Oracle Advanced Security



Oracle Advanced Security (OAS)

  • Introduced in Oracle8i.
  • Combines (a) strong authentication with (b) encryption of data in storage and while being transferred to and from the database.
  • Includes Transparent Data Encryption (TDE), Wallet Management, Network Encryption, RADUIS, Kerberos, Secure Socket Layer (SSL) Authentication, etc.
  • Helps customers address regulatory compliance requirements, including
    • - Sarbanes-Oxley (?)
    • - Payment Card Industry Data Security Standard (PCI-DSS),
    • - Health Insurance Portability and Accountability Act (HIPAA), and numerous
    • - Breach notification laws.

OAS provides (transparent) data encryption and strong authentication services
- Protect sensitive data on the network, on storage media and within the database from unauthorized disclosure.
- Also protects against theft, loss, and improper decommissioning of storage media and database backups


 OAS Components
Transparent data Encryption (TDE)
  • Encrypts data before it is written to storage and
  • automatically decrypts data when reading it from storage without any changes to existing applications (no need for triggers, views, etc..)
  • Access controls that are enforced by the Oracle database still remain in effect. These include object grants, roles, virtual private database and Oracle Database Vault.
  • Two supported modes: TABLESPACE ENCRYPTION (11g only) and COLUMN ENCRYPTION (Introduced on 10g r2)
    • Tablespace Encryption: good for encrypting entire app tables
    • Column Encryption: good for individual data elements (credit cards, SSNs, etc).
    • Frequently accessed data blocks are cached in memory in the same manner as traditional nonencrypted data blocks

KEY Management
  • Two-tier key management architecture: MASTER encryption key + one or more DATA encryption keys.
  • TDE MASTER Encryption key (MEK): used to encrypt and protect the DATA encryption keys.
  • TDE MEK: can be stored in the Oracle Wallet.

Network encryption
  • Provides standards-based network encryption
  • Connections can be rejected from clients that have encryption turned off
  • No changes to existing applications are required

Strong Authentication
  • Kerberos, PKI or RADIUS
  • SSL-based authentication can make use of Smart Cards.

Encrypted database backups
  • RMAN backups encrypted data.
  • RMAN can call TDE during the backup process to encrypt the entire database (including SYSTEM and SYSAUX).
  • RMAN can COMPRESS and use TDE to ENCRYPT => compact and secure backups.
Posted by Minima-Imagem 0 comments
Labels: ,

Identity and Access Control: Authentication and Users


  • Access to a SQL Server database takes place through three levels of security.
  • In each one you need to have access and permissions configured independently.
  • You may need to:
    • (1) Login in to a Windows domain (level 1) (except for non-windows clients)
    • (2) The Windows login is then mapped to SQL Server Login (level 2)
    • (3) The SQL Server Login is mapped to a database user (level 3).

 Authentication Mode
  • Controls how application users connect to SQL Server
  • (a) Windows Authentication mode
    • Default and recommended
    • Only authenticated Windows users can access the SQL Server instance
    • Allowed connections:
      • by users who are authenticated through the Windows Active Directory service or
      • by the local user account databse on the SQL Server machine.
    • A Windows Login(within SQL Server) has to be created for each Windows user or group that needs acess to the SQL instance.

  • (b) Mixed Mode Authentication
    • Windows users can be mapped to SQL Server Windows logins or
    • SQL Logins can be created directly in SQL Server.
    • This mode is required when non-Windows clients need to access the server.
    • SQL Logins are not considered as secure as Windows Logins.
    • While Windows uses Kerberos authentication, SQL Logins store username/passwd in the master database.
    • If the use of SQL Logins is a requirement, you should also use some form of lower-layer network encryption (i.e. IPSec or SSL).

