SQ L 2005 Sec Best Pract

SQL Server 2005 Security Best Practices -
Operational and Administrative Tasks

SQL Server Technical Article
Writers: Bob Beauchemin, SQLskills
Technical Reviewers: Laurentiu Cristofor, Al Comeau, Sameer Tejani, even!ra Tiwari,
Rob Walters, "iraj "a#rani
$ublishe!: %arch &''(
A))lies To: SQL Server &''* S$&
Summary Securit+ is a crucial )art of an+ mission,critical a))lication- This )a)er
!escribes best )ractices for settin# u) an! maintainin# securit+ in SQL Server &''*-
SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks &
!opyri"ht
The information containe! in this !ocument re)resents the current view of %icrosoft Cor)oration on the issues
!iscusse! as of the !ate of )ublication- Because %icrosoft must res)on! to chan#in# market con!itions, it
shoul! not be inter)rete! to be a commitment on the )art of %icrosoft, an! %icrosoft cannot #uarantee the
accurac+ of an+ information )resente! after the !ate of )ublication-
This White $a)er is for informational )ur)oses onl+- %/CR.S.0T %A12S ". WARRA"T/2S, 23$R2SS,
/%$L/2 .R STAT4T.R5, AS T. T62 /"0.R%AT/." /" T6/S .C4%2"T-
Com)l+in# with all a))licable co)+ri#ht laws is the res)onsibilit+ of the user- Without limitin# the ri#hts un!er
co)+ri#ht, no )art of this !ocument ma+ be re)ro!uce!, store! in or intro!uce! into a retrieval s+stem, or
transmitte! in an+ form or b+ an+ means 7electronic, mechanical, )hotoco)+in#, recor!in#, or otherwise8, or
for an+ )ur)ose, without the e9)ress written )ermission of %icrosoft Cor)oration-
%icrosoft ma+ have )atents, )atent a))lications, tra!emarks, co)+ri#hts, or other intellectual )ro)ert+ ri#hts
coverin# subject matter in this !ocument- 29ce)t as e9)ressl+ )rovi!e! in an+ written license a#reement
from %icrosoft, the furnishin# of this !ocument !oes not #ive +ou an+ license to these )atents, tra!emarks,
co)+ri#hts, or other intellectual )ro)ert+-
4nless otherwise note!, the e9am)le com)anies, or#ani:ations, )ro!ucts, !omain names, e,mail a!!resses,
lo#os, )eo)le, )laces an! events !e)icte! herein are fictitious, an! no association with an+ real com)an+,
or#ani:ation, )ro!uct, !omain name, email a!!ress, lo#o, )erson, )lace or event is inten!e! or shoul! be
inferre!-
&''( %icrosoft Cor)oration- All ri#hts reserve!-
%icrosoft, Active irector+, Win!ows, Win!ows Server, an! Win!ows ;ista are either re#istere! tra!emarks or
tra!emarks of %icrosoft Cor)oration in the 4nite! States an!<or other countries-
The names of actual com)anies an! )ro!ucts mentione! herein ma+ be the tra!emarks of their res)ective
owners-
Ta#le o$ !ontents
%ntroduction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&'
Sur$ace Area (eduction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&'
Service Account Selection and )ana"ement&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&*
Authentication )ode&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&+
,et-ork !onnectivity&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.0
Lockdo-n o$ System Stored Procedures&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&./
Pass-ord Policy&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.'
Administrator Privile"es&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.*
0ata#ase O-nership and Trust&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.1
Schemas&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.2
Authori3ation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&.+
!atalo" Security&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2.
(emote 0ata Source 45ecution&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&22
45ecution !onte5t&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2/
4ncryption&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2'
Auditin"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2*
)icroso$t Baseline Security Analy3er and SQL Server Best Practices Analy3er 2+
Patchin"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2+
!onclusion&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2+
SQL Server &''* Securit+ Best $ractices , .)erational an! A!ministrative Tasks
/ntro!uction
This white )a)er covers some of the o)erational an! a!ministrative tasks associate!
with %icrosoft= SQL Server> &''* securit+ an! enumerates best )ractices an!
o)erational an! a!ministrative tasks that will result in a more secure SQL Server
s+stem- 2ach to)ic !escribes a feature an! best )ractices- 0or a!!itional information
on the s)ecifics of utilities, features, an! L statements reference! in this white
)a)er, see SQL Server &''* Books .nline- 0eatures an! o)tions that are new or
!efaults that are chan#e! for SQL Server &''* are i!entifie!- Co!in# e9am)les for
o)erational tasks use Transact,SQL, so un!erstan!in# Transact,SQL is re?uire! for
+ou to #et the most out of this )a)er-
Surface Area Re!uction
SQL Server &''* installation minimi:es the @attack surface@ because b+ !efault,
o)tional features are not installe!- urin# installation the a!ministrator can choose
to install:
atabase 2n#ine
Anal+sis Services 2n#ine
Re)ortin# Services
/nte#ration Services
"otification Services
ocumentation an! Sam)les
/t is a #oo! )ractice to review which )ro!uct features +ou actuall+ nee! an! install
onl+ those features- Later, install a!!itional features onl+ as nee!e!-
SQL Server &''* inclu!es sam)le !atabases for .LT$, !ata warehousin#, an!
Anal+sis Services- /nstall sam)le !atabases on test servers onl+A the+ are not
installe! b+ !efault when +ou install the corres)on!in# en#ine feature-
SQL Server &''* inclu!es sam)le co!e coverin# ever+ feature of the )ro!uct- These
sam)les are not installe! b+ !efault an! shoul! be installe! onl+ on a !evelo)ment
server, not on a )ro!uction server- 2ach item of sam)le co!e has un!er#one a review
to ensure that the co!e follows best )ractices for securit+- 2ach sam)le uses
%icrosoft Win!ows= securit+ )rinci)als an! illustrates the )rinci)al of least )rivile#e-
SQL Server has alwa+s been a feature,rich !atabase an! the number of new features
in SQL Server &''* can be overwhelmin#- .ne wa+ to make a s+stem more secure is
to limit the number of o)tional features that are installe! an! enable! b+ !efault- /t
is easier to enable features when the+ are nee!e! than it is to enable ever+thin# b+
!efault an! then turn off features that +ou !o not nee!- This is the installation )olic+
of SQL Server &''*, known as @off b+ !efault, enable when nee!e!-@ .ne wa+ to
ensure that securit+ )olicies are followe! is to make secure settin#s the !efault an!
make them eas+ to use-
SQL Server &''* )rovi!es a @one,sto)@ utilit+ that can be use! to enable o)tional
features on a )er,service an! )er,instance basis as nee!e!- Althou#h there are other
utilities 7such as Services in Control $anel8, server confi#uration comman!s 7such as
sp6con$i"ure8, an! A$/s such as W%/ 7Win!ows %ana#ement /nstrumentation8 that
+ou can use, the SQL Server Surface Area Confi#uration tool combines this
functionalit+ into a sin#le utilit+ )ro#ram- This )ro#ram can be use! either from the
comman! line or via a #ra)hic user interface-
SQL Server Service Area Confi#uration !ivi!es confi#uration into two subsets:
services an! connections, an! features- 4se the Surface Area Confi#uration for
Services an! Connections tool to view the installe! com)onents of SQL Server an!
the client network interfaces for each en#ine com)onent- The startu) t+)e for each
service 7Automatic, %anual, or isable!8 an! the client network interfaces that are
available can be confi#ure! on a )er,instance basis- 4se the Surface Area
Confi#uration for 0eatures tool to view an! confi#ure instance,level features-
The features enable! for confi#uration are:
CLR /nte#ration
Remote use of a !e!icate! a!ministrator connection
.L2 Automation s+stem )roce!ures
S+stem )roce!ures for atabase %ail an! SQL %ail
A! hoc remote ?ueries 7the .$2"R.WS2T an! .$2"ATAS.4RC2 functions8
SQL Server Web Assistant
5p6cmdshell availabilit+
The features enable! for viewin# are:
6TT$ en!)oints
Service Broker en!)oint
The SQL Server Surface Area Confi#uration comman!,line interface, sac-e9e, )ermits
+ou to im)ort an! e9)ort settin#s- This enables +ou to stan!ar!i:e the confi#uration
of a #rou) of SQL Server &''* instances- 5ou can im)ort an! e9)ort settin#s on a
)er,instance basis an! also on a )er,service basis b+ usin# comman!,line
)arameters- 0or a list of comman!,line )arameters, use the -7 comman!,line o)tion-
5ou must have sysadmin )rivile#e to use this utilit+- The followin# co!e is an
e9am)le of e9)ortin# all settin#s from the !efault instance of SQL Server on serverB
an! im)ortin# them into server&:
sac out server1.out S server1 U admin I MSSQLSERVER
sac in server1.out S server2
When +ou u)#ra!e an instance of SQL Server to SQL Server &''* b+ )erformin# an
in,)lace u)#ra!e, the confi#uration o)tions of the instance are unchan#e!- 4se
SQL Server Surface Area Confi#uration to review feature usa#e an! turn off features
that are not nee!e!- 5ou can turn off the features in SQL Server Surface Area
Confi#uration or b+ usin# the s+stem store! )roce!ure, sp6con$i"ure- 6ere is an
e9am)le of usin# sp6con$i"ure to !isallow the e9ecution o$ 5p6cmdshell on a
SQL Server instance:
-- Allow advanced otions to !e c"an#ed.
E$E% s&con'i#ure (s"ow advanced otions() 1
*+
-- Udate t"e currentl, con'i#ured value 'or advanced otions.
RE%+-.I*URE
*+
-- /isa!le t"e 'eature.
E$E% s&con'i#ure (0&cmds"ell() 1
*+
-- Udate t"e currentl, con'i#ured value 'or t"is 'eature.
RE%+-.I*URE
C.
/n SQL Server &''*, SQL Server Browser functionalit+ has been factore! into its own
service an! is no lon#er )art of the core !atabase en#ine- A!!itional functions are
also factore! into se)arate services- Services that are not a )art of the core !atabase
en#ine an! can be enable! or !isable! se)aratel+ inclu!e:
SQL Server Active irector+ 6el)er
SQL Server A#ent
SQL Server 0ullTe9t Search
SQL Server Browser
SQL Server ;SS Writer
The SQL Server Browser service nee!s to be runnin# onl+ to connect to name!
