SQL Server 2000 Security Basics
Within a security system there are two major aspects:
Authentication
Authorization
People often confuse the two
Authentication should be centralized
Authorization is resource-specific (decided per database and per object)
Authentication
Validates the username and password and assures (to some degree) that the person is who they say they are
Authorization
Checks whether or not an authenticated user has permission to perform a given task
There are many aspects of security in SQL Server. We will look at:
One account for each user
Password Expirations
Password Length and Content
Number of Login Attempts
Storing the User ID and Password
One Account Per User
Each individual user of the application should have their own login account. This allows:
Individual access permissions
Non-repudiation (assuming they do not share their password)
Sharing a password should be treated as a security violation
One Account Per User
Do not create shared (global) user accounts
If you need security, spend the extra time and be precise
Separate accounts (one per user) let you audit suspicious activity down to the individual account
Password Expirations
Automatic password expiration forces users to change their password periodically
A password that has been compromised stops working once it is changed
Native SQL Server 2000 cannot enforce this for SQL Server logins (password policy enforcement for SQL logins arrived in SQL Server 2005)
We can build this into the application or use Windows Authentication (more later)
DELL
Password Expiration
At first glance there appears to be no down-side to password expiration
There are two major down-sides:
Tech support calls go up sharply (users forget passwords that change often)
Users start choosing highly predictable passwords, such as the old password with a number incremented at the end (opening a security hole)
Password Length
In SQL Server 2000 this can only be enforced by making your (front-end) application the single entry point to the database
The application can then set a minimum length for all passwords in the system
Each additional case-insensitive alphanumeric character multiplies the number of possible passwords by 36 (26 letters plus 10 digits)
Minimum lengths greater than 5 or 6 characters will make users unhappy; note that this is well below current guidance (NIST SP 800-63B calls for at least 8), so weigh convenience against the larger search space
Password Content
A password of four case-insensitive alphanumeric characters has 36^4 = 1,679,616 possibilities, over 1,000,000
To make dictionary attacks harder you can require at least one letter and one digit (a character-class rule raises the cost of guessing but does not stop an attacker with a large word list and a fast offline hash)
(Also not available natively in SQL Server 2000, but it can be enforced by the application)
Number of Login Attempts
To blunt online dictionary attacks, enforce a maximum number of login attempts
For example, three unsuccessful attempts disable the account (an administrator must re-enable it)
Be aware that lockout lets anyone who knows a username deny that user service by entering wrong passwords, so log and review lockouts
With Windows Authentication the Windows account lockout policy provides this
Storing User ID and Password
Usernames and passwords should never be hard-coded into the application
If you store the credentials on disk (the most common choice), ENCRYPT them, and keep the key separate from the data
There will be a day your system is compromised (often by internal staff)
Storing User ID and Password
There are some options available:
A hash function (MD5) for passwords the application only needs to verify: a hash is one-way, so store a per-user salted hash and compare, rather than "decrypting". MD5 is fast and now broken; prefer a salted, slow password hash such as PBKDF2 or bcrypt
A symmetric algorithm (AES) for credentials the application must present to SQL Server in the clear, which makes protecting the key the real problem
Smart cards or an asymmetric algorithm (RSA)
Always choose the most secure storage method available to you
Storing User ID and Password
Security is expensive; on a small budget you can use the free hash and symmetric algorithms available to you
If you have the budget, always go with the more secure asymmetric and smart card combination. There are other ways as well
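The slides say that expiration, minimum length, character content, lockout after failed attempts and protected credential storage all have to be built into the front-end application on SQL Server 2000. The following Python is an added example, not code from the original slides, of one way to do that in the application layer: it keeps a per-user salted PBKDF2-HMAC-SHA256 hash instead of the plain MD5 the slides mention, counts failed logins and disables the account at three, and reports an expired password so the application can force a change. The class and function names, the 90-day lifetime and the iteration count are assumptions chosen for the example; the in-memory AccountStore stands in for whatever table the application uses.

```python
import hashlib
import hmac
import os

# Policy values are assumptions chosen to match the slides, not SQL Server settings.
MIN_LENGTH = 6                           # slide: longer minimums annoy users
MAX_FAILED_ATTEMPTS = 3                  # slide: three failures disable the account
PASSWORD_LIFETIME_SECONDS = 90 * 86400   # 90-day expiry, an assumed value
PBKDF2_ITERATIONS = 100_000              # slow hash: raises the cost of offline guessing
SALT_BYTES = 16


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. Unlike plain MD5, equal passwords get different
    digests because each account has its own random salt, and every guess
    costs PBKDF2_ITERATIONS SHA-256 computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str, now: float):
        self.username = username
        self.salt = os.urandom(SALT_BYTES)
        self.digest = hash_password(password, self.salt)
        self.changed_at = now           # for expiration
        self.failed_attempts = 0        # for lockout
        self.disabled = False


class AccountStore:
    """In-memory stand-in for the application's credential table (assumed design)."""

    def __init__(self):
        self._accounts: dict[str, Account] = {}
        # Fixed salt used to hash a guess for unknown users, so that a wrong
        # username and a wrong password take about the same time.
        self._decoy_salt = os.urandom(SALT_BYTES)

    def create(self, username: str, password: str, now: float) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self._accounts[username] = Account(username, password, now)

    def login(self, username: str, password: str, now: float) -> str:
        """Return one of: ok, expired, disabled, bad_password, unknown_user."""
        account = self._accounts.get(username)
        if account is None:
            hash_password(password, self._decoy_salt)   # equalise timing
            return "unknown_user"
        if account.disabled:
            return "disabled"
        candidate = hash_password(password, account.salt)
        if not hmac.compare_digest(candidate, account.digest):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.disabled = True     # an administrator must call enable()
                return "disabled"
            return "bad_password"
        account.failed_attempts = 0
        if now - account.changed_at > PASSWORD_LIFETIME_SECONDS:
            return "expired"                # correct password, but it must be changed
        return "ok"

    def change_password(self, username: str, old: str, new: str, now: float) -> bool:
        account = self._accounts.get(username)
        if account is None or account.disabled:
            return False
        if not hmac.compare_digest(hash_password(old, account.salt), account.digest):
            return False
        if check_policy(new):
            return False
        account.salt = os.urandom(SALT_BYTES)   # fresh salt on every change
        account.digest = hash_password(new, account.salt)
        account.changed_at = now
        account.failed_attempts = 0
        return True

    def enable(self, username: str) -> None:
        """Administrator action: re-enable a locked-out account."""
        account = self._accounts[username]
        account.disabled = False
        account.failed_attempts = 0
```

The login screen should show the same message for bad_password and unknown_user so it does not reveal which usernames exist; the decoy hash keeps the two paths similar in timing. Because the lockout is per account, anyone who knows a username can lock it, which is why the slides' three-strikes rule needs lockout logging and an administrator path to re-enable.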
Security Options
SQL Server provides some built-in security options.
SQL Server 2000 has two authentication modes and two kinds of login:
Windows Authentication (a mode, and a login type)
SQL Server Authentication (a login type: a username and password stored by SQL Server)
Mixed Mode (a mode that accepts both Windows and SQL Server logins; SQL Server logins only work in this mode)
Windows Authentication
The user logs into a Windows machine (or domain)
A trusted connection is established through Windows security (SSPI): NTLM (NT LAN Manager), or Kerberos when client and server are in a Windows 2000 Active Directory domain
The user never enters a separate SQL Server password (single sign-on)
You can grant rights to Windows users or groups of a domain or computer
The type of things you can define include:
The right to log in (a server login)
The right to access a particular database (a database user)
The right to perform tasks on the objects of that database (object permissions)