 Principals
  • Principals: Entities (individuals, groups, processes) that can request SQL Server resources.
  • Securables: the server, databases, and objects within databases.
  • Principals can be arranged in a hierarchy
  • Scope of influence of a principal depends on:
    • (a) its definition scope: Windows -> Server -> database
    • (b) whether principal is indivisible (i.e. windows login, SQL Logins) or collection (i.e windows group)
  • Every principal has a security indentifier (SID)



Windows-level principals
  • Windows group
  • Windows domain login
  • Windows local login

SQL Server-level principals
  • SQL Server Login
    • The sa login is created when instance is installed.
    • sa default database: master.
    • Server-level principals for internal use: names enclosed with '##' (certificate-based)
  • Fixed Server Role:
    • sysadmin, serveradmin, securityadmin, processadmin,
    • setupadmin, bulkadmin, diskadmin, dbcreator, public

Database-level principals
  • Database User
    • Every database includes information_schema and sys.
    • These entities appear as users, BUT information_schema and sys ARE NOT principals. Cannot be dropped.
    • The guest user is created by default in every user database.
    • The guest user cannot be dropped, but can be disabled (revoke CONNECT), except in master and tempdb.
  • Fixed | Flexible Database Role
    • (i.e. public. every database user belongs to the public db role.)
  • Application Role

Types of SQL Server Logins:
(neither of which are mapped to an OS user)
  • Windows Logins
  • SQL Server Logins

Creating a SQL Server Login
(a) Create a SQL Server login that uses Windows Authentication
-- domain/user have to be a valid/existing Windows user
Create Login [domain/user] from windows;


-- domain/group has to be a valid Windows group
create login [domain_name/group_name] from windows;

(b) create a SQL Server Login that uses SQL Server authentication
CREATE LOGIN [test_SQLAuth_1] WITH PASSWORD=***, 
     DEFAULT_DATABASE=[Books], 
     DEFAULT_LANGUAGE=[us_english], 
     CHECK_EXPIRATION=ON, 
     CHECK_POLICY=ON
GO

ALTER LOGIN [test_SQLAuth_1] DISABLE
GO

Drop login test_SQLAuth_1;
Check the created SQL Server Login
(a) use sys.server_principals

select name, type_desc, default_database_name
from sys.server_principals;
name type_desc default_database_name
----------------------------------------------
sa SQL_LOGIN master
public SERVER_ROLE NULL
...
NT AUTHORITY\SYSTEM WINDOWS_LOGIN master
NT SERVICE\MSSQL$SQLSERVER08 WINDOWS_GROUP master
iranmr-PC\iranmr WINDOWS_LOGIN master
NT SERVICE\SQLAgent$SQLSERVER08 WINDOWS_GROUP master
..
test_SQLAuth_1 SQL_LOGIN Books

(b) use sys.sql_logins
select name, type_desc, default_database_name
from sys.sql_logins;
name type_desc default_database_name
-----
sa SQL_LOGIN master
...
test_SQLAuth_1 SQL_LOGIN Books

Server-Level Roles (Fixed Server Roles)
  • SQL Server-level Logins can be managed using fixed server roles.
  • There are 9 Server-level roles.
    • sysadmin, serveradmin, securityadmin, processadmin, setupadmin, bulkadmin, diskadmin, dbcreator, public
  • Roles are similar to Windows OS groups
  • Server-level roles: also called fixed server roles (because cannot be created by users)
  • Have server-wide scope.
  • You can assign SQL Server logins, Windows accounts, and Windows groups to server-level roles.
Information about Server-Level Roles:
exec sp_helpsrvrole;
ServerRole Description
-----
sysadmin System Administrators
securityadmin Security Administrators
serveradmin Server Administrators
setupadmin Setup Administrators
processadmin Process Administrators
diskadmin Disk Administrators
dbcreator Database Creators
bulkadmin Bulk Insert Administrators

exec sp_helpsrvrolemember;
ServerRole MemberName MemberSID
-----
sysadmin sa
sysadmin NT AUTHORITY\SYSTEM 
sysadmin NT SERVICE\MSSQL$SQLSERVER08
sysadmin iranmr-PC\iranmr
sysadmin NT SERVICE\SQLAgent$SQLSERVER08