SQL Server instances that use TC$</$ !+namic )ort assi#nments- /t is not necessar+
to connect to !efault instances of SQL Server &''* an! name! instances that use
static TC$</$ )orts- 0or a more secure confi#uration, alwa+s use static TC$</$ )ort
assi#nments an! !isable the SQL Server Browser service- The ;SS Writer allows
backu) an! restore usin# the ;olume Sha!ow Co)+ framework- This service is
!isable! b+ !efault- /f +ou !o not use ;olume Sha!ow Co)+, !isable this service- /f
+ou are runnin# SQL Server outsi!e of an Active irector+= !irector+ service, !isable
the Active irector+ 6el)er-
Best practices $or sur$ace area reduction
/nstall onl+ those com)onents that +ou will imme!iatel+ use- A!!itional
com)onents can alwa+s be installe! as nee!e!-
2nable onl+ the o)tional features that +ou will imme!iatel+ use-
Review o)tional feature usa#e before !oin# an in,)lace u)#ra!e an! !isable
unnee!e! features either before or after the u)#ra!e-
evelo) a )olic+ with res)ect to )ermitte! network connectivit+ choices- 4se
SQL Server Surface Area Confi#uration to stan!ar!i:e this )olic+-
evelo) a )olic+ for the usa#e of o)tional features- 4se SQL Server Surface Area
Confi#uration to stan!ar!i:e o)tional feature enablin#- ocument an+ e9ce)tions
to the )olic+ on a )er,instance basis-
Turn off unnee!e! services b+ settin# the service to either %anual startu) or
isable!-
Service Account Selection an! %ana#ement
SQL Server &''* e9ecutes as a set of Win!ows services- 2ach service can be
confi#ure! to use its own service account- This facilit+ is e9)ose! at installation-
SQL Server )rovi!es a s)ecial tool, SQL Server Confi#uration %ana#er, to mana#e
these accounts- /n a!!ition, these accounts can be set )ro#rammaticall+ throu#h the
SQL Server W%/ $rovi!er for Confi#uration- When +ou select a Win!ows account to
be a SQL Server service account, +ou have a choice of:
omain user that is not a Win!ows a!ministrator
Local user that is not a Win!ows a!ministrator
"etwork Service account
Local S+stem account
Local user that is a Win!ows a!ministrator
omain user that is a Win!ows a!ministrator
When choosin# service accounts, consi!er the )rinci)le of least )rivile#e- The service
account shoul! have e9actl+ the )rivile#es that it nee!s to !o its job an! no more
)rivile#es- 5ou also nee! to consi!er account isolationA the service accounts shoul!
not onl+ be !ifferent from one another, the+ shoul! not be use! b+ an+ other service
on the same server- .nl+ the first two account t+)es in the list above have both of
these )ro)erties- %akin# the SQL Server service account an a!ministrator, at either a
server level or a !omain level, bestows too man+ unnee!e! )rivile#es an! shoul!
never be !one- The Local S+stem account is not onl+ an account with too man+
)rivile#es, but it is a share! account an! mi#ht be use! b+ other services on the
same server- An+ other service that uses this account has the same set u) )rivile#es
as the SQL Server service that uses the account- Althou#h "etwork Service has
network access an! is not a Win!ows su)eruser account, it is a shareable account-
This account is useable as a SQL Server service account onl+ if +ou can ensure that
no other services that use this account are installe! on the server-
4sin# a local user or !omain user that is not a Win!ows a!ministrator is the best
choice- /f the server that is runnin# SQL Server is )art of a !omain an! must access
!omain resources such as file shares or uses linke! server connections to other
com)uters runnin# SQL Server, a !omain account is the best choice- /f the server is
not )art of a !omain 7for e9am)le, a server runnin# in the )erimeter network 7also
known as the %D8 in a Web a))lication8 or !oes not nee! to access !omain
resources, a local user that is not a Win!ows a!ministrator is )referre!-
Creatin# the user account that will be use! as a SQL Server service account is easier
in SQL Server &''* than in )revious versions- When SQL Server &''* is installe!, a
Win!ows #rou) is create! for each SQL Server service, an! the service account is
)lace! in the a))ro)riate #rou)- To create a user that will serve as a SQL Server
service account, sim)l+ create an @or!inar+@ account that is either a member of the
4sers #rou) 7non,!omain user8 or omain 4sers #rou) 7!omain user8- urin#
installation, the user is automaticall+ )lace! in the SQL Server service #rou) an! the
#rou) is #rante! e9actl+ the )rivile#es that are nee!e!-
/f the service account nee!s a!!itional )rivile#es, the )rivile#e shoul! be #rante! to
the a))ro)riate Win!ows #rou), rather than #rante! !irectl+ to the service user
account- This is consistent with the wa+ access control lists are best mana#e! in
Win!ows in #eneral- 0or e9am)le, the abilit+ to use the SQL Server /nstant 0ile
/nitiali:ation feature re?uires that the $erform ;olume %aintenance Tasks user ri#hts
be set in the Crou) $olic+ A!ministration tool- This )rivile#e shoul! be #rante! to
SQLServer&''*%SSQL4serE%achine"ameE%SSQLS2R;2R #rou) for the !efault
instance of SQL Server on server @%achine"ame-@
SQL Server service accounts shoul! be chan#e! onl+ b+ usin# SQL Server
Confi#uration %ana#er, or b+ usin# the e?uivalent functionalit+ in the W%/ A$/s-
4sin# Confi#uration %ana#er ensures that the new service account is )lace! in the
a))ro)riate Win!ows #rou), an! is thus #rante! e9actl+ the correct )rivile#es to run
the service- /n a!!ition, usin# SQL Server Confi#uration %ana#er also re,encr+)ts
the service master ke+ that is usin# the new account- 0or more information on the
service master ke+, see 2ncr+)tion later in this )a)er- Because SQL Server service
accounts also abi!e b+ Win!ows )asswor! e9)iration )olicies, it is necessar+ to
chan#e the service account )asswor!s at re#ular intervals- /n SQL Server &''*, it is
easier to abi!e b+ )asswor! e9)iration )olicies because chan#in# the )asswor! of the
service account !oes not re?uire restartin# SQL Server-
SQL Server &''* re?uires that the service account have less )rivile#e than in
)revious versions- S)ecificall+, the )rivile#e Act As $art of the .)eratin# S+stem
7S2FTCBF"A%28 is not re?uire! for the service account unless SQL Server &''* is
runnin# on the %icrosoft Win!ows Server> &''' S$G o)eratin# s+stem- After !oin#
an u)#ra!e in )lace, use the Crou) $olic+ A!ministration tool to remove this
)rivile#e-
The SQL Server A#ent service account re?uires sysadmin )rivile#e in the
SQL Server instance that it is associate! with- /n SQL Server &''*, SQL Server
A#ent job ste)s can be confi#ure! to use )ro9ies that enca)sulate alternate
cre!entials- A CR22"T/AL is sim)l+ a !atabase object that is a s+mbolic name for a
Win!ows user an! )asswor!- A sin#le CR22"T/AL can be use! with multi)le
SQL Server A#ent )ro9ies- To accommo!ate the )rinci)al of least )rivile#e, !o not
#ive e9cessive )rivile#es to the SQL Server A#ent service account- /nstea!, use a
)ro9+ that corres)on!s to a CR22"T/AL that has just enou#h )rivile#e to )erform
the re?uire! task- A CR22"T/AL can also be use! to re!uce the )rivile#e for a
s)ecific task if the SQL Server A#ent service account has been confi#ure! with more
)rivile#es than nee!e! for the task- $ro9ies can be use! for:
Active3 scri)tin#
.)eratin# s+stem 7Cm!29ec8
Re)lication a#ents
Anal+sis Services comman!s an! ?ueries
SS/S )acka#e e9ecution 7inclu!in# maintenance )lans8
Best practices $or SQL Server service accounts
4se a s)ecific user account or !omain account rather than a share! account for
SQL Server services-
4se a se)arate account for each service-
o not #ive an+ s)ecial )rivile#es to the SQL Server service accountA the+ will be
assi#ne! b+ #rou) membershi)-
%ana#e )rivile#es throu#h the SQL Server su))lie! #rou) account rather than
throu#h in!ivi!ual service user accounts-
Alwa+s use SQL Server Confi#uration %ana#er to chan#e service accounts-
Chan#e the service account )asswor! at re#ular intervals-
4se CR22"T/ALs to e9ecute job ste)s that re?uire s)ecific )rivile#es rather than
a!justin# the )rivile#e to the SQL Server A#ent service account-
/f an a#ent user nee!s to e9ecute a job that re?uires !ifferent Win!ows
cre!entials, assi#n them a )ro9+ account that has just enou#h )ermissions to #et
the task !one-
Authentication %o!e
SQL Server has two authentication mo!es: Win!ows Authentication an! %i9e! %o!e
Authentication- /n Win!ows Authentication mo!e, s)ecific Win!ows user an! #rou)
accounts are truste! to lo# in to SQL Server- Win!ows cre!entials are use! in the
)rocessA that is, either "TL% or 1erberos cre!entials- Win!ows accounts use a series
of encr+)te! messa#es to authenticate to SQL ServerA no )asswor!s are )asse!
across the network !urin# the authentication )rocess- /n %i9e! %o!e Authentication,
both Win!ows accounts an! SQL Server,s)ecific accounts 7known as SQL lo#ins8 are
)ermitte!- When SQL lo#ins are use!, SQL lo#in )asswor!s are )asse! across the
network for authentication- This makes SQL lo#ins less secure than Win!ows lo#ins-
/t is a best )ractice to use onl+ Win!ows lo#ins whenever )ossible- 4sin# Win!ows
lo#ins with SQL Server achieves sin#le si#n,on an! sim)lifies lo#in a!ministration-
$asswor! mana#ement uses the or!inar+ Win!ows )asswor! )olicies an! )asswor!
chan#e A$/s- 4sers, #rou)s, an! )asswor!s are mana#e! b+ s+stem a!ministratorsA
SQL Server !atabase a!ministrators are onl+ concerne! with which users an! #rou)s
are allowe! access to SQL Server an! with authori:ation mana#ement-
SQL lo#ins shoul! be confine! to le#ac+ a))lications, mostl+ in cases where the
a))lication is )urchase! from a thir!,)art+ ven!or an! the authentication cannot be
chan#e!- Another use for SQL lo#ins is with cross,)latform client,server a))lications
in which the non,Win!ows clients !o not )ossess Win!ows lo#ins- Althou#h usin#
SQL lo#ins is !iscoura#e!, there are securit+ im)rovements for SQL lo#ins in
SQL Server &''*- These im)rovements inclu!e the abilit+ to have SQL lo#ins use the
)asswor! )olic+ of the un!erl+in# o)eratin# s+stem an! better encr+)tion when SQL
)asswor!s are )asse! over the network- WeHll !iscuss each of these later in the
)a)er-
SQL Server &''* uses stan!ar! L statements to create both Win!ows lo#ins an!
