3. Security and Encryption

The document discusses security and encryption in Microsoft SQL Server. SQL Server provides built-in features for security like encrypted communication, data encryption at rest, and authentication/authorization. Security is based on servers, databases, securable objects, and principals. Encryption in SQL Server uses symmetric keys shared between sender and receiver or asymmetric keys with public/private key pairs to encrypt and decrypt data.

Uploaded by

Sai Nadh

Security and Encryption


SQL Security Introduction
Microsoft SQL Server provides several built-in features that enable security, including encrypted
communication over SSL/TLS, the Windows Data Protection API (DPAPI) used to encrypt data at rest,
authentication and authorization. It is up to each database administrator to configure these features, or use
additional security measures as needed, to address the security and compliance requirements of their data
and applications.

SQL Server security is based on several hierarchical entities:

Server—representing the entire SQL Server instance.

Database—each server can have multiple databases. A database is a collection of securable objects.

Securable object—data stored in a database, which requires associated permissions.

Principal—a person, group, or process that needs to access data. Privileges granted to principals are managed
by the SQL Server security framework.
Logins

Two types of authentication


Windows authentication

SQL Authentication
In Windows authentication, the user first authenticates to Active Directory. SQL Server
authenticates users through the Windows principal token in the OS, so it does not ask for a
password for identity validation; Windows confirms the user's identity. SQL Server does
not store credentials for Windows-authenticated logins. A connection made using Windows
authentication is called a trusted or integrated connection.
Creating login
Server Roles
Server-level roles help manage permissions for the entire SQL Server instance. SQL Server provides several
built-in server roles, but you should add your own specific roles if possible. Fixed server roles cannot be
changed.
You can also assign server-level principals (Windows groups and accounts, and SQL server logins) to these
roles. Fixed server roles allow members to add other users to the same role, but this is not so for user-defined
server roles.
SQL Server provides the following fixed server roles, starting with least privileged roles:
public—default role for server principals who do not have specific securable object permissions. Only assign
public permissions to objects that can be made available to all users. You cannot revoke public permission
from any server role.
dbcreator—can alter, create, drop, or restore databases.
diskadmin—can manage disk files.
bulkadmin—can execute BULK INSERT.
setupadmin—can add/remove linked servers by using Transact-SQL statements.
processadmin—can end running processes in the SQL server instance.
securityadmin—can administer logins, can reset SQL server login passwords, and grant, deny or revoke
server-level permissions or database-level permissions
serveradmin—can alter server configuration and shut it down
sysadmin—can perform all server activities.
Database Roles
SQL server defines roles that enable management of database-wide permissions. You can use the ALTER
ROLE statement to add and remove users to database roles.
Like server-level roles, there are fixed database-level roles built into SQL Server, and you can create
additional roles, customizing them using the GRANT, DENY, and REVOKE statements.
Fixed roles exist independently for each database within your SQL Server instance. Members of the db_owner
database role are allowed to manage membership of fixed database roles.
Microsoft SQL Server provides the following fixed database roles:
db_owner—allowed to perform all maintenance and configuration activities on the database, as well as
dropping the database
db_securityadmin—can modify custom role memberships and manage permissions. Monitor this role
closely as it has the ability to escalate privileges.
db_accessadmin—can add/remove database access for Windows groups and logins, as well as SQL Server
logins
db_backupoperator—can perform database backups
db_ddladmin—can run data definition language (DDL) commands (DDL: create, alter, truncate, drop, rename)
db_datawriter—can add, change, or delete any user table data.
db_datareader—limited to reading data from user tables
db_denydatawriter—are not allowed to add, modify or delete user table data
db_denydatareader—cannot read any of the data in a user table
In addition to database-level roles, SQL Server also enables defining permissions at the row level.
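The login and role sections above, put together as a least-privilege setup. This is an added example, not part of the original slides: the Windows group CONTOSO\ReportReaders and the role names monitoring_ro and report_reader are hypothetical, and EncryptTest and TestTable are borrowed from the encryption walkthrough later in the document.

```sql
-- Added example: CONTOSO\ReportReaders, monitoring_ro and report_reader are hypothetical names.
USE master;
GO
-- Windows-authenticated login: SQL Server stores no password for it.
CREATE LOGIN [CONTOSO\ReportReaders] FROM WINDOWS;
GO
-- User-defined server role with one narrow permission,
-- instead of membership in a broad fixed server role.
CREATE SERVER ROLE monitoring_ro;
GRANT VIEW SERVER STATE TO monitoring_ro;
ALTER SERVER ROLE monitoring_ro ADD MEMBER [CONTOSO\ReportReaders];
GO
USE EncryptTest;
GO
-- Map the login to a database user and give it a custom role
-- limited to one table, instead of db_datareader on every user table.
CREATE USER ReportReaders FOR LOGIN [CONTOSO\ReportReaders];
CREATE ROLE report_reader;
GRANT SELECT ON OBJECT::dbo.TestTable TO report_reader;
ALTER ROLE report_reader ADD MEMBER ReportReaders;
GO
-- Periodic review: who currently sits in the fixed database roles
-- that can change permissions or role membership?
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin', N'db_accessadmin')
ORDER BY r.name, m.name;
GO
```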
Audit
Auditing can be completely or partially automated (using server-level DDL triggers, alerts, third-party tools, etc.)
Audit Specification
Statements
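A server audit with a server-level and a database-level audit specification, recording the role and permission changes that the role sections say to monitor. This is an added example, not part of the original slides: the audit names and the D:\SqlAudit\ folder are assumptions, and EncryptTest and TestTable come from the encryption walkthrough later in the document.

```sql
-- Added example: audit names and the D:\SqlAudit\ path are assumptions.
USE master;
GO
-- The audit object defines where events are written.
CREATE SERVER AUDIT PrivilegeChangeAudit
TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT PrivilegeChangeAudit WITH (STATE = ON);
GO
-- Server-level specification: role membership, login changes, failed logins.
CREATE SERVER AUDIT SPECIFICATION PrivilegeChangeServerSpec
FOR SERVER AUDIT PrivilegeChangeAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO
USE EncryptTest;
GO
-- Database-level specification: role and permission changes,
-- plus every SELECT statement against the sensitive table.
CREATE DATABASE AUDIT SPECIFICATION PrivilegeChangeDbSpec
FOR SERVER AUDIT PrivilegeChangeAudit
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SELECT ON OBJECT::dbo.TestTable BY public)
WITH (STATE = ON);
GO
-- Read the recorded events back from the audit files.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```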
Extended events

SQL Server Extended Events were introduced with SQL Server 2008 as a lightweight way to create
customized monitoring of SQL Server.

Many people view SQL Server Extended Events as a replacement for Profiler/Server Side Trace.
Extended Events are a lot more than that. Extended Events provide a set of methods for collecting
different events from SQL Server and correlating those different events within a single tool. It’s
possible to grab:

Deadlocks + waits

Waits + lock graph

TempDB spill + query plan


Encryption
There are two kinds of keys used in encryption:
• Symmetric Key – In a symmetric cryptography system, the sender and the receiver of a message share
a single, common key that is used to encrypt and decrypt the message. This is relatively easy to
implement, and both the sender and the receiver can encrypt or decrypt the messages.
• Asymmetric Key – Asymmetric cryptography, also known as public-key cryptography, is a system in
which the sender and the receiver of a message use a pair of cryptographic keys, a public key and a
private key, to encrypt and decrypt the message. This is a relatively complex system: the sender
uses the public key to encrypt the message but cannot decrypt it with that key, while the receiver
uses the private key to decrypt it. This complexity makes it a resource-intensive process.
How to configure encryption
1 Create a master key with password
2 Create a certificate with subject
3 Create symmetric key with algorithm by certificate
4 Alter table add column with varbinary
5 Open symmetric key decryption by certificate - update second column with encrypted key
6 Run the select command - all data is encrypted
7 Open symmetric key -

/* Create Database Master Key */
USE EncryptTest
GO
CREATE MASTER KEY ENCRYPTION
BY PASSWORD = 'SQLTEST1'
GO

/* Create Encryption Certificate */
USE EncryptTest
GO
CREATE CERTIFICATE EncryptTestCert
WITH SUBJECT = 'SQLAuthority'
GO

/* Create Symmetric Key */
USE EncryptTest
GO
CREATE SYMMETRIC KEY TestTableKey
WITH ALGORITHM = TRIPLE_DES ENCRYPTION
BY CERTIFICATE EncryptTestCert
GO

/* Encrypt Data using Key and Certificate
Add Columns which will hold the encrypted data in binary */
USE EncryptTest
GO
ALTER TABLE TestTable
ADD EncryptSecondCol VARBINARY(256)
GO

/* Update binary column with encrypted data created by certificate and key */
USE EncryptTest
GO
OPEN SYMMETRIC KEY TestTableKey DECRYPTION
BY CERTIFICATE EncryptTestCert
UPDATE TestTable
SET EncryptSecondCol = ENCRYPTBYKEY(KEY_GUID('TestTableKey'),SecondCol)
GO

/* Decrypt the data of the SecondCol */
USE EncryptTest
GO
OPEN SYMMETRIC KEY TestTableKey DECRYPTION
BY CERTIFICATE EncryptTestCert
SELECT CONVERT(VARCHAR(50),DECRYPTBYKEY(EncryptSecondCol)) AS DecryptSecondCol
FROM TestTable
GO
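The same column-encryption flow with the settings a current deployment would use: an AES_256 key in place of TRIPLE_DES (from SQL Server 2016 only the AES algorithms are non-deprecated for new symmetric keys), an authenticator that ties each ciphertext to its row, and an explicit CLOSE of the key. This is an added example, not part of the original slides: DemoAesCert, DemoAesKey and dbo.CardDemo are hypothetical names with constructed rows, and the database master key from step 1 is assumed to exist already. With a mismatched authenticator, DECRYPTBYKEY returns NULL instead of plaintext.

```sql
-- Added example: DemoAesCert, DemoAesKey and dbo.CardDemo are hypothetical names.
USE EncryptTest;   -- database from the walkthrough; its master key must already exist
GO
CREATE CERTIFICATE DemoAesCert WITH SUBJECT = 'Column encryption demo';
GO
-- AES_256 replaces the TRIPLE_DES algorithm used in the walkthrough.
CREATE SYMMETRIC KEY DemoAesKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoAesCert;
GO
-- Constructed sample table and rows.
CREATE TABLE dbo.CardDemo (
    Id        INT PRIMARY KEY,
    Secret    VARCHAR(50)    NULL,
    EncSecret VARBINARY(256) NULL
);
INSERT INTO dbo.CardDemo (Id, Secret)
VALUES (1, 'alpha-0001'), (2, 'bravo-0002');
GO
OPEN SYMMETRIC KEY DemoAesKey DECRYPTION BY CERTIFICATE DemoAesCert;

-- Authenticator = hash of the row's primary key, so a ciphertext copied
-- into a different row does not decrypt there.
UPDATE dbo.CardDemo
SET EncSecret = ENCRYPTBYKEY(KEY_GUID('DemoAesKey'), Secret, 1,
                    HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), Id)));

-- Remove the plaintext once the ciphertext is stored.
UPDATE dbo.CardDemo SET Secret = NULL;

-- SameRow decrypts with the row's own authenticator;
-- WrongRow attempts the decrypt with another row's authenticator.
SELECT Id,
       CONVERT(VARCHAR(50), DECRYPTBYKEY(EncSecret, 1,
           HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), Id))))     AS SameRow,
       CONVERT(VARCHAR(50), DECRYPTBYKEY(EncSecret, 1,
           HASHBYTES('SHA2_256', CONVERT(VARBINARY(4), Id + 1)))) AS WrongRow
FROM dbo.CardDemo;

-- Do not leave the key open for the rest of the session.
CLOSE SYMMETRIC KEY DemoAesKey;
GO
```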
Always Encrypted in SQL Server 2016
The Always Encrypted feature was available only on the Enterprise and Developer editions of SQL Server 2016.
Later, this feature was made available on all editions, with SQL Server 2016 SP1. Always Encrypted has the
ability to encrypt data even at the column level.
The Always Encrypted feature is a handshake mechanism used to encrypt and decrypt data. Encryption here is
achieved using certificates, and can be done only by users with access to the relevant certificates. To make a
database column Always Encrypted, you must specify the encryption algorithm and the cryptographic keys
that are used to protect the data. Always Encrypted needs two keys:
1. Column Encryption Key (CEK)
2. Column Master Key (CMK)
A Column Encryption Key is used to protect and encrypt data in a column. A Column Master Key is used to
protect the (one or more) column encryption keys. The information about the Column Master Key is stored
in external key stores like:
• Azure Key Vault: A key vault used to safeguard and manage cryptographic keys and secrets used for
encryption and decryption of sensitive data within Microsoft Azure.
• Windows Certificate Store: A certificate container built into Windows that stores and manages the
certificates.
• Hardware Security Module (HSM): A hardware device specially designed to securely store sensitive data.
End of Security