Adding/Dropping a Server Login to a Server-level Role
exec sp_addsrvrolemember test_SQLAuth_1, sysadmin;

exec sp_helpsrvrolemember;
ServerRole MemberName MemberSID
-----
sysadmin sa
sysadmin NT AUTHORITY\SYSTEM 
sysadmin NT SERVICE\MSSQL$SQLSERVER08
sysadmin iranmr-PC\iranmr
sysadmin NT SERVICE\SQLAgent$SQLSERVER08
sysadmin        test_SQLAuth_1

exec sp_dropsrvrolemember test_SQLAuth_1, sysadmin;


Database users
Database users are principals at the database level.
A database user needs to be created for each login that needs to access the database.
When a login that does not have a user mapped to it tries to access a database, it is logged as the guest database user.
However, this only happens if the guest user has been granted CONNECT to the database.
(a) Create database used mapped to an existing SQL Server Login
USE [Books]
GO

CREATE USER [test_auth_dbbooks1] FOR LOGIN [test_SQLAuth_1] 
       WITH DEFAULT_SCHEMA=[dbo]
GO


 
(b) Check the created database user among the database principals


use Books;
go
select name, type_desc, default_schema_name
from sys.database_principals;
name type_desc default_schema_name
-------
public DATABASE_ROLE NULL
dbo WINDOWS_USER dbo
guest SQL_USER guest
INFORMATION_SCHEMA SQL_USER NULL
sys SQL_USER NULL
test_auth_dbbooks1 SQL_USER dbo
...

Fixed | Flexible Database Roles
  • Roles are security principals that group other principals.
  • Can be used to group database users with similar access privileges.
  • You can create new (flexible) database roles to define groups based on business requisites.
  • You can nest roles (add role into other role)
  • Create new role: CREATE ROLE role_name
  • Add user to role: exec sp_addrolemember role_name, user_name.
  • Fixed roles exist in all databases:
    • db_onwer, db_securityadmin, db_accessadmin, db_backupoperator, db_ddladmin, db_datawriter, db_datareader, db_denydatawriter, db_denydatareader


Application Role
  • Is a database principal that enables an application to run with its own, user-like permissions.
  • Can be used to enable access to specific data only to users connecting through a specific application.
  • Application roles contain no members.
  • How it works:
    • (1) Client application connects to SQL Server as a database user.
    • (2) Client application executes sp_setapprole.
    • (3) If validated, a context switch occurs and the application assumes the permission of the application role.
CREATE APPLICATION ROLE weekly_receipts 
    WITH PASSWORD = '987G^bv876sPY)Y5m23', 
    DEFAULT_SCHEMA = Sales;
GO


Managing Schemas
  • Schemas are collections of database objects that form a single namespace.
  • Starting in SQL Server 2005, schemas and database users are separate entities.
  • User name is no longer part of the object name.
  • Each schema is now a distinct namespace that exists independently of the database user who created it.
  • Each schema is owned either by a user or a role.
  • If you need to drop a user, you need to transfer the schema ownership to someone else first.
  • You can define a default schema for a user.
  • Implications of the separation of ownership:
    • Ownership of schemas is now transferable
    • Objects can be moved between schemas.
    • Multiple database users can share a single default schema.
    • Improved object-permission management.
    • Schema can be owned by any database principal: user, database role, application role.

Checking schemas
use Books;
go
select * from sys.schemas;

name                schema_id   principal_id
------------------  ----------  ------------
dbo                 1          1
guest 2 2
INFORMATION_SCHEMA 3 3
sys 4 4
db_owner 16384 16384
db_accessadmin 16385 16385
db_securityadmin 16386 16386
db_ddladmin 16387 16387
db_backupoperator 16389 16389
db_datareader 16390 16390
db_datawriter 16391 16391
db_denydatareader 16392 16392
db_denydatawriter 16393 16393


Using SQL Server and Database Principals, Schemas, application roles and context switching
(a) Create a SQL Server login, database user and schema.
(b) Create application role associated with the new schema
(c) Activate the new application role, switching user context
(d) Return to previous context.
-- Using database books

USE books;
GO

(1) Create a SQL Server login user1

CREATE login user1 WITH password = ***;
(2) Create a [books] database user user1. 
     -- user1 is created in the [books] database,
     --      is associated with user1 SQL Server principal (login)
     --      has schema1 as default schema.

