Mastering SQL Server 2000 Security, Part 5

CHAPTER 7
Implementing Front-End Application Security

Among the primary concerns of database administration is the security level provided by the developers who create the front-end applications. The front-end application is often referred to as the presentation layer. The application that interfaces with the database defines the connection to the database server. The database is only as secure as the connection options that are used in the front-end application.

Database administrators should generally be concerned with two related areas. The first area of concern relates to the client tools supplied with SQL Server. Users who have the ability to install the client tools have access to both Enterprise Manager and SQL Query Analyzer. To prevent security violations from one of the client tools, you want to control the access each user has to the database. The client tools are interfaces that are created to manipulate both the configuration of SQL Server and its databases. A user can make significant changes to the database management system through the user-friendly client tools. The connection to SQL Server from the client tools is provided by the network libraries and is configured through the Client Network Utility and the Server Network Utility.

The second area of concern is the applications that will be used by the clients to perform activity against the database. These applications could either be a connection from a licensed product, like Microsoft Excel or Microsoft Access, or an application that is created by a developer to specifically interface with SQL Server. Typically the connections made through these applications to SQL Server are made via OLE DB or ODBC. The network library is included with the OLE DB provider or ODBC driver. Many of the security requirements are defined in the connection options through these interfaces. This chapter defines the security requirements for the OLE DB and ODBC drivers.
The chapter first addresses the management of clients who are using the client tools of SQL Server. This section includes an in-depth description of the Net-Libraries, Client Network Utility, and Server Network Utility. The chapter then moves to the management of clients that are connecting to SQL Server from an application. This section describes OLE DB and ODBC in more depth and introduces connection options from Active Data Objects (ADO.NET). The security requirements for the connections from ADO are presented, and examples are provided for securing your connections to SQL Server.

Managing Connections from the Client Tools

SQL Server ships with a set of client tools that can be installed on SQL Server as well as on any other machine running a Windows operating system. The client tools are often installed on multiple machines within the network to facilitate remote administration and development on SQL Server. For security purposes, you should install the client tools only on the computers where SQL Server administration and development are necessary. You want to avoid having the tools installed by users who don't need them.

The client tools use a network library and network protocol to connect to the server to perform the necessary actions. This section describes the relationship between the network library and the network protocol. This section then describes the network libraries that are available in SQL Server. Through these network libraries, you can configure security options such as Secure Sockets Layer (SSL) and an alternative port number for connectivity to SQL Server. Finally, this section introduces the Client Network Utility and the Server Network Utility, which are used to configure the Net-Library that is used for the connection from the client tools to SQL Server.

Client Net-Libraries and Network Protocols

Microsoft SQL Server uses a dynamic-link library (DLL) called a Net-Library to communicate with a particular network protocol.
A matching pair of Net-Libraries must be active on client and server computers to support the desired network protocol. For example, to enable a client application to communicate with a specific instance of SQL Server across TCP/IP, the client TCP/IP Sockets Net-Library (DBNETLIB.dll) must be configured to connect to that server on the client computer, and the server TCP/IP Sockets Net-Library (SSNETLIB.dll) must be listening on the server computer.

By themselves, a pair of Net-Libraries cannot support a client/server connection. Both the client and server also must be running a protocol stack supporting the Net-Libraries. For example, if the server TCP/IP Sockets Net-Library is listening on the server computer and the client TCP/IP Sockets Net-Library is configured to connect to that server on the client computer, the client can only connect to the server if a TCP/IP protocol stack is installed on both computers.

NOTE The Named Pipes and Multiprotocol Net-Libraries both support multiple network protocols (NWLink IPX/SPX, NetBEUI, and TCP/IP) and will automatically select any supported network protocol that is available. Using either of these Net-Libraries is useful if the client must connect to multiple servers running different network protocols and you do not want to create and manage configuration entries for each server-network protocol combination.

Net-Libraries

SQL Server supports the following Net-Libraries for the client connection to SQL Server:

■ Named Pipes is used to create a virtual pipe between the client and server. The connection is based on shared memory addresses. Named Pipes supports multiple network protocols (NWLink IPX/SPX, NetBEUI, and TCP/IP). Named Pipes connections are the least secure option.

■ TCP/IP is used to create a socket connection from the client to the server. A socket is the combination of an IP address and the SQL Server port number. The port number is used to identify the service within the TCP/IP protocol. If your connection is coming from the Internet, the port number is key in negotiating firewall security. The firewall has to be configured to allow passage of network packets that have identified the port defined by your SQL instance.

■ Multiprotocol is used to create a connection based on remote procedure calls (RPC). Multiprotocol can be used with the same network protocols as Named Pipes and can be used to enforce data encryption over the network through Secure Sockets Layer (SSL). More information on configuring SSL can be found in Chapter 15, "Managing Internet Security." Implementing SSL can be used to secure connection credentials as they are passed from the client to SQL Server.

■ NWLink IPX/SPX is used for the connection to a machine running the IPX/SPX protocol. This is common in a Novell network.

■ AppleTalk is used to connect via the AppleTalk protocol. This is beneficial in some Macintosh networks.

■ Banyan VINES is used to connect to a Banyan VINES network.

NOTE Many Macintosh and Novell networks now run on TCP/IP. If this is the scenario, the NWLink and AppleTalk Net-Libraries do not have to be configured.

The client Net-Libraries are installed during SQL Server setup. You define which client Net-Libraries are used to connect to particular instances of SQL Server using the Client Network Utility. You can specify a default Net-Library for all connections and also define the use of specific Net-Libraries for connecting to specific instances of SQL Server. TCP/IP is the default protocol on clients running the Windows NT 4.0, Windows 2000, and Windows 9x operating systems.

SQL Server can listen simultaneously on any combination of server Net-Libraries. Use SQL Server Network Library Configuration during or after the Setup program to choose the server Net-Libraries to be activated.
For computers running Windows NT 4.0 or Windows 2000, the default server Net-Libraries are TCP/IP sockets and Named Pipes. For computers running Windows 9x, the default server Net-Library is TCP/IP sockets. When you install SQL Server client utilities on a workstation, SQL Server setup installs TCP/IP as the default client protocol. If most of the servers to which you will be connecting are not configured to support the current default client protocol, you can change the default to another protocol.

The port number used for the instance is automatically defined. The first instance of SQL Server is assigned port 1433. Subsequent instances are assigned different port numbers. You will need to pass this information to both the developers who are accessing SQL Server and your firewall administrator. The port number is used to guarantee a secure connection to SQL Server. The firewall should be configured to allow as few ports through as possible to decrease the chance of an attack from the Internet.

Client Network Utility

The Client Network Utility is used to manage the client Net-Libraries and define server alias names. It can also be used to set the default options used by DB-Library applications. Most users will never need to use the Client Network Utility. The default settings are appropriate for most connections. To connect to SQL Server 2000, users can specify only the network name of the server on which SQL Server is running and, optionally, the name of the instance of SQL Server. The user will also have to supply security credentials. This can be either the user's current Windows account information or a SQL account.

In some cases, an instance of SQL Server may be configured to listen on an alternative network port number. This may be done to increase security. Many attacks on SQL Server 2000 from the Internet are focused on port 1433 because 1433 is the default port number.
While changing this port number requires a small amount of administrative overhead, it may decrease the risk of attack. If the port number is changed, client applications connecting to that instance must explicitly specify the alternative port number. While applications could specify the alternative addresses on each connection request, it is easier to use the Client Network Utility to set up an alias specifying the alternative addresses. Applications can then specify the alias name in place of the server network name in their connection requests.

The alias configuration and the port number configuration are performed from the Client Network Utility. You can alter the currently configured Net-Libraries by performing the following steps:

1. From the Microsoft SQL Server program group, click Client Network Utility to open the SQL Server Client Network Utility shown in Figure 7.1.
2. Click the General tab.
3. From the Disabled Protocols pick list, click the Net-Library you want to enable.
4. Click the Enable button. The Net-Library that you selected appears in the Enabled Protocols by Order pick list.
5. After you have configured the appropriate Net-Libraries, click OK to close the SQL Server Client Network Utility.

Figure 7.1 The SQL Server Client Network Utility configures the Net-Libraries with which the client can connect to SQL Server.

Server Network Utility

The Server Network Utility is used to manage the server Net-Libraries.
This utility is used to specify the following information:

■ The network protocol stacks on which an instance of SQL Server 2000 listens for client requests
■ The sequence in which server Net-Libraries are considered when establishing connections from applications
■ New network addresses that an instance of Microsoft SQL Server 2000 listens on
■ Data encryption through Secure Sockets Layer (SSL) to ensure secure transmission of data
■ The TCP port number that the SQL Server instance is listening on

Most administrators will never need to use the Server Network Utility. They will specify during setup the server Net-Libraries on which SQL Server listens. If you need to increase the default security, you can use this tool to change the port number of SQL Server and configure SSL. Both of these options can help prevent unwanted attacks against your server. After you have performed the installation, you can alter the Net-Libraries that the server is using by performing the following steps:

1. From the Microsoft SQL Server program group, click Server Network Utility to open the SQL Server Network Utility shown in Figure 7.2.
2. Select the SQL Server instance you want to configure by using the Instances on this Server drop-down pick list.
3. Click the Net-Library you would like to configure from the Disabled Protocols pick list.
4. Click the Enable button. The selection you made in the previous step appears in the Enabled Protocols pick list.
5. When you have completed the configuration, click OK to close the SQL Server Network Utility dialogue box.

Figure 7.2 The SQL Server Network Utility configures the Net-Libraries on which SQL Server allows connections.

NOTE The SQL Server Network Utility is used to configure the port that SQL Server listens on and Secure Sockets Layer encryption. Both of these features facilitate secure communication over the Internet and through firewall infrastructures.
For more information on configuring these features, refer to Chapter 15, "Managing Internet Security."

Application Connections

Discounting certain proprietary access protocols such as VBSQL, the Visual Basic interface to DB-Library, an application will most likely establish a connection with SQL Server through ODBC or OLE DB.

ODBC, or Open Database Connectivity, is a database-neutral application programming interface (API). In other words, an application can access the ODBC API and connect to different relational data sources simply by providing an appropriate ODBC database driver. Should you wish to change the database supporting the application, you would simply switch ODBC database drivers and the application would continue to function properly. The application's database backend is transparent to the application.

OLE DB is the foundation of Microsoft's newest data access technology, Universal Data Access. Like ODBC, it provides a database-neutral connection interface for applications. It was developed and introduced by Microsoft to permit access not only to the relational data sources accessible through ODBC but also to nonrelational data sources. The need for this extension was driven by intranet and Internet application data demands. In addition to OLE DB, the Universal Data Access platform also includes certain providers (similar in purpose to ODBC drivers) plus a programmer-friendly interface to OLE DB called Active Data Objects, or ADO.

Connection Security

Obviously, if your SQL Server database data has any value, access to it must be secured. Setting up and maintaining security is the responsibility of the database administrator. Each user is granted or denied permission to various database objects. These permissions may range from a single field in a single table to the entire database. Generally, users should be granted permissions to only those database objects they require.
This is most effectively accomplished by granting read and update access through views and stored procedures rather than by direct access to the underlying tables.

Whether an application is a user or a reusable component, before the application can gain access to SQL Server, it must be authenticated. This is accomplished by passing the user's login identification and password to the database server at the time the connection is requested. This information is typically part of the connection string the application uses to connect to a database. The login ID and the password must have been previously created by the system administrator so the database server can match the connection-string user information to the database server's data and thus authenticate the user.

The login ID can be hard coded in the application's connection string or it can be passed from the Windows operating system via a trusted network connection. A trusted network connection, not to be confused with a database connection, is established when users log on to their computer and are authenticated through a Windows domain. In essence, the operating system has already authenticated the user's access to the database server. This is referred to as Integrated Security.

Alternatively, the connection string may hard code a surrogate login ID and password that most likely is unknown to the user. All users accessing the application essentially log in as the same user. This presumes, of course, that the application implements adequate front-end security measures to assure that only authorized users may access the database through this surrogate login ID, and that the back-end database is not concerned about specific user activity.

Additionally, the application may display its own dialogue box to obtain the login ID and password directly from the user and incorporate it in the connection string.
When a database client is not part of a trusted connection, this method permits specific user authentication when required. Additionally, it allows the application developer control over how the information is collected without subjecting the user or the developer to the default prompting behaviors of ODBC or OLE DB when login information is absent from the connection string.

Creating Connections with ODBC

As noted earlier, ODBC is a database-neutral interface that applications can use to access relational data sources. ODBC enables a database to become an integral part of an application. SQL statements can be incorporated into the application, allowing the application to read and update data from a database.

ODBC enables applications to access a variety of data sources, including a wide range of relational databases and local file-based data stores. ODBC supports applications in all Windows operating environments. An application can access any ODBC-compliant data source by selecting the appropriate ODBC driver for the specific data source. Also, many ODBC drivers can be configured as read-only, which can be a valuable security tool. If the user that is accessing your data only needs to read the data, a read-only ODBC driver can limit the user to read-only access to the data.

SQL Server programs that are written using the ODBC API communicate with SQL Server through C function calls. The SQL Server-specific versions of the ODBC functions are implemented in a SQL Server ODBC driver. The driver passes SQL statements to SQL Server and returns the results of the statements to the application. ODBC applications are also interoperable with drivers for heterogeneous data sources.

Most ODBC drivers provide options for you to define the connection credentials for accessing the server. When accessing SQL Server, you have the option of using Windows Authentication.
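The two ideas this chapter keeps returning to, a server alias that hides an alternative port (the Client Network Utility section) and a connection string that either carries a hard-coded surrogate login or relies on Integrated Security (the Connection Security section), can both be checked mechanically before an application ships. The following Python script is an added example and is not code from the book. It assumes only the ODBC/OLE DB connection-string syntax (Key=Value pairs separated by ';', with a value optionally wrapped in braces) and a constructed alias table shaped like the entries the Client Network Utility keeps. The net-library identifiers DBMSSOCN and DBNMPNTW are the names the SQL Server ODBC driver's Network= keyword uses; they are not taken from this chapter. Hosts and credentials in the samples are placeholders.

```python
"""Static review of SQL Server ODBC / OLE DB connection strings.

Added example, not code from the book. Assumes the ODBC / OLE DB
connection-string syntax and a constructed alias table shaped like
Client Network Utility entries (alias -> net-library, host, port).
"""

DEFAULT_SQL_PORT = 1433

# Net-library names as the SQL Server ODBC driver's Network= keyword
# spells them (TCP/IP sockets and Named Pipes). Assumed, not from the chapter.
TCPIP, NAMED_PIPES = "DBMSSOCN", "DBNMPNTW"

# Constructed alias table; the hosts are placeholders, not real servers.
ALIASES = {
    "payroll": (TCPIP, "sqlhost01.example.internal", 14330),   # alternative port
    "reports": (NAMED_PIPES, "sqlhost02.example.internal", None),
}


def parse_connection_string(conn):
    """Return {lower-cased key: value}. A {braced} value may contain ';'."""
    pairs, i, n = {}, 0, len(conn)
    while i < n:
        while i < n and conn[i] in "; \t":      # skip separators
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq == -1:
            raise ValueError("key without '=' at offset %d" % i)
        key = conn[i:eq].strip().lower()         # keys are case-insensitive
        i = eq + 1
        if i < n and conn[i] == "{":
            close = conn.find("}", i)
            if close == -1:
                raise ValueError("unterminated '{' value for %s" % key)
            value, i = conn[i + 1:close], close + 1
        else:
            end = conn.find(";", i)
            end = n if end == -1 else end
            value, i = conn[i:end].strip(), end
        pairs[key] = value
    return pairs


def resolve_server(name, aliases=ALIASES):
    """Map a Server / Data Source value to (net-library, host, port).

    An alias is looked up in the table; 'host,port' is the TCP/IP sockets
    address form; a bare name is assumed to mean the default instance port.
    """
    if name.lower() in aliases:
        return aliases[name.lower()]
    if "," in name:
        host, port = name.split(",", 1)
        return TCPIP, host.strip(), int(port)
    return TCPIP, name, DEFAULT_SQL_PORT


def audit_connection_string(conn, aliases=ALIASES):
    """Summarise the security-relevant options of one connection string."""
    kv = parse_connection_string(conn)
    integrated = (kv.get("trusted_connection", "").lower() in ("yes", "true")
                  or kv.get("integrated security", "").upper() == "SSPI")
    has_password = any(k in kv for k in ("pwd", "password"))
    server = kv.get("server") or kv.get("data source") or kv.get("address") or ""
    netlib, host, port = resolve_server(server, aliases) if server else (None, None, None)

    warnings = []
    if integrated and has_password:
        warnings.append("password supplied but ignored under integrated security")
    if not integrated and has_password:
        warnings.append("surrogate SQL login with embedded password: every user "
                        "connects as the same login, so the front end must enforce access control")
    if not integrated and not has_password:
        warnings.append("no password: ODBC/OLE DB will prompt unless the application collects credentials")
    if not server:
        warnings.append("no server given; driver defaults apply")
    if port == DEFAULT_SQL_PORT:
        warnings.append("default port 1433 in use; consider an alternative port behind the firewall")
    if netlib == NAMED_PIPES:
        warnings.append("Named Pipes net-library selected; the chapter rates it the least secure option")

    return {"auth": "integrated" if integrated else "sql",
            "hardcoded_password": has_password and not integrated,
            "netlib": netlib, "host": host, "port": port, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample strings; credentials are placeholders.
    for sample in (
        "Driver={SQL Server};Server=payroll;Database=Payroll;Trusted_Connection=yes",
        "Provider=SQLOLEDB;Data Source=sqlhost03.example.internal,1433;"
        "Initial Catalog=Sales;User ID=app_user;Password=placeholder",
        "Driver={SQL Server};Server=reports;Database=Rpt;UID=reader",
    ):
        print(audit_connection_string(sample))
```

Run as a script it prints one summary per sample: the alias-based integrated-security string comes back clean, the SQLOLEDB string is flagged for its embedded surrogate password and for sitting on port 1433, and the Named Pipes alias is flagged for the net-library choice. The parser deliberately stops at the first '}' and does not handle the '}}' escape, which is enough for review scripts but not for a production driver.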
[...]

regardless of the current login security mode at the server. Any login ID or password supplied will be ignored. The SQL Server system administrator must have associated your Windows login with a SQL Server login ID.

Figure 7.5 Create a New Data Source to SQL Server is the security screen for creating a SQL Server data source.

With SQL Server Authentication Using [...]

query an SQL data source. For SQL Server, the following types of OLE DB providers can be used:

■ Microsoft OLE DB Provider for SQL Server (SQLOLEDB), which maps OLE DB interfaces and methods over SQL Server data sources
■ Microsoft OLE DB Provider for ODBC (MSDASQL), which maps OLE DB interfaces and methods to ODBC APIs

OLE DB consumers connect to an instance of SQL Server using the SQL Server ODBC driver as an intermediary layer. The native OLE DB provider, SQLOLEDB, is installed with SQL Server 2000 and is recommended when developing new applications. The OLE DB provider for ODBC, MSDASQL, is provided for backward compatibility.

Active Data Objects (ADO) is a data access interface used to communicate with OLE DB-compliant data sources, such as SQL Server. Data consumer applications can use ADO to connect [...]

the SQL Server driver obtains initial settings from SQL Server for the options on the screens of the wizard that follow. The SQL Server driver connects to the SQL Server named in the Server box on the first screen. When no server is named, the driver uses standard defaults as the initial settings for the options on the screens that follow in the wizard.

Login ID text box. Specifies the login ID that the SQL Server driver uses when connecting to SQL Server if With SQL Server Authentication Using a Login ID and Password Entered by the User is selected. This only applies to the connection made to determine the server default settings; it does not apply to subsequent connections made using the data source after it has been created.

Password text box. Specifies the password the SQL Server uses when [...]

Specifies that the SQL Server ODBC driver not request a secure (or trusted) connection to SQL Server. When selected, SQL Server uses standard login security to establish connections using this data source. You must specify a SQL Server login ID and password for all connection requests.

Client Configuration button. Starts the Add New Network Library Configuration dialogue box of the SQL Server Client Configuration [...]

Security (ADOX), which includes objects for SQL Server database object creation and modification, and security.

Best Practices

■ Only install the client tools for SQL Server on the computers where the user has to administer or develop using SQL Server. The client tools should not be available to all users.
■ Use the Client and Server Network Utilities to configure the Net-Libraries with which the SQL Server [...]

DB API directly. Some of these features include:

■ The interface to the SQL Server bulk-copy component
■ The interface to get SQL Server-specific information from messages and errors
■ Catalog information from the linked servers used in SQL Server distributed queries

OLE DB also supports the XML functionality of SQL Server 2000. This provides an easy migration path for Internet applications coded [...]

DB applications to access the data in SQL Server. In SQL Server version 6.5 and earlier, OLE DB applications had to use the OLE DB Provider for ODBC layered over the SQL Server ODBC driver. While OLE DB applications can still use the OLE DB Provider for ODBC with the SQL Server ODBC driver, it is more efficient to use only the OLE DB Provider for SQL Server. OLE DB as a low-level API is recommended for [...]

portion of the wizard shown in Figure 7.5.

8. On this second screen of the wizard, select among the following list of options:

With Windows NT Authentication Using the Network Login ID button. Specifies that the SQL Server ODBC driver request a secure (or trusted) connection to a SQL Server running on Windows NT or Windows 2000. When selected, SQL Server uses integrated login security to establish connections [...]

Posted: 08/08/2014, 22:20