SQL lo#ins- 4sin# the CR2AT2 L.C/" statement is )referre!A the sp6addlo"in an!
sp6"rantlo"in s+stem store! )roce!ures are su))orte! for backwar! com)atibilit+
onl+- SQL Server &''* also )rovi!es the abilit+ to !isable a lo#in or chan#e a lo#in
name b+ usin# the ALT2R L.C/" L statement- 0or e9am)le, if +ou install
SQL Server &''* in Win!ows Authentication mo!e rather than %i9e! %o!e, the sa
lo#in is !isable!- 4se ALT2R L.C/" rather than the )roce!ures sp6denylo"in or
sp6revokelo"in, which are su))orte! for backwar! com)atibilit+ onl+-
/f +ou install SQL Server in Win!ows Authentication mo!e, the sa lo#in account is
!isable! an! a ran!om )asswor! is #enerate! for it- /f +ou later nee! to chan#e to
%i9e! %o!e Authentication an! re,enable the sa lo#in account, +ou will not know the
)asswor!- Chan#e the sa )asswor! to a known value after installation if +ou think
+ou mi#ht ever nee! to use it-
Best practices $or authentication mode
Alwa+s use Win!ows Authentication mo!e if )ossible-
4se %i9e! %o!e Authentication onl+ for le#ac+ a))lications an! non,Win!ows
users-
4se the stan!ar! lo#in L statements instea! of the com)atibilit+ s+stem
)roce!ures-
Chan#e the sa account )asswor! to a known value if +ou mi#ht ever nee! to use
it- Alwa+s use a stron# )asswor! for the sa account an! chan#e the sa account
)asswor! )erio!icall+-
o not mana#e SQL Server b+ usin# the sa lo#in accountA assi#n sysadmin
)rivile#e to a knows user or #rou)-
Rename the sa account to a !ifferent account name to )revent attacks on the sa
account b+ name-
"etwork Connectivit+
A stan!ar! network )rotocol is re?uire! to connect to the SQL Server !atabase-
There are no internal connections that b+)ass the network- SQL Server &''*
intro!uces an abstraction for mana#in# an+ connectivit+ channelIentr+ )oints into a
SQL Server instance are all re)resente! as en!)oints- 2n!)oints e9ist for the
followin# network client connectivit+ )rotocols:
Share! %emor+
"ame! $i)es
TC$</$
;/A
e!icate! a!ministrator connection
/n a!!ition, en!)oints ma+ be !efine! to )ermit access to the SQL Server instance
for:
Service Broker
6TT$ Web Services
atabase mirrorin#
0ollowin# is an e9am)le of creatin# an en!)oint for Service Broker-
%REA2E E-/3+I-2 4ro5erEndoint&SQL/EV11
AS 2%3
6 LIS2E-ER&3+R2 7 8122 9
.+R SERVI%E&4R+:ER
6 AU2;E-2I%A2I+- 7 <I-/+<S 9
SQL Server &''* !iscontinues su))ort for some network )rotocols that were
available with earlier versions of SQL Server, inclu!in# /$3<S$3, A))letalk, an!
Ban+on ;ines-
/n kee)in# with the #eneral )olic+ of @off b+ !efault, enable onl+ when nee!e!,@ no
Service Broker, 6TT$, or !atabase mirrorin# en!)oints are create! when
SQL Server &''* is installe!, an! the ;/A en!)oint is !isable! b+ !efault- /n
a!!ition, in SQL Server &''* 29)ress 2!ition, SQL Server &''* evelo)er 2!ition,
an! SQL Server &''* 2valuation 2!ition, the "ame! $i)es an! TC$</$ )rotocols are
!isable! b+ !efault- .nl+ Share! %emor+ is available b+ !efault in those e!itions-
The !e!icate! a!ministrator connection 7AC8, new with SQL Server &''*, is
available onl+ locall+ b+ !efault, althou#h it can be ma!e available remotel+- "ote
that the AC is not available in SQL Server 29)ress 2!ition b+ !efault an! re?uires
that the server be run with a s)ecial trace fla# to enable it- Access to !atabase
en!)oints re?uires the lo#in )rinci)al to have C.""2CT )ermission- B+ !efault, no
lo#in account has C.""2CT )ermission to Service Broker or 6TT$ Web Services
en!)oints- This restricts access )aths an! blocks some known attack vectors- /t is a
best )ractice to enable onl+ those )rotocols that are nee!e!- 0or e9am)le, if TC$</$
is sufficient, there is no nee! to enable the "ame! $i)es )rotocol-
Althou#h en!)oint a!ministration can be accom)lishe! via L, the a!ministration
)rocess is ma!e easier an! )olic+ can be ma!e more uniform b+ usin# the
SQL Server Surface Area Confi#uration tool an! SQL Server Confi#uration %ana#er-
SQL Server Surface Area Confi#uration )rovi!es a sim)lifie! user interface for
enablin# or !isablin# client )rotocols for a SQL Server instance, as shown in 0i#ure B
an! 0i#ure &- Confi#uration is !escribe! in 1nowle!#e Base article 1BJBG&((, 6ow to
confi#ure SQL Server &''* to allow remote connections, as well as in
SQL Server &''* Books .nline- A screenshot showin# the remote connections
confi#uration !ialo# bo9 is shown in 0i#ure B-
8i"ure . !on$i"urin" remote connections
/n the Surface Area Confi#uration for Services an! Connections !ialo# bo9, +ou can
see if an+ 6TT$ or Service Broker en!)oints are !efine! for the instance- "ew
en!)oints must be !efine! b+ usin# L statementsA SQL Server Surface Area
Confi#uration cannot be use! to !efine these- 5ou can use the Surface Area
Confi#uration for 0eatures tool to enable remote access to the !e!icate!
a!ministrator connection-
SQL Server Confi#uration %ana#er )rovi!es more #ranular confi#uration of server
)rotocols- With Confi#uration %ana#er, +ou can:
Choose a certificate for SSL encr+)tion-
Allow onl+ encr+)tion connections from clients-
6i!e an instance of SQL Server from the server enumeration A$/s-
2nable an! !isable TC$</$, Share! %emor+, "ame! $i)es, an! ;/A )rotocols-
Confi#ure the name of the )i)e each instance of SQL Server will use-
Confi#ure a TC$</$ )ort number that each instance listens on for TC$</$
connections-
Choose whether to use TC$</$ !+namic )ort assi#nment for name! instances-
The !ialo# for confi#urin# TC$</$ a!!ress )ro)erties such as )ort numbers an!
!+namic )ort assi#nment is shown in 0i#ure &-
8i"ure 2 T!P9%P Addresses con$i"uration pa"e in SQL Server !on$i"uration
)ana"er
SQL Server &''* can use an encr+)te! channel for two reasons: to encr+)t
cre!entials for SQL lo#ins, an! to )rovi!e en!,to,en! encr+)tion of entire sessions-
4sin# encr+)te! sessions re?uires usin# a client A$/ that su))orts these- The .L2
B, .BC, an! A.-"2T clients all su))ort encr+)te! sessionsA currentl+ the
%icrosoft KBC client !oes not- The other reason for usin# SSL is to encr+)t
cre!entials !urin# the lo#in )rocess for SQL lo#ins when a )asswor! is )asse! across
the network- /f an SSL certificate is installe! in a SQL Server instance, that certificate
is use! for cre!ential encr+)tion- /f an SSL certificate is not installe!,
SQL Server &''* can #enerate a self,si#ne! certificate an! use this certificate
instea!- 4sin# the self,si#ne! certificate )revents )assive man,in,the,mi!!le attacks,
in which the man,in,the,mi!!le interce)ts network traffic, but !oes not )rovi!e
mutual authentication- 4sin# an SSL certificate with a truste! root certificate
authorit+ )revents active man,in,the,mi!!le attacks an! )rovi!es mutual
authentication-
/n SQL Server &''*, +ou can CRA"T, R2;.12, or 2"5 )ermission to C.""2CT to a
s)ecific en!)oint on a )er,lo#in basis- B+ !efault, all lo#ins are CRA"Te! )ermission
on the Share! %emor+, "ame! $i)es, TC$</$, an! ;/A en!)oints- 5ou must
s)ecificall+ CRA"T users C.""2CT )ermission to other en!)ointsA no users are
CRA"Te! this )rivile#e b+ !efault- An e9am)le of #rantin# this )ermission is:
*RA-2 %+--E%2 +- M,;223Endoint 2+ M,/omain=Accountin#
Best practices $or net-ork connectivity
Limit the network )rotocols su))orte!-
o not enable network )rotocols unless the+ are nee!e!-
o not e9)ose a server that is runnin# SQL Server to the )ublic /nternet-
Confi#ure name! instances of SQL Server to use s)ecific )ort assi#nments for
TC$</$ rather than !+namic )orts-
/f +ou must su))ort SQL lo#ins, install an SSL certificate from a truste! certificate
authorit+ rather than usin# SQL Server &''* self,si#ne! certificates-
4se @allow onl+ encr+)te! connections@ onl+ if nee!e! for en!,to,en! encr+)tion
of sensitive sessions-
Crant C.""2CT )ermission onl+ on en!)oints to lo#ins that nee! to use them-
29)licitl+ !en+ C.""2CT )ermission to en!)oints that are not nee!e! b+ users or
#rou)s-
Lock!own of S+stem Store! $roce!ures
SQL Server uses s+stem store! )roce!ures to accom)lish some a!ministrative tasks-
These )roce!ures almost alwa+s be#in with the )refi9 5p6 or sp6- 2ven with the
intro!uction of stan!ar! L for some tasks 7for e9am)le, creatin# lo#ins an!
users8, s+stem )roce!ures remain the onl+ wa+ to accom)lish tasks such as sen!in#
mail or invokin# C.% com)onents- S+stem e9ten!e! store! )roce!ures in )articular
are use! to access resources outsi!e the SQL Server instance- %ost s+stem store!
