SlideShare a Scribd company logo

Sql Server 2008 Security Enhanments

Eduardo Castro
Eduardo Castro

In this presentation we review the security enhancements in SQL Server 2008.

1 of 37
Ing. Eduardo Castro, Phd ecastro@mswindowscr.org http://comunidadwindows.org http://ecastrom.blogspot.com
Transparent Data Encryption Visual Entity Designer Backup Compression External Key Management Entity Aware Adapters MERGE SQL Statement Data Auditing SQL Server Change Tracking Data Profiling Pluggable CPU Synchronized Programming Model Star Join Transparent Client Redirect for Visual Studio Support Enterprise Reporting Database Mirroring SQL Server Conflict Detection Engine Database Mirroring Enhancements FILESTREAM data type Internet Report DBM: Auto Page Repair Integrated Full -Text Search Deployment Declarative Management Sparse Columns Block Computations Framework Large User-Defined Types Scale-out Analysis Server Group Management Date / Time Data Types BI Platform Management Streamlined Installation LOCATION data type Export to Word and Excel Enterprise System Management SPATIAL data type Author reports in Word, Performance Data Collection Excel Virtual Earth Integration System Analysis Report Builder Partitioned Table Parallelism Enhancements Data Compression Query Optimizations TABLIX Query Optimization Modes Persistent Lookups Rich Formatted Data Resource Governor Change Data Capture Personalized Entity Data Model Perspectives LINQ … and many more
Transparent data encryption – encrypt an entire database Backup encryption – compresses and secures the backup file Auditing – now monitors data access and modifications Policy-based Framework from Windows Server 2008 automates administrative tasks
Enterprise Data Platform Protect your information Transparent Data Encryption Encrypt your data without requiring an application re-write External Key Management Consolidate security keys within the data center Data Auditing Integrated auditing support Increase the reliability of your Pluggable CPU applications Add system resources without affecting your users Enhanced Database Mirroring Leverage database mirroring to increase reliability
In SQL Server 2000, 3rd party support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management
Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005
SQL Server 2005 − Built-in encryption functions − Key management in SQL Server − Encrypted File System (EFS) − Bit-Locker SQL Server 2008 − Extensible Key Management (EKM) − Transparent Data Encryption (TDE)
Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo − Grant required perms to normal login Never use the dbo schema − User-schema separation Applications should have own schema − Consider multiple schemas Leverage Flexible Database Roles − Facilitates role separation Consider Auditing user activity
Key storage, HSM management and encryption done by HSM module SQL EKM Provider DLL SQL EKM key is a proxy to HSM key SQL EKM Key SQL EKM Provider DLL (HSM key proxy) implements SQLEKM Data interface, calls into SQL Server HSM module
Security Data and keys are physically separated (keys are stored in HSM modules) Centralized key management and storage for enterprise Additional authentication layer Separation of duties between db_owner and data owner Performance Pluggable hardware encryption boards
HSM Symmetric key Asymmetric key EKM Symmetric key EKM Asymmetric key SQL Server Data Data Native TDE DEK key Symmetric key
Encryption/decryption SQL Server 2008 at database level DEK DEK is encrypted with: − Certificate − Key residing in a Hardware Security Encrypted data page Module (HSM) Client Application Certificate required to attach database files or restore a backup
Operating System Level Data Protection API (DPAPI) DPAPI encrypts Service Master Key SQL Server 2008 Instance Level Service Master Key Service Master Key encrypts Database Master Key SQL Server 2008 Master Database Database Master Key Password Database Master Key Certificate encrypts Certificate In Master Database SQL Server 2008 Master Database Certificate encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database
Asymmetric Key resides on Hardware Security Module (HSM) the EKM device Asymmetric Key Asymmetric Key encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database
Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only
Operational Impact Storage replication at hardware level Background task to encrypt all pages At HW level, all pages get changed, i.e. all pages need to be replicated Need to test if your hardware replication can handle this throughput When using Database Mirroring or Log Shipping, Ensure that the mirror server has the master key and certificate as well Bottleneck isn’t throughput of pages Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity Possible Failover Issues Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up. May want to consider disabling HA and perform resynchronization of your HA configuration
SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit
File Security Event Log Audit Application Event Log File 0..1 system 0..1 Server audit specification DB audit specification per Audit object per database per Audit object Server Audit Database Audit Specification Components Database Audit Database Components Database Audit Components Audit Server Audit Action Specification Server Audit Action Server Audit Action Server Audit Action Database Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action CREATE SERVER AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION SvrAC AuditAC TO SERVER AUDIT PCI_Audit TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); ADD (SELECT ON Customers BY public) 18
Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)
Centralizing audit logs and reporting DB Servers Process Audit Information Use SSIS to process SQL2008 audit log data and store in its own SQL database. SSIS DB Server Transfer Logs SQL Audit DB Server File Server SQL 2008 DB Server o rts ep teR n era Ge SSRS 2008 Compliance Reports
Enterprise Data Platform Spend less time on ongoing operations Declarative Management Framework Manage via policies instead of scripts Define Enterprise wide data management policies Server Group Management Automated monitoring and enforcement of policies Simplify your installation and configuration Streamlined Installation Integrated with your enterprise system management Enterprise System Define Policies that are compliant with Management System Definition Model Manage your data and system infrastructure with Microsoft System Center
Facets Conditions Policies Targets Categories
• Provide auditors with assurance that SQL Server Compliance complies with all security and business guidelines • Complement All Actions Audited • Ensure peak performance Consistency • High levels of security & reliability • Drive strategic management initiative to control Costs costs • More efficient and proactive management
Defines the evaluation mode, target filters, and schedule of the conditions. Policy Specifies a set of allowed states of a managed target with regard to a facet Condition Set of related logical properties Facet
Server Restriction Category Policy Target Evaluation Mode
On Demand On Schedule • Evaluate a policy when specified by user • SQL Server 2008 only • Available through SSMS or Windows • SQL Server Agent job periodically PowerShell™ evaluates a policy • Option to force certain conditions to comply with policy • Supports down-level evaluation (depends on properties exposed) Evaluation modes On Change: Prevent On Change: Log Only • SQL Server 2008 only • SQL Server 2008 only • DDL triggers prevent policy violations • Event notification evaluates a policy when a relevant change is made
Windows PowerShell™ is a framework and runtime for executing management commands Cmdlets are instances of .NET classes that process input objects from the pipeline SQL Server Provider for Windows PowerShell™ encompasses SMO Invoke-PolicyEvaluation –Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1 Invoke-SQLCMD –Query ”SELECT name FROM sys.Databases;” –ServerInstance “MyServerInstance”
Bringing It All Together policy results policy results policy results policy results policy results policy results
Bringing It All Together policy results policy results policy results policy results policy results policy results
Logically group instances based on business function(s) Centrally publish policies to groups of SQL Server 2008 instances Evaluate policies on-demand against a group of servers Filter by logical groups in Windows PowerShell™ scripts
Add Intelligence to Policies Place each policy in a category Define server restrictions for versions and editions where appropriate
Create Custom Server Groups in the CMS Run specific policies against a list of servers Examples: Production, Development, PCI Define Concurrent Jobs Define multiple concurrent executions based on Policy Category and/or logical Central Management Server group
Real-Time Enforcement and Reporting Monitor the event log through Alerting integration Advanced functionality and integration with SSMS Dependency, health states, subscriptions, history Scale Security Access to other rich features in SQL Server 2008
policy results policy results policy results syspolicy_policy_execution_history policy results syspolicy_policy_execution_history_details
Dynamic Development  Access your data from anywhere SQL Server Change Tracking  Store your data locally while disconnected from server  Synchronize Incremental changes Synchronized Programming between client and server Model  Detect conflicts during synchronization including deletes Visual Studio Support  Add disconnected scenarios without re-writing existing applications SQL Server Conflict Detection
Enterprise Policy Management Framework http://www.codeplex.com/EPMFramework Policy Based Management Blog http://blogs.msdn.com/sqlpbm/default.aspx
To learn more about the Windows PowerShell™ scripting Language http://www.microsoft.com/downloads/details.aspx?FamilyID=b4720b0 0-9a66-430f-bd56-ec48bfca154f&DisplayLang=en Windows PowerShell™ Blog http://blogs.msdn.com/powershell/ SQL Server PowerShell Overview http://msdn.microsoft.com/en-us/library/cc281954.aspx

Recommended

Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheet
Klaudiia Jacome
 
11 necto installation_ready
11 necto installation_ready11 necto installation_ready
11 necto installation_ready
www.panorama.com
 
SQLCAT - Data and Admin Security
SQLCAT - Data and Admin SecuritySQLCAT - Data and Admin Security
SQLCAT - Data and Admin Security
Denny Lee
 
Building applications using sql azure
Building applications using sql azureBuilding applications using sql azure
Building applications using sql azure
pedrojcj
 
Sql Server 2012
Sql Server 2012Sql Server 2012
Sql Server 2012
Performics.Convonix
 
Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2
MICTT Palma
 
SQL Sevrer 2008 R2 Overview
SQL Sevrer 2008 R2 OverviewSQL Sevrer 2008 R2 Overview
SQL Sevrer 2008 R2 Overview
Mark Kromer
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
Marco Alamanni
 

Recommended

Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheet
Klaudiia Jacome
 
11 necto installation_ready
11 necto installation_ready11 necto installation_ready
11 necto installation_ready
www.panorama.com
 
SQLCAT - Data and Admin Security
SQLCAT - Data and Admin SecuritySQLCAT - Data and Admin Security
SQLCAT - Data and Admin Security
Denny Lee
 
Building applications using sql azure
Building applications using sql azureBuilding applications using sql azure
Building applications using sql azure
pedrojcj
 
Sql Server 2012
Sql Server 2012Sql Server 2012
Sql Server 2012
Performics.Convonix
 
Ad ds ws2008 r2
Ad ds ws2008 r2Ad ds ws2008 r2
Ad ds ws2008 r2
MICTT Palma
 
SQL Sevrer 2008 R2 Overview
SQL Sevrer 2008 R2 OverviewSQL Sevrer 2008 R2 Overview
SQL Sevrer 2008 R2 Overview
Mark Kromer
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
Marco Alamanni
 
Sql server 2012 roadshow masd overview 003
Sql server 2012 roadshow masd overview 003Sql server 2012 roadshow masd overview 003
Sql server 2012 roadshow masd overview 003
Mark Kromer
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
01 qmds2005 session01
01 qmds2005 session0101 qmds2005 session01
01 qmds2005 session01
Niit Care
 
Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 ppt
Raj Solanki
 
Unit 05: Physical Architecture Design
Unit 05: Physical Architecture DesignUnit 05: Physical Architecture Design
Unit 05: Physical Architecture Design
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
SANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBASANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBA
Sankar Sahu
 
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and CitrixCTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
Spiffy
 
WINDOWS SERVER 2008
WINDOWS SERVER 2008WINDOWS SERVER 2008
WINDOWS SERVER 2008
Tawose Olamide Timothy
 
SQL Server R2 Sunumu
SQL Server R2 SunumuSQL Server R2 Sunumu
SQL Server R2 Sunumu
ÇözümPARK
 
Sql azure data services OData
Sql azure data services ODataSql azure data services OData
Sql azure data services OData
Eduardo Castro
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudKoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
Tobias Koprowski
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
webhostingguy
 
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Principled Technologies
 
お手軽に使おう Alibaba Cloud - OSS 編 -
お手軽に使おう Alibaba Cloud - OSS 編 -お手軽に使おう Alibaba Cloud - OSS 編 -
お手軽に使おう Alibaba Cloud - OSS 編 -
Naoya Nakazawa
 
Unit 07: Design Patterns and Frameworks (2/3)
Unit 07: Design Patterns and Frameworks (2/3)Unit 07: Design Patterns and Frameworks (2/3)
Unit 07: Design Patterns and Frameworks (2/3)
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
Microsoft SQL Server Distributing Data with R2 Bertucci
Microsoft SQL Server Distributing Data with R2 BertucciMicrosoft SQL Server Distributing Data with R2 Bertucci
Microsoft SQL Server Distributing Data with R2 Bertucci
Mark Ginnebaugh
 
What's new in SQL Server 2012 for philly code camp 2012.1
What's new in SQL Server 2012 for philly code camp 2012.1What's new in SQL Server 2012 for philly code camp 2012.1
What's new in SQL Server 2012 for philly code camp 2012.1
Mark Kromer
 
Vskills certified enterprise applications integration specialist with micros...
Vskills certified enterprise applications integration specialist with micros...Vskills certified enterprise applications integration specialist with micros...
Vskills certified enterprise applications integration specialist with micros...
Vskills
 
End-to-End Integrated Management with System Center 2012
End-to-End Integrated Management with System Center 2012End-to-End Integrated Management with System Center 2012
End-to-End Integrated Management with System Center 2012
wwwally
 
The Art & Sience of Optimization
The Art & Sience of OptimizationThe Art & Sience of Optimization
The Art & Sience of Optimization
Hertzel Karbasi
 
TechEd 2011 | Microsoft SQL Server Private Cloud
TechEd 2011 | Microsoft SQL Server Private CloudTechEd 2011 | Microsoft SQL Server Private Cloud
TechEd 2011 | Microsoft SQL Server Private Cloud
sqlserver1
 
SQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud FeaturesSQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud Features
Guillermo Caicedo
 

More Related Content

What's hot

Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
webhostingguy
 
01 qmds2005 session01
01 qmds2005 session0101 qmds2005 session01
01 qmds2005 session01
Niit Care
 
SANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBASANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBA
Sankar Sahu
 
SQL Server R2 Sunumu
SQL Server R2 SunumuSQL Server R2 Sunumu
SQL Server R2 Sunumu
ÇözümPARK
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudKoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
Tobias Koprowski
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
webhostingguy
 
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Principled Technologies
 
The Art & Sience of Optimization
The Art & Sience of OptimizationThe Art & Sience of Optimization
The Art & Sience of Optimization
Hertzel Karbasi
 

What's hot (20)

Sql server 2012 roadshow masd overview 003
Sql server 2012 roadshow masd overview 003Sql server 2012 roadshow masd overview 003
Sql server 2012 roadshow masd overview 003
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
01 qmds2005 session01
01 qmds2005 session0101 qmds2005 session01
01 qmds2005 session01
 
Server 2008 r2 ppt
Server 2008 r2 pptServer 2008 r2 ppt
Server 2008 r2 ppt
 
Unit 05: Physical Architecture Design
Unit 05: Physical Architecture DesignUnit 05: Physical Architecture Design
Unit 05: Physical Architecture Design
 
SANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBASANKAR_PRASAD_SAHU_SQL_DBA
SANKAR_PRASAD_SAHU_SQL_DBA
 
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and CitrixCTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
CTU June 2011 - Enterprise Desktop Virtualisation with Microsoft and Citrix
 
WINDOWS SERVER 2008
WINDOWS SERVER 2008WINDOWS SERVER 2008
WINDOWS SERVER 2008
 
SQL Server R2 Sunumu
SQL Server R2 SunumuSQL Server R2 Sunumu
SQL Server R2 Sunumu
 
Sql azure data services OData
Sql azure data services ODataSql azure data services OData
Sql azure data services OData
 
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloudKoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
KoprowskiT_SQLSat230_Rheinland_SQLAzure-fromPlantoBackuptoCloud
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
 
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
 
お手軽に使おう Alibaba Cloud - OSS 編 -
お手軽に使おう Alibaba Cloud - OSS 編 -お手軽に使おう Alibaba Cloud - OSS 編 -
お手軽に使おう Alibaba Cloud - OSS 編 -
 
Unit 07: Design Patterns and Frameworks (2/3)
Unit 07: Design Patterns and Frameworks (2/3)Unit 07: Design Patterns and Frameworks (2/3)
Unit 07: Design Patterns and Frameworks (2/3)
 
Microsoft SQL Server Distributing Data with R2 Bertucci
Microsoft SQL Server Distributing Data with R2 BertucciMicrosoft SQL Server Distributing Data with R2 Bertucci
Microsoft SQL Server Distributing Data with R2 Bertucci
 
What's new in SQL Server 2012 for philly code camp 2012.1
What's new in SQL Server 2012 for philly code camp 2012.1What's new in SQL Server 2012 for philly code camp 2012.1
What's new in SQL Server 2012 for philly code camp 2012.1
 
Vskills certified enterprise applications integration specialist with micros...
Vskills certified enterprise applications integration specialist with micros...Vskills certified enterprise applications integration specialist with micros...
Vskills certified enterprise applications integration specialist with micros...
 
End-to-End Integrated Management with System Center 2012
End-to-End Integrated Management with System Center 2012End-to-End Integrated Management with System Center 2012
End-to-End Integrated Management with System Center 2012
 
The Art & Sience of Optimization
The Art & Sience of OptimizationThe Art & Sience of Optimization
The Art & Sience of Optimization
 

Viewers also liked

SQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud FeaturesSQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud Features
Guillermo Caicedo
 
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
Microsoft Private Cloud
 
SQL Server Security
SQL Server SecuritySQL Server Security
SQL Server Security
sunitkanyan
 
Microsoft SQL Server internals & architecture
Microsoft SQL Server internals & architectureMicrosoft SQL Server internals & architecture
Microsoft SQL Server internals & architecture
Kevin Kline
 

Viewers also liked (11)

TechEd 2011 | Microsoft SQL Server Private Cloud
TechEd 2011 | Microsoft SQL Server Private CloudTechEd 2011 | Microsoft SQL Server Private Cloud
TechEd 2011 | Microsoft SQL Server Private Cloud
 
SQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud FeaturesSQL Server 2014 Hybrid Cloud Features
SQL Server 2014 Hybrid Cloud Features
 
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
Microsoft India - Total Economic Impact of Microsoft SQL Server 2008 Upgrade ...
 
Sql Server Security
Sql Server SecuritySql Server Security
Sql Server Security
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
 
SQL Server Security And Encryption
SQL Server Security And EncryptionSQL Server Security And Encryption
SQL Server Security And Encryption
 
SQL Server Security
SQL Server SecuritySQL Server Security
SQL Server Security
 
Sql Server 2014 In Memory
Sql Server 2014 In MemorySql Server 2014 In Memory
Sql Server 2014 In Memory
 
Transparent Data Encryption
Transparent Data EncryptionTransparent Data Encryption
Transparent Data Encryption
 
Using In-Memory Encrypted Databases on the Cloud
Using In-Memory Encrypted Databases on the CloudUsing In-Memory Encrypted Databases on the Cloud
Using In-Memory Encrypted Databases on the Cloud
 
Microsoft SQL Server internals & architecture
Microsoft SQL Server internals & architectureMicrosoft SQL Server internals & architecture
Microsoft SQL Server internals & architecture
 

Similar to Sql Server 2008 Security Enhanments

SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint SecuritySPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
Michael Noel
 
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Michael Noel
 
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
Michael Noel
 
SQL Server 2008 Security Overview
SQL Server 2008 Security OverviewSQL Server 2008 Security Overview
SQL Server 2008 Security Overview
ukdpe
 
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael NoelSPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
Michael Noel
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
Michael Noel
 
Transparent Data Encryption for SharePoint Content Databases
Transparent Data Encryption for SharePoint Content DatabasesTransparent Data Encryption for SharePoint Content Databases
Transparent Data Encryption for SharePoint Content Databases
Michael Noel
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
Tobias Koprowski
 
SQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi CohnSQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi Cohn
sqlserver.co.il
 
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
Michael Noel
 

Similar to Sql Server 2008 Security Enhanments (20)

SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint SecuritySPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
 
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
 
SQL Server 2008 Highlights
SQL Server 2008 HighlightsSQL Server 2008 Highlights
SQL Server 2008 Highlights
 
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
 
Day2
Day2Day2
Day2
 
SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012SharePoint Security in an Insecure World - AUSPC 2012
SharePoint Security in an Insecure World - AUSPC 2012
 
SQL Server 2008 Security Overview
SQL Server 2008 Security OverviewSQL Server 2008 Security Overview
SQL Server 2008 Security Overview
 
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael NoelSPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
 
Where should I be encrypting my data?
Where should I be encrypting my data? Where should I be encrypting my data?
Where should I be encrypting my data?
 
Transparent Data Encryption for SharePoint Content Databases
Transparent Data Encryption for SharePoint Content DatabasesTransparent Data Encryption for SharePoint Content Databases
Transparent Data Encryption for SharePoint Content Databases
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
 
SQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi CohnSQL Server Encryption - Adi Cohn
SQL Server Encryption - Adi Cohn
 
Seguridad en SQL Server 2012
Seguridad en SQL Server 2012Seguridad en SQL Server 2012
Seguridad en SQL Server 2012
 
The Evolution of SQL Server as a Service - SQL Azure Managed Instance
The Evolution of SQL Server as a Service - SQL Azure Managed InstanceThe Evolution of SQL Server as a Service - SQL Azure Managed Instance
The Evolution of SQL Server as a Service - SQL Azure Managed Instance
 
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
Protecting Your SharePoint Content Databases using SQL Transparent Data Encry...
 
benefits of SQL Server 2008 R2 Enterprise Edition
benefits of SQL Server 2008 R2 Enterprise Editionbenefits of SQL Server 2008 R2 Enterprise Edition
benefits of SQL Server 2008 R2 Enterprise Edition
 
Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016Organizational compliance and security in Microsoft SQL 2012-2016
Organizational compliance and security in Microsoft SQL 2012-2016
 
Sql Server 2016 Always Encrypted
Sql Server 2016 Always EncryptedSql Server 2016 Always Encrypted
Sql Server 2016 Always Encrypted
 

More from Eduardo Castro

More from Eduardo Castro (20)

Introducción a polybase en SQL Server
Introducción a polybase en SQL ServerIntroducción a polybase en SQL Server
Introducción a polybase en SQL Server
 
Creando tu primer ambiente de AI en Azure ML y SQL Server
Creando tu primer ambiente de AI en Azure ML y SQL ServerCreando tu primer ambiente de AI en Azure ML y SQL Server
Creando tu primer ambiente de AI en Azure ML y SQL Server
 
Seguridad en SQL Azure
Seguridad en SQL AzureSeguridad en SQL Azure
Seguridad en SQL Azure
 
Azure Synapse Analytics MLflow
Azure Synapse Analytics MLflowAzure Synapse Analytics MLflow
Azure Synapse Analytics MLflow
 
SQL Server 2019 con Windows Server 2022
SQL Server 2019 con Windows Server 2022SQL Server 2019 con Windows Server 2022
SQL Server 2019 con Windows Server 2022
 
Novedades en SQL Server 2022
Novedades en SQL Server 2022Novedades en SQL Server 2022
Novedades en SQL Server 2022
 
Introduccion a SQL Server 2022
Introduccion a SQL Server 2022Introduccion a SQL Server 2022
Introduccion a SQL Server 2022
 
Machine Learning con Azure Managed Instance
Machine Learning con Azure Managed InstanceMachine Learning con Azure Managed Instance
Machine Learning con Azure Managed Instance
 
Novedades en sql server 2022
Novedades en sql server 2022Novedades en sql server 2022
Novedades en sql server 2022
 
Sql server 2019 con windows server 2022
Sql server 2019 con windows server 2022Sql server 2019 con windows server 2022
Sql server 2019 con windows server 2022
 
Introduccion a databricks
Introduccion a databricksIntroduccion a databricks
Introduccion a databricks
 
Pronosticos con sql server
Pronosticos con sql serverPronosticos con sql server
Pronosticos con sql server
 
Data warehouse con azure synapse analytics
Data warehouse con azure synapse analyticsData warehouse con azure synapse analytics
Data warehouse con azure synapse analytics
 
Que hay de nuevo en el Azure Data Lake Storage Gen2
Que hay de nuevo en el Azure Data Lake Storage Gen2Que hay de nuevo en el Azure Data Lake Storage Gen2
Que hay de nuevo en el Azure Data Lake Storage Gen2
 
Introduccion a Azure Synapse Analytics
Introduccion a Azure Synapse AnalyticsIntroduccion a Azure Synapse Analytics
Introduccion a Azure Synapse Analytics
 
Seguridad de SQL Database en Azure
Seguridad de SQL Database en AzureSeguridad de SQL Database en Azure
Seguridad de SQL Database en Azure
 
Python dentro de SQL Server
Python dentro de SQL ServerPython dentro de SQL Server
Python dentro de SQL Server
 
Servicios Cognitivos de de Microsoft
Servicios Cognitivos de de Microsoft Servicios Cognitivos de de Microsoft
Servicios Cognitivos de de Microsoft
 
Script de paso a paso de configuración de Secure Enclaves
Script de paso a paso de configuración de Secure EnclavesScript de paso a paso de configuración de Secure Enclaves
Script de paso a paso de configuración de Secure Enclaves
 
Introducción a conceptos de SQL Server Secure Enclaves
Introducción a conceptos de SQL Server Secure EnclavesIntroducción a conceptos de SQL Server Secure Enclaves
Introducción a conceptos de SQL Server Secure Enclaves
 

Sql Server 2008 Security Enhanments

  • 1. Ing. Eduardo Castro, Phd ecastro@mswindowscr.org http://comunidadwindows.org http://ecastrom.blogspot.com
  • 2. Transparent Data Encryption Visual Entity Designer Backup Compression External Key Management Entity Aware Adapters MERGE SQL Statement Data Auditing SQL Server Change Tracking Data Profiling Pluggable CPU Synchronized Programming Model Star Join Transparent Client Redirect for Visual Studio Support Enterprise Reporting Database Mirroring SQL Server Conflict Detection Engine Database Mirroring Enhancements FILESTREAM data type Internet Report DBM: Auto Page Repair Integrated Full -Text Search Deployment Declarative Management Sparse Columns Block Computations Framework Large User-Defined Types Scale-out Analysis Server Group Management Date / Time Data Types BI Platform Management Streamlined Installation LOCATION data type Export to Word and Excel Enterprise System Management SPATIAL data type Author reports in Word, Performance Data Collection Excel Virtual Earth Integration System Analysis Report Builder Partitioned Table Parallelism Enhancements Data Compression Query Optimizations TABLIX Query Optimization Modes Persistent Lookups Rich Formatted Data Resource Governor Change Data Capture Personalized Entity Data Model Perspectives LINQ … and many more
  • 3. Transparent data encryption – encrypt an entire database Backup encryption – compresses and secures the backup file Auditing – now monitors data access and modifications Policy-based Framework from Windows Server 2008 automates administrative tasks
  • 4. Enterprise Data Platform Protect your information Transparent Data Encryption Encrypt your data without requiring an application re-write External Key Management Consolidate security keys within the data center Data Auditing Integrated auditing support Increase the reliability of your Pluggable CPU applications Add system resources without affecting your users Enhanced Database Mirroring Leverage database mirroring to increase reliability
  • 5. In SQL Server 2000, 3rd party support required Since SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in SQL Server 2008 Transparent Data Encryption Extensible Key Management
  • 6. Support for full SSL Encryption since SQL Server 2000 Clients: MDAC 2.6 or later Force encryption from client or server Login packet encryption Used regardless of encryption settings Supported since 2000 Self-generated certificates avail since 2005
  • 7. SQL Server 2005 − Built-in encryption functions − Key management in SQL Server − Encrypted File System (EFS) − Bit-Locker SQL Server 2008 − Extensible Key Management (EKM) − Transparent Data Encryption (TDE)
  • 8. Follow principal of least privilege! Avoid using sysadmin/sa and db_owner/dbo − Grant required perms to normal login Never use the dbo schema − User-schema separation Applications should have own schema − Consider multiple schemas Leverage Flexible Database Roles − Facilitates role separation Consider Auditing user activity
  • 9. Key storage, HSM management and encryption done by HSM module SQL EKM Provider DLL SQL EKM key is a proxy to HSM key SQL EKM Key SQL EKM Provider DLL (HSM key proxy) implements SQLEKM Data interface, calls into SQL Server HSM module
  • 10. Security Data and keys are physically separated (keys are stored in HSM modules) Centralized key management and storage for enterprise Additional authentication layer Separation of duties between db_owner and data owner Performance Pluggable hardware encryption boards
  • 11. HSM Symmetric key Asymmetric key EKM Symmetric key EKM Asymmetric key SQL Server Data Data Native TDE DEK key Symmetric key
  • 12. Encryption/decryption SQL Server 2008 at database level DEK DEK is encrypted with: − Certificate − Key residing in a Hardware Security Encrypted data page Module (HSM) Client Application Certificate required to attach database files or restore a backup
  • 13. Operating System Level Data Protection API (DPAPI) DPAPI encrypts Service Master Key SQL Server 2008 Instance Level Service Master Key Service Master Key encrypts Database Master Key SQL Server 2008 Master Database Database Master Key Password Database Master Key Certificate encrypts Certificate In Master Database SQL Server 2008 Master Database Certificate encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database
  • 14. Asymmetric Key resides on Hardware Security Module (HSM) the EKM device Asymmetric Key Asymmetric Key encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database
  • 15. Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next VLF boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only
  • 16. Operational Impact Storage replication at hardware level Background task to encrypt all pages At HW level, all pages get changed, i.e. all pages need to be replicated Need to test if your hardware replication can handle this throughput When using Database Mirroring or Log Shipping, Ensure that the mirror server has the master key and certificate as well Bottleneck isn’t throughput of pages Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity Possible Failover Issues Synchronous mirroring backlog may result in not being able to failover since restoring received transaction log records could take a few hours For log shipping restoration of the backups will fall behind, manual failover cannot take place before restore finally caught up. May want to consider disabling HA and perform resynchronization of your HA configuration
  • 17. SQL Server 2005 SQL Trace DDL/DML Triggers Third-party tools to read transaction logs No management tools support SQL Server 2008 SQL Server Audit
