-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path22_Security_1.sql
More file actions
326 lines (294 loc) · 9.01 KB
/
22_Security_1.sql
File metadata and controls
326 lines (294 loc) · 9.01 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
/**************************************************************
* SQL Server 2022 Enhanced Security Tutorial
* Description: This script demonstrates advanced security features
* in SQL Server 2022 including modern login and RBAC,
* Transparent Data Encryption (TDE), ledger tables,
* certificate management with enclave computations,
* Always Encrypted, dynamic data masking, row-level security,
* firewall rules, Azure Key Vault integration, temporal tables
* with security policies, encryption hierarchy, Query Store
* security, and audit specifications.
**************************************************************/
-------------------------------------------------
-- Region: 0. Server-Level Security Setup
-------------------------------------------------
/*
0.1 Use the master database for login and audit operations.
*/
USE master;
GO
/*
0.2 Create a modern login with enhanced password policies.
2022 enhancements include MUST_CHANGE and CHECK_EXPIRATION.
*/
CREATE LOGIN TestLogin
WITH PASSWORD = 'StrongPassword123!'
MUST_CHANGE,
CHECK_EXPIRATION = ON,
CHECK_POLICY = ON;
GO
/*
0.3 (Optional) Create an Azure AD login for hybrid environments.
-- CREATE LOGIN [user@domain.com] FROM EXTERNAL PROVIDER;
-- GO
*/
/*
0.4 Create a database scoped credential for Azure integration.
*/
CREATE DATABASE SCOPED CREDENTIAL AzureCredential
WITH IDENTITY = 'Managed Identity';
GO
/*
0.5 Create a server audit for security monitoring.
2022 enhancements include QUEUE_DELAY and ON_FAILURE options.
*/
CREATE SERVER AUDIT SecurityAudit
TO FILE (FILEPATH = 'C:\Audits\')
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-------------------------------------------------
-- Region: 1. Database-Level Security Setup
-------------------------------------------------
USE TestDB;
GO
/*
1.1 Create a database user mapped to the login using modern syntax.
*/
CREATE USER TestUser
FOR LOGIN TestLogin
WITH DEFAULT_SCHEMA = dbo;
GO
/*
1.2 Enable Ledger for the database (new 2022 feature).
*/
ALTER DATABASE TestDB SET LEDGER = ON;
GO
-------------------------------------------------
-- Region: 2. Ledger Table and Certificate Management
-------------------------------------------------
/*
2.1 Create a ledger-enabled table for immutable data tracking.
2022 enhancements include APPEND_ONLY and LEDGER_VIEW options.
*/
CREATE TABLE dbo.LedgerTable
(
ID INT PRIMARY KEY,
Data NVARCHAR(100)
)
WITH
(
LEDGER = ON
(
APPEND_ONLY = ON,
LEDGER_VIEW = [dbo].[LedgerTableView]
)
);
GO
/*
2.2 Create a certificate with enclave computations (2022 enhancements).
*/
CREATE CERTIFICATE TestCertificate
WITH SUBJECT = 'Test Certificate',
EXPIRY_DATE = '20251231',
ENCLAVE_COMPUTATIONS;
GO
/*
2.3 Backup the certificate with private key protection.
*/
BACKUP CERTIFICATE TestCertificate
TO FILE = 'C:\Certificates\TestCertificate.cer'
WITH PRIVATE KEY
(
FILE = 'C:\Certificates\TestCertificate.pvk',
ENCRYPTION_PASSWORD = 'StrongPassword123!'
);
GO
-------------------------------------------------
-- Region: 3. Always Encrypted and Dynamic Data Masking
-------------------------------------------------
/*
3.1 Create a column encryption key (placeholder for encrypted value).
Note: Replace 0x... with the actual encrypted value.
*/
CREATE COLUMN ENCRYPTION KEY TestCEK
WITH VALUES
(
COLUMN_MASTER_KEY = TestCertificate,
ALGORITHM = 'RSA_OAEP',
ENCRYPTED_VALUE = 0x...
);
GO
/*
3.2 Apply dynamic data masking on an existing table.
(Assuming dbo.Animals exists; adjust table/column names as needed.)
*/
ALTER TABLE dbo.Animals
ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
GO
-------------------------------------------------
-- Region: 4. Row-Level Security (RLS)
-------------------------------------------------
/*
4.1 Create a security predicate function for row-level security.
(Assuming a function that filters on UserID; adjust as necessary.)
*/
IF OBJECT_ID(N'dbo.fn_securitypredicate', N'IF') IS NOT NULL
DROP FUNCTION dbo.fn_securitypredicate;
GO
CREATE FUNCTION dbo.fn_securitypredicate(@UserID INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
SELECT 1 AS fn_Result
WHERE @UserID = CAST(SESSION_CONTEXT(N'UserID') AS INT);
GO
/*
4.2 Create a security policy on dbo.Animals using the predicate.
*/
CREATE SECURITY POLICY AnimalFilter
ADD FILTER PREDICATE dbo.fn_securitypredicate(UserID)
ON dbo.Animals
WITH (STATE = ON, SCHEMABINDING = ON);
GO
-------------------------------------------------
-- Region: 5. Modern Permissions and Firewall Rules
-------------------------------------------------
/*
5.1 Grant modern permissions using RBAC improvements.
*/
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Animals TO TestUser;
GRANT SHOWPLAN TO TestUser; -- Granular permission for query plans.
