SQL Server provides a hierarchical encryption structure, as shown in the image below:
The top key, the Service Master Key, is encrypted with the Windows Data Protection API (DPAPI). At the database level there is a Database Master Key, which is encrypted with the Service Master Key. Encryption in SQL Server is therefore layered, with each upper layer encrypting the layer below it. Data is encrypted by keys, either symmetric or asymmetric (a public/private key pair), and these keys are in turn encrypted by certificates, which are encrypted by the Database Master Key. Data can also be encrypted directly by certificates, which carry more information than keys, such as the name of the issuing authority, the subject and the expiry date.
Data can be encrypted, and the keys and certificates are stored in the database. But what if the backup file or mdf file gets stolen?
For that there is Transparent Data Encryption (TDE), real-time I/O encryption that uses a certificate and a Database Encryption Key. It encrypts the whole database, so if the backup or mdf file is stolen it cannot be used without the certificate that protects it.
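The hierarchy just described, as an added T-SQL example that is not part of the original document: a Database Master Key protecting a certificate, that certificate protecting a symmetric key used to encrypt a column, and a separate certificate in master protecting the TDE Database Encryption Key. The database name SalesDb, the key and certificate names, the file paths and the passwords are assumed placeholders.

```sql
USE SalesDb;  -- assumed database name
GO
-- Database Master Key: protected by the Service Master Key (DPAPI) and by this password
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
GO
-- Certificate, encrypted by the Database Master Key
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Card number protection';
GO
-- Symmetric key, encrypted by the certificate
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Cards (
    CardId     int IDENTITY PRIMARY KEY,
    CardNumber varbinary(256) NOT NULL   -- ciphertext only, never the clear value
);
GO
-- Encrypt: opening the key walks the hierarchy (certificate -> DMK -> SMK)
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Cards (CardNumber)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'4111111111111111'));  -- constructed test value
CLOSE SYMMETRIC KEY CardKey;
GO
-- Decrypt: DecryptByKey returns NULL if the key is not open in the session
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CardId, CONVERT(nvarchar(20), DecryptByKey(CardNumber)) AS CardNumber FROM dbo.Cards;
CLOSE SYMMETRIC KEY CardKey;
GO
-- TDE: the Database Encryption Key lives in the user database but is protected
-- by a certificate in master, so a stolen mdf or backup is useless without it
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';  -- skip if master already has one
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE protector';
-- Back the certificate up at once and store it off the server; it is required to restore
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-strong-password>');
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 3 means the database is encrypted
SELECT DB_NAME(database_id) AS db, encryption_state FROM sys.dm_database_encryption_keys;
```

The column encryption protects individual values at rest and in backups, while TDE protects the data and log files as a whole; the two are independent and can be combined.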
Auditing
Just applying security is not enough; auditing is also highly significant. SQL Server provides SQL Server Audit for this purpose. SQL Server Audit can automatically track and log events that occur at the server level or the database level. Several server-level and database-level actions can be tracked, including failed login attempts and modifications to the structure of a database or table. These events can then be logged to the Windows event log or to a file on the file system.
Encryption:
These best practices assume the SQL Server will be installed in a production environment requiring some security.
- Encrypt sensitive data. If you can't use TDE in SQL 2008, consider the encryption options in SQL 2005.
  o Credit card data
  o Passwords
  o PII (Personally Identifiable Information)
- Don't write your own encryption algorithms.
  o SQL Server, Windows and .NET provide strong encryption algorithms you can use.
- Do not embed SQL Server logons and passwords in code.
  o .NET code can be easily viewed with tools like Reflector unless obfuscation is used, but obfuscation is often not an option. Embedded logons are also more difficult to change. If you create applications for resale, under no circumstances should you embed logons and require clients to implement those logons on SQL Server. Doing so gives the software provider, and other clients that run the same application, knowledge that can be used for unauthorized access to SQL Server.
  o In September 2010 a researcher exposed a similar problem in OAuth, specifically in the Twitter client for Android.
- Use Windows Authentication for connection strings.
  o Questions to ask about database connection strings:
Windows administrators are responsible for many of the steps taken to secure SQL Servers. Windows administrators should work with SQL Server administrators to:
Network administrators play a vital role in securing servers that are ultimately accessed from the Internet. Security administrators and network administrators should work together to:
Physical Security
- Lock the server room.
  o Require card swipes, PINs, two-factor authentication, etc. for server room access.
- Log every entry to and exit from the server room.
- Maintain a list of people authorized to enter the server room. Review the list occasionally.
- Use video cameras to record activity in the server room.
- Prey is one free tool to assist you in tracking down stolen computers.
  o http://preyproject.com
More to consider
- What, if any, additional security concerns exist for SQL Server Integration Services (SSIS)?
- What, if any, additional security concerns exist for Reporting Server?
- What, if any, additional security concerns exist for SQL Server in SharePoint?
- What, if any, additional security concerns exist for mobile applications?
  o Is data in transit secure?
  o Is data on the devices secure?
- What, if any, additional security concerns exist for data on clusters?
  o Do all the security and auditing features you need work on clustered servers?
- Microsoft SQL Server Compact Edition 4.0
  o A file-based version of SQL Server. No services required. Good for hosting small web sites. A single-user DBMS.
- SQL Server in the cloud (SQL Azure)
  o What new considerations apply to SQL Azure? If industry or government regulations apply to your SQL Server, can they be applied and audited on SQL Server in the cloud?
  o Do you need to keep the data within the continental United States for compliance?
- Brad McGehee is working on a Security Checklist
  o http://www.bradmcgehee.com/2010/09/sql-server-security-checklist/#more-1800
- SQL Server security blogs from Microsoft: http://blogs.msdn.com/sqlsecurity
- SQL Server security newsgroups: http://social.msdn.microsoft.com/forums/en-US/sqlsecurity/threads/