CREATE USER  user1 FOR login user1 WITH default_schema = schema1;
(3) Query sys.sql_logins to check that the SQL Server principal was created

SELECT name, type_desc, default_database_name
    FROM sys.sql_logins;
name           type_desc default_database_name
-------------- --------- ---------------  
sa             SQL_LOGIN master
...
test_SQLAuth_1 SQL_LOGIN Books
user1          SQL_LOGIN master

(4) Query books.sys.database_principals to check that databse user user1 was created

SELECT name, principal_id, type_desc, default_schema_name
    FROM sys.database_principals;
name                principal_id  type_desc     default_schema_name
------------------- ------------- ------------- ---------------  
public              0             DATABASE_ROLE NULL
dbo                 1             SQL_USER      dbo
guest               2             SQL_USER      guest
INFORMATION_SCHEMA  3             SQL_USER      NULL
sys                 4             SQL_USER      NULL
user1            6             SQL_USER      schema1
db_owner            16834         DATABASE_ROLE NULL
...

(5) Query books.sys.schemas to check that the schema1 DOES NOT yet exist.

SELECT name, schema_id, principal_id
    FROM sys.schemas;
name            schema_id  principal_id
-----------------  ---------  --------
dbo                1          1
guest              2          2
INFORMATION_SCHEMA 3          3
sys                4          4
db_owner           16384      16384
...


(6) Create schema books.schema1, owned by user1

USE Books;
GO
CREATE SCHEMA schema1 AUTHORIZATION user1;
(7) Query sys.schemas to check schema1 was created.

SELECT name, schema_id, principal_id
    FROM sys.schemas;
name            schema_id  principal_id
-----------------  ---------  --------
dbo                1          1
guest              2          2
INFORMATION_SCHEMA 3          3
sys                4          4
schema1         5          6             --  <= owner: user1
db_owner           16384      16384
...

(8) Create table emp_sch1 in schema1, and insert one row.

CREATE TABLE schema1.emp_sch1 (id INT, name VARCHAR(20));
INSERT INTO books.schema1.emp_sch1 
        VALUES (1, 'John');
(9) Query books.schema1.emp_sch1 to check the inserted row.

SELECT * 
    FROM books.schema1.emp_sch1;
id  name
--  ----
1   John


(10) Create application role approle_sch1, with default schema schema1. Grant select on schema1 to approle_sch1.

USE Books;
GO
CREATE application role approle_sch1
            WITH password = 'p4sswd',
            default_schema = schema1;
            GRANT 
SELECT ON schema::schema1 TO approle_sch1;
(11) Query the current user  (should return 'dbo')

SELECT USER_NAME() AS USER_NAME;
user_name
---------
dbo

(12) Switch context to approle_sch1 using sp_setapprole. Use cookies to save orginal context information.

DECLARE @cookie VARBINARY(8000);
EXEC sp_setapprole 'approle_sch1', 'p4sswd',
    @fCreateCookie = true,
    @cookie = @cookie OUTPUT;
SELECT USER_NAME() AS USER_NAME;
    -- should return approle_sch1
SELECT * 
    FROM emp_sch1;
    -- should return one row
EXEC sp_unsetapprole @cookie;
GO

user_name
----------
approle_sch1

id name
-- ----
1  John

(13) Revert to the original context using sp_unsetapprole.  

SELECT USER_NAME() AS USER_NAME;
user_name
----------
dbo



Posted by Minima-Imagem 0 comments
Labels: , ,

SQL Server: the data dictionary


Distribution of catalog information:
  • What is stored in the master database? What is kept in the user databases?
  • Base metadata tables are stored in the resource database. Metadata views are available in the master database (system-wide information) and in each user database (db specific and some system-wide information).
  • Metadata information can be obtained through catalog views, information schema views, system stored procedures and functions, as well as OLE DB schema rowsets and ODBC catalog funtions.

