SQL Server Security Distilled, Second Edition
by Morris Lewis
Apress © 2004 (352 pages)
ISBN: 1590592190

This book takes an in-depth look at what you can do to secure data in SQL Server, shows how to authenticate access to data on the server, and shows how to authorize what users can and can't do with that data, in versions 6.5, 7.0, and 2000.

Table of Contents
SQL Server Security Distilled, Second Edition
Additional Information
Introduction
Chapter 1 - A Security Roadmap
Chapter 2 - Authenticating Logins
Chapter 3 - Database Security in SQL Server 6.5
Chapter 4 - Database Security in SQL Server 7.0 and 2000
Chapter 5 - Securing Data on the Network
Chapter 6 - Designing Security for Applications
Chapter 7 - Securing Data Transformation Services
Chapter 8 - Replication Security
Chapter 9 - Managing Security for SQL Server CE
Appendix A - References
Index
List of Figures
List of Tables
List of Listings

Back Cover
SQL Server is the dominant relational database in the Windows market, and data security is a huge and growing concern for all businesses. Securing SQL Server is one of the most important responsibilities of the SQL Server professional. SQL Server Security Distilled, Second Edition is a very carefully researched, clearly explained book on securing SQL Server, by an author who knows SQL Server inside and out. If you follow the practical guidelines that are clearly set out in this book, then you stand a very good chance of making sure that the data stored in your database is secure and that the conversation between your applications and the database is secure (preventing SQL injection attacks, etc.). For example, any DBA who implemented the security precautions detailed in the book would not have been affected by the infamous Slammer worm. This second edition offers practical advice on how to implement good practices that will ward off future worms before they are even created, and it contains new content that reflects all updates to SQL Server's security mechanisms.

About the Author
Morris Lewis has been smitten with Structured Query Language since the first time his professor wrote SELECT * FROM AUTHORS on the chalkboard 14 years ago. He has worked with no other database server since he first installed SQL Server 4.21a on his 16 MHz Intel 386 computer with all of 32 megabytes of RAM, running Windows NT 3.51, more than 8 years ago. With the mantra "It is OK to worry if they really are out to get you," he has focused on all aspects of securing Windows and SQL Server since he connected his first server to the Internet, 6 years ago. Now, he runs a training and consulting company, Holistech Incorporated (http://www.holistech.com), that focuses on helping clients create better and more secure database applications, and on teaching them how to avoid the mistakes that can lead to problems in the future.

SQL Server Security Distilled, Second Edition
MORRIS LEWIS

Copyright © 2004 by Morris Lewis
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-219-0
Printed and bound in the United States of America 12345678910
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Technical Reviewers: Victoria Hudgson, Sarah Larder, Craig Weldon
Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Tony Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski
Lead Editor: Tony Davis
Assistant Publisher: Grace Wong
Project Manager: Beth Christmas
Copy Editors: Nicole LeClerc and Nancy Depper
Production Manager: Kari Brooks
Production Editor: Kelly Winquist
Proofreader: Thistle Hill Publishing Services, LLC
Compositor: Kinetic Publishing Services, LLC
Indexer: John Collins
Artist: Kinetic Publishing Services, LLC
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski

Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010, and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany. In the United States: phone 1-800-SPRINGER, email , or visit http://www.springerny.com. Outside the United States: fax +49 6221 345229, email , or visit http://www.springer.de. For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939, email , or visit http://www.apress.com.

The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

The source code for this book is available to readers at http://www.apress.com in the Downloads section.

This book is dedicated to Dr. Donald Fairbairn, for introducing me to programming over 25 years ago; to Dr. Dennis Hood, for introducing me to Structured Query Language; and to Dr. William Hooper, for being a good friend, teacher, and mentor while I finished my bachelor's degree. I would not be where I am were it not for their tutelage. I wish everyone were blessed to have such people in their lives. This book is also dedicated to my wife, Lisa, for so many, many things it would take another book to list them all.

Acknowledgments
First, I need to tell my family and friends I am sincerely grateful for all the patience they had with me for the last 6 months. I saw a lot of my office and too little of them, but they were always supportive and encouraging. I am sure they all will be glad to see the grumpy, old bear who growled at anyone entering his den go into hibernation for a while.
Second, I want to thank Richard Waymire for encouraging me to do this book when I first mentioned it to him and for sharing freely his insight into how SQL Server works under the hood. In many cases, I could set up tests to determine what SQL Server was doing, but Richard often helped me understand why it was doing it. This book would not be as complete without his help.
Next, I want to thank the folks at VMware (http://www.vmware.com) for creating their GSX Server product. At one point I
had eleven virtual machines with a combination of two different server operating systems, all three versions of SQL Server, and clients running Windows NT and 2000. Using physical hardware would have taken significantly more resources and time, and it would have been difficult to verify how all the different versions interacted with each other. I probably could have written this book without GSX Server, but it would have been much harder.
Finally, I want to thank the giants who have worked and written on SQL Server security before me, for letting me hitch a ride on their shoulders. Many books have been indispensable in teaching me how Windows networks and SQL Server work, and they should be your starting point for delving deeper into the intricacies of securing data in a Windows NT or 2000 network. Appendix A collects the references made throughout this book, for easy reference.

