DATABASE SECURITY DATABASE SECURITY ................................................................................................... 3 Authentication vs Authorization ..................................................................................... 3 Authentication ................................................................................................................. 3 Authorization .................................................................................................................. 4 Role-based Security .................................................................................................... 4 Principals..................................................................................................................... 6 Securable ..................................................................................................................... 6 Permissions ................................................................................................................. 6 Using Views as Security Mechanisms ........................................................................ 7 SQL Injection .................................................................................................................. 8 DATABASE SECURITY Security is a major concern for the modern age systems, network, and database administrators. It is natural for an administrator to worry about hackers and external attacks while implementing security. But there is more to it. It is essential to first I implement security within the organization, to make sure the right people have access to the right data. Without these security measures in place, you might find someone destroying your valuable data, or selling your company's secrets to your competitors, or someone invading the privacy of others. Primarily, a security plan must identify which users in the organization can see which data and perform which activities in the database. Authentication vs Authorization Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authentication is equivalent to showing your drivers license at the ticket counter at the airport. Authentication systems provide answers to the questions: Who is the user? Is the user really who he/she represents himself to be? Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secure resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions: Is user X authorized to access resource R? Is user X authorized to perform operation P? Is user X authorized to perform operation P on resource R? Authentication and authorization are somewhat tightly-coupled mechanisms authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources. Authentication SQL Server supports two authentication modes: Windows Authentication Mode: With Windows authentication, you do not have to specify a login name and password to connect to SQL Server. Instead, your access to SQL Server is controlled by your Windows NT/2000 account (or the group to which your account belongs to), that you used to login to the Windows operating system on the client computer or workstation. A DBA must specify to SQL Server all the Microsoft Windows NT/2000 accounts or groups that can connect to SQL Server. This authentication mode is used by default because of its inherent better security. When it is used, Windows NT is responsible for managing users’ connections to the SQL Server through the user’s account name or group membership. SQL Server Authentication: When a user connects with a specified login name and password, SQL Server performs the authentication itself by checking to see if a SQL Server login account has been set up and if the specified password matches the one previously recorded. If SQL Server does not have a login account set, authentication fails and the user receives an error message. Windows authentication is the recommended security mode, as it is more secure and you don't have to send login names and passwords over the network. You should avoid mixed mode, unless you have a non-Windows NT/2000 environment, or when your SQL Server is installed on Windows 95/98, or for backward compatibility with your existing applications. Authorization Role-based Security Role-based security is a form of user-level security where a server doesn't focus on the individual user's identity but rather on a logical role he is in. A role is nothing but a group to which individual logins and users can be added, so that the permissions can be applied to a group, instead of applying the permissions to all the individual logins and users. There are three types of roles in SQL Server 7.0 and 2000: Fixed server roles Fixed database roles Application roles Fixed Server Roles Fixed server roles are server-wide roles. Logins can be added to these roles to gain the associated administrative permissions of the role. Fixed server roles cannot be altered and new server roles cannot be created. Here are the fixed server roles and their associated permissions in SQL Server 2000: Fixed Server Role Descriptions sysadmin: Can perform any activity in SQL Server serveradmin: Can set server-wide configuration options, shut down the server setupadmin: Can manage linked servers and startup procedures securityadmin: Can manage logins and CREATE DATABASE permissions, also read error logs and change passwords processadmin: Can manage processes running in SQL Server dbcreator: Can create, alter, and drop databases diskadmin: Can manage disk files bulkadmin: Can execute BULK INSERT statements Fixed Database Roles Each database has a set of fixed database roles, to which database users can be added. These fixed database roles are unique within the database. While the permissions of fixed database roles cannot be altered, new database roles can be created. Here are the fixed database roles and their associated permissions in SQL Server 2000: Fixed Database Role Description db_owner: Has all permissions in the database db_accessadmin: Can add or remove user IDs db_securityadmin: Can manage all permissions, object ownerships, roles and role