)roce!ures contain the relevant securit+ checks as )art of the )roce!ure an! also
)erform im)ersonation so that the+ run as the Win!ows lo#in that invoke! the
)roce!ure- An e9am)le of this is sp6reserve6http6namespace, which
im)ersonates the current lo#in an! then attem)ts to reserve )art of the 6TT$
names)ace 76TT$-S5S8 b+ usin# a low,level o)eratin# s+stem function-
Because some s+stem )roce!ures interact with the o)eratin# s+stem or e9ecute co!e
outsi!e of the normal SQL Server )ermissions, the+ can constitute a securit+ risk-
S+stem store! )roce!ures such as 5p6cmdshell or sp6send6d#mail are off b+
!efault an! shoul! remain !isable! unless there is a reason to use them- /n
SQL Server &''*, +ou no lon#er nee! to use store! )roce!ures that access the
un!erl+in# o)eratin# s+stem or network outsi!e of the SQL Server )ermission s)ace-
SQLCLR )roce!ures e9ecutin# in 23T2R"ALFACC2SS mo!e are subject to SQL Server
)ermissions, an! SQLCLR )roce!ures e9ecutin# in 4"SA02 mo!e are subject to
some, but not all, securit+ checks- 0or e9am)le, to catalo# a SQLCLR assembl+
cate#ori:e! as 23T2R"ALFACC2SS or 4"SA02, either the !atabase must be marke!
as TR4STW.RT65 7see atabase .wnershi) an! Trust8 or the assembl+ must be
si#ne! with a certificate or as+mmetric ke+ that is catalo#e! to the master
!atabase- SQLCLR )roce!ures shoul! re)lace user,written e9ten!e! store!
)roce!ures in the future-
Some cate#ories of s+stem store! )roce!ures can be mana#e! b+ usin# SQL Server
Surface Area Confi#uration- These inclu!e:
5p6cmdshell , e9ecutes a comman! in the un!erl+in# o)eratin# s+stem
atabase %ail )roce!ures
SQL %ail )roce!ures
C.% com)onent )roce!ures 7e-#- s)F.ACreate8
2nable these )roce!ures onl+ if necessar+-
Some s+stem store! )roce!ures, such as )roce!ures that use SQL%. an! SQLS%.
libraries, cannot be confi#ure! b+ usin# SQL Server Surface Area Confi#uration- The+
must be confi#ure! b+ usin# sp6con$i"ure or SS%S !irectl+- SS%S or sp6con$i"ure
can also be use! to set most of the confi#uration feature settin#s that are set b+
usin# SQL Server Surface Area Confi#uration-
The s+stem store! )roce!ures shoul! not be !ro))e! from the !atabaseA !ro))in#
these can cause )roblems when a))l+in# service )acks- Removin# the s+stem store!
)roce!ures results in an unsu))orte! confi#uration- /t is usuall+ unnecessar+ to
com)letel+ 2"5 all users access to the s+stem store! )roce!ures, as these store!
)roce!ures have the a))ro)riate )ermission checks internal to the )roce!ure as well
as e9ternal-
Best practices $or system stored procedures
isable 5p6cmdshell unless it is absolutel+ nee!e!-
isable C.% com)onents once all C.% com)onents have been converte! to
SQLCLR-
isable both mail )roce!ures 7atabase %ail an! SQL %ail8 unless +ou nee! to
sen! mail from SQL Server- $refer atabase %ail as soon as +ou can convert to it-
4se SQL Server Surface Area Confi#uration to enforce a stan!ar! )olic+ for
e9ten!e! )roce!ure usa#e-
ocument each e9ce)tion to the stan!ar! )olic+-
o not remove the s+stem store! )roce!ures b+ !ro))in# them-
o not 2"5 all users<a!ministrators access to the e9ten!e! )roce!ures-
$asswor! $olic+
Win!ows lo#ins abi!e b+ the lo#in )olicies of the un!erl+in# o)eratin# s+stem- These
)olicies can be set usin# the omain Securit+ $olic+ or Local Securit+ $olic+
a!ministrator Control $anel a))lets- Lo#in )olicies fall into two cate#ories: $asswor!
)olicies an! Account Lockout )olicies- $asswor! )olicies inclu!e:
2nforce $asswor! 6istor+
%inimum an! %a9imum $asswor! A#e
%inimum $asswor! Len#th
$asswor! %ust %eet Com)le9it+ Re?uirements
$asswor!s are Store! 4sin# Reversible 2ncr+)tion 7"ote: this settin# !oes not
a))l+ to SQL Server8
Account Lockout )olicies inclu!e:
Account Lockout Threshol! 7"umber of invali! lo#ins before lockout8
Account Lockout uration 7Amount of time locke! out8
Reset Lockout Counter After n %inutes
/n SQL Server &''*, SQL lo#ins can also #o b+ the lo#in )olicies of the un!erl+in#
o)eratin# s+stem if the o)eratin# s+stem su))orts it- The o)eratin# s+stem must
su))ort the s+stem call ,et:alidatePass-ordPolicy- Currentl+, the onl+ o)eratin#
s+stem that su))orts this is Win!ows Server &''L an! later versions- /f +ou use SQL
lo#ins, run SQL Server &''* on a Win!ows Server &''L or later o)eratin# s+stem-
CR2AT2 L.C/" )arameters !etermine whether the lo#in #oes b+ the o)eratin#
s+stem )olicies- These )arameters are:
C62C1F$.L/C5
C62C1F23$/RAT/."
%4STFC6A"C2
C62C1F$.L/C5 s)ecifies that the SQL lo#in must abi!e b+ the Win!ows lo#in )olicies
an! Account Lockout )olicies, with the e9ce)tion of )asswor! e9)iration- This is
because, if SQL lo#ins must #o b+ the Win!ows )asswor! e9)iration )olic+,
un!erl+in# a))lications must be outfitte! with a mechanism for )asswor! chan#in#-
%ost a))lications currentl+ !o not )rovi!e a wa+ to chan#e SQL lo#in )asswor!s- /n
SQL Server &''*, both SS%S an! SQLC% )rovi!e a wa+ to chan#e SQL Server
)asswor!s for SQL lo#ins- Consi!er outfittin# +our a))lications with a )asswor!,
chan#in# mechanism as soon as )ossible- 6avin# built,in )asswor! chan#in# also
allows lo#ins to be create! with the %4STFC6A"C2 )arameterA usin# this )arameter
re?uires the user to chan#e the )asswor! at the time of the first lo#in-
A!ministrators shoul! be aware of the fact that )asswor! len#th an! com)le9it+
)olicies, but not e9)iration )olicies, a))l+ to )asswor!s use! with encr+)tion ke+s as
well as to )asswor!s use! with SQL lo#ins- 0or a !escri)tion of encr+)tion ke+s, see
2ncr+)tion-
When SQL lo#ins are use! on )re,Win!ows &''L o)eratin# s+stems, there is a series
of har!,co!e! )asswor! )olicies in lieu of the !omain or o)eratin# s+stem )olicies if
C62C1F$.L/C5 M ."- These )olicies are enumerate! in SQL Server Books .nline-
Best practices $or pass-ord policy
%an!ate a stron# )asswor! )olic+, inclu!in# an e9)iration an! a com)le9it+ )olic+
for +our or#ani:ation-
/f +ou must use SQL lo#ins, ensure that SQL Server &''* runs on the Win!ows
Server &''L o)eratin# s+stem an! use )asswor! )olicies-
.utfit +our a))lications with a mechanism to chan#e SQL lo#in )asswor!s-
Set %4STFC6A"C2 for new lo#ins-
A!ministrator $rivile#es
SQL Server &''* makes all )ermissions #rantable an! also makes #rantable
)ermissions more #ranular than in )revious versions- $rivile#es with elevate!
)ermissions now inclu!e:
%embers of the sysadmin server role-
The sa built,in lo#in, if it is enable!-
An+ lo#in with C."TR.L S2R;2R )ermission-
C."TR.L S2R;2R )ermission is new in SQL Server &''*- Chan#e +our au!itin#
)roce!ures to inclu!e an+ lo#in with C."TR.L S2R;2R )ermission-
SQL Server automaticall+ #rants the serverHs A!ministrators #rou)
7B4/LT/"Na!ministrators8 the sysadmin server role- When runnin# SQL Server &''*
un!er %icrosoft Win!ows ;ista>, the o)eratin# s+stem !oes not reco#ni:e
membershi) in the B4/LT/"NA!ministrators #rou) unless the user has elevate!
themselves to a full a!ministrator- /n S$&, +ou can use SQL Server Surface Area
Confi#uration to enable a )rinci)al to act as a!ministrator b+ selectin# Add ,e-
Administrator from the main win!ow as shown in 0i#ure L-
8i"ure / Addin" a ne- administrator in SP2 SQL Server Sur$ace Area
!on$i"uration
Clickin# on this link o)ens the SQL Server &''* 4ser $rovisionin# Tool for ;ista as
shown in 0i#ure G- This tool can also be automaticall+ invoke! as the last ste) of an
SQL Server &''* S$& installation-
8i"ure ' The SQL Server 2005 ;ser Provisionin" Tool $or :ista
When runnin# SQL Server 29)ress S$& un!er the ;ista o)eratin# s+stem, Set 4)
incor)orates the s)ecification of a s)ecific )rinci)al to act as a!ministrator-
SQL Server 29)ress S$& Set 4) also allows comman!,line o)tions to turn user
instances on or off 72"ABL2RA"48 an! to a!! the current Set 4) user to the
SQL Server Administrator role 7A4S2RASA%/"8- 0or more !etaile!
information, see Confi#uration .)tions 7SQL Server 29)ress8 in SQL Server &''* S$&
Books .nline- 0or a!!itional securit+,relate! consi!erations when runnin#
SQL Server &''* with the Win!ows ;ista o)eratin# s+stem, see the
SQL Server &''* S$& Rea!me file- /n )articular, see section *-*-& @/ssues Cause! b+
4ser Account Control in Win!ows ;ista-@
0or accountabilit+ in the !atabase, avoi! rel+in# on the A!ministrators #rou) an! a!!
onl+ s)ecific !atabase a!ministrators to the sysadmin role- Another o)tion is to
have a s)ecific atabaseA!ministrators role at the o)eratin# s+stem level- %inimi:in#
the number of a!ministrators who have sysadmin or C."TR.L S2R;2R )rivile#e
also makes it easier to resolve )roblemsA fewer lo#ins with a!ministrator )rivile#e
means fewer )eo)le to check with if thin#s #o wron#- The )ermission ;/2W S2R;2R
STAT2 is useful for allowin# a!ministrators an! troubleshooters to view server
information 7!+namic mana#ement views8 without #rantin# full sysadmin or
C."TR.L S2R;2R )ermission-
Best practices $or administrator privile"es
4se a!ministrator )rivile#es onl+ when nee!e!-
%inimi:e the number of a!ministrators-
$rovision a!min )rinci)als e9)licitl+-
6ave multi)le !istinct a!ministrators if more than one is nee!e!-
Avoi! !e)en!enc+ on the builtinNa!ministrators Win!ows #rou)-
atabase .wnershi) an! Trust
A SQL Server instance can contain multi)le user !atabases- 2ach user !atabase has
a s)ecific ownerA the owner !efaults to the !atabase creator- B+ !efinition, members
of the sysadmin server role 7inclu!in# s+stem a!ministrators if the+ have access to
SQL Server throu#h their !efault #rou) account8 are !atabase owners 7B.s8 in
ever+ user !atabase- /n a!!ition, there is a !atabase role, d#6o-ner, in ever+ user
!atabase- %embers of the d#6o-ner role have a))ro9imatel+ the same )rivile#es
as the d#o user-
SQL Server can be thou#ht of as runnin# in two !istinct mo!es, which can be
referre! to as IT department mode an! ISV mode- These are not !atabase settin#s
but sim)l+ !ifferent wa+s to mana#e SQL Server- /n an /T !e)artment, the
sysadmin of the instance mana#es all user !atabases- /n an /nternet service
)rovi!er environment 7sa+, a Web,hostin# service8, each customer is )ermitte! to
mana#e their own !atabase an! is restricte! from accessin# s+stem !atabases or
other user !atabases- 0or e9am)le, the !atabases of two com)etin# com)anies coul!
