T-SQL Security
This section covers the essential aspects of security within Transact-SQL (T-SQL) for SQL Server. Securely managing your data is paramount, and T-SQL provides robust mechanisms to achieve this.
Core Security Concepts
Understanding the fundamental building blocks of SQL Server security is crucial:
- Authentication: Verifying the identity of users trying to connect to the database. This can be done via Windows Authentication (Kerberos or NTLM; SQL Server never stores or sees the password) or SQL Server Authentication (a login and password held by the instance). Windows Authentication is the recommended default where it is available.
- Authorization: Determining what authenticated users are allowed to do within the database. This involves permissions and roles.
- Auditing: Tracking and recording database activities to monitor for suspicious behavior and ensure compliance.
- Encryption: Protecting sensitive data at rest and in transit using various encryption techniques.
Principals (Logins and Users)
Principals are entities that can request access to SQL Server resources. They are broadly categorized into:
- Logins: Server-level principals used to authenticate to an instance of SQL Server. A login by itself grants no access inside any database.
- Users: Database-level principals that receive permissions within one specific database. A user is normally mapped to a server login; a contained database user can instead authenticate directly to the database without a login.
Creating and Managing Principals
-- Creating a SQL Server Login. CHECK_POLICY enforces the Windows password policy
-- on the login's password. A password written into a script like this should be
-- rotated once the login exists, and the script kept out of source control.
CREATE LOGIN [MyLogin] WITH PASSWORD = 'StrongPassword123!', CHECK_POLICY = ON;
GO
-- Creating a Database User mapped to the Login. Until permissions are granted,
-- the user holds only what the public role carries.
USE MyDatabase;
GO
CREATE USER [MyUser] FOR LOGIN [MyLogin];
GO
Permissions
Permissions grant or deny access to specific securable objects, such as tables, views, stored procedures, and even the server itself. Each permission is stored as a GRANT or a DENY entry on a principal; REVOKE removes the entry. A DENY always overrides a GRANT, including a GRANT the principal inherits through a role (the one legacy exception: a column-level GRANT takes precedence over a table-level DENY). Permissions can be:
- Statement Permissions: Control the ability to execute specific T-SQL statements (e.g., CREATE TABLE, BACKUP DATABASE).
- Object Permissions: Control access to objects like tables, views, and stored procedures (e.g., SELECT, INSERT, EXECUTE).
Granting and Revoking Permissions
-- Granting SELECT permission on a table to a user
GRANT SELECT ON dbo.Customers TO [MyUser];
GO
-- Denying DELETE permission on a table to a user. DENY is an explicit block:
-- it overrides any GRANT the user inherits through role membership.
DENY DELETE ON dbo.Orders TO [MyUser];
GO
-- Revoking the user's own permission entries on a table. REVOKE removes both
-- GRANT and DENY rows for this principal; it does not remove access the user
-- still inherits from a role. ALL is deprecated, so the five table permissions
-- it expands to are listed explicitly.
REVOKE SELECT, INSERT, UPDATE, DELETE, REFERENCES ON dbo.Products FROM [MyUser];
GO
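To make the precedence rules concrete, here is an added example (not code from the original page) that walks one permission through a GRANT via a role, a user-level DENY, and a REVOKE, checking the effective permission each time with HAS_PERMS_BY_NAME while impersonating the user. It assumes MyUser from above; the table dbo.Orders and the role OrdersReaderRole are created here only so the script runs.

```sql
USE MyDatabase;
GO
-- Constructed securable for the demonstration (the page never defines dbo.Orders).
IF OBJECT_ID('dbo.Orders', 'U') IS NULL
    CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Total money NOT NULL);
GO
-- Step 1: grant through a role (hypothetical role name) and add the user to it.
CREATE ROLE [OrdersReaderRole];
GRANT SELECT ON dbo.Orders TO [OrdersReaderRole];
ALTER ROLE [OrdersReaderRole] ADD MEMBER [MyUser];
GO
-- Impersonate the user and ask the engine for the effective permission.
-- HAS_PERMS_BY_NAME returns 1 when the current context holds the permission, 0 when not.
EXECUTE AS USER = 'MyUser';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS CanSelectOrders; -- the inherited GRANT applies
REVERT;
GO
-- Step 2: a DENY directly on the user overrides the GRANT inherited from the role.
DENY SELECT ON dbo.Orders TO [MyUser];
GO
EXECUTE AS USER = 'MyUser';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS CanSelectOrders; -- the DENY wins
REVERT;
GO
-- Step 3: REVOKE deletes only the user's own entry (here the DENY). The role's
-- GRANT is untouched, so access comes back. REVOKE is not a way to lock a user out.
REVOKE SELECT ON dbo.Orders FROM [MyUser];
GO
EXECUTE AS USER = 'MyUser';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS CanSelectOrders; -- the inherited GRANT applies again
REVERT;
GO
-- Step 4: to remove the access for real, revoke it where it was granted
-- (or drop the membership), then confirm no stored entries remain.
REVOKE SELECT ON dbo.Orders FROM [OrdersReaderRole];
GO
SELECT pr.name AS principal_name, pr.type_desc, pe.state_desc, pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pr.name IN ('MyUser', 'OrdersReaderRole');
GO
```

EXECUTE AS USER requires IMPERSONATE on the target user (db_owner and sysadmin have it), and the final query against sys.database_permissions is the same one to run when reviewing permissions, since it shows stored entries rather than the effective result of role inheritance.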
Roles
Roles are collections of permissions that simplify the management of access control. Users are assigned to roles, and the role's permissions are then inherited by the users. Because a DENY on the user overrides a GRANT inherited from a role, grant through roles and manage exceptions by membership rather than by scattering per-user DENYs.
- Fixed Server Roles: Predefined roles with server-level permissions (e.g., sysadmin, securityadmin). securityadmin can grant any server-level permission, including to itself, so treat membership in it as equivalent to sysadmin.
- Fixed Database Roles: Predefined roles with database-level permissions (e.g., db_owner, db_datareader, db_datawriter).
- User-Defined Roles: Roles created by users to group specific permissions for custom access management.
Adding Users to Roles
-- Adding a user to a fixed database role
ALTER ROLE db_datareader ADD MEMBER [MyUser];
GO
-- Creating a custom role and adding permissions
CREATE ROLE [AppReaderRole];
GO
GRANT SELECT ON dbo.Orders TO [AppReaderRole];
GO
ALTER ROLE AppReaderRole ADD MEMBER [MyUser];
GO
Auditing
SQL Server Audit allows you to monitor and audit database events. This is critical for security compliance and investigating security-related incidents.
Key features include:
- Defining audit specifications to capture specific events.
- Storing audit logs in files, the Windows Application log, or the Windows Security log.
- Analyzing audit data to identify unauthorized access or modifications.
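As an added example (not code from the original page), the following sets up a file-based server audit with a server-level specification for failed logins and security-relevant server changes, a database-level specification for reads and writes to one table, and the query that reads the log back. The audit name, the path D:\SQLAudit\ (which must already exist and be writable by the SQL Server service account) and the table dbo.Orders are assumptions for illustration.

```sql
USE master;
GO
-- The audit object: where events go and what happens if they cannot be written.
-- ON_FAILURE = FAIL_OPERATION fails the audited action instead of losing the record;
-- SHUTDOWN is the stricter choice, CONTINUE the weaker one.
CREATE SERVER AUDIT [SecurityAudit]
TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
GO
-- Server-level events: failed logins, server role and permission changes, and any
-- change to the audit itself (so disabling it leaves a trace).
CREATE SERVER AUDIT SPECIFICATION [SecurityAudit_Server]
FOR SERVER AUDIT [SecurityAudit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO
USE MyDatabase;
GO
-- Constructed securable for the demonstration (the page never defines dbo.Orders).
IF OBJECT_ID('dbo.Orders', 'U') IS NULL
    CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Total money NOT NULL);
GO
-- Database-level events: every read or modification of dbo.Orders by anyone
-- (BY public), plus permission and role-membership changes inside the database.
CREATE DATABASE AUDIT SPECIFICATION [SecurityAudit_MyDatabase]
FOR SERVER AUDIT [SecurityAudit]
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Orders BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- The audit is created disabled; enable it once its specifications exist.
USE master;
GO
ALTER SERVER AUDIT [SecurityAudit] WITH (STATE = ON);
GO
-- Reading the log back, newest first. action_id is a short code such as SL (SELECT)
-- or LGIF (login failed); succeeded distinguishes blocked attempts from successes.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\SecurityAudit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Ship the audit files off the host (or at least out of reach of the instance's own administrators) on a schedule; an attacker with sysadmin can disable the audit, but AUDIT_CHANGE_GROUP means the last record before silence is the disable itself.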
Encryption
SQL Server offers several encryption features:
- Transparent Data Encryption (TDE): Encrypts data files, log files, and backups at rest. It protects against theft of the physical files or backups, not against anyone who can already authenticate and query the database.
- Always Encrypted: Encrypts sensitive columns on the client side; the column encryption keys stay with the application driver, so the plaintext is never visible to the server, including to database administrators.
- Column-level Encryption: Encrypts individual columns inside the database using T-SQL functions such as EncryptByKey and DecryptByKey, with the symmetric key protected by a certificate or asymmetric key that is itself protected by the database master key.
- Dynamic Data Masking: Not encryption, but commonly listed alongside it. It masks sensitive values in query results for users who lack the UNMASK permission, while applications that hold it continue to receive the raw data.
Example of Data Masking
Dynamic Data Masking can be applied to columns to mask data in query results for users who lack the UNMASK permission. It changes only how results are presented; the stored data is unchanged, and a user who can run ad hoc queries can still filter on the real values, so it limits accidental exposure rather than enforcing access control.
-- Applying a data mask to an email column
ALTER TABLE dbo.Users
ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
GO
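As an added example (not code from the original page), the following shows what masking hides, what it does not, and how UNMASK lifts it. It reuses MyUser from earlier; the table dbo.Members, its mask functions and its two rows are constructed for illustration.

```sql
USE MyDatabase;
GO
-- Constructed table with two masked columns. In CREATE TABLE the MASKED WITH clause
-- comes before the nullability constraint.
CREATE TABLE dbo.Members (
    MemberId int IDENTITY PRIMARY KEY,
    Email    nvarchar(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone    varchar(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL);
INSERT INTO dbo.Members (Email, Phone) VALUES
    (N'alice@example.com', '555-010-1234'),
    (N'bob@example.org',   '555-010-5678');
GRANT SELECT ON dbo.Members TO [MyUser];
GO
-- 1. MyUser has SELECT but not UNMASK, so values are rewritten on the way out:
--    email() keeps the first letter and a fixed suffix, partial() keeps the last 4 digits.
EXECUTE AS USER = 'MyUser';
SELECT MemberId, Email, Phone FROM dbo.Members;
REVERT;
GO
-- 2. Masking applies to the result set only. Predicates evaluate against the real
--    values, so the same user can confirm or enumerate data with ad hoc queries.
--    This is why DDM reduces accidental exposure but is not an access-control boundary.
EXECUTE AS USER = 'MyUser';
SELECT MemberId FROM dbo.Members WHERE Email = N'alice@example.com';   -- matches although Email is masked in output
SELECT MemberId, Email FROM dbo.Members WHERE Phone LIKE '555-010-1%'; -- narrows down the hidden digits
REVERT;
GO
-- 3. UNMASK lifts the masking. Grant it (directly or via a role) only to principals
--    that must see raw values, and include it in permission reviews.
GRANT UNMASK TO [MyUser];
GO
EXECUTE AS USER = 'MyUser';
SELECT MemberId, Email, Phone FROM dbo.Members;   -- raw values now returned
REVERT;
GO
REVOKE UNMASK FROM [MyUser];
GO
-- 4. Inventory of masked columns and their functions, for review.
SELECT OBJECT_SCHEMA_NAME(object_id) + '.' + OBJECT_NAME(object_id) AS table_name,
       name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
GO
```

Members of db_owner hold CONTROL on the database, which includes UNMASK, so they always see raw values regardless of the mask definitions.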
Best Practices
- Implement the principle of least privilege.
- Prefer Windows Authentication; where SQL Server logins are unavoidable, use strong, unique passwords with CHECK_POLICY enabled.
- Regularly review permissions and role memberships.
- Enable and configure SQL Server Audit for critical events.
- Encrypt sensitive data using TDE or Always Encrypted.
- Keep SQL Server updated with the latest security patches.