SQL Server Security. Marek

Transcription

1 SQL Server Security Marek Chmel Lead Database AT&T MVP: Data Platform MCSE: Data Management and Analytics MCT: Regional Lead Certified Ethical Hacker CEHv8

2 Motivation SQL Server is a major part of IT infrastructure SQL Server stores sensitive data Properly securing SQL Server is crucial for application and DBA team

3 Session Agenda Understanding Authentication Modes Server Level Security Database Level Security Security Audit Security Review

4 SQL Security Progress through the time Redefined Engineering security processes 2005 SQL no longer a windows admin 2005 CC EAL4+ for SQL 2005 SP2 T-SQL Encrypt/Decrypt functions 2005 Audit 2008 TDE 2008 EKM 2008 Support for Windows Core 2012 Separation of Duty 2014 Always Encrypted, RLS and more on 2016

5 Organizational Security & Compliance Data Protection Control Access User Defined Server Roles Default Schema for Groups Contained Database Authenticaton AAD Compliance SQL Server Audit w Resilience w User Defined w Filtering 3 rd party verified (Common Criteria)

6 Data Protection Known for the lowest vulnerabilities across major RDBMS Powerful Encryption Technologies AES256 for backups SHA512 for password hashes Built on Advanced Security Infrastructure Built-in cryptography hierarchy Transparent Data encryption Extensible Key Management Sing code modules

7 SQL Server Service Security Overview Startup accounts used to start and run SQL Server can be domain user accounts, local user accounts, managed service accounts, virtual accounts, or built-in system accounts default is virtual account gmsa - Auto managed Virtual account is a local managed account Can access network with credentials of computer account Can Register SPN Cannot be used for clustered instance

8 SPN, Kerberos and Extended Protection When SQL Server starts, it tries to automatically register its SPN with Active Directory. If the SQL Server service account doesn't have the right to do so, the SPN is not created and Kerberos authentication is not possible. SELECT auth_scheme, net_transport, client_net_address FROM sys.dm_exec_connections; Extended Protection for Authentication is providing two mechanisms: service binding and channel binding Service binding requires that the client adds to the authentication request a signed SPN Channel binding establishes a secure channel using Transport Layer Security

9 Games with TLS SQL Server can be configured to support TLS 1.2 from Requirments for TLS patch level Registry Private Key Security

10 DEMO Configuring TLS 1.2

11 SQL Security Framework What Are Principals? What Are Securables? SQL Server Permissions

12 SQL Principals Permissions Securables Principals Windows Windows Group Domain User Account Local User Account SQL Server SQL Server Login Server Role Database User Database Role Application Role

13 What Are Securables? Permissions Securables Windows Principals Windows Group Domain User Account Local User Account Files Registry Keys SQL Server SQL Server Login Server Role Server Database Database User Database Role Application Role Schema

14 SQL Server Permissions Server-Level Permissions Logins Credentials Server-Level Roles Database-Level Permissions Users Schemas Database Level Roles

15 Working with SQL Logins We need to understand the linkage between logins, users, credentials, proxies, linked server logins etc. Two types of logins Windows and SQL SQL Logins have a hashed password stored locally in master DB SQL hashbytes = 0x0200 fourbytesalt SHA512(utf16EncodedPassword+fourByteSalt) SQL 2008R2 and Older hashbytes = 0x0100 fourbytesalt SHA1(utf16EncodedPassword+fourByteSalt)

16 Local System Admins Local Windows Administrator has always access to SQL Server via several ways Up to 2008r2 local system account has SA rights SQL server writer has SA rights

17 SQL Authentication 2 Modes for authentication Windows SQL and Windows Authentication mode configured via SSMS or via registry Changing auth mode requires service restart

18 DEMO SQL SA

19 SQL Single User Mode There are several parameters which can be used to start the SQL Server Startup parameters f and m (single user and minimal configuration) With any of these parameters local windows admins are sysadmins for SQL No logon triggers apply with this configuration

20 DEMO Local System Admin

21 SQL Roles

22 Using SysAdmin for Information Gathering Sysadmin has unlimited access to information stored within SQL server Even while this information is encrypted Interesting sources of information Login PWD Linked Servers Credentials w Encrypted using AES (2012+) or 3DES

