Module 3 - Implement a Secure Environment

Question 1

What does AD and Azure AD Provide

Answer 1

Both provide Authentication services and ID Management

Question 2

What does AD use to provide Authentication and what is used for Querying AD

Answer 2

AD uses Kerberos to provide Authentication using tickets and queries via LDAP (Lightweight Directory Access Protocol)

Question 3

What Protocols does AZ AD use

Answer 3

HTTPS protocols like, SAML and OpenID Connect for Authentication along with OAUTH for Authorizaion

Question 4

How would you go about providing AZ AD services to an on-prem Windows Server

Answer 4

You would need to configure AZ AD Connect to connect AD IDs with AZ AD

Question 5

What are the modes of AuthN in SQL and which is considered most secure and why

Answer 5

Windows Mode and SQL Mode (Windows and Mixed)

Windows is more secure as SQL allows login info to be seen in plain text when passed over the network.

Question 6

Describe SQL Authentication

Answer 6

SQL logon stored in master DB (or user DB if using contained users)

Question 7

Describe Windows Authentication in the context of SQL Server

Answer 7

Connect to SQL using AD Credentials

Windows also allows for easier management of user turnover

Question 8

True or False - Azure SQL Database supports SQL AuthN and AZ AD AuthN giving users the ability to log into SQL with the same credentials as pother resources such as the Azure portal of O365

Answer 8

True

Question 9

How can you connect to on prem devices using the same AZ AD Credentials

Answer 9

AZ AD can be configured to sync with on-prem AD allowsing access to on-prem and AZ resources

Question 10

True or False AZ AD cannot provide MFA services

Answer 10

False

Question 11

What are the headlines around the Azure AD Admin Config within the portal for a DB resource

Answer 11

Allows admin access to all DBs in server
Best practice is to make this a group
Grants special sysadmin type access
Can be set via ARM using Portal, PowerShell or CLI - not at the DB level though

Question 12

What is a Security Principal

Answer 12

An entitiy that can request access which you can (usually) grant access to.

Question 13

Do security principals exist at the Server or DB level + are security principals individuals or collections

Answer 13

Security principals exist at either the server level or the database level and can be either individuals or collections

Question 14

What are the 3 scopes for securables

Answer 14

Server,
Database,
Schema

Question 15

What is a Schema

Answer 15

A schema is a collection of objects within a DB allowing objects to be grouped into seperate name spaces

Question 16

What is a securable

Answer 16

A securable is the resource (i.e. a table in a database)

Question 17

When no Schema is specified in a query which order will schemas be looked in

Answer 17

1st = users default schema
2nd = DBO
If not in either of those an error will be returned

Question 18

When writing queries best practice dictates to specify a schema.
If no schema is specified when creating a an object it will go where? And what happens if the user cannot create objects at that location

Answer 18

A create statement with no defined schema will go into the users default schema - if the user does not have permission for this access will be denied.

Question 19

Which DB are (SQL and Windows) Logins stored in

Answer 19

Master

Question 20

Where are contained users stored and What Authentication can they use?

Answer 20

Stored in the UserDB

AuthN with SQL Auth, Win Auth, AZ AD Auth

Question 21

What is the pre-requisite to using contained users and what is the default state of this for the DB Variants

Answer 21

Database must be configured for “Partial Containment”
Default in AZ,
Optional Setting in OnPrem/IaaS

Question 22

Why is it best practice in Azure SQL DB to use Contained users

Answer 22

These users only have access to the DB set up in

Question 23

What are some of the headlines on Database and Server Roles

Answer 23

Effectively Security groups sharing common permissions
Built in Roles are decided by Microsoft with ability to add custom roles at Server or DB level
Server Roles cannot be granted access to DB objects directly
Server Roles are only available in IaaS, On Prem and MI

Question 24

Describe Application Roles

Answer 24

A user is not a member of an App role, the app role is activated by using the password.
Once active app role permissions are applied to a user until de-activated

Question 25

What does the role db_accessadmin do

Answer 25

The db_accessadmin allows creation of other users in DB, no access to Schema, Tables of Data within database

Question 26

What does the role db_backupoperator do

Answer 26

The db_backupoperator role allows users to backup the Database (obviously not applicable with Azure SQL DB)

Question 27

What does the Role db_datareader do

Answer 27

The db_datareader rol;e allows read from every table/view in DB

Question 28

What does the role db_datawriter do

Answer 28

The db_datawriter role allows insert/update/delete to all tables and views in the DB

Question 29

What does the role db_ddladmin do

Answer 29

The db_ddladmin role allows the creation and modification of objects in the DB with no read/write access to the data itself

Question 30

What does the role db_denydatareader do

Answer 30

Prevents reading of any Db data when a user has had access through other roles or directly granted

Question 31

What does the role db_denydatawriter do

Answer 31

Prevents writing of any data to DB when a user has had access through other roles or directly granted.