Obtaining metadata information can be done by using either:
  • (a) System Stored Procedures (T-SQL)
    • Catalog stored procedures
  • (b) System views:
    • Object Catalog views
    • Dynamic Management Views and Functions
    • Information Schema Views

Catalog Stored Procedures and Object Catalog views

 sp_columns, sys.columns, and information_schema.columns
sp_columns
USE AdventureWorks2008r2;
GO
EXEC sp_columns department;
Returns 19 columns..
TABLE_QUALIFIER       TABLE_OWNER     TABLE_NAME  COLUMN_NAME ... TYPE_NAME         PRECISION LENGTH
--------------------  --------------  ---------   ------------      ----------------- ---------- ------
AdventureWorks2008R2  HumanResources  Department  DepartmentID      smallint identity 5         2
AdventureWorks2008R2  HumanResources  Department  Name              Name              50        100
AdventureWorks2008R2  HumanResources  Department  GroupName         Name              50        100
AdventureWorks2008R2  HumanResources  Department  ModifiedDate      datetime          23        16

(or)

USE AdventureWorks2008r2;
GO
EXEC sp_columns department, @column_name= 'name';
TABLE_QUALIFIER       TABLE_OWNER     TABLE_NAME  COLUMN_NAME ... TYPE_NAME         PRECISION LENGTH
--------------------  --------------  ---------   ------------      ----------------- ---------- ------
AdventureWorks2008R2  HumanResources  Department  Name              Name              50        100

(for column information, you may also use:)

EXEC sp_help 'HumanResources.department';

sys.columns
Returns a row for each column of an object that has columns (system, internal and user tables, views, table-valued sql function, inline table-valued sql function, table-valued assembly functions).
SELECT name, system_type_id, is_nullable
    FROM sys.columns
    WHERE OBJECT_NAME(OBJECT_ID)= 'Department';
name          system_type_id  is_nullable
------------  --------------  ------------
DepartmentID  52              0
Name          231             0
GroupName     231             0
ModifiedDate  61              0



SELECT o.name table_name, c.name column_name, t.name data_type,
            t.length length, t.prec precision
    FROM syscolumns c
            INNER JOIN sysobjects o ON o.id = c.id
            LEFT JOIN  systypes t   ON t.xtype = c.TYPE
    WHERE o.TYPE = 'U'
        AND o.name = 'Department'
    ORDER BY o.name, c.name;
table_name  column_name  data_type  length precision
----------  -----------  ---------  ------ -------- 
Department  DepartmentID smallint   2      5
Department  GroupName    NULL       NULL   NULL
Department  ModifiedDate datetime   8      23
Department  Name         NULL       NULL   NULL

information_schema.columns
Information schema views provide a system table-independent view of the SQL Server metadata.
The idea is that it provides an interface that remains unchanged even after significant changes have been made to the underlying system tables.
USE AdventureWorks2008R2;
GO
SELECT TABLE_NAME, COLUMN_NAME,
            COLUMNPROPERTY(OBJECT_ID(TABLE_SCHEMA + '.' + TABLE_NAME), COLUMN_NAME, 'ColumnID') AS COLUMN_ID
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE TABLE_NAME = 'Department';
TABLE_NAME  COLUMN_NAME  COLUMN_ID
----------  -----------  --------
Department  DepartmentID 1
Department  Name         2
Department  GroupName    3
Department  ModifiedDate 4

sp_column_privileges and information_schema.column_privileges
sp_column_privileges
USE AdventureWorks2008R2;
GO
EXEC sp_column_privileges 'Employee',
    @table_owner='HumanResources',
    @column_name = 'SalariedFlag';
TABLE_QUALIFIER       TABLE_OWNER     TABLE_NAME COLUMN_NAME  GRANTOR GRANTEE PRIVILEGE  IS_GRANTABLE
--------------------  --------------  ---------- ------------ ------- ------- ---------  ---------
AdventureWorks2008R2  HumanResources  Employee   SalariedFlag dbo     dbo     INSERT     YES
AdventureWorks2008R2  HumanResources  Employee   SalariedFlag dbo     dbo     REFERENCES YES
AdventureWorks2008R2  HumanResources  Employee   SalariedFlag dbo     dbo     SELECT     YES
AdventureWorks2008R2  HumanResources  Employee   SalariedFlag dbo     dbo     UPDATE     YES
information_schema.column_privileges

