SQL Server: Security and Order
SysAdmin Magazine, № 48, May 2019

Contents
03 6 SQL Server security basics every database admin should know
06 How to implement row and column level security in SQL Server
6 SQL Server security basics every database admin should know

•• Windows Authentication relies on Active Directory (AD) to authenticate users before they connect to SQL Server.

[…] section. Server logins let users establish a connection to a SQL Server instance. Each server login is assigned one or more server roles that enable it to perform specific actions on the […]
3. Database Users, Schema and Roles

When creating a user login, you need to specify the database it will be associated with, a username and a default schema that will be applied to all objects that the user creates if no other schema is specified. SQL Server schemas are collections of objects, like tables and views, logically separated from other database objects, which makes it easier to manage access and means there is no need to use the schema name when running T-SQL commands against a database.

The default schema for user-defined objects is dbo. The other default schema is sys; it owns all system objects.

In the same way that server logins are assigned server roles, user logins are assigned database roles, which assign rights in databases. Server database roles include public, db_accessadmin, db_owner and db_securityadmin.

[…] securables, you could give a server login access to a specific table or function only, a level of granularity that isn’t possible by assigning a role to a login.

Permissions are used to grant access to SQL Server securables. You might grant permission to just view data or just to modify data. The GRANT, DENY and REVOKE T-SQL statements are used for configuring permissions.

However, permissions can be complicated. For example, setting DENY permissions on a securable prevents permission inheritance on lower-level objects. But the column-level GRANT permission overrides DENY at the object level, so a DENY permission set on a table is overridden by a GRANT permission on a column. Because permissions can be complex, it’s always worth checking effective permissions using T-SQL. The following command determines JoeB’s permissions granted on an object, in this case a table called ‘employees’. […]

5. Data Encryption

SQL Server supports multiple encryption options:

•• Secure Sockets Layer (SSL) encrypts traffic as it travels between the server instance and client application, much like internet traffic is secured between browser and server. Additionally, the client can validate the server’s identity using the server’s certificate.

•• Transparent Data Encryption (TDE) encrypts data on disk. More specifically, it encrypts the entire data and log files. Client applications don’t need to be changed when TDE is enabled.

•• Backup Encryption is similar to TDE but encrypts SQL backups instead of the active data and log files.

•• Column/Cell-Level Encryption makes sure that specific data is encrypted in the database and remains so even when it is stored in memory. Data is decrypted using a function and requires changes to client applications to work.
6. Row-Level Security

Row-Level Security (RLS) allows organizations to control who can see rows in a database. For example, you could restrict users to seeing only rows that contain information about their clients.

RLS consists of three main parts: a predicate function, a security predicate and a security policy. The predicate function checks whether the user executing the database query can access a row based on logic. For instance, you could check if the username of the user running the query matches a field in one of the row’s columns. A predicate function and security predicate are defined together in a function to either silently filter the results of a query without raising errors or to block with an error if row access is denied. Finally, a security policy binds the function to a table.
How to implement row and column level security in SQL Server

Jeff Melnick
IT Security Expert, Blogger

SQL Server includes a range of security features. Two of the most valuable are column level security and row level security, which enable you to granularly grant users access to rows and columns in a table. This article explains how to implement these features in your environment.

Before we can dive into row and column security, we need to review some SQL Server security basics. Basically, database […] principal, the actions they are allowed to take are their permissions, and the data on which the actions are performed is a securable — examples of securables include databases, tables, schemas, rows and columns.

Let’s take a look at the permissions that can be applied to securables:

•• SELECT — Principals require this permission to get or read data from the table.
•• INSERT — Principals need this permission to add new rows to a table.
•• UPDATE — Principals need this permission to modify data in a table.
•• DELETE — Principals need this permission to remove rows from a table.
•• REFERENCES — Principals need this permission to create a foreign key to a table if they have no other permissions on the table.

There are two ways to protect columns in SQL Server: column level permissions and column level encryption.

Column Level Permissions

Column level permissions provide a more granular level of security for data in your database. You do not need to execute a separate GRANT or DENY statement for each column; just name them all in a query:

    GRANT SELECT ON data1.table (column1, column2) TO user1;
    GO
    DENY SELECT ON data1.table (column3) TO user1;
    GO

If you execute a DENY statement at table level to a column for a user, and after that you execute a GRANT statement on the same column, the DENY permission is removed and the user can have access to that column. Similarly, if you execute GRANT and then DENY, the DENY permission will be in force.
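The DENY/GRANT ordering described above, and the effective-permissions check that the security-basics article refers to for JoeB's 'employees' table, worked through in T-SQL. This is an added example, not the article's own script; the employees table, its columns and the user JoeB are assumed.

```sql
-- Added example, not the article's code: table-level DENY versus column-level GRANT,
-- verified with fn_my_permissions instead of reasoning about precedence by hand.
-- The employees table, its columns and the user JoeB are assumed.
CREATE TABLE dbo.employees (
    id     int          NOT NULL PRIMARY KEY,
    name   nvarchar(50) NOT NULL,
    salary money        NOT NULL,   -- the column JoeB must not read
    ssn    char(11)     NULL
);
GO
CREATE USER JoeB WITHOUT LOGIN;   -- test principal; no server login required
GO

-- Case 1: DENY on the table first, then GRANT on two columns.
-- The column-level GRANT wins for those columns, so JoeB can read id and name only.
DENY  SELECT ON dbo.employees TO JoeB;
GRANT SELECT ON dbo.employees (id, name) TO JoeB;
GO

EXECUTE AS USER = 'JoeB';
-- Effective permissions as SQL Server sees them for the current principal:
-- one SELECT row per readable column (subentity_name), no table-level SELECT.
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('dbo.employees', 'OBJECT')
ORDER BY subentity_name, permission_name;

-- Yes/no check for single columns (1 = allowed, 0 = denied).
SELECT HAS_PERMS_BY_NAME('dbo.employees', 'OBJECT', 'SELECT', 'name',   'COLUMN') AS can_read_name,
       HAS_PERMS_BY_NAME('dbo.employees', 'OBJECT', 'SELECT', 'salary', 'COLUMN') AS can_read_salary;

-- The same thing observed by a query: reading the denied column fails with a
-- column-level permission error, which the CATCH block reports instead of aborting.
BEGIN TRY
    SELECT salary FROM dbo.employees;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO

-- Case 2: a later DENY on one of the granted columns takes that column away again,
-- the GRANT-then-DENY ordering from the article.
DENY SELECT ON dbo.employees (name) TO JoeB;
GO
EXECUTE AS USER = 'JoeB';
SELECT HAS_PERMS_BY_NAME('dbo.employees', 'OBJECT', 'SELECT', 'name', 'COLUMN') AS can_read_name;
REVERT;
GO
```

Run the check under EXECUTE AS whenever DENY and GRANT are mixed at different levels; the catalog view is what the engine enforces, not the order you remember issuing the statements in.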
Column Level Encryption

Column level encryption is a direct encryption of data in a column. It requires code changes because it can be applied only while programming the database. It is a granular way of encrypting data so only specific columns, or parts of columns, can be encrypted. You can even use different encryption keys for different columns. Column level encryption requires binary columns to store encrypted data. Also, in order to keep your keys safe, you can use SQL permissions to limit access to them to only trusted user accounts.

1. First, we create the database master key to encrypt our symmetric key. This can be done using the CREATE MASTER KEY command and the ENCRYPTION BY PASSWORD argument, which defines the password to encrypt the key:

    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@$$w0rd'
    GO

2. […]

    CREATE CERTIFICATE SelfSignedCertificate WITH SUBJECT = 'Column Encryption';

3. Next, we need to add a column to our table to store encrypted data.

    USE DB;
    GO
    ALTER TABLE Testtable
    ADD EncryptedColumn varbinary(MAX) NULL
    GO

4. […]

5. Once the symmetric key is open, we need to update the table.
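The column-level encryption procedure above carried through end to end, including the symmetric key creation, the OPEN/UPDATE step and the final drop of the plaintext column. This is an added example, not the article's script; the names Testtable, columnwithsensitivedata, EncryptedColumn and SelfSignedCertificate follow the article, while the key name SensitiveDataKey, the user ReportUser and the sample rows are assumed.

```sql
-- Added example, not the article's script: full column-level encryption flow.
-- Assumed names: SensitiveDataKey (symmetric key), ReportUser, the sample rows.
USE DB;
GO
CREATE TABLE dbo.Testtable (
    id int IDENTITY PRIMARY KEY,
    columnwithsensitivedata nvarchar(100) NOT NULL
);
INSERT INTO dbo.Testtable (columnwithsensitivedata)
VALUES (N'4111-1111-1111-1111'), (N'5500-0000-0000-0004');   -- constructed sample data
GO

-- Steps 1 and 2: the database master key protects the certificate's private key,
-- and the certificate protects the symmetric key that actually encrypts the data.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@$$w0rd';
CREATE CERTIFICATE SelfSignedCertificate WITH SUBJECT = 'Column Encryption';
CREATE SYMMETRIC KEY SensitiveDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SelfSignedCertificate;
GO

-- Step 3: a binary column for the ciphertext.
ALTER TABLE dbo.Testtable ADD EncryptedColumn varbinary(MAX) NULL;
GO

-- Steps 4 and 5: open the key for this session, encrypt every row, close it again.
OPEN SYMMETRIC KEY SensitiveDataKey DECRYPTION BY CERTIFICATE SelfSignedCertificate;
UPDATE dbo.Testtable
SET EncryptedColumn = EncryptByKey(Key_GUID('SensitiveDataKey'), columnwithsensitivedata);

-- Round-trip check before dropping anything: each row must decrypt to its original.
SELECT id,
       columnwithsensitivedata,
       CONVERT(nvarchar(100), DecryptByKey(EncryptedColumn)) AS decrypted
FROM dbo.Testtable;
CLOSE SYMMETRIC KEY SensitiveDataKey;
GO

-- Step 6: drop the plaintext column so only ciphertext remains on disk and in memory.
ALTER TABLE dbo.Testtable DROP COLUMN columnwithsensitivedata;
GO

-- Key safety: only a trusted account may open the key. OPEN SYMMETRIC KEY ...
-- DECRYPTION BY CERTIFICATE needs VIEW DEFINITION on the key and CONTROL on the
-- certificate; everyone else gets NULL from DecryptByKey because the key is not open.
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Testtable TO ReportUser;
GRANT VIEW DEFINITION ON SYMMETRIC KEY::SensitiveDataKey TO ReportUser;
GRANT CONTROL ON CERTIFICATE::SelfSignedCertificate TO ReportUser;
GO
```

Back up the certificate with its private key before dropping the plaintext column; once the column is gone, the ciphertext is only as recoverable as the key hierarchy.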
6. The encrypted column has been created; it contains the encrypted data of the columnwithsensitivedata column. To achieve our SQL Server security goal, we should drop the existing plain text columnwithsensitivedata column using the DROP command and retain only the encrypted column.

SQL Server Row Level Security

Row-level security (RLS) allows developers to control user access rights to information on a row by row basis; each user can see only the rows that they have access to. This security feature has a high-level set of permissions because it bypasses existing SQL Server security access lists. It consists of three parts:

•• Predicate function — This is a schema function that regulates whether a user account executing the query has access to the row.

•• Security predicate — A security predicate binds a predicate function to the table. There are two types of security predicates:

    Filter predicate — This limits read operations (SELECT) on the row. This filtering is done silently without any event logs.

    Block predicate — This limits write operations (INSERT) on the row. There are four types of BLOCK predicates: AFTER INSERT, BEFORE UPDATE, AFTER UPDATE and BEFORE DELETE operations.

•• Security policy — This is a collection of security predicates grouped in a single new object.

The logic is simple: A predicate function defines whether to allow or block rows a user can access based on certain parameters, and then the function is applied to a table with a security policy and becomes active. Let’s take a close look at this process:

1. First, we need to create a filter predicate function. For this example, we will allow access to a row for a user if it matches the privilegeuser column of that row or if the user name is ADMIN.

    CREATE FUNCTION dbo.NewPredicateFunction
    ( @privilegeuser AS SYSNAME )
    RETURNS TABLE
    WITH SCHEMABINDING
    AS
    RETURN SELECT 1 AS AccessRight
    WHERE @privilegeuser = USER_NAME() OR
    USER_NAME() = 'ADMIN'
    GO

2. Next, we create a security policy by executing the following script, which adds the predicate function we just created as a filter predicate on our test table.

    CREATE SECURITY POLICY PrivacyPolicy
    ADD FILTER PREDICATE
    dbo.NewPredicateFunction(privilegeuser) ON
    dbo.testtable
    WITH (STATE = ON)

That’s all. Our security policy is active in our SQL database and will allow users to access only their row while allowing the ADMIN account to access all rows.
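The RLS setup above, extended with a block predicate (which the article describes but does not script) and exercised from two test users so the silent filtering and the blocked write are both visible. This is an added example, not the article's code; the table, function and policy names follow the article, while the users alice and bob, the payload column and the sample rows are assumed.

```sql
-- Added example, not the article's script: filter + block predicates under test.
-- Assumed: users alice and bob, the payload column, the sample rows.
CREATE TABLE dbo.testtable (
    id            int          IDENTITY PRIMARY KEY,
    privilegeuser sysname      NOT NULL,   -- row owner, compared with USER_NAME()
    payload       nvarchar(50) NOT NULL
);
INSERT INTO dbo.testtable (privilegeuser, payload)
VALUES ('alice', N'alice row'), ('bob', N'bob row 1'), ('bob', N'bob row 2');   -- constructed
GO
CREATE USER alice WITHOUT LOGIN;
CREATE USER bob   WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.testtable TO alice, bob;
GO

-- Same predicate logic as the article: the row owner or ADMIN may access the row.
CREATE FUNCTION dbo.NewPredicateFunction (@privilegeuser AS sysname)
RETURNS TABLE WITH SCHEMABINDING
AS RETURN SELECT 1 AS AccessRight
          WHERE @privilegeuser = USER_NAME() OR USER_NAME() = 'ADMIN';
GO

-- FILTER hides other users' rows silently (SELECT, and also UPDATE/DELETE targets);
-- BLOCK AFTER INSERT raises an error when a user inserts a row owned by someone else.
CREATE SECURITY POLICY PrivacyPolicy
    ADD FILTER PREDICATE dbo.NewPredicateFunction(privilegeuser) ON dbo.testtable,
    ADD BLOCK  PREDICATE dbo.NewPredicateFunction(privilegeuser) ON dbo.testtable AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- As bob: only bob's rows are visible, and no error tells him others exist.
EXECUTE AS USER = 'bob';
SELECT COUNT(*) AS visible_rows FROM dbo.testtable;
SELECT privilegeuser, payload FROM dbo.testtable;

-- As bob: inserting a row on alice's behalf is rejected by the block predicate.
BEGIN TRY
    INSERT INTO dbo.testtable (privilegeuser, payload) VALUES ('alice', N'forged');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO

-- The policy's state is in the catalog; a policy with is_enabled = 0 filters nothing,
-- so this is the row to watch when auditing RLS.
SELECT name, is_enabled FROM sys.security_policies;
```

Because filtering is silent, a disabled or dropped policy is not visible to applications; monitor sys.security_policies rather than relying on query results to tell you RLS is still on.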
Everything you want to know […] encryption

Russell Smith
Data Security Expert, IT Consultant

Microsoft SQL Server supports 5 different kinds of encryption for protecting data. This article explains each of them and where they should be used.

SSL Transport Encryption

Like websites that secure traffic between browser and server, SQL Server can be configured to use Secure Sockets Layer (SSL) to encrypt traffic as it travels between the server instance and client application. Additionally, the client can validate the server’s identity using the server’s certificate. SSL only protects data as it travels across the network, but, unlike most of the other forms of encryption in SQL Server, SSL is available in all supported versions of SQL Server and in all editions.

Before enabling SSL, you’ll need to install a certificate on the […] up clients so that they trust the certificates that it issues.

SQL Server Transparent Data Encryption (TDE)

Transparent Data Encryption (TDE) in SQL Server protects data at rest by encrypting database data and log files on disk. It works transparently to existing client applications, so they don’t need to be changed when TDE is enabled. TDE uses real-time encryption at the page level. Pages are encrypted before they are written to disk, without increasing the size of your data and log files, and pages are decrypted when read into memory. TDE is available only in Enterprise editions of SQL Server. It also works for Azure SQL Database, Azure SQL Data Warehouse and Parallel Data Warehouse.

SQL Server can generate certificates for use with TDE or you can request a certificate from a CA. If you decide to enable TDE, you must back up the certificate and the private key associated with the certificate. You will need them to restore or attach the database on a different SQL Server. The tempdb system database is also encrypted if you enable TDE on any other SQL Server database. If you disable TDE, you should keep the […]

A SQL database master key (DMK) is a symmetric key that protects the private keys of certificates and asymmetric keys stored in databases. TDE requires a database encryption key (DEK), which is a symmetric key that is protected using a certificate stored in the master database or an asymmetric key protected by Extensible Key Management (EKM), like Microsoft Azure Key Vault. Backup files of TDE-enabled databases are encrypted using the DEK, so during restore operations, the certificate protecting the DEK must be available.

Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption uses one key to encrypt data (the public key) and a different key to decrypt it (the private key). You can use the CREATE CERTIFICATE command to create certificates, and the CREATE SYMMETRIC KEY and CREATE ASYMMETRIC KEY Transact-SQL commands to create database encryption keys.
Backup Encryption

Backup Encryption works like TDE but encrypts SQL backups instead of the active data and log files. Backup Encryption is available in SQL Server 2014 and later. You can specify AES 128, AES 192, AES 256 or Triple DES encryption, and use either a certificate or asymmetric key stored in EKM. Additionally, it is possible to enable TDE and Backup Encryption simultaneously, although you should use different certificates or keys.

Just as with TDE, if you enable Backup Encryption, you must also back up the certificate or key. Backups can also be encrypted when using SQL Server Managed Backup to Microsoft Azure.

It’s worth noting that if you are using a certificate to encrypt backups, you must have the original certificate when restoring data. That means the certificate must have the same thumbprint as when the backup was created.

Column/Cell-Level Encryption

Available in all editions of SQL Server, cell-level encryption can be enabled on columns that contain sensitive data. The data is encrypted on disk and remains encrypted in memory until the DECRYPTBYKEY function is used to decrypt it. Therefore, although the SQL data is encrypted, it is not secure beyond simply using a function in the user context to decrypt it. Additionally, because a function is needed to decrypt the data, client applications must be modified to work with cell-level encryption.

Encryption Key Management

As with TDE, you need to create a master key (DMK) before using cell-level encryption. There are four options for encrypting information using cell-level encryption:

•• You can use a passphrase to encrypt and decrypt the data, but you must encrypt stored procedures and functions; otherwise, the passphrase can be accessed in the metadata.

•• Asymmetric keys provide strong security but can have an impact on performance.

•• Symmetric keys are usually strong enough and provide a good balance between security and performance.

•• Certificates also provide a good balance between security and performance, and they can be associated with a database user.

Always Encrypted

Always Encrypted encrypts sensitive data in client applications without revealing the encryption keys to the database engine, providing separation between data owners and data managers. For example, with Always Encrypted enabled, you can be sure that your database administrators won’t be able to read sensitive data. As the name suggests, data is encrypted at rest and if used in a third-party system, such as Azure.

Always Encrypted can be configured for individual database columns. Two kinds of keys are used: column encryption keys and column master keys. Column encryption keys protect data in a column and column master keys are ‘key-protecting keys’ that encrypt one or more column encryption keys. Column master keys are stored in external trusted key stores, like Azure Key Vault.

The encryption process is transparent to client applications but requires a special driver on client computers. Always Encrypted is available in SQL Server 2016 and later, but only in Enterprise editions. Because of the extra client-side requirements, Always Encrypted is best suited to situations in which separation of data owners and managers is a primary requirement.
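The TDE key hierarchy (DMK, certificate, DEK) from the previous section and the Backup Encryption rules above (separate certificate, backed-up private key, matching thumbprint on restore) in one T-SQL walk-through. This is an added example, not the article's code; the database name SalesDB, the certificate names, the file paths and the passwords are assumed placeholders.

```sql
-- Added example, not the article's script: TDE plus an encrypted backup with a
-- second certificate, and the catalog checks that show both in effect.
-- Assumed: SalesDB, TdeCert, BackupCert, file paths, placeholder passwords.
USE master;
GO
-- The DMK in master protects the private keys of the certificates below
-- (skip CREATE MASTER KEY if this instance already has one in master).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE TdeCert    WITH SUBJECT = 'TDE certificate';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO

-- Back up both certificates WITH their private keys before relying on them;
-- without these files the database cannot be restored or attached elsewhere.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk', ENCRYPTION BY PASSWORD = '<pvk password>');
BACKUP CERTIFICATE BackupCert TO FILE = 'C:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\BackupCert.pvk', ENCRYPTION BY PASSWORD = '<pvk password>');
GO

-- TDE: the DEK lives inside the user database and is protected by the server certificate.
USE SalesDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- encryption_state 3 = encrypted. tempdb appears here too once any user database
-- is encrypted, as the article notes; encryptor_thumbprint identifies the certificate.
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;

-- Backup Encryption uses the second certificate, independent of the TDE one.
BACKUP DATABASE SalesDB TO DISK = 'C:\backups\SalesDB.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert), FORMAT;
GO

-- The backup header records the thumbprint of the certificate the restoring server
-- must hold; compare EncryptorThumbprint with sys.certificates there before a RESTORE.
RESTORE HEADERONLY FROM DISK = 'C:\backups\SalesDB.bak';
SELECT name, thumbprint FROM sys.certificates WHERE name IN ('TdeCert', 'BackupCert');

-- On the restoring server (after creating its own DMK in master), re-create the
-- certificate from the backed-up files; the thumbprint is preserved, so the restore works.
USE master;
CREATE CERTIFICATE BackupCert FROM FILE = 'C:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\BackupCert.pvk', DECRYPTION BY PASSWORD = '<pvk password>');
```

Store the .cer/.pvk files and their passwords outside the server that holds the database; a TDE certificate that only exists on the encrypted instance protects nothing once that instance is lost.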
How to enable […]

[…]
•• SQL Trace
•• Extended Events

Common Criteria Compliance is a newer standard that supersedes C2 auditing. It was developed by the European Union and can be enabled in Enterprise and Datacenter […]
Figure 1. Configuring access auditing

6. Check Enable C2 audit tracing under Options.

7. If you want to enable C2 Common Criteria Compliance auditing, check Enable Common Criteria compliance.

Common Criteria (CC) Compliance is a flexible standard that can be implemented with different Evaluation Assurance Levels (EALs), from 1 to 7. Higher EALs have a more demanding verification process. When you check Enable Common Criteria compliance in SQL Server, you are enabling CC Compliance EAL1. It is possible to configure SQL Server manually for EAL4+.

Enabling CC Compliance changes SQL Server behavior. For example, table-level DENY permissions will take precedence over column-level GRANTs, and both successful and failed logins will be audited. In addition, Residual Information Protection (RIP) is enabled, which over-writes memory allocations with a pattern of bits before they are used by a new resource.

8. Click OK.

9. Based on the selected options, you might be prompted to restart SQL Server. If you get this message, click OK in the warning dialog. If you enabled C2 Common Criteria Compliance, reboot the server. Otherwise, right-click your SQL Server instance in Object Explorer again and select Restart from the menu. In the warning dialog, click Yes to confirm that you want to restart SQL Server.

Enabling SQL Server Audit

SQL Server auditing can be enabled instead of C2 auditing; you can also choose to enable both. SQL Server Audit objects can be configured to collect events at the server level or the SQL Server database level.

Create Server Audit Object

Let’s create a server-level SQL Server audit object:

1. In the Object Explorer panel on the left, expand Security.

2. Right-click Audits and select New Audit… from the menu. This will create a new SQL Server Audit object for server-level auditing.

3. In the Create Audit window, give the audit settings a name in the Audit name field.

4. Specify what should happen if SQL Server auditing fails using the On Audit Log Failure option. You can choose Continue or choose to shut down the server or stop database operations that are audited. If you select Fail operation, database operations that are not audited will continue to work.
Figure 2. Creating a server-level SQL Server audit object

5. In the Audit destination dropdown menu, you can choose to write the SQL audit trail to a file or to audit events in the Windows Security log or Application event log. If you choose a file, you must specify a path for the file.

Note that if you want to write to the Windows Security event log, SQL Server will need to be given permission. For […]

6. Click OK.

Create Database Audit Object

To create a SQL Server audit object for database-level auditing, the process is a little different and you need to create at least one server-level audit object first.

1. Expand Databases in Object Explorer and expand the database on which you want to configure auditing.

2. Expand the Security folder, right click Database Audit Specifications and select New Database Audit Specification… from the menu.

3. In the Properties window under Actions, use the dropdown menus to configure one or more audit action types, selecting the statements you want to audit (such as DELETE or INSERT), the object class on which the action is performed, and so on.

4. When you’re done, click OK and then enable the audit object by right-clicking it and selecting Enable Database Audit Specification.
SQL Server

1. In SQL Server Management Studio, in the Object Explorer panel, expand Security and Audit.

[…]

4. At the top of Log File Viewer, you can click Filter to customize which log entries are displayed. SQL Server file logs are saved in .sqlaudit format and are not readable, so Log File Viewer allows you to click Export to save logs to a comma-delimited .log file format.
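The same audit configuration the SSMS steps above build, expressed in T-SQL so it can be scripted and reviewed: a server audit writing to a file with the On Audit Log Failure behaviour set, a server audit specification for logins, a database audit specification for INSERT/DELETE on one table, and a query that reads the binary .sqlaudit files without Log File Viewer. This is an added example, not the article's script; the audit names, the file path, the database SalesDB and the table dbo.Orders are assumed.

```sql
-- Added example, not the article's script: scripted equivalent of the SSMS audit steps.
-- Assumed: audit/specification names, C:\audit\, SalesDB, dbo.Orders.
USE master;
GO
-- Server audit object (steps 1-6): file destination, and FAIL_OPERATION as the
-- On Audit Log Failure choice, so audited statements fail if the audit cannot write.
CREATE SERVER AUDIT SqlAuditToFile
    TO FILE (FILEPATH = 'C:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT SqlAuditToFile WITH (STATE = ON);
GO

-- Server-level specification: successful and failed logins.
CREATE SERVER AUDIT SPECIFICATION LoginAudit
    FOR SERVER AUDIT SqlAuditToFile
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO

-- Database-level specification: requires the server audit object first, as the article says.
USE SalesDB;
CREATE TABLE dbo.Orders (id int IDENTITY PRIMARY KEY, customer nvarchar(50), amount money);
GO
CREATE DATABASE AUDIT SPECIFICATION OrdersChangeAudit
    FOR SERVER AUDIT SqlAuditToFile
    ADD (INSERT, DELETE ON OBJECT::dbo.Orders BY public)   -- BY public = every principal
    WITH (STATE = ON);
GO

-- Produce a couple of audited events (constructed test rows).
INSERT INTO dbo.Orders (customer, amount) VALUES (N'test', 1.00);
DELETE FROM dbo.Orders WHERE customer = N'test';
GO

-- .sqlaudit files are binary; sys.fn_get_audit_file reads them directly, so the
-- audit trail can be queried or shipped to a SIEM without the Export button.
-- action_id values: IN = insert, DL = delete, LGIS/LGIF = login succeeded/failed.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('IN', 'DL', 'LGIS', 'LGIF')
ORDER BY event_time DESC;

-- C2 audit tracing (step 6) and Common Criteria compliance (step 7) are instance
-- options rather than audit objects; both take effect only after a restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'c2 audit mode', 1;
EXEC sp_configure 'common criteria compliance enabled', 1;
RECONFIGURE;
```

Keep the audit file path on a volume the SQL Server service account can write to but ordinary database users cannot, otherwise the trail can be tampered with by the principals it records.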