Question 32

What does the role db_owner do

Answer 32

Allows user to perform any action in database and cannot be denied

Question 33

What does the role db_security admin do

Answer 33

Grants access to other users - no access to data itself but can grant access to tables

Question 34

What does the public database role do?

Answer 34

Default role without permissions unless you assign some to it - however all users including guest (if enabled) have access to this role.

Question 35

What should you do if you have more granular security requirements than the fixed database roles provide

Answer 35

Use Custom Database roles

Question 36

What 2 additional database roles does Azure SQL DB have and where are they stored

Answer 36

DBManager Login Manager Both stored in Master DB

Question 37

What does the Azure SQL DB role DBManager allow?

Answer 37

Allows members to create DBs (similar to the dbcreator fixed server role)

Question 38

What does the Azure SQL DB role LoginManager allow?

Answer 38

Allows creation of additional logins at th eserver level (Similar to the security admin fixed server role)

Question 39

What does the fixed server role SysAdmin allow

Answer 39

Sysadmin allows member to perform any action on server

Question 40

What does the fixed server role ServerAdmin allow

Answer 40

ServerAdmin allows member to change server wide config and shutdown the server

Question 41

What does the fixed server role SecurityAdmin allow

Answer 41

SecurityAdmin allows the management of logins and well as grand and revoke of Server and DB level permissions

Question 42

What does the fixed server role ProcessAdmin allow

Answer 42

ProccessAdmin allows member to kill processes in SQL Server

Question 43

What does the fixed server role SetupAdmin allow

Answer 43

SetupAdmin allows Add and Remove of linked servers via T-SQL

Question 44

What does the fixed server role BulkAdmin allow

Answer 44

BulkAdmin allows member to run BULK INSERT T-SQL

Question 45

What does the fixed server role DiskAdmin allow

Answer 45

DiskAdmin allows management of Backup devices in SQl

Question 46

What does the fixed server role DBCreator allow

Answer 46

DBCreator allows creation, restore, alter and drop of any DB

Question 47

What does the fixed server role PUBLIC do

Answer 47

Public is a fixed server role that everyone belongs to - this can be granted, denied or revoked permissions.

Question 48

What are the 4 basic permissions within a DBMS

Answer 48

SELECT, UPDATE, INSERT, DELETE

Question 49

Which takes precidence, GRANT or DENY?

Answer 49

DENY

Question 50

What is EXECUTE AS USER in SQL Server and Where is it availbale

Answer 50

Allwos for user context to be change | Availble in OnPrem, IaaS and MI

Question 51

True or False - You cannot restrict columns available to a security principal

Answer 51

False - you can restrict columns to a security principal

Question 52

The 4 main permissions on tables and views are, Select, Insert, Update, Delete - what additional permissions are there for Azure SQL DB and Managed Instance

Answer 52

CONTROL and REFERENCES

Question 53

What do the Control and References permissions do with regards to table permissions in Azure SQL DB and MI

Answer 53

Control - Grants rights to all objects, can perform any action on an object References - Allows the viewing of FK on an object (also available in MySQL and PostgreSQL in Azure)

Question 54

What are the 3 permissions of Stored Procs and Functions and what do they do

Answer 54

Alter - Change the defnition of an object Control - Grants all rights to an object Execute - Allows execution of an object

Question 55

What does View Change Tracking and View Definition control

Answer 55

View Change Tracking - Allows viewing of the change tracking settings View Definition - Allows viewing of the definitions

Question 56

What does ownership chaining allow and what are the 2 caveats

Answer 56

Ownership chaining allows users to inherit permissions from other objects (such as a user that has no access to a certain table but can get the data via executing a Stored proc that can get the data from the table) Caveat 1 - Owners of all the objects in question need to be the same Caveat 2 - Does not work with Dynamic SQL

Question 57

Describe TDE

Answer 57

TDE = Transparent Data Encryption Encrypts all the data in a database, with data being encrypted as data written to the page and decrypted as being read into memory. Prevents underlying data and log files being attached elsewhere No decryption is done when taking backups so backups end up encrypted New Azure SQL DBs and MI have this on by default (can be turned off via the portal) Azure SQL DB allows use of MS key and BYOK If TDE Certificate is lost you will be unable to restore you DB elsewhere

Question 58

What are the Steps to enable TDE via T-SQL

Answer 58

Create Master Key in MasterDB Create Cert in MasterDB used for encryption Create Database Key in target DB using the Cert Alter Database Statement to enable TDE

Question 59

What does SQL do once you enable TDE

Answer 59

Starts to encrypt all the pages which can take some time, overhead is kept to a minimum as this is deemed a low priority task by SQL

Question 60

TDE is not available on Azure MySQL or PostgreSