own L, !e)en!in# on the content an! volume of the co!e- 2vent notifications can be use! to recor! L usa#e information as+nchronousl+- An event notification is a !atabase object that uses Service Broker to sen! messa#es to the !estination 7Service Broker,base!8 service of +our choosin#L cannot be rolle! back b+ usin# event notificationsBecause the surface area of SQL Server &''* is lar#er than )revious versions, more au!itin# events are available in SQL Server &''* than in )revious versions- To au!it securit+ events, use event,base! au!itin#, s)ecificall+ the events in the securit+ au!it event cate#or+ 7liste! in SQL Server Books .nline8- 2vent,base! au!itin# can be trace,base!, or event notifications,base!- Trace,base! event au!itin# is easier to confi#ure, but ma+ result in a lar#e event lo#s, if man+ events are trace!- .n the other han!, event notifications sen! @ueue! messa#es to Service Broker @ueues that are in,!atabase objects- Trace,base! event au!itin# cannot trace all eventsB some events, such as SQL:StmtCom)lete events, are not available when usin# event notificationsThere is a W%/ )rovi!er for events that can be use! in conjunction with SQL Server A#ent alerts- This mechanism )rovi!es imme!iate notification throu#h the Alert s+stem that a s)ecific event has occurre!- To use the W%/ )rovi!er, select a W%/, base! alert an! )rovi!e a WQL @uer+ that )ro!uces the event that +ou want to cause the alert- WQL @ueries use the same s+nta9 for namin# as !oes event notificationsAn e9am)le of a WQL @uer+ that looks for !atabase )rinci)al im)ersonation chan#es woul! be: SELE%2 K .R+M AU/I2&/A2A4ASE&3RI-%I3AL&IM3ERS+-A2I+-&EVE-2

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&H

SQL Server can be confi#ure! to su))ort au!itin# that is com)liant with C& certification un!er the Truste! atabase /nter)retation 7T /8 of the Truste! Com)uter S+stem 2valuation Criteria 7TCS2C8 of the 4nite! States "ational Securit+ A#enc+- This is known as C2 auditing- C& au!itin# is confi#ure! on an instance level b+ usin# the !2 audit mode confi#uration o)tion in sp6con$i"ureWhen C& au!itin# is enable!, !ata is save! in a lo# file in the ata sub!irector+ in the !irector+ in which SQL Server is installe!- The initial lo# file si:e for C& au!itin# is &'' me#ab+tes- When this file is full, another &'' me#ab+tes is allocate!- /f the volume on which the lo# file is store! runs out of s)ace, SQL Server shuts !own until sufficient s)ace is available or until the s+stem is manuall+ starte! without au!itin#2nsure that there is sufficient s)ace available before enablin# C& au!itin# an! )ut a )roce!ure in )lace for archivin# the lo# filesSQL Server &''* S$& allows confi#urin# an o)tion that )rovi!es three elements re@uire! for Common Criteria com)liance- The Common Criteria re)resents the outcome of efforts to !evelo) criteria for evaluation of /T securit+ that are wi!el+ useful within the international communit+- /t stems from a number of source criteria: the e9istin# 2uro)ean, 4S, an! Cana!ian criteria 7/TS2C, TCS2C, an! CTC$2C res)ectivel+8- The Common Criteria resolves the conce)tual an! technical !ifferences between the source criteria- The three Common Criteria elements that can be confi#ure! b+ usin# an instance confi#uration o)tion are: Resi!ual /nformation $rotection, which overwrites memor+ with a known bit )attern before it is reallocate! to a new resourceThe abilit+ to view lo#in statisticsA column,level ERA"T !oes not overri!e table,level 2"5-

5ou can confi#ure an instance to )rovi!e these three elements for Common Criteria com)liance b+ settin# the confi#uration o)tion common criteria compliance ena#led as shown in the followin# co!es &con'i#ure (s"ow advanced o tions() 1Q *+ RE%+-.I*UREQ *+ s &con'i#ure (common criteria com liance ena!led() 1Q *+ RE%+-.I*UREQ *+ /n a!!ition to enablin# the Common Criteria o)tions in a SQL Server instance, +ou can use lo#in tri##ers in SQL Server &''* S$& to limit lo#ins base! u)on time of !a+ or base! on an e9cessive number of e9istin# connections- The abilit+ to limit lo#ins base! on these criteria is re@uire! for Common Criteria com)lianceBest practices $or auditin" Au!itin# is scenario,s)ecific- Balance the nee! for au!itin# with the overhea! of #eneratin# a!!ition !ata-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