be hoste! b+ the same /nternet service )rovi!er 7/S;8 an! e9ist in the same
SQL Server instance- an#erous co!e coul! be a!!e! to a user !atabase when
attache! to its ori#inal instance, an! the co!e woul! be enable! on the /S; instance
when !e)lo+e!- This situation makes controllin# cross,!atabase access crucial-
/f each !atabase is owne! an! mana#e! b+ the same #eneral entit+, it is still not a
#oo! )ractice to establish a @trust relationshi)@ with a !atabase unless an
a))lication,s)ecific feature, such as cross,!atabase Service Broker communication, is
re?uire!- A trust relationshi) between !atabases can be establishe! b+ allowin#
cross,!atabase ownershi) chainin# or b+ markin# a !atabase as truste! b+ the
instance b+ usin# the TR4STW.RT65 )ro)ert+- An e9am)le of settin# the
TR4STW.RT65 )ro)ert+ follows:
AL2ER /A2A4ASE u!s SE2 2RUS2<+R2;> +-
Best practices $or data#ase o-nership and trust
6ave !istinct owners for !atabasesA not all !atabases shoul! be owne! b+ sa-
%inimi:e the number of owners for each !atabase-
Confer trust selectivel+-
Leave the Cross,atabase .wnershi) Chainin# settin# off unless multi)le
!atabases are !e)lo+e! at a sin#le unit-
%i#rate usa#e to selective trust instea! of usin# the TR4STW.RT65 )ro)ert+-
Schemas
SQL Server &''* intro!uces schemas to the !atabase- A schema is sim)l+ a name!
container for !atabase objects- 2ach schema is a sco)e that fits into the hierarch+
between !atabase level an! object level, an! each schema has a s)ecific owner- The
owner of a schema can be a user, a !atabase role, or an a))lication role- The schema
name takes the )lace of the owner name in the SQL Server multi,)art object namin#
scheme- /n SQL Server &''' an! )revious versions, a table name! 2m)lo+ee that
was )art of a !atabase name! $a+roll an! was owne! b+ a user name Bob woul! be
)a+roll-bob-em)lo+ee- /n SQL Server &''*, the table woul! have to be )art of a
schema- /f )a+rollFa)) is the name of the SQL Server &''* schema, the table name
in SQL Server &''* is )a+roll-)a+rollFa))-em)lo+ee-
Schemas solve an a!ministration )roblem that occurs when each !atabase object is
name! after the user who creates it- /n SQL Server versions )rior to &''*, if a user
name! Bob 7who is not d#o8 creates a series of tables, the tables woul! be name!
after Bob- /f Bob leaves the com)an+ or chan#es job assi#nments, these tables
woul! have to be manuall+ transferre! to another user- /f this transfer were not
)erforme!, a securit+ )roblem coul! ensue- Because of this, )rior to
SQL Server &''*, BAs were unlikel+ to allow in!ivi!ual users to create !atabase
objects such as tables- 2ach table woul! be create! b+ someone actin# as the s)ecial
d#o user an! woul! have a user name of d#o- Because, in SQL Server &''*,
schemas can be owne! b+ roles, s)ecial roles can be create! to own schemas if
nee!e!Iever+ !atabase object nee! not be owne! b+ d#o- "ot havin# ever+ object
owne! b+ d#o makes for more #ranular object mana#ement an! makes it )ossible
for users 7or a))lications8 that nee! to !+namicall+ create tables to !o so without
d#o )ermission-
6avin# schemas that are role,base! !oes not mean that itOs a #oo! )ractice to have
ever+ user be a schema owner- .nl+ users who nee! to create !atabase objects
shoul! be )ermitte! to !o so- The abilit+ to create objects !oes not im)l+ schema
ownershi)A CRA"Tin# Bob ALT2R SC62%A )ermission in the )a+rollFa)) schema can
be accom)lishe! without makin# Bob a schema owner- /n a!!ition, #rantin# CR2AT2
TABL2 to a user !oes not allow that user to create tablesA the user must also have
ALT2R SC62%A )ermission on some schema in or!er to have a schema in which to
create the table- .bjects create! in a schema are owne! b+ the schema owner b+
!efault, not b+ the creator of the object- This makes it )ossible for a user to create
tables in a known schema without the a!ministrative )roblems that ensue when that
user leaves the com)an+ or switches job assi#nments-
2ach user has a !efault schema- /f an object is create! or reference! in a SQL
statement b+ usin# a one,)art name, SQL Server first looks in the userHs !efault
schema- /f the object isnHt foun! there, SQL Server looks in the d#o schema- The
userHs !efault schema is assi#ne! b+ usin# the CR2AT2 4S2R or ALT2R 4S2R L
statements- /f the !efault schema is s)ecifie!, the !efault is d#o- 4sin# name!
schemas for like #rou)s of !atabase objects an! assi#nin# each userHs !efault
schema to d#o is a wa+ to man!ate usin# two,)art object names in SQL statements-
This is because objects that are not in the d#o schema will not be foun! when a one,
)art object name is s)ecifie!- %i#ratin# #rou)s of user objects out of the d#o
schema is also a #oo! wa+ to allow users to create an! mana#e objects if nee!e!
7for e9am)le, to install an a))lication )acka#e8 without makin# the installin# user
d#o-
Best practices $or usin" schemas
Crou) like objects to#ether into the same schema-
%ana#e !atabase object securit+ b+ usin# ownershi) an! )ermissions at the
schema level-
6ave !istinct owners for schemas-
"ot all schemas shoul! be owne! b+ d#o-
%inimi:e the number of owners for each schema-
Authori:ation
Authori:ation is the )rocess of #rantin# )ermissions on securables to users- At an
o)eratin# s+stem level, securables mi#ht be files, !irectories, re#istr+ ke+s, or
share! )rinters- /n SQL Server, securables are !atabase objects- SQL Server
)rinci)als inclu!e both instance,level )rinci)als, such as Win!ows lo#ins, Win!ows
#rou) lo#ins, SQL Server lo#ins, an! server roles an! !atabase,level )rinci)als, such
as users, !atabase roles, an! a))lication roles- 29ce)t for a few objects that are
instance,sco)e!, most !atabase objects, such as tables, views, an! )roce!ures are
schema,sco)e!- This means that authori:ation is usuall+ #rante! to !atabase,level
)rinci)als-
/n SQL Server, authori:ation is accom)lishe! via ata Access Lan#ua#e 7AL8 rather
than L or %L- /n a!!ition to the two AL verbs, CRA"T an! R2;.12, man!ate!
b+ the /S.,A"S/ stan!ar!, SQL Server also contains a 2"5 AL verb- 2"5 !iffers
from R2;.12 when a user is a member of more than one !atabase )rinci)al- /f a
user 0re! is a member of three !atabase roles A, B, an! C an! roles A an! B are
CRA"Te! )ermission to a securable, if the )ermission is R2;.12! from role C, 0re!
still can access the securable- /f the securable is 2"5e! to role C, 0re! cannot
access the securable- This makes mana#in# SQL Server similar to mana#in# other
)arts of the Win!ows famil+ of o)eratin# s+stems-
SQL Server &''* makes each securable available b+ usin# AL statements an!
makes )ermissions more #ranular than in )revious versions- 0or e9am)le, in
SQL Server &''' an! earlier versions, certain functions were available onl+ if a lo#in
was )art of the sysadmin role- "ow sysadmin role )ermissions are !efine! in
terms of CRA"Ts- 2?uivalent access to securables can be achieve! b+ CRA"Tin# a
lo#in the C."TR.L S2R;2R )ermission-
An e9am)le of better #ranularit+ is the abilit+ to use SQL Server $rofiler to trace
events in a )articular !atabase- /n SQL Server &''', this abilit+ was limite! to the
s)ecial d#o user- The new #ranular )ermissions are also arran#e! in a hierarch+A
some )ermissions im)l+ other )ermissions- 0or e9am)le, C."TR.L )ermission on a
!atabase object t+)e im)lies ALT2R )ermission on that object as well as all other
object,level )ermissions- SQL Server &''* also intro!uces the conce)t of #rantin#
)ermissions on all of the objects in a schema- ALT2R )ermission on a SC62%A
inclu!es the abilit+ to CR2AT2, ALT2R, or R.$ objects in that SC62%A- The AL
statement that #rants access to all securables in the )a+roll schema is:
*RA-2 SELE%2 +- sc"ema??a,roll 2+ 'red
The a!vanta#e of #rantin# )ermissions at the schema level is that the user
automaticall+ has )ermissions on all new objects create! in the schemaA e9)licit
#rant after object creation is not nee!e!- 0or more information on the )ermission
hierarch+, see the $ermission 6ierarch+ section of SQL Server Books .nline-
A best )ractice for authori:ation is to enca)sulate access throu#h mo!ules such as
store! )roce!ures an! user,!efine! functions- 6i!in# access behin! )roce!ural co!e
means that users can onl+ access objects in the wa+ the !evelo)er an! !atabase
a!ministrator 7BA8 inten!A a! hoc chan#es to objects are !isallowe!- An e9am)le of
this techni?ue woul! be )ermittin# access to the em)lo+ee )a+ rate table onl+
throu#h a store! )roce!ure @4)!ate$a+Rate-@ 4sers that nee! to u)!ate )a+ rates
woul! be #rante! 232C4T2 access to the )roce!ure, rather than 4$AT2 access to
the table itself- /n SQL Server &''' an! earlier versions, enca)sulatin# access was
!e)en!ent on a SQL Server feature known as ownership chains- /n an ownershi)
chain, if the owner of store! )roce!ure A an! the owner of table B that the store!