Additional Information
Morris has created a web site to accompany this book, http://www.WinNetSecurity.com. Because securing SQL Server often involves securing Windows, this site covers all topics relating to securing Windows 2000 networks and all versions of SQL Server. The site will also preview changes to security coming in the next version of SQL Server. Be sure to visit and register so you can stay up to date on the latest techniques for keeping your data secure.
Note: All the code used in this book and any errata are available in the Downloads section on the Apress site at http://www.apress.com.

Introduction
Let's face it, as SQL Server professionals, we know that individual security options can appear simple on the surface: assign a user here, create a role there. But as the number of users increases, the need for finer control over them snowballs, creating unexpected difficulties in assigning roles. And the more interconnected your network, the more opportunities there are for a hacker to find a weakness in your defenses. These options that seemed simple to implement close up suddenly look a lot more involved when taken together.
In this book, I show you what is really going on under the hood of SQL Server when you log in: the network packets, the system tables, and the relationship between users, roles, and permissions. If you already know how to assign a user to a group, but you really want to understand the nuts and bolts of SQL Server security, this is the book for you.
You should already have a working knowledge of SQL Server; I do not explain concepts such as DTS or replication, and expect you to already understand these subjects. I discuss a number of basic Windows network administration concepts that you should also be familiar with: Windows domains, network protocols, NTLM authentication, Kerberos security, NTFS permissions, and share-level security.
... scenarios that are possible with SQL Server 6.5, 7.0, and 2000 running on Windows NT and 2000:
SQL Server 6.5 on Windows NT
SQL Server 7.0 on Windows NT
SQL Server 2000 on Windows NT
SQL Server 7.0 on Windows 2000
SQL Server 2000 on Windows 2000
...

What You Need to Use this Book
One of the following SQL Servers is required:
SQL Server 6.5 Service Pack 5a with the post-5a hotfix
SQL Server 7.0 Service Pack 4
SQL Server 2000 Service Pack 2
SQL Server CE 2.0 (Chapter 9 only)
...

List of Figures
Chapter 9: Managing Security for SQL Server CE
Figure 9-1: The data synchronization architecture
Figure 9-2: The test network for SQL Server CE
Figure 9-3: Creating a virtual directory that points to the location of the SQL Server CE Server Agent
Figure 9-4: Using the SimpleRDA program to test connectivity to the Windows CE device
Figure 9-5: Using RDA to pull a list of tables
Figure 9-6: The SQL Server CE Relay Agent architecture

List of Tables
Chapter 1: A Security Roadmap
Table 1-1: Sample Output from the sysusers Table
Chapter 2: Authenticating Logins
Table 2-1: Schema Definition
Table 2-2: Syslogins View
Table 2-3: Example Output
Table 2-4: Xstatus Column
Table 2-5: Server Roles
Chapter 3: Database Security in SQL Server 6.5
Table 3-1: The sysusers Table Schema
Table 3-2: The sysalternates Table
Table 3-3: The sysobjects System Table
Table 3-4: The sysprotects System Table
Chapter 4: Database Security in SQL Server 7.0 and 2000
Table 4-1: The sysusers Table
Table 4-2: Bit Values and Their Corresponding Roles
Table 4-3: The sysprotects Table
Table 4-4: Permissions Belonging to the "Junior DBO" Roles in SQL Server 7.0 and 2000
Table 4-5: Permissions Belonging to the db_datareader and db_datawriter Roles
Table 4-6: Permissions Belonging to the db_denydatareader and db_denydatawriter Roles
Table 4-7: The sysusers Table in SQL Server 2000
Chapter 5: Securing Data on the Network
Table 5-1: TCP/IP Port Rules for a Firewall
Chapter 6: Designing Security for Applications
Table 6-1: Comparison of Functionality
Chapter 7: Securing Data Transformation Services
Table 7-1: Stored Procedures for Restricting Access to DTS Packages
Table 7-2: Basic Command Line Switches
Chapter 8: Replication Security
Table 8-1: System Stored Procedures Used in Replication
Chapter 9: Managing Security for SQL Server CE
Table 9-1: Useful Connection String Properties for SQL Server CE

List of Listings
Chapter 5: Securing Data on the Network
Listing 5-1: Partial Listing of an Authentication Packet
Listing 5-2: A Simple, Single-byte XOR Operation
Listing 5-3: Viewing Data in Network Packets
Listing 5-4: Network Traffic Encrypted with SSL
Listing 5-5: A SELECT Query in Plain Text
Listing 5-6: The Same SELECT Query Encrypted Using IPSec
Chapter 6: Designing Security for Applications
Listing 6-1: Forms Authentication Login Validation
Listing 6-2: Forms Authentication Using SQL Server Logins
Listing 6-3: Simple Hashing Example
Listing 6-4: Login Validation Using Hashed Passwords
Listing 6-5: Encryption Using the AES Algorithm
Listing 6-6: Utility Functions for Encryption/Decryption
Listing 6-7: Encrypting Data in INSTEAD OF Triggers
Listing 6-8: INSTEAD OF Trigger Using RSA Encryption
Listing 6-9: Decryption Function Using AES Encryption
Listing 6-10: Reading Encrypted Data Using a Function
...