&J

Au!it successful lo#ins in a!!ition to unsuccessful lo#ins if +ou store hi#hl+ sensitive !ataAu!it L an! s)ecific server events b+ usin# trace events or event notifications%L must be au!ite! b+ usin# trace events4se W%/ to be alerte! of emer#enc+ events2nable C& au!itin# or Common Criteria com)liance onl+ if re@uire!-

%icrosoft Baseline Securit+ Anal+:er an! SQL Server Best $ractices Anal+:er
%icrosoft Baseline Securit+ Anal+:er 7%BSA8 is a utilit+ that scans for common insecurities in a SQL Server confi#uration- Run %BSA on a re#ularl+ sche!ule! basis, either locall+ or across the network- %BSA scans for Win!ows o)eratin# s+stem, securit+ )rinci)al, network, an! file s+stem insecurities an! tests for SQL Server &''' an! %S 2,s)ecific insecurities, but !oes not incor)orate SQL Server &''*,s)ecific checks +et- /t will check to see if SQL Server &''* is )atche! to the latest Service $ack versionSQL Server &''* Best $ractices Anal+:er &-' CT$ has been release! in conjunction with Service $ack &- 5ou can !ownloa! it from the %icrosoft ownloa! Center, SQL Server &''* Best $ractices Anal+:er 70ebruar+ &''( CT$8 )a#eSQL Server &''* Best $ractices Anal+:er 7B$A8 #athers !ata from %icrosoft Win!ows an! SQL Server confi#uration settin#s- Best $ractices Anal+:er uses a )re!efine! list of SQL Server &''* recommen!ations an! best )ractices to !etermine if there are )otential securit+ issues in the !atabase environmentBest practice analysis utilities recommendations Run B$A a#ainst SQL Server &''*Re#ularl+ run %BSA &-' to ensure latest SQL Server &''* )atch level Re#ularl+ run %BSA &-' for SQL Server &''' instances

$atchin#
The best wa+ to ensure the securit+ of the server software an! to ensure the securit+ of SQL Server &''* is to install securit+ hotfi9es an! service )acks as soon as )ossible- 4se manual u)!ates on an o)eratin# s+stem basis b+ usin# Win!ows 4)!ate or %icrosoft 4)!ate- 5ou can enable automatic u)!ates usin# Win!ows 4)!ate or %icrosoft 4)!ate as well, but u)!ates shoul! be teste! before the+ are a))lie! to )ro!uction s+stems- SQL Server &''* incor)orates SQL Server hotfi9es an! service )acks into Win!ows 4)!ate- All hotfi9es shoul! be installe! imme!iatel+ an! service )acks shoul! be teste! an! installe! as soon as )ossible- This re@uirement cannot be em)hasi:e! enou#h- 0or su##estions on minimi:in# !owntime when installin# hotfi9es an! service )acks, see $reventin# Reboots, /nstallin# %ulti)le 4)!ates, an! %ore on %icrosoft Tech"etBest practices $or patchin" SQL Server Alwa+s sta+ as current as )ossible2nable automatic u)!ates whenever feasible but test them before a))l+in# to )ro!uction s+stems-

SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks

N'

Conclusion
Securit+ is a crucial )art of an+ mission,critical a))lication- To im)lement securit+ for SQL Server &''* in a wa+ that is not )rone to mistakes, securit+ setu) must be relativel+ eas+ to im)lement- The AcorrectA securit+ confi#uration shoul! be the !efault confi#uration- This )a)er !escribes how it is a strai#htforwar! task to start from the SQL Server &''* securit+ !efaults an! create a secure !atabase confi#uration accor!in# to the Trustworth+ Com)utin# /nitiative #ui!elines8or more in$ormation htt):<<www-microsoft-com<technet<)ro!technol<s@l<themes<securit+-ms)9 i! this )a)er hel) +ouR $lease #ive us +our fee!back- .n a scale of C 7)oor8 to * 7e9cellent8, how woul! +ou rate this )a)erR