)roce!ure accesses are the same, no )ermission check is !one- Althou#h this works
well most of the time, even with multi)le levels of store! )roce!ures, ownershi)
chains !o not work when:
The !atabase objects are in two !ifferent !atabases 7unless cross,!atabase
ownershi) chainin# is enable!8-
The )roce!ure uses !+namic SQL-
The )roce!ure is a SQLCLR )roce!ure-
SQL Server &''* contains features to a!!ress these shortcomin#s, inclu!in# si#nin#
of )roce!ural co!e, alternate e9ecution conte9t, an! a TR4STW.RT65 !atabase
)ro)ert+ if ownershi) chainin# is !esirable because a sin#le a))lication encom)asses
multi)le !atabases- All of these features are !iscusse! in this white )a)er-
A lo#in onl+ can onl+ be #rante! authori:ation to objects in a !atabase if a !atabase
user has been ma))e! to the lo#in- A s)ecial user, "uest, e9ists to )ermit access to
a !atabase for lo#ins that are not ma))e! to a s)ecific !atabase user- Because an+
lo#in can use the !atabase throu#h the "uest user, it is su##este! that the "uest
user not be enable!-
SQL Server &''* contains a new t+)e of user, a user that is not ma))e! to a lo#in-
4sers that are not ma))e! to lo#ins )rovi!e an alternative to usin# a))lication roles-
5ou can invoke selective im)ersonation b+ usin# the 232C4T2 AS statement 7see
29ecution Conte9t later in this )a)er8 an! allow that user onl+ the )rivile#es nee!e!
to )erform a s)ecific task- 4sin# users without lo#ins makes it easier to move the
a))lication to a new instance an! limits the connectivit+ re?uirements for the
function- 5ou create a user without a lo#in usin# L:
%REA2E USER m,newuser <I2;+U2 L+*I-
Best practices $or data#ase o#<ect authori3ation
2nca)sulate access within mo!ules-
%ana#e )ermissions via !atabase roles or Win!ows #rou)s-
4se )ermission #ranularit+ to im)lement the )rinci)le of least )rivile#e-
o not enable "uest access-
4se users without lo#ins instea! of a))lication roles
Catalo# Securit+
/nformation about !atabases, tables, an! other !atabase objects is ke)t in the
s+stem catalo#- The s+stem meta!ata e9ists in tables in the master !atabase an! in
user !atabases- These meta!ata tables are e9)ose! throu#h meta!ata views- /n
SQL Server &''', the s+stem catalo# was )ublicl+ rea!able an!, the instance coul!
be confi#ure! to make the s+stem tables writeable as well- /n SQL Server &''*, the
s+stem meta!ata tables are rea!,onl+ an! their structure has chan#e! consi!erabl+-
The onl+ wa+ that the s+stem meta!ata tables are rea!able at all is in sin#le,user
mo!e- Also in SQL Server &''*, the s+stem meta!ata views were refactore! an!
ma!e )art of a s)ecial schema, the sys schema- So as not to break e9istin#
a))lications, a set of com)atibilit+ meta!ata views are e9)ose!- The com)atibilit+
views ma+ be remove! in a future release of SQL Server-
SQL Server &''* makes all meta!ata views secure! b+ !efault- This inclu!es:
The new meta!ata views 7for e9am)le, sys&ta#les, sys&procedures8-
The com)atibilit+ meta!ata views 7for e9am)le, sysinde5es, syso#<ects8-
The /"0.R%AT/."FSC62%A views 7)rovi!e! for SQL,J& com)liance8-
The information in the s+stem meta!ata views is secure! on a )er,row basis- /n
or!er to be able to see s+stem meta!ata for an object, a user must have some
)ermission on the object- 0or e9am)le, to see meta!ata about the !bo-authors table,
S2L2CT )ermission on the table is sufficient- This )rohibits browsin# the s+stem
catalo# b+ users who !o not have a))ro)riate object access- iscover+ is often the
first level of )revention- There are two e9ce)tions to this rule: sys&data#ases an!
sys&schemas are )ublic,rea!able- These meta!ata views ma+ be secure! with the
2"5 verb if re?uire!-
Some a))lications )resent lists of !atabase objects to the user throu#h a #ra)hic
user interface- /t ma+ be necessar+ to kee) the user interface the same b+
)ermittin# users to view information about !atabase objects while #ivin# them no
other e9)licit )ermission on the object- A s)ecial )ermission, ;/2W 20/"/T/.",
e9ists for this )ur)ose-
Best practices $or catalo" security
The catalo# views are secure b+ !efault- "o a!!itional action is re?uire! to secure
them-
Crant ;/2W 20/"/T/." selectivel+ at the object, schema, !atabase, or server
level to #rant )ermission to view s+stem meta!ata without conferrin# a!!itional
)ermissions-
Review le#ac+ a))lications that ma+ !e)en! on access to s+stem meta!ata when
mi#ratin# the a))lications to SQL Server &''*-
Remote ata Source 29ecution
There are two wa+s that )roce!ural co!e can be e9ecute! on a remote instance of
SQL Server: confi#urin# a linke! server !efinition with the remote SQL Server an!
confi#urin# a remote server !efinition for it- Remote servers are su))orte! onl+ for
backwar! com)atibilit+ with earlier versions of SQL Server an! shoul! be )hase! out
in )reference to linke! servers- Linke! servers allow more #ranular securit+ than
remote servers- A! hoc ?ueries throu#h linke! servers 7.$2"R.WS2T an!
.$2"ATAS.4RC28 are !isable! b+ !efault in a newl+ installe! instance of
SQL Server &''*-
When +ou use Win!ows to authenticate to SQL Server, +ou are usin# a Win!ows
network cre!ential- "etwork cre!entials that use both "TL% an! 1erberos securit+
s+stems are vali! for one network @ho)@ b+ !efault- /f +ou use network cre!entials to
lo# on to SQL Server an! attem)t to use the same cre!entials to connect via a linke!
server to a SQL Server instance on a !ifferent com)uter, the cre!entials will not be
vali!- This is known as the @!ouble ho) )roblem@ an! also occurs in environments
that use Win!ows authentication to connect to a Web server an! attem)t to use
im)ersonation to connect to SQL Server- /f +ou use 1erberos for authentication, +ou
can enable constraine! !ele#ation, that is, !ele#ation of cre!entials constraine! to a
s)ecific a))lication, to overcome the @!ouble ho) )roblem-@ .nl+ 1erberos
authentication su))orts !ele#ation of Win!ows cre!entials- 0or more information, see
Constraine! ele#ation in SQL Server Books .nline-
Best practices $or remote data source e5ecution
$hase out an+ remote server !efinitions-
Re)lace remote servers with linke! servers-
Leave a! hoc ?ueries throu#h linke! servers !isable! unless the+ are absolutel+
nee!e!-
4se constraine! !ele#ation if )ass,throu#h authentication to a linke! server is
necessar+-
29ecution Conte9t
SQL Server alwa+s e9ecutes SQL statements an! )roce!ural co!e as the currentl+
lo##e! on user- This behavior is a SQL Server,s)ecific behavior an! is ma!e )ossible,
in the case of )roce!ural co!e, b+ the conce)t of ownershi) chains- That is, althou#h
a store! )roce!ure e9ecutes as the caller of the store! )roce!ure rather than as the
owner, if ownershi) chainin# is in )lace, )ermissions are not checke! for object
access an! store! )roce!ures can be use! to enca)sulate tables, as mentione!
)reviousl+ in this )a)er- /n SQL Server &''*, the creator of a )roce!ure can
!eclarativel+ set the e9ecution conte9t of the )roce!ure b+ usin# the 232C4T2 AS
ke+wor! in the CR2AT2 $R.C24R2, 04"CT/.", an! TR/CC2R statements- The
e9ecution conte9t choices are:
232C4T2 AS CALL2R , the caller of the )roce!ure 7no im)ersonation8- This is the
onl+ )re,SQL Server &''* behavior-
232C4T2 AS .W"2R , the owner of the )roce!ure-
232C4T2 AS S2L0 , the creator of the )roce!ure-
232C4T2 AS HusernameH , a s)ecific user-
To maintain backwar! com)atibilit+, 232C4T2 AS CALL2R is the !efault- The
!istinction between AS .W"2R an! AS S2L0 is nee!e! because the creator of the
)roce!ure ma+ not be the owner of the schema in which the )roce!ure resi!es- /n
this case, AS S2L0 refers to the )roce!ure owner, AS .W"2R refers to the object
owner 7the schema owner8- /n or!er to use 232C4T2 AS HusernameH, the )roce!ure
creator must have /%$2RS."AT2 )ermission on the user name! in the e9ecution
conte9t-
.ne reason to use an alternate e9ecution conte9t woul! be when a )roce!ure
e9ecutes without a )articular e9ecution conte9t- An e9am)le of this is a service
broker ?ueue activation )roce!ure- /n a!!ition, 232C4T2 AS .W"2R can be use! to
circumvent )roblems that are cause! when ownershi) chains are broken- 0or
e9am)le, ownershi) chains in a )roce!ure are alwa+s broken when !+namic SQL
statements 7such as sp6e5ecuteSQL8 are use!-
.ften what is nee!e! is to #rant the a))ro)riate )ermissions to the )roce!ural co!e
itself, rather than either chan#in# the e9ecution conte9t or rel+in# on the callerHs
)ermissions- SQL Server &''* offers a much more #ranular wa+ of associatin#
)rivile#es with )roce!ural co!eIco!e si#nin#- B+ usin# the A S/C"AT4R2 L
statement, +ou can si#n the )roce!ure with a certificate or as+mmetric ke+- A user
can then be create! for the certificate or as+mmetric ke+ itself an! )ermissions
assi#ne! to that user- When the )roce!ure is e9ecute!, the co!e e9ecutes with a
combination of the callerHs )ermissions an! the ke+<certificateHs )ermissions- An
e9am)le of this woul! be:
%REA2E %ER2I.I%A2E ;R%erti'icate
<I2; E-%R>32I+- 4> 3ASS<+R/ 7 (;acde-@1A25B2(
%REA2E USER ;R%erti'icateUser
.+R %ER2I.I%A2E ;R%erti'icate <I2;+U2 L+*I-
*RA-2 U3/A2E +- ension&criteria 2+ ;R%erti'icate
-- t"is #ives t"e rocedure udate&ension&criteria
-- additional rivile#es o' ;R%erti'icate
A// SI*-A2URE 2+ udate&ension&criteria 4> %ER2I.%A2E ;R%erti'icate
-- !ac5u t"e rivate 5e, and remove it 'rom t"e certi'icate)
-- so t"at t"e rocedure cannot !e re-si#ned wit"out ermission
4A%:U3 %ER2I.I%A2E ;R%erti'icate
2+ .ILE 7 (c?=certs&!ac5u=;R%erti'icate.cer(
<I2; 3RIVA2E :E> 6.ILE 7 (c?=certs&!ac5u= ;R%erti'icate.v5()
E-%R>32I+- 4> 3ASS<+R/ 7 (@4@e!'38C@1D()
/E%R>32I+- 4> 3ASS<+R/ 7 (e<,ve,>B<EAAFDB(9
AL2ER %ER2I.I%A2E ;R%erti'icate REM+VE 3RIVA2E :E>
232C4T2 AS can also be use! to set the e9ecution conte9t within an SQL batch- /n
this form, the SQL batch contains an 232C4T2 AS 4S2RMHsomeuserH or 232C4T2 AS
L.C/"MHsomelo#inH statement- This alternate e9ecution conte9t lasts until the
R2;2RT statement is encountere!- 232C4T2 AS an! R2;2RT blocks can also be
neste!A R2;2RT reverts one level of e9ecution conte9t- As with 232C4T2 AS an!