23 Locating SQL Server instances MS SQL Server identification, through TCP/UDP port scanning, can be performed with tools such as Nmap, Nessus, SQLping3, OSQL/SQLCMD, MSF s mssql_ping module and PowerUpSQL msf > use auxiliary/scanner/mssql/mssql_ping msf auxiliary(mssql_ping) > set RHOSTS Target_IP_or_CIDR_identifier msf auxiliary(mssql_ping) > run

24 Escalating the priviledge escalating privileges within SQL Server is unauthenticated user / local user / domain user -> SQL login Get-SQLInstanceDomain Invoke-SQLAuditWeakLoginPw

25 DEMO Locating SQL Instances

26 What Are Credentials? Contain windows authentication information Allow SQL Accounts to connect to non-sql resources SQL Logins can only map to one credential Created automatically. Associated with specific endpoints

27 DEMO Credential passwords Linked server passwords

28 Managing Users Create a login Create a database scope user Assign permissions to the user

29 Special Users DBO The sa login and members of sysadmin role are mapped to dbo account Guest This user account allows logins without user accounts to access a database

30 SQL Server Cryptography Architecture

31 When to Use Keys and Certificates When to use Certificates To secure communication in database mirroring To sign packets To encrypt data or connections When to use Keys To help secure data To sign plaintext To secure symmetric keys

32 Auditing Security What Is Auditing? Security Auditing with Profiler Auditing with DDL Triggers Introducing SQL Server Audit SQL Server Audit Action Groups and Actions

33 Auditing with triggers DDL Triggers Prevent certain changes in your database schema You want something to occur in the database in response to a change in your database schema You want to record changes or events in the database schema Start, stop, pause and modify the trace results Replay the trace results Logon Triggers CREATE TRIGGER tr_logon_checkip ON ALL SERVER FOR LOGON

34 Introducing SQL Server Audit SQL Server Auditing Tracks and logs events that occur on the system Can track changes on the server or database level Can be managed with Transact-SQL

35 DEMO SQL Audit

36 Row Level Security Fine-grained access control over specific rows in a database table Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications Administer via SQL Server Management Studio or SQL Server Data Tools Enforcement logic inside the database and schema bound to the table.

37 Benefits of row-level security Fine-grained access control Keeping multi-tenant databases secure by limiting access by other users who share the same tables. Application transparency RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products. Centralized security logic Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity.

38 DEMO Row Level Security

39 Dynamic Data Masking Regulatory Compliance Sensitive Data Protection

40 Minimal Impact on Existing Apps No need to modify existing application queries Complimentary to other data protection features

41 DEMO Dynamic Data Masking

42 Transparent Database Encryption Entire database is protected Applications do not need to explicitly encrypt/decrypt data! No restrictions with indexes or data types (except FILESTREAM) Performance cost is small Backups are unusable without key Can be used with Extensible Key Management

43 Transparent Data Encryption: Mechanism Very simple: Database pages are encrypted before being written to disk Page protection (e.g. checksums) applied after encryption Page protection (e.g. checksums) checked before decryption Database pages are decrypted when read into memory When TDE is enabled, initial encryption of existing pages happens as a background process Similar mechanism for disabling TDE The process can be monitored using the encryption_state column of sys.dm_database_encryption_keys w Encryption state 2 means the background process has not completed w Encryption state 3 means the database is fully encrypted

44 Transparent Data Encryption: Backups A backup of a TDE encrypted database is also encrypted using the database encryption key To restore the backup OR attach the database, the DEK must be available! There is no way around this if you lose the DEK, you lose the ability to restore the backup (that s the point!) Maintain backups of server certificates too

45 DEMO Transparent Data Encyption

46 Always Encrypted Allows customers to store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users incl. rouge admins & hackers.

47 Encryption Types Two types of encryption available Randomized encryption uses a method that encrypts data in a less predictable manner Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value Randomized encryption Encrypt(' ') = 0x17cfd50a Repeat: Encrypt(' ') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt(' ') = 0x85a55d3f Repeat: Encrypt(' ') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by

48 How It Works

49 DEMO Always Encrypted

50 Q&A Marek Chmel MVP: Data Platform MCSE: Data Management and Analytics MCT: Regional Lead CEH