memberships db_ddladmin: Can issue ALL DDL, but cannot issue GRANT, REVOKE, or DENY statements db_backupoperator: statements db_datareader: Can select all data from any user table in the database db_datawriter: Can modify any data in any user table in the database db_denydatareader: Cannot select any data from any user table in the database db_denydatawriter: Cannot modify any data in any user table in the database Can issue DBCC, CHECKPOINT, and BACKUP Principals These are objects (for example a user login, a role, or an application) that may be granted permission to access particular database objects. SQL Server divides principals into three classes: Windows principals: These represent authenticated using Windows security. Windows user accounts or groups, SQL Server principals: These are server-level logins or groups that are authenticated using SQL Server security. Database principals: These include database users, groups, and roles, as well as application Roles. Securable Securable are objects (a table or view, for example) to which access can be controlled. These are the resources to which the DBMS authorization system regulates access. Some securable can be contained within others, creating nested hierarchies called "scopes" that can themselves be secured. The securable scopes are server, database, and schema. Here are few examples: Server level securable Login Database Database level securable User Role Schema Schema level securable Tables Views Constraints Type Procedures Permissions These are individual rights, granted (or denied) to a principal, to access a securable object. The following T-SQL commands are used to manage permissions at the user and role level. GRANT: Grants the specific permission (SELECT, DELETE etc.) to the specified user or role in the current database REVOKE: Removes a previously granted or denied permission from a user or role in the current database DENY: Denies a specific permission to the specified user or role in the current database Using the above commands, permissions can be granted, denied, or revoked to users and roles on all database objects. There is no way to manage permissions at the row level. That is, in a given table, you can't grant SELECT permission on a specific row to User1 and deny SELECT permission on another row to User2. This kind of security can be implemented by creating user specific views and granting SELECT permission on these views to users. Using Views as Security Mechanisms Views can serve as security mechanisms by restricting the data available to users. Some data can be accessible to users for query and modification, while the rest of the table or database is invisible and inaccessible. Permission to access the subset of data in a view must be granted, denied, or revoked, regardless of the set of permissions in force on the underlying table(s). For example, the salary column in a table contains confidential employee information, but the rest of the columns contain information that should be available to all users. You can define a view that includes all of the columns in the table with the exception of the sensitive salary column. By defining different views and granting permissions selectively on them, users, groups, or roles can be restricted to different subsets of data. For example: Access can be restricted to a subset of the rows of a base table. For example, define a view that contains only rows for business and psychology books and keep information about other types of books hidden from users. Access can be restricted to a subset of the columns of a base table. For example, define a view that contains all the rows of the titles table but omits the royalty and advance columns because this information is sensitive. Access can be restricted to a row-and-column subset of a base table. Access can be restricted to the rows that qualify for a join of more than one base table. For example, define a view that joins the titles, authors, and titleauthor tables to display the names of authors and books they have written. This view hides personal data about the authors, and financial information about the books. Access can be restricted to a statistical summary of data in a base table. For example, define a view that contains only the average price of each type of book. Access can be restricted to a subset of another view or of some combination of views and base tables. SQL Injection SQL injection is a technique whereby an intruder enters data that causes your application to execute SQL statements you did not intend it to. SQL injection is possible as soon there is dynamic SQL which is handled carelessly, be that SQL statements sent from the client or dynamic SQL generated in T-SQL stored procedures. SQL injection may be possible if input is not filtered for escape characters and is then passed into a SQL statement. This result in the potential manipulation of the statements performed on the database by the end user of the application. The following line of code illustrates this vulnerability: statement := "SELECT * FROM users WHERE name = '" + userName + "';" This SQL code is designed to pull up the records of a specified username from its table of users, however, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as a' or 't'='t renders this SQL statement by the parent language: SELECT * FROM users WHERE name = 'a' OR 't'='t'; If this code were to be used in an authentication procedure then this example could be used to force the selection of a valid username because the evaluation of 't'='t' is always true. On some SQL servers such as MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "data" table (in essence revealing the information of every user): a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '% This input renders the final SQL statement as follows: SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'; Other SQL implementations won't execute multiple commands in the same SQL query as a security measure. This prevents crackers from injecting entirely separate queries, but doesn't stop them from modifying queries.