)roce!ural co!e, the user chan#in# the e9ecution conte9t must have /%$2RS."AT2
)ermission on the user or lo#in bein# im)ersonate!- 232C4T2 AS in SQL batches
shoul! be use! as a re)lacement for the S2T4S2R statement, which is much less
fle9ible-
/f the e9ecution conte9t is set but shoul! not be reverte! without )ermission, +ou
can use 232C4T2 AS --- W/T6 C..1/2 or 232C4T2 AS --- W/T6 ". R2;2RT- When
W/T6 C..1/2 is s)ecifie!, a binar+ cookie is returne! to the caller of 232C4T2 AS
an! the cookie must be su))lie! in or!er to R2;2RT back to the ori#inal conte9t-
When a )roce!ure or batch uses an alternate e9ecution conte9t, the s+stem
functions normall+ use! for au!itin#, such as S4S2RF"A%278, return the name of the
im)ersonate! user rather than the name of the ori#inal user or ori#inal lo#in- A new
s+stem function, .R/C/"ALFL.C/"78, can be use! to obtain the ori#inal lo#in,
re#ar!less of the number of levels of im)ersonation use!-
Best practices $or e5ecution conte5t
Set e9ecution conte9t on mo!ules e9)licitl+ rather than lettin# it !efault-
4se 232C4T2 AS instea! of S2T4S2R-
4se W/T6 ". R2;2RT<C..1/2 instea! of A))lication Roles-
Consi!er usin# co!e si#nin# of )roce!ural co!e if a sin#le #ranular a!!itional
)rivile#e is re?uire! for the )roce!ure-
2ncr+)tion
SQL Server &''* has built,in !ata encr+)tion- The !ata encr+)tion e9ists at a cell
level an! is accom)lishe! b+ means of built,in s+stem )roce!ures- 2ncr+)tin# !ata
re?uires secure encr+)tion ke+s an! ke+ mana#ement- A ke+ mana#ement hierarch+
is built into SQL Server &''*- 2ach instance of SQL Server has a built,in service
master ke+ that is #enerate! at installationA s)ecificall+, the first time that
SQL Server is starte! after installation- The service master ke+ is encr+)te! b+ usin#
both the SQL Server Service account ke+ an! also the machine ke+- Both encr+)tions
use the $A$/ 7ata $rotection A$/8- A !atabase a!ministrator can !efine a !atabase
master ke+ b+ usin# the followin# L-
%REA2E MAS2ER :E>
<I2; E-%R>32I+- 4> 3ASS<+R/ 7 (GH6;,'dl5RMI&HA8J*Rt@K6-SLM&NOP6(
This ke+ is actuall+ encr+)te! an! store! twice b+ !efault- 2ncr+)tion that uses a
)asswor! an! stora#e in the !atabase is re?uire!- 2ncr+)tion that uses the service
master ke+ an! stora#e in the master !atabase is o)tionalA it is useful to be able to
automaticall+ o)en the !atabase master ke+ without s)ecif+in# the )asswor!- The
service master ke+ an! !atabase master ke+s can be backe! u) an! restore!
se)aratel+ from the rest of the !atabase-
SQL Server &''* can use L to !efine certificates, as+mmetric ke+s, an!
s+mmetric ke+s on a )er,!atabase basis- Certificates an! as+mmetric ke+s consist of
a )rivate ke+<)ublic ke+ )air- The )ublic ke+ can be use! to encr+)t !ata that can be
!ecr+)te! onl+ b+ usin# the )rivate ke+- .r, for the sake of )erformance, the )ublic
ke+ can be use! to encr+)t a hash that can be !ecr+)te! onl+ b+ usin# the )rivate
ke+- 2ncr+)te! checksum #eneration to ensure non,re)u!iation is known as signing-
Alternativel+, the )rivate ke+ can be use! to encr+)t !ata that can be !ecr+)te! b+
the receiver b+ usin# the )ublic ke+- A s+mmetric ke+ consists of a sin#le ke+ that is
use! for encr+)tion an! !ecr+)tion- S+mmetric ke+s are #enerall+ use! for !ata
encr+)tion because the+ are or!ers of ma#nitu!e faster than as+mmetric ke+s for
encr+)tion an! !ecr+)tion- 6owever, !istributin# s+mmetric ke+s can be !ifficult
because both )arties must have the same co)+ of the ke+- /n a!!ition, it is not
)ossible with s+mmetric ke+ encr+)tion to !etermine which user encr+)te! the !ata-
As+mmetric ke+s can be use! to encr+)t an! !ecr+)t !ata but or!inaril+ the+ are
use! to encr+)t an! !ecr+)t s+mmetric ke+sA the s+mmetric ke+s are use! for the
!ata encr+)tion- This is the )referre! wa+ to encr+)t !ata for the best securit+ an!
)erformance- S+mmetric ke+s can also be )rotecte! b+ in!ivi!ual )asswor!s-
SQL Server &''* makes use of an! also can #enerate 3-*'J certificates- A certificate
is sim)l+ an as+mmetric ke+ )air with a!!itional meta!ata, inclu!in# a subject 7the
)erson the ke+ is inten!e! for8, root certificate authorit+ 7who vouches for the
certificateHs authenticit+8, an! e9)iration !ate- SQL Server #enerates self,si#ne!
certificates 7SQL Server itself is the root certificate authorit+8 with a !efault
e9)iration !ate of one +ear- The e9)iration !ate an! subject can be s)ecifie! in the
L statement- SQL Server !oes not use certificate @ne#ative lists@ or the e9)iration
!ate with !ata encr+)tion- A certificate can be backe! u) an! restore! se)aratel+
from the !atabaseA certificates, as+mmetric ke+s, an! s+mmetric ke+s are backe! u)
with the !atabase- A variet+ of block ci)her encr+)tion al#orithms are su))orte!,
inclu!in# 2S, Tri)le 2S, an! A2S 7Rijn!ael8 al#orithms for s+mmetric ke+s an!
RSA for as+mmetric ke+s- A variet+ of ke+ stren#ths are su))orte! for each
al#orithm- Stream ci)her al#orithms, such as RCG are also su))orte! but shoul! ".T
be use! for !ata encr+)tion- Some al#orithms 7such as A2S8 are not su))orte! b+ all
o)eratin# s+stems that can host SQL Server- 4ser,!efine! al#orithms are not
su))orte!- The ke+ al#orithm an! ke+ len#th choice shoul! be )re!icate! on the
sensitivit+ of the !ata-
SQL Server encr+)ts !ata on a cell levelI!ata is s)ecificall+ encr+)te! before it is
store! into a column value an! each row can use a !ifferent encr+)tion ke+ for a
s)ecific column- To use !ata encr+)tion, a column must use the ;ARB/"AR5 !ata
t+)e- The len#th of the column !e)en!s on the encr+)tion al#orithm use! an! the
len#th of the !ata to be encr+)te! 7see Choosin# an 2ncr+)tion Al#orithm in
SQL Server Books .nline8- The 125FC4/ of the ke+ that is use! for encr+)tion is
store! with the column value- When the !ata is !ecr+)te!, this 125FC4/ is checke!
a#ainst all o)en ke+s in the session- The !ata uses initiali:ation vectors 7also known
as salted hashes8- Because of this, it is not )ossible to !etermine if two values are
i!entical b+ lookin# at the encr+)te! value- This means, for e9am)le, that / cannot
!etermine all of the )atients who have a !ia#nosis of 0lu if / know that $atient A has
a !ia#nosis of 0lu- Althou#h this means that !ata is more secure, it also means that
+ou cannot use a column that is encr+)te! b+ usin# the !ata encr+)tion routines in
in!e9es, because !ata values are not com)arable-
ata encr+)tion is becomin# more common)lace with some ven!ors an! in!ustries
7for e9am)le, the )a+ment car! in!ustr+8- 4se !ata encr+)tion onl+ when it is
re?uire! or for ver+ hi#h,value sensitive !ata- /n some cases, encr+)tin# the network
channel or usin# SQL Server )ermissions is a better choice because of the com)le9it+
involve! in mana#in# ke+s an! invokin# encr+)tion<!ecr+)tion routines-
Because unencr+)te! !ata must be store! in memor+ buffers before bein#
transmitte! to clients, it is im)ossible to kee) !ata awa+ from an a!ministrator who
has the abilit+ to !ebu# the )rocess or to )atch the server- %emor+ !um)s can also
be a source of uninten!e! !ata leaka#e- /f s+mmetric ke+s are )rotecte! b+
as+mmetric ke+s an! the as+mmetric ke+s are encr+)te! b+ usin# the !atabase
master ke+, a !atabase a!ministrator coul! im)ersonate a user of encr+)te! !ata
an! access the !ata throu#h the ke+s- /f )rotection from the !atabase a!ministrator
is )referre!, encr+)tion ke+s must be secure! b+ )asswor!s, rather than b+ the
!atabase master ke+- To #uar! a#ainst !ata loss, encr+)tion ke+s that are secure!
b+ )asswor!s must have an associate! !isaster recover+ )olic+ 7offsite stora#e, for
e9am)le8 in case of ke+ loss- 5ou can also re?uire users to s)ecif+ the !atabase
master ke+ b+ !ro))in# encr+)tion of the !atabase master ke+ b+ the instance
master ke+- Remember to back u) the !atabase in or!er to back u) the s+mmetric
ke+s, because there are no s)ecific L statements to back u) s+mmetric an!