SELECT table_name, column_name,column_name, privilege_type, is_grantable
    FROM INFORMATION_SCHEMA.COLUMN_PRIVILEGES
    WHERE TABLE_NAME = 'Department';

 sp_special_columns
sp_special_columns
Returns the optimal set of columns that uniquely identify a row in the table.
Returns columns automatically updated when any value in the row is updated.
USE AdventureWorks2008R2;
GO
EXEC sp_special_columns 'Department',
    @table_owner='HumanResources';
SCOPE COLUMN_NAME    DATA_TYPE  TYPE_NAME         PRECISION LENGTH SCALE PSEUDO_COLUMN
----- -------------- ---------  ----------------- --------- ------ ----- ------------
1     DepartmentID   5          smallint identity 5         2       0    1

sp_stored_procedures, sp_sproc_columns, sys.procedures and information_schema.routines
sp_stored_procedures
USE AdventureWorks2008R2;
GO
EXEC sp_stored_procedures;
PROCEDURE_QUALIFIER  PROCEDURE_OWNER PROCEDURE_NAME ...
-------------------  --------------  -----------------
AdventureWorks2008R2 dbo             ufnGetAccountingEndDate;0
...
AdventureWorks2008R2 HumanResources  uspUpdateEmployeeHireInfo;1
..
AdventureWorks2008R2 sys             sp_spaceused;1

(also)

USE AdventureWorks2008R2;
GO
EXECUTE sp_stored_procedures @sp_owner = N'dbo';

sp_sproc_columns
Returns column information for a stored procedure or user-defined function.
USE AdventureWorks2008R2;
GO
EXEC sp_sproc_columns @procedure_name = 'uspLogError';
PROCEDURE_QUALIFIER  PROCEDURE_OWNER PROCEDURE_NAME COLUMN_NAME   ... TYPE_NAME ... IS_NULLABLE
-------------------  --------------- -------------- -----------       ---------     -----------
AdventureWorks2008R2 dbo             uspLogError;1  @RETURN_VALUE     int           NO
AdventureWorks2008R2 dbo             uspLogError;1  @ErrorLogID       int           YES

sys.procedures
Returning all stored procedures in a given database;
USE AdventureWorks2008R2;
GO
SELECT name procedure_name,
            SCHEMA_NAME(schema_id) AS schema_name,
            type_desc,
            create_date,
            modify_date
    FROM sys.procedures;

information_schema.routines
Returns the stored procedures and functions that can be accessed by the current user in the current database.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, ROUTINE_BODY, ROUTINE_DEFINITION
    FROM INFORMATION_SCHEMA.routines;

 sp_databases, sys.databases
sp_databases
Lists databases in an instance.
USE MASTER;
GO
EXEC sp_databases;
DATABASE_NAME        DATABASE_SIZE  REMARKS
-------------------- ------------   --------
AdventureWorks2008R2 186240         NULL
master               5120           NULL
model                1792           NULL
msdb                 20288          NULL
MyDB                 10240          NULL
tempdb               8704           NULL
sys.databases
USE MASTER;
GO
SELECT name, create_date, compatibility_level, user_access_desc,
            state_desc, recovery_model_desc
    FROM sys.databases;
name                 create_date             compat_level user_access_desc state_desc rec_model_desc
-------------------  ----------------------- ------------ ---------------- ---------- --------------
master               2003-04-08 09:13:36.390 100          MULTI_USER       ONLINE     SIMPLE
...
model                2003-04-08 09:13:36.390 100          MULTI_USER       ONLINE     FULL
TESTSQL              2009-06-08 10:43:13.347 100          MULTI_USER       ONLINE     BULK_LOGGED
AdventureWorks2008R2 2009-06-05 17:40:24.250 100          MULTI_USER       ONLINE     SIMPLE
Other database information views: sys.database_files, sys.database_mirroring, sys.database_recovery_status, sys.master_files


 sp_statistics

sp_fkeys


sp_pkeys

sp_table_privileges

sp_server_info

sp_tables








Posted by Minima-Imagem 0 comments
Labels: ,
Subscribe to: Posts (Atom)