  • 18. File Security Event Log Audit Application Event Log File 0..1 system 0..1 Server audit specification DB audit specification per Audit object per database per Audit object Server Audit Database Audit Specification Components Database Audit Database Components Database Audit Components Audit Server Audit Action Specification Server Audit Action Server Audit Action Server Audit Action Database Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action CREATE SERVER AUDIT SPECIFICATION CREATE DATABASE AUDIT SPECIFICATION SvrAC AuditAC TO SERVER AUDIT PCI_Audit TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); ADD (SELECT ON Customers BY public) 18
  • 19. Leverages high performance eventing infrastructure to generate audits Runs within engine rather than as a side/separate app Parity with SQL 2005 Audit Generation Faster than SQL Trace Records changes to Audit configuration Configuration and management in SSMS (Note: Enterprise Edition only)
  • 20. Centralizing audit logs and reporting DB Servers Process Audit Information Use SSIS to process SQL2008 audit log data and store in its own SQL database. SSIS DB Server Transfer Logs SQL Audit DB Server File Server SQL 2008 DB Server o rts ep teR n era Ge SSRS 2008 Compliance Reports
  • 21. Enterprise Data Platform Spend less time on ongoing operations Declarative Management Framework Manage via policies instead of scripts Define Enterprise wide data management policies Server Group Management Automated monitoring and enforcement of policies Simplify your installation and configuration Streamlined Installation Integrated with your enterprise system management Enterprise System Define Policies that are compliant with Management System Definition Model Manage your data and system infrastructure with Microsoft System Center
  • 22. Facets Conditions Policies Targets Categories
  • 23. • Provide auditors with assurance that SQL Server Compliance complies with all security and business guidelines • Complement All Actions Audited • Ensure peak performance Consistency • High levels of security & reliability • Drive strategic management initiative to control Costs costs • More efficient and proactive management
  • 24. Defines the evaluation mode, target filters, and schedule of the conditions. Policy Specifies a set of allowed states of a managed target with regard to a facet Condition Set of related logical properties Facet
  • 25. Server Restriction Category Policy Target Evaluation Mode
  • 26. On Demand On Schedule • Evaluate a policy when specified by user • SQL Server 2008 only • Available through SSMS or Windows • SQL Server Agent job periodically PowerShell™ evaluates a policy • Option to force certain conditions to comply with policy • Supports down-level evaluation (depends on properties exposed) Evaluation modes On Change: Prevent On Change: Log Only • SQL Server 2008 only • SQL Server 2008 only • DDL triggers prevent policy violations • Event notification evaluates a policy when a relevant change is made
  • 27. Windows PowerShell™ is a framework and runtime for executing management commands Cmdlets are instances of .NET classes that process input objects from the pipeline SQL Server Provider for Windows PowerShell™ encompasses SMO Invoke-PolicyEvaluation –Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1 Invoke-SQLCMD –Query ”SELECT name FROM sys.Databases;” –ServerInstance “MyServerInstance”
  • 28. Bringing It All Together policy results policy results policy results policy results policy results policy results
  • 29. Bringing It All Together policy results policy results policy results policy results policy results policy results
  • 30. Logically group instances based on business function(s) Centrally publish policies to groups of SQL Server 2008 instances Evaluate policies on-demand against a group of servers Filter by logical groups in Windows PowerShell™ scripts
  • 31. Add Intelligence to Policies Place each policy in a category Define server restrictions for versions and editions where appropriate
  • 32. Create Custom Server Groups in the CMS Run specific policies against a list of servers Examples: Production, Development, PCI Define Concurrent Jobs Define multiple concurrent executions based on Policy Category and/or logical Central Management Server group
  • 33. Real-Time Enforcement and Reporting Monitor the event log through Alerting integration Advanced functionality and integration with SSMS Dependency, health states, subscriptions, history Scale Security Access to other rich features in SQL Server 2008
  • 34. policy results policy results policy results syspolicy_policy_execution_history policy results syspolicy_policy_execution_history_details
  • 35. Dynamic Development  Access your data from anywhere SQL Server Change Tracking  Store your data locally while disconnected from server  Synchronize Incremental changes Synchronized Programming between client and server Model  Detect conflicts during synchronization including deletes Visual Studio Support  Add disconnected scenarios without re-writing existing applications SQL Server Conflict Detection
  • 36. Enterprise Policy Management Framework http://www.codeplex.com/EPMFramework Policy Based Management Blog http://blogs.msdn.com/sqlpbm/default.aspx
  • 37. To learn more about the Windows PowerShell™ scripting Language http://www.microsoft.com/downloads/details.aspx?FamilyID=b4720b0 0-9a66-430f-bd56-ec48bfca154f&DisplayLang=en Windows PowerShell™ Blog http://blogs.msdn.com/powershell/ SQL Server PowerShell Overview http://msdn.microsoft.com/en-us/library/cc281954.aspx