GRANT VIEW SERVER STATE TO TestUser;
GRANT IMPERSONATE ANY LOGIN TO TestUser WITH GRANT OPTION;
GO
/*
5.2 Create a database-level firewall rule.
2022 enhancement for IP-based access control.
*/
CREATE DATABASE FIREWALL RULE ClientAppRule
WITH START_IP = '192.168.1.100',
END_IP = '192.168.1.100';
GO
-------------------------------------------------
-- Region: 6. Azure Key Vault Integration
-------------------------------------------------
/*
6.1 Create a cryptographic provider for Azure Key Vault.
*/
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVaultProvider
FROM FILE = 'C:\Providers\AzureKeyVault.dll';
GO
/*
6.2 Create a credential for Azure Key Vault.
*/
CREATE CREDENTIAL AzureKeyVaultCredential
WITH IDENTITY = 'https://testvault.vault.azure.net/',
SECRET = 'AzureADCredential';
GO
-------------------------------------------------
-- Region: 7. Temporal Table with Security Enhancements
-------------------------------------------------
/*
7.1 Create a system-versioned temporal table with security.
*/
CREATE TABLE dbo.SecureTemporal
(
ID INT PRIMARY KEY,
Data NVARCHAR(100),
ValidFrom DATETIME2 GENERATED ALWAYS AS ROW START,
ValidTo DATETIME2 GENERATED ALWAYS AS ROW END,
PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.SecureTemporalHistory));
GO
/*
7.2 Create a security predicate function for the temporal table.
*/
IF OBJECT_ID(N'dbo.fn_temporal_security', N'IF') IS NOT NULL
DROP FUNCTION dbo.fn_temporal_security;
GO
CREATE FUNCTION dbo.fn_temporal_security(@ValidFrom DATETIME2)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
SELECT 1 AS result
WHERE @ValidFrom > DATEADD(YEAR, -1, GETUTCDATE());
GO
/*
7.3 Create a security policy for temporal data access.
*/
CREATE SECURITY POLICY TemporalSecurityPolicy
ADD FILTER PREDICATE dbo.fn_temporal_security(ValidFrom)
ON dbo.SecureTemporal,
ADD BLOCK PREDICATE dbo.fn_temporal_security(ValidFrom)
ON dbo.SecureTemporal AFTER INSERT;
GO
-------------------------------------------------
-- Region: 8. Modern Encryption Hierarchy and Query Store Security
-------------------------------------------------
/*
8.1 Create a column master key integrated with Azure Key Vault.
*/
CREATE COLUMN MASTER KEY TestCMK
WITH (KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
KEY_PATH = 'https://testvault.vault.azure.net/keys/TestCMK');
GO
/*
8.2 Configure Query Store with enhanced security options.
*/
ALTER DATABASE TestDB SET QUERY_STORE = ON
(QUERY_CAPTURE_MODE = AUTO,
MAX_PLANS_PER_QUERY = 200,
WAIT_STATS_CAPTURE_MODE = ON);
GO
-------------------------------------------------
-- Region: 9. Audit Specifications
-------------------------------------------------
/*
9.1 Create a database audit specification for tracking schema and data changes.
*/
CREATE DATABASE AUDIT SPECIFICATION DataChanges
FOR SERVER AUDIT SecurityAudit
ADD (SCHEMA_OBJECT_CHANGE_GROUP),
ADD (DATABASE_OBJECT_CHANGE_GROUP),
ADD (SELECT, INSERT, UPDATE, DELETE ON dbo.Animals BY public);
GO
-------------------------------------------------
-- Region: 10. Security Verification and Ledger Checks
-------------------------------------------------
/*
10.1 Verify object permissions using HAS_PERMS_BY_NAME.
*/
SELECT
name,
HAS_PERMS_BY_NAME(name, 'OBJECT', 'SELECT') AS has_select,
HAS_PERMS_BY_NAME(name, 'OBJECT', 'UPDATE') AS has_update
FROM sys.objects
WHERE type = 'U';
GO
/*
10.2 Check ledger integrity using the ledger verification stored procedure.
*/
EXEC sp_generate_ledger_verification
@database_name = N'TestDB',
@table_name = N'dbo.LedgerTable';
GO
-------------------------------------------------
-- Region: 11. Cleanup
-------------------------------------------------
/*
Clean up security objects using modern DROP syntax.
*/
DROP SECURITY POLICY IF EXISTS AnimalFilter;
DROP SECURITY POLICY IF EXISTS TemporalSecurityPolicy;
DROP USER IF EXISTS TestUser;
DROP LOGIN IF EXISTS TestLogin;
DROP CERTIFICATE IF EXISTS TestCertificate CASCADE;
GO
-------------------------------------------------
-- Region: End of Script
-------------------------------------------------