as+mmetric ke+s, just as there are s)ecific L statements to back u) certificates,
the !atabase master ke+, an! the service master ke+-
Best practices $or data encryption
2ncr+)t hi#h,value an! sensitive !ata-
4se s+mmetric ke+s to encr+)t !ata, an! as+mmetric ke+s or certificates to
)rotect the s+mmetric ke+s-
$asswor!,)rotect ke+s an! remove master ke+ encr+)tion for the most secure
confi#uration-
Alwa+s back u) the service master ke+, !atabase master ke+s, an! certificates b+
usin# the ke+,s)ecific L statements-
Alwa+s back u) +our !atabase to back u) +our s+mmetric an! as+mmetric ke+s-
Au!itin#
SQL Server &''* su))orts lo#in au!itin#, tri##er,base! au!itin#, an! event au!itin#
b+ usin# a built,in trace facilit+- $asswor! )olic+ com)liance is automaticall+
enforceable throu#h )olic+ in SQL Server &''* for both Win!ows lo#ins an! SQL
lo#ins- Lo#in au!itin# is available b+ usin# an instance,level confi#uration )arameter-
Au!itin# faile! lo#ins is the !efault, but +ou can s)ecif+ to au!it all lo#ins- Althou#h
au!itin# all lo#ins increases overhea!, +ou ma+ be able to !e!uce )atterns of
multi)le faile! lo#ins followe! b+ a successful lo#in, an! use this information to
!etect a )ossible lo#in securit+ breech- Au!itin# is )rovi!e! on a wi!e variet+ of
events inclu!in# A!! atabase 4ser, A!! Lo#in, BCC events, Chan#e $asswor!,
CR events 7Crant<en+<Revoke events8, an! Server $rinci)al /m)ersonation
events- SQL Server &''* S$& also su))orts lo#in tri##ers-
SQL Server &''* intro!uces au!itin# base! on L tri##ers an! event notifications-
5ou can use L tri##ers not onl+ to recor! the occurrence of L, but also to roll
back L statements as )art of the tri##er )rocessin#- Because a L tri##er
e9ecutes s+nchronousl+ 7the L !oes not com)lete until the tri##er is finishe!8,
L tri##ers can )otentiall+ slow !own L, !e)en!in# on the content an! volume
of the co!e- 2vent notifications can be use! to recor! L usa#e information
as+nchronousl+- An event notification is a !atabase object that uses Service Broker
to sen! messa#es to the !estination 7Service Broker,base!8 service of +our choosin#-
L cannot be rolle! back b+ usin# event notifications-
Because the surface area of SQL Server &''* is lar#er than )revious versions, more
au!itin# events are available in SQL Server &''* than in )revious versions- To au!it
securit+ events, use event,base! au!itin#, s)ecificall+ the events in the securit+
au!it event cate#or+ 7liste! in SQL Server Books .nline8- 2vent,base! au!itin# can
be trace,base!, or event notifications,base!- Trace,base! event au!itin# is easier to
confi#ure, but ma+ result in a lar#e event lo#s, if man+ events are trace!- .n the
other han!, event notifications sen! ?ueue! messa#es to Service Broker ?ueues that
are in,!atabase objects- Trace,base! event au!itin# cannot trace all eventsA some
events, such as SQL:StmtCom)lete events, are not available when usin# event
notifications-
There is a W%/ )rovi!er for events that can be use! in conjunction with SQL Server
A#ent alerts- This mechanism )rovi!es imme!iate notification throu#h the Alert
s+stem that a s)ecific event has occurre!- To use the W%/ )rovi!er, select a W%/,
base! alert an! )rovi!e a WQL ?uer+ that )ro!uces the event that +ou want to cause
the alert- WQL ?ueries use the same s+nta9 for namin# as !oes event notifications-
An e9am)le of a WQL ?uer+ that looks for !atabase )rinci)al im)ersonation chan#es
woul! be:
SELE%2 K .R+M AU/I2&/A2A4ASE&3RI-%I3AL&IM3ERS+-A2I+-&EVE-2
SQL Server can be confi#ure! to su))ort au!itin# that is com)liant with
C& certification un!er the Truste! atabase /nter)retation 7T/8 of the Truste!
Com)uter S+stem 2valuation Criteria 7TCS2C8 of the 4nite! States "ational Securit+
A#enc+- This is known as C2 auditing- C& au!itin# is confi#ure! on an instance level
b+ usin# the !2 audit mode confi#uration o)tion in sp6con$i"ure-
When C& au!itin# is enable!, !ata is save! in a lo# file in the ata sub!irector+ in
the !irector+ in which SQL Server is installe!- The initial lo# file si:e for C& au!itin# is
&'' me#ab+tes- When this file is full, another &'' me#ab+tes is allocate!- /f the
volume on which the lo# file is store! runs out of s)ace, SQL Server shuts !own until
sufficient s)ace is available or until the s+stem is manuall+ starte! without au!itin#-
2nsure that there is sufficient s)ace available before enablin# C& au!itin# an! )ut a
)roce!ure in )lace for archivin# the lo# files-
SQL Server &''* S$& allows confi#urin# an o)tion that )rovi!es three elements
re?uire! for Common Criteria com)liance- The Common Criteria re)resents the
outcome of efforts to !evelo) criteria for evaluation of /T securit+ that are wi!el+
useful within the international communit+- /t stems from a number of source criteria:
the e9istin# 2uro)ean, 4S, an! Cana!ian criteria 7/TS2C, TCS2C, an! CTC$2C
res)ectivel+8- The Common Criteria resolves the conce)tual an! technical !ifferences
between the source criteria- The three Common Criteria elements that can be
confi#ure! b+ usin# an instance confi#uration o)tion are:
Resi!ual /nformation $rotection, which overwrites memor+ with a known bit
)attern before it is reallocate! to a new resource-
The abilit+ to view lo#in statistics-
A column,level CRA"T !oes not overri!e table,level 2"5-
5ou can confi#ure an instance to )rovi!e these three elements for Common Criteria
com)liance b+ settin# the confi#uration o)tion common criteria compliance
ena#led as shown in the followin# co!e-
s&con'i#ure (s"ow advanced otions() 1Q
*+
RE%+-.I*UREQ
*+
s&con'i#ure (common criteria comliance ena!led() 1Q
*+
RE%+-.I*UREQ
*+
/n a!!ition to enablin# the Common Criteria o)tions in a SQL Server instance, +ou
can use lo#in tri##ers in SQL Server &''* S$& to limit lo#ins base! u)on time of !a+
or base! on an e9cessive number of e9istin# connections- The abilit+ to limit lo#ins
base! on these criteria is re?uire! for Common Criteria com)liance-
Best practices $or auditin"
Au!itin# is scenario,s)ecific- Balance the nee! for au!itin# with the overhea! of
#eneratin# a!!ition !ata-
Au!it successful lo#ins in a!!ition to unsuccessful lo#ins if +ou store hi#hl+
sensitive !ata-
Au!it L an! s)ecific server events b+ usin# trace events or event notifications-
%L must be au!ite! b+ usin# trace events-
4se W%/ to be alerte! of emer#enc+ events-
2nable C& au!itin# or Common Criteria com)liance onl+ if re?uire!-
%icrosoft Baseline Securit+ Anal+:er an! SQL
Server Best $ractices Anal+:er
%icrosoft Baseline Securit+ Anal+:er 7%BSA8 is a utilit+ that scans for common
insecurities in a SQL Server confi#uration- Run %BSA on a re#ularl+ sche!ule! basis,
either locall+ or across the network- %BSA scans for Win!ows o)eratin# s+stem,
securit+ )rinci)al, network, an! file s+stem insecurities an! tests for
SQL Server &''' an! %S2,s)ecific insecurities, but !oes not incor)orate
SQL Server &''*,s)ecific checks +et- /t will check to see if SQL Server &''* is
)atche! to the latest Service $ack version-
SQL Server &''* Best $ractices Anal+:er &-' CT$ has been release! in conjunction
with Service $ack &- 5ou can !ownloa! it from the %icrosoft ownloa! Center,
SQL Server &''* Best $ractices Anal+:er 70ebruar+ &''( CT$8 )a#e-
SQL Server &''* Best $ractices Anal+:er 7B$A8 #athers !ata from %icrosoft Win!ows
an! SQL Server confi#uration settin#s- Best $ractices Anal+:er uses a )re!efine! list
of SQL Server &''* recommen!ations an! best )ractices to !etermine if there are
)otential securit+ issues in the !atabase environment-
Best practice analysis utilities recommendations
Run B$A a#ainst SQL Server &''*-
Re#ularl+ run %BSA &-' to ensure latest SQL Server &''* )atch level
Re#ularl+ run %BSA &-' for SQL Server &''' instances
$atchin#
The best wa+ to ensure the securit+ of the server software an! to ensure the securit+
of SQL Server &''* is to install securit+ hotfi9es an! service )acks as soon as
)ossible- 4se manual u)!ates on an o)eratin# s+stem basis b+ usin# Win!ows
4)!ate or %icrosoft 4)!ate- 5ou can enable automatic u)!ates usin# Win!ows
4)!ate or %icrosoft 4)!ate as well, but u)!ates shoul! be teste! before the+ are
a))lie! to )ro!uction s+stems- SQL Server &''* incor)orates SQL Server hotfi9es
an! service )acks into Win!ows 4)!ate- All hotfi9es shoul! be installe! imme!iatel+
an! service )acks shoul! be teste! an! installe! as soon as )ossible- This
re?uirement cannot be em)hasi:e! enou#h- 0or su##estions on minimi:in# !owntime
when installin# hotfi9es an! service )acks, see $reventin# Reboots, /nstallin#
%ulti)le 4)!ates, an! %ore on %icrosoft Tech"et-
Best practices $or patchin" SQL Server
Alwa+s sta+ as current as )ossible-
2nable automatic u)!ates whenever feasible but test them before a))l+in# to
)ro!uction s+stems-
Conclusion
Securit+ is a crucial )art of an+ mission,critical a))lication- To im)lement securit+ for
SQL Server &''* in a wa+ that is not )rone to mistakes, securit+ setu) must be
relativel+ eas+ to im)lement- The @correct@ securit+ confi#uration shoul! be the
!efault confi#uration- This )a)er !escribes how it is a strai#htforwar! task to start
from the SQL Server &''* securit+ !efaults an! create a secure !atabase
confi#uration accor!in# to the Trustworth+ Com)utin# /nitiative #ui!elines-
8or more in$ormation
htt):<<www-microsoft-com<technet<)ro!technol<s?l<themes<securit+-ms)9
i! this )a)er hel) +ouP $lease #ive us +our fee!back- .n a scale of B 7)oor8 to *
7e9cellent8, how woul! +ou rate this )a)erP

SQ L 2005 Sec Best Pract

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SQ L 2005 Sec Best Pract

Uploaded by

Copyright:

Available Formats

SQL Server 2005 Security Best Practices -

Operational and Administrative Tasks

You might also like