microsoft sql server 2012 security cookbook


Microsoft SQL Server 2012 Security Cookbook

Over 70 practical, focused recipes to bullet-proof your SQL Server database and protect it from hackers and security threats

Rudi Bruchez

BIRMINGHAM - MUMBAI

www.it-ebooks.info

Copyright © 2012 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: September 2012
Production Reference: 1140912

Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.

ISBN 978-1-84968-588-7

www.packtpub.com

Cover Image by Asher Wishkerman (a.wishkerman@mpic.de)

Credits

Author: Rudi Bruchez
Reviewers: Raunak T Jhawar, Nauzad Kapadia, Allan Mitchell
Acquisition Editor: Dilip Venkatesh
Lead Technical Editor: Susmita Panda
Technical Editors: Arun Nadar, Devdutt Kulkarni, Lubna Shaikh
Copy Editor: Laxmi Subramanian
Project Coordinator: Yashodhan Dere
Proofreader: Aaron Nash
Indexer: Rekha Nair
Graphics: Aditi Gajjar
Production Coordinator: Shantanu Zagade
Cover Work: Shantanu Zagade

About the Author

Rudi Bruchez is an Independent Consultant and Trainer based in Paris, France. He has 15 years of experience with SQL Server. He has worked as a DBA for CNET Channel, a subsidiary of CNET, at the Mediterranean Shipping Company (MSC) headquarters in Geneva, and at Promovacances, an online travel company in Paris. Since 2006, he has been providing consulting and audits as well as SQL Server training. As SQL Server is evolving into a more complex solution, he tries to make sure that developers and administrators keep mastering the fundamentals of the relational database and the SQL language. He has co-authored one of the best-selling books about the SQL language in French, which was published in 2008 and is the only French book about SQL Server optimization. He can be contacted at http://www.babaluga.com/.

About the Reviewers

Raunak T Jhawar is a Computer Engineer by vocation and works as a Business Intelligence and Data Warehousing professional. He is proficient with Microsoft Technologies such as SQL Server Integration Services, SQL Server Analysis Services, and SQL Server Reporting Services. In his spare time, he blogs and also enjoys driving his car.

Nauzad Kapadia is an independent professional and founder of Quartz Systems, and provides training and consulting services for the entire Microsoft .NET and SQL Server stack. Nauzad has over 17 years of industry experience and has been a regular speaker at events such as TechED, DevCon, DevDays, and user group events. Nauzad has been a Microsoft Most Valuable Professional (MVP) for six years on technologies ranging from C# and ASP.NET to SQL Server. Whenever he is not working on his computer, he enjoys rock music, photography, and reading.

Allan Mitchell is the joint owner of Copper Blue Consulting Ltd. in the U.K. He has written books on SSIS in both SQL Server 2005 and SQL Server 2008. He has been a Technical Editor on other books about Replication in SQL Server as well as Master Data Services and DBA duties.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

http://PacktLib.PacktPub.com

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?

  • Fully searchable across every book published by Packt
  • Copy and paste, print and bookmark content
  • On demand and accessible via web browser

Free Access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Instant Updates on New Packt Books

Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.

Table of Contents

Preface 1

Chapter 1: Securing Your Server and Network 7
  Introduction 8
  Choosing an account for running SQL Server 8
  Managing service SIDs 13
  Using a managed service account 15
  Using a virtual service account 19
  Encrypting the session with SSL 20
  Configuring a firewall for SQL Server access 24
  Disabling SQL Server Browser 27
  Stopping unused services 31
  Using Kerberos for authentication 32
  Using extended protection to prevent authentication relay attacks 37
  Using transparent database encryption 39
  Securing linked server access 41
  Configuring endpoint security 44
  Limiting functionalities – xp_cmdshell and OPENROWSET 46

Chapter 2: User Authentication, Authorization, and Security 51
  Introduction 51
  Choosing between Windows and SQL authentication 52
  Creating logins 53
  Protecting your server against brute-force attacks 62
  Limiting administrative permissions of the SA account 66
  Using fixed server roles 68
  Giving granular server privileges 70
  Creating and using user-defined server roles 74
  Creating database users and mapping them to logins 76
  Preventing logins and users to see metadata 81
  Creating a contained database 84
  Correcting user to login mapping errors on restored databases 90

Chapter 3: Protecting the Data 93
  Introduction 93
  Understanding permissions 94
  Assigning column-level permissions 102
  Creating and using database roles 104
  Creating and using application roles 109
  Using schemas for security 111
  Managing object ownership 116
  Protecting data through views and stored procedures 118
  Configuring cross-database security 121
  Managing execution-plan visibility 123
  Using EXECUTE AS to change the user context 124

Chapter 4: Code and Data Encryption 129
  Introduction 129
  Using service and database master keys 131
  Creating and using symmetric encryption keys 135
  Creating and using asymmetric keys 139
  Creating and using certificates 141
  Encrypting data with symmetric keys 146
  Encrypting data with asymmetric keys and certificates 150
  Creating and storing hash values 151
  Signing your data 153
  Authenticating stored procedure by signature 156
  Using module signatures to replace cross-database ownership chaining 161
  Encrypting SQL code objects 163

