290 likes | 304 Views
Learn SQL Server security principles, logins/users, roles, certificates, asymmetric keys, and their creation and usage. Understand user roles, permissions, context switching, encryption types, hashing algorithms, and more.
E N D
SQL Server SECURITY
Principals • logins/users • roles • certificate • assymetric key
Login Types • Standard SQL Server login • Windows login • Windows group • Certificate • Asymmetric Key
Loginایجاد • CREATE LOGIN loginName { WITH <option_list1> | FROM <sources> } • <option_list1> ::= PASSWORD = { 'password' | hashed_password HASHED } [ MUST_CHANGE ] [ , <option_list2> [ ,... ] ]
<option_list2> ::= SID = sid | DEFAULT_DATABASE = database | DEFAULT_LANGUAGE = language | CHECK_EXPIRATION = { ON | OFF} | CHECK_POLICY = { ON | OFF} | CREDENTIAL = credential_name • <sources> ::= WINDOWS [ WITH <windows_options> [ ,... ] ] | CERTIFICATE certname | ASYMMETRIC KEY asym_key_name • <windows_options> ::= DEFAULT_DATABASE = database | DEFAULT_LANGUAGE = language
Fixed Server Roles • bulkadmin • dbcreator • diskadmin • processadmin • securityadmin • serveradmin • setupadmin • sysadmin
Login Creation • CREATE LOGIN TestLogin WITH PASSWORD = '<specifystrongpassword>', CHECK_POLICY = ON, CHECK_EXPIRATION = ON GO
User Creation • CREATE USER user_name [ { { FOR | FROM } { LOGIN login_name | CERTIFICATE cert_name | ASYMMETRIC KEY asym_key_name} | WITHOUT LOGIN ] [ WITH DEFAULT_SCHEMA = schema_name ]
Fixed Database Roles • db_accessadmin • db_backupoperator • db_datareader / db_datawriter • db_ddladmin • db_ddladmin • db_denydatareader / db_denydatawriter • db_owner • db_securityadmin • public
Impersonation (Context Switching) • { EXEC | EXECUTE ] AS <context_specification> • <context_specification>::= { LOGIN | USER } = 'name' [ WITH NO REVERT ] | CALLER
Permissions • SELECT • INSERT • UPDATE • DELETE • EXECUTE • REFERENCES • CONTROL • ALTER • VIEW DEFINITION • TAKE OWNERSHIP
Grant Example • GRANT EXECUTE ON Customers.asp_submitorder TO SubmitOrdersRole
Security Context Switching • SELECT USER_NAME() • GO • EXECUTE AS USER = 'TestUser' • GO • SELECT USER_NAME() • GO • EXEC Customers.asp_submitorder 1, '1-2RB1-4RO', 5 • GO • SELECT OrderID, CustomerID, OrderDate, SubTotal, TaxAmount, ShippingAmount, GrandTotal, FinalShipDate FROM Orders.OrderHeader SELECT OrderDetailID, OrderID, SKU, Quantity, UnitPrice, ShipDate FROM Orders.OrderDetail • GO • REVERT
Grant Premission Sample • GRANT SELECT ON DATABASE::SQL2008SBS TO TestLogin GO • DENY VIEW DEFINITION ON DATABASE::SQL2008SBS TO TestLogin GO
Security Context Switching • EXECUTE AS USER = 'TestLogin‘ • GO • SELECT * FROM sys.objects • GO • SELECT OrderID, CustomerID, OrderDate, SubTotal, TaxAmount, ShippingAmount, GrandTotal, FinalShipDate FROM Orders.OrderHeader • GO • REVERT
.NET Assemblies Security • SAFE • EXTERNAL_ACCESS • UNSAFE
Encryption Types • 1-Sided – Hashs: MD2,MD4,MD5, SHA,SHA1 • 2-Sided: Symetric Keys (Best Performance), Asymetric Keys(Strong),Certificates
Data Encryption • Service Master Key • Database Master Key • CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'password'
When Backing up • OPEN MASTER KEY DECRYPTION BY PASSWORD ='password' • BACKUP MASTER KEY TO FILE ='path_to_file' ENCRYPTION BY PASSWORD ='password‘ • RESTORE MASTER KEY FROM FILE ='path_to_file' DECRYPTION BY PASSWORD =‘pwd' ENCRYPTION BY PASSWORD =‘pwd' • CLOSE MASTER KEY
Hashing Algorithms • DECLARE @HashValue varchar(100) • SELECT @HashValue = 'SQL Server‘ • SELECT HashBytes('MD5', @HashValue) • SELECT @HashValue = 'SQL Server‘ • SELECT HashBytes('SHA1', @HashValue)
Hashing Tips • Hash Algorithms are Case-Sensitive • MD2, MD4,SHA is also available • Remember to Salt Hashs
Symmetric Keys • CREATE SYMMETRIC KEY MySymmetricKey WITH ALGORITHM = RC4 ENCRYPTION BY PASSWORD = ‘pwd’ • GO • SELECT * FROM sys.symmetric_keys • GO • CREATE TABLE SymmetricKeyDemo (ID int IDENTITY(1,1), PlainText varchar(30) NOT NULL, EncryptedText varbinary(80) NOT NULL) • GO • OPEN SYMMETRIC KEY MySymmetricKey DECRYPTION BY PASSWORD = ‘pwd’ • GO
Encryption by Symmetric Key • INSERT INTO SymmetricKeyDemo (PlainText, EncryptedText) VALUES('SQL Server', EncryptByKey( Key_GUID('MySymmetricKey'),'SQL Server')) • GO • SELECT ID, PlainText, EncryptedText, cast(DecryptByKey(EncryptedText) AS varchar(30)) FROM SymmetricKeyDemo • GO • CLOSE SYMMETRIC KEY MySymmetricKey
Create Self-Signed Certificate • CREATE CERTIFICATE MyCert AUTHORIZATION dbo WITH SUBJECT = 'Test certificate‘ • GO
Certificate Creation • CREATE CERTIFICATE certificate_name [ AUTHORIZATION user_name ] { FROM <existing_keys> | <generate_new_keys> <existing_keys> ::= ASSEMBLY assembly_name | { [ EXECUTABLE ] FILE = 'path_to_file' [ WITH PRIVATE KEY ( <private_key_options> ) ] }
<generate_new_keys> ::= [ ENCRYPTION BY PASSWORD = 'password'] WITH SUBJECT = 'certificate_subject_name' [ ,<date_options> [,...n ] ] • <private_key_options> ::= FILE = 'path_to_private_key' [ , DECRYPTION BY PASSWORD = 'password' ] [ , ENCRYPTION BY PASSWORD = 'password' ] <date_options> ::= START_DATE = 'mm/dd/yyyy' | EXPIRY_DATE = 'mm/dd/yyyy'
Using Certificate for Encryption • CREATE TABLE CertificateDemo • (ID int IDENTITY(1,1), • PlainText varchar(30) NOT NULL, • EncryptedText varbinary(500) NOT NULL) • GO • CREATE CERTIFICATE MyCert AUTHORIZATION dbo WITH SUBJECT = 'Test certificate'
Certificate Encryption/Decryption • GO • SELECT * FROM sys.certificates • GO • INSERT INTO CertificateDemo • (PlainText, EncryptedText) • VALUES('SQL Server',EncryptByCert(Cert_ID('MyCert'), 'SQL Server')) • GO • SELECT ID, PlainText, EncryptedText, CAST(DecryptByCert(Cert_Id('MyCert'), • EncryptedText) AS varchar(max)) • FROM CertificateDemo