Chapter 7
Securing Integration Services Packages

In This Chapter
- Digitally Signing the Package
- Excluding Sensitive Information from the Package
- Encrypting Sensitive Information in the Package
- Encrypting All the Information in the Package
- Using Integration Services Fixed Database-Level Roles
- Considerations for Different Storage Areas
- Summary

270 Hands-On Microsoft SQL Server 2008 Integration Services

Security in SQL Server 2008 Integration Services has been enhanced a great deal compared to DTS 2000. DTS relies on package password protection, SQL Server security, and SQL Server Agent service security; Integration Services keeps the features used by DTS and adds a lot more to protect data. SSIS can secure data and connections from several perspectives, depending on the situation. By design, Integration Services communicates with SQL Server only over an encrypted channel to protect sensitive data. In Integration Services, sensitive information means the passwords used in connection strings, any property of a custom-built component that has the sensitive attribute set, and any variable tagged with the sensitive attribute. Integration Services secures your packages and data by providing the facilities to do the following:
- Digitally sign the package.
- Exclude sensitive information from the package.
- Encrypt sensitive information in the package.
- Encrypt all the contents of the package.
- Control access to the package by using database-level roles.
- Secure storage areas.

Let's take a detailed look at these options and what they offer in terms of securing Integration Services packages and the metadata used in them.

Digitally Signing the Package

Development of a complex Integration Services solution involves several developers who create many smaller packages that are joined as modules to form a complete solution for the business problem.
During the development phase, a package that has been tested successfully to perform part of the function can be deployed while it is still under development for additional functionality. In such a scenario, you need to avoid deploying modified packages while they are still under test. For example, you may be working on a complex scenario for which you have proposed a solution that can be developed and deployed in multiple stages. While development is still underway and many developers have access to the SSIS packages, the last thing you want is to run an untested package in the production environment. You also want to make sure that you run packages only from trusted sources. To identify the source of a package and guarantee its integrity, you can digitally sign the package with a certificate and configure Integration Services to check for the presence and validity of the digital signature. Each time the package is loaded, its signature is verified, so a package that was altered after signing will not load. You need a digital certificate installed on the server to sign your packages. Once you have that in place, follow these instructions:

1. Using Business Intelligence Development Studio (BIDS), open the package you want to digitally sign.
2. On the menu bar, click the SSIS menu and choose Digital Signing. This opens the Digital Signing dialog box, which displays the message "This package is not signed."
3. Click the Sign button. Select a certificate to sign the package and click OK.
4. After signing the package, right-click anywhere on the blank surface of the designer and choose Properties from the context menu. Locate the CheckSignatureOnLoad property and set it to True. This requires that the digital signature on the package be checked every time the package is loaded.
Excluding Sensitive Information from the Package

Integration Services lets developers mark certain information as sensitive data, and this data is handled more securely than the other metadata of the package. Examples of sensitive data are passwords, connection strings, and any other information that a developer marks as sensitive in a custom-built component. Once the components have been deployed, Integration Services identifies the sensitive properties automatically and doesn't let users change any of the sensitive attributes; this applies to the standard built-in components as well. Integration Services provides a set of options to secure the information in a package using the ProtectionLevel package property shown in Figure 7-1. You can opt not to save sensitive data in the package at all. When you select the DontSaveSensitive option, the sensitive information is removed from the package when it is saved and is unavailable for future executions of the package, so each time you want to execute the package you have to provide the required information for it to run successfully. If you later change this option to any other option, the sensitive fields are populated with blank data and you will have to re-enter the sensitive information (passwords and so on) in the relevant places to make it available in the package.

Encrypting Sensitive Information in the Package

The next scenario is that you want to save sensitive information in the package and also protect it. For this, Integration Services provides two ProtectionLevel options that encrypt the sensitive information: EncryptSensitiveWithUserKey and EncryptSensitiveWithPassword. These options encrypt the sensitive information in the package using a user key or a password, respectively.
The Microsoft Data Protection API (DPAPI), a cryptography API, is used to fulfill the encryption needs of the ProtectionLevel options that use a user key, while a Triple DES cipher with a 192-bit key is used for the ProtectionLevel options that use a password. EncryptSensitiveWithUserKey is the default protection level for a package. This means that the sensitive information in a package is, by default, encrypted using the current user key, which is derived from the user profile. Only the current user using the same profile can load this package. If another user tries to load the package, the sensitive fields are populated with blank data and the package will fail to execute, unless the user trying to run the package supplies the sensitive information.

Figure 7-1 ProtectionLevel property options of a package

The EncryptSensitiveWithPassword protection level allows you to save the sensitive information in the package and encrypt it using a password, supplied in the PackagePassword property. By using a password as the encryption key for the sensitive information, you can let other developers open the package by supplying the password and hence make the package accessible to all members of the development team. Each time the package is loaded or the ProtectionLevel option is changed, the user must provide the package password. If the package password is not provided, the package is opened without the sensitive information. To sum up, use the EncryptSensitiveWithUserKey option for packages that you will probably not share with anybody else and the EncryptSensitiveWithPassword option when you want to share the package with others.

Encrypting All the Information in the Package

Two options are available for encrypting the whole package: EncryptAllWithUserKey and EncryptAllWithPassword.
These options use a user key or a package password, respectively, to encrypt all the information in a package. Select the EncryptAllWithUserKey option to encrypt all the information in a package using a user key. As the user key is generated from the user profile, only the user who created or exported the package, using the same profile, can open or load the package. Select the EncryptAllWithPassword option to encrypt all the information in a package using the password specified in the PackagePassword property. You can use this option to secure the contents of the package yet still allow the development team to work on it; a custom-developed package for your application that contains intellectual property is a good example. A package encrypted in this way can be opened only by providing the password; you cannot load the package without it.

Hands-On: Working with Package Protection Levels

This Hands-On exercise is designed to enhance your understanding of package protection levels.

Method

In this exercise, we will use each package protection level in turn to see how it works and the effect it has on the security of the package. We will use the Downloading zipped files package, as it requires a password to connect to an FTP server, to see the effects of the various protection levels. Note that if you use the Downloading zipped files package that has been provided with this book, you will receive an error when opening the package. When you click OK on the pop-up error message, the package will load properly but without the connection string in the FTP task. This is because, by default, the sensitive information (passwords, connection strings, and so on) in the package is encrypted using the user key, and when another user tries to open the package, an error occurs and the sensitive information is removed from the package.
However, if you open the Downloading zipped files package that you developed yourself in Chapter 5, you will not get any such error. In addition, this package requires a connection to an FTP server. If you skipped building this package in Chapter 5, you should find an FTP server and build the package to complete this Hands-On exercise. The provided package may not be of much help, as it points to a computer used in the lab setup for this book, which is obviously not accessible to you. It is better to use the package that you have created yourself.

Exercise (Excluding Sensitive Information from the Package)

After this exercise, you will be able to exclude sensitive information from the package using the DontSaveSensitive option of the ProtectionLevel property.

1. Open BIDS and create a new Integration Services project with the name Downloading zipped files in the location C:\SSIS\Projects. In the Solution Explorer window, delete the Package.dtsx package file. Right-click the SSIS Packages node and choose Add Existing Package from the context menu. In the Add Copy Of Existing Package window, choose File System in the Package location field and type C:\SSIS\Projects\Control Flow Tasks\Downloading zipped files.dtsx in the Package path field. Click OK to add this package to your project. Double-click the Downloading zipped files.dtsx package to open it.
2. Right-click anywhere on the blank surface of the Designer and choose Properties from the context menu. The Properties window can show the properties in two ways, Categorized view or Alphabetical view, which you select using the two buttons in the command bar at the top of the Properties window. In the Categorized view, the properties are grouped by category, while the Alphabetical view simply lists the properties in alphabetical order. Use Categorized view.
3. Scroll down in the Properties window and locate the Security section.
   Note that the ProtectionLevel field shows EncryptSensitiveWithUserKey selected.
4. Press - to open the Solution Explorer. Right-click the Downloading zipped files.dtsx package under the SSIS Packages folder and choose View Code from the context menu. The package code in XML is shown in a new tab in BIDS.
5. Press - and find Password in the XML document. You will be taken to the ServerPassword property, which immediately follows ServerUserName in the XML document and is listed here:

    <DTS:Property DTS:Name="ServerUserName">administrator</DTS:Property>
    <DTS:Property DTS:Name="ServerPassword" Sensitive="1" Encrypted="1">AQAAANC
    Mnd8BFdERjHoAwE/Cl+sBAAAAgp969y9CpkO6k07L3IdJGwAAAAAIAAAARABUAFMAAAADZgAAqA
    AAABAAAABhZumzf3dqV1SXY5667BryAAAAAASAAACgAAAAEAAAAMW+xn039fmW+00yN32EHG4YA
    AAAAE5rsrl9TvzImKtVSb+UWoZbYuJXBwtLFAAAAMTOWe+5xETOTECqeJbMTSIq/c9e</DTS:Property>

   In this node, note that the ServerPassword property is attributed as sensitive data and is set for encryption. Also note that the data in this node is entirely encrypted. This encryption is due to the default EncryptSensitiveWithUserKey setting.
6. Switch to the Designer tab of the package and choose the DontSaveSensitive option in the ProtectionLevel field in the Properties window.
7. Switch to Code view and search for Password. This time you will see the same XML node with no encryption attribute and no data in it:

    <DTS:Property DTS:Name="ServerPassword" Sensitive="1"></DTS:Property>

   This is because the password has been removed from the package.
8. Press 5 to run the package. The package will fail. Stop debugging and click the Execution Results tab. You will see the following error declaring that the password was not allowed:

    [Connection manager "FTP Connection Manager"] Error: An error occurred in the requested FTP operation. Detailed error description: The password was not allowed.

9.
Each time you start debugging a package, the package is saved using the current ProtectionLevel option; in this case, it won't save the password and hence does not execute. To execute this package, we have to provide a value for the ServerPassword property. You can do this by setting the value at run time, either using Package Configurations or using a Script task. We will cover both methods in later chapters, when we cover scripting and package configurations in Chapter 11 and Chapter 13. For now, just keep in mind that a package that has been saved without the sensitive information can still be run by supplying the sensitive (password) information.

Exercise (Encrypting Sensitive Information Using a User Key)

When you use a user key to encrypt the package, the package encryption is tied to the user profile. We will use a test user account, ISUser01, to log on and open a package that has already been encrypted using a user key by another user, and we will establish that the sensitive information is replaced when a different user tries to load the package. Such a package can be executed successfully only by providing the sensitive information again. You already created this user account in Chapter 6.

10. Double-click the FTP Connection Manager in the Connection Managers area in the Designer and provide a password to connect to the FTP server in the Credentials section of the FTP Connection Manager Editor window. Click OK to close it.
11. Open the Properties window and change the ProtectionLevel property value to EncryptSensitiveWithUserKey. Switch to the XML code for the package and search for Password to see that it has been encrypted, like the one shown in the preceding exercise.
12. Press 5 to make sure that the package executes successfully.
13. Save all the files, then close all the applications and log off and log back on (or switch user) as ISUser01 with the assigned password.
14. Start Business Intelligence Development Studio and open Downloading zipped files.sln from the C:\SSIS\projects\downloading zipped files folder.
15. Open the Downloading zipped files.dtsx package. When BIDS tries to load the package, you will see an error on the screen informing you that the package could not be loaded due to errors and prompting you to see the Error List for details.
16. Click OK to close the error; the package is loaded despite the errors. If you don't see the Error List window open in the lower left-hand corner of BIDS, you can open it from the View menu. In the Error List window, you will see the detailed error message explaining that the encryption key is not valid:

    "Error loading Downloading zipped files.dtsx: Failed to decrypt protected XML node "DTS:Property" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available."

17. Press 5 to run the package. The package will fail. Press -5 to stop debugging. Go to the Execution Results page and read the error message, which states that the FTP password was not allowed. This establishes that the FTP password was removed when we loaded the package as a different user.
18. Double-click the FTP Connection Manager in the Connection Managers area in the Designer and provide the password to connect to the FTP server in the Credentials section of the FTP Connection Manager Editor window. Click OK.
19. Press 5 to run the package; this time the package will succeed. This confirms that when the package is encrypted with another user's key you can still load the package and use it, provided you know the sensitive information and can supply the correct password.
Exercise (Encrypting Sensitive Information Using the Package Password)

When you opt to encrypt a package using the EncryptSensitiveWithPassword option, you provide an encryption password using the PackagePassword property in the Security section of the Properties window. Here you will learn that if you encrypt the sensitive information in a package using a password, other users can access the sensitive information by specifying the PackagePassword. However, if other users try to load the package without specifying the PackagePassword, the sensitive information is replaced with blanks. You will perform these steps while still logged on as ISUser01. In the following steps, you will use a package password to encrypt the sensitive information in the package.

20. Open the properties for the package, change the ProtectionLevel property to EncryptSensitiveWithPassword, and specify the password bB12345cC in the PackagePassword field.
21. Open the XML code for the package. If you search the XML for the word Password, you will get no result, because this word no longer exists in the document. Instead, find the ServerUserName property, as you know that the ServerPassword property was immediately after it. You will see something like this in the XML code view:

    <DTS:Property DTS:Name="ServerUserName">administrator</DTS:Property>
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Salt="oOBw/g9GpA==" IV="5YsCDRU2aMM=" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <CipherData>
        <CipherValue>5YsCDRU2aMM9jrGvOlsQSXNFzBG13LDuBBBI/tK07k/Z1BXBYNSQEOWFYD3WgRhEDQ56TKlATw2Tvi7UU7OAJfDXDSnnoYPAwtmgTj3d/Qk72HJwlzNjqJ/FiGjC+2sfN4VNzpLSVGQCkV27tDchXriytPz/2pTI1EY58wui1LPAkulpSbunbg==</CipherValue>
      </CipherData>
    </EncryptedData>

   The data in the package has been encrypted using Triple DES in CBC mode.
22.
Press -- to save all the items in the package. Close all the applications and log off. Log back on using the administrator user account.
23. Run BIDS and load the Downloading zipped files solution. You may have to double-click the Downloading zipped files.dtsx package in the Solution Explorer to load the package on the Designer. When BIDS loads the package, you will see the Package Password prompt asking you to provide the password (Figure 7-2).
24. If you provide the correct package password, the package will load and you can run it successfully. However, we will observe the behavior when someone tries to load the package without the password. Click Cancel to load the package without the password.
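The three XML shapes seen in the exercises above (a DPAPI-encrypted Sensitive="1" Encrypted="1" property, an emptied property under DontSaveSensitive, and an xmlenc EncryptedData element under EncryptSensitiveWithPassword) can be told apart mechanically, which is useful for auditing a folder of packages before deployment. The following Python script is an added example, not code from the book or from SSIS; the DTS namespace URI is an assumption, and the sample packages are constructed with truncated ciphertext.

```python
# Added audit script, not from the book: classifies how each sensitive value in
# a .dtsx package was saved, based on the XML shapes shown in the exercises.
# The DTS namespace URI is an assumption; the sample packages are constructed
# and their ciphertext is truncated.
import xml.etree.ElementTree as ET

DTS_NS = "www.microsoft.com/SqlServer/Dts"          # assumed .dtsx namespace
XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"     # namespace seen in step 21
DTS_PROP, DTS_NAME = "{%s}Property" % DTS_NS, "{%s}Name" % DTS_NS
ENC_DATA, ENC_METHOD = "{%s}EncryptedData" % XMLENC_NS, "{%s}EncryptionMethod" % XMLENC_NS


def audit_package(xml_text):
    """Return [(name, state)] per sensitive value. States: 'user-key'
    (Encrypted="1", DPAPI blob), 'removed' (empty, DontSaveSensitive),
    'plaintext' (sensitive but unencrypted) or 'password:<alg>' (xmlenc node)."""
    root = ET.fromstring(xml_text)
    findings = []
    for prop in root.iter(DTS_PROP):
        if prop.get("Sensitive") != "1":
            continue                    # ServerUserName etc. are not sensitive
        value = (prop.text or "").strip()
        if not value:
            state = "removed"
        elif prop.get("Encrypted") == "1":
            state = "user-key"
        else:
            state = "plaintext"
        findings.append((prop.get(DTS_NAME), state))
    # Under EncryptSensitiveWithPassword the property name is gone too; only
    # an EncryptedData element remains, so report the algorithm it declares.
    for enc in root.iter(ENC_DATA):
        method = enc.find(ENC_METHOD)
        alg = method.get("Algorithm", "") if method is not None else ""
        findings.append(("<EncryptedData>", "password:" + alg.rsplit("#", 1)[-1]))
    return findings


def unprotected(findings):
    """Names of sensitive properties saved in clear text (should never ship)."""
    return [name for name, state in findings if state == "plaintext"]


# Constructed sample packages, one per state observed in the exercises.
WRAP = '<DTS:Executable xmlns:DTS="%s">%%s</DTS:Executable>' % DTS_NS
USER_NAME = '<DTS:Property DTS:Name="ServerUserName">administrator</DTS:Property>'
USER_KEY_PKG = WRAP % (USER_NAME +
    '<DTS:Property DTS:Name="ServerPassword" Sensitive="1" Encrypted="1">AQAAANCMnd8B</DTS:Property>')
REMOVED_PKG = WRAP % '<DTS:Property DTS:Name="ServerPassword" Sensitive="1"></DTS:Property>'
PASSWORD_PKG = WRAP % (USER_NAME +
    '<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Salt="oOBw/g9GpA=="'
    ' IV="5YsCDRU2aMM=" xmlns="http://www.w3.org/2001/04/xmlenc#">'
    '<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>'
    '<CipherData><CipherValue>5YsCDRU2aMM9jrGv</CipherValue></CipherData></EncryptedData>')
# A hand-edited package with the password pasted in unencrypted (constructed).
CLEARTEXT_PKG = WRAP % '<DTS:Property DTS:Name="ServerPassword" Sensitive="1">SamplePw</DTS:Property>'

if __name__ == "__main__":
    for pkg in (USER_KEY_PKG, REMOVED_PKG, PASSWORD_PKG, CLEARTEXT_PKG):
        print(audit_package(pkg), "unprotected:", unprotected(audit_package(pkg)))
```

Point the script at real saved .dtsx files to confirm that nothing leaves the development team with a sensitive property in the 'plaintext' state, and that packages headed for a shared server are not in the 'user-key' state that only one profile can decrypt.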