Chapter 5: Fighting Attacks and Injection 167
  Introduction 167
  Defining Code Access Security for .NET modules 168
  Protecting SQL Server against Denial of Service 172
  Protecting SQL Server against SQL injection 176
  Securing dynamic SQL from injections 183
  Using a SQL firewall or Web Application Firewall 187

Chapter 6: Securing Tools and High Availability 193
  Introduction 193
  Choosing the right account for SQL Agent 194
  Allowing users to create and run their own SQL Agent jobs 196
  Creating SQL Agent proxies 198
  Setting up transport security for Service Broker 201
  Setting up dialog security for Service Broker 208
  Securing replication 212
  Securing SQL Server Database Mirroring and AlwaysOn 216

Chapter 7: Auditing 221
  Introduction 221
  Using the profiler to audit SQL Server access 222
  Using DML trigger for auditing data modification 230
  Using DDL triggers for auditing structure modification 234
  Configuring SQL Server auditing 238
  Auditing and tracing user-configurable events 244
  Configuring and using Common Criteria Compliance 247
  Using System Center Advisor to analyze your instances 251
  Using the SQL Server Best Practice Analyzer 253
  Using Policy Based Management 255

Chapter 8: Securing Business Intelligence 261
  Introduction 261
  Configuring Analysis Services access 262
  Managing Analysis Services HTTP client authentication 265
  Securing Analysis Services access to SQL Server 271
  Using Role-Based Security in Analysis Services 276
  Securing Reporting Services Server 281
  Managing permissions in Reporting Services with roles 285
  Defining access to data sources in Reporting Services 288
  Managing Integration Services password encryption 292

Index 297

[...]

Preface

Microsoft SQL Server is becoming a more mature, more feature-rich, and more secure database management system with each new version. SQL Server 2012 is an enterprise-class relational database server. Sometimes, it might not look like it to the staff whose responsibilities are to deploy it, to create databases and write T-SQL code, and to administer it. Since SQL Server is a Microsoft product, ...

... Firewall, and the SQL Server service accounts.

Chapter 2, User Authentication, Authorization, and Security, covers authentication and authorization at the server and database levels. There is a precise hierarchy of authorization in SQL Server, based on server-level logins, database-level users, database schemas, and server and database users. We will also talk about the new SQL Server 2012 contained databases ...

... have their own security needs. In this chapter, we will cover securing SQL Server Agent, Service Broker, SQL Server Replication, and the mirroring and AlwaysOn functionalities.

Chapter 7, Auditing, is dedicated to keeping track of what happens on your server. You will learn what is available to keep track of what happens on the server and with your data, with triggers, SQL Server Trace, or SQL Server Auditing ...

... stack of SQL Server. These tools have a simpler security model, and this chapter gives enough detail for you to effectively secure SQL Server Analysis Services, Integration Services, and Reporting Services.

What you need for this book

This book covers Microsoft SQL Server 2012. All recipes dealing with interactions with the operating system assume that you are using Windows Server ...

... com/support and register to have the files e-mailed directly to you.

... Here, mssql$sql2012 is the name of the SQL Server service, that is, the service name for the SQL 2012 named instance. The name of the service of a default instance is mssqlserver. Your result should look similar to the following:

  [SC] QueryServiceConfig2 SUCCESS
  SERVICE_NAME: mssqlserver
  SERVICE_SID_TYPE: UNRESTRICTED

The SERVICE_SID_TYPE can have three ...

... tab.

3. If your SQL Server instance is already installed, you can access the service account properties using SQL Server Configuration Manager, found in the Configuration Tools menu under Microsoft SQL Server 2012.

4. In SQL Server Configuration Manager, select the SQL Server Services page, and double-click on the service you want to configure. The Properties dialog box opens ...

... certificate to be seen by SQL Server, it must be installed using the same account that runs the SQL Server service. Or, if the SQL Server service runs under a Windows system account, a managed account, or a virtual account, then you must install the certificate under an account that has administrator privileges on the server.

How to do it

1. Open SQL Server Configuration ...

... want SQL Server to be visible from the outside, then select Public. Click on Next and give a name to the rule, for example, SQL Server.

How it works

The recipe describes how to open the port for the default instance of SQL Server, which is TCP 1433. Named instances use a dynamic port that might change each time the SQL Server service is restarted. This port is communicated to the client by the SQL Server ...

  New-ADServiceAccount -Name SQL-SRV1 -Enabled $true

Here, SQL-SRV1 is the name of the account to be created. If you get an "Access is denied" error, please refer to the How it works... section of this recipe.

4. Now, associate the account with your SQL Server computer:

  Add-ADComputerServiceAccount -Identity SQL1 -ServiceAccount SQL-SRV1

Here, SQL1 is the name of your SQL Server.

5. The managed ...

... specify more options. An example of a more complete command is as follows:

  New-ADServiceAccount -Name SQL-SRV1 -AccountPassword (ConvertTo-SecureString -AsPlainText "MyPassword" -Force) -Enabled $true -Path "CN=Managed Service Accounts,DC=SQLCOOKBOOK,DC=COM" -ServicePrincipalNames "MSSQLSVC/SQLCOOKBOOK-SQL1.SQLCOOKBOOK.COM:1433" -Credential $PSCredential

Access is denied error

You could get an "Access is ...

Posted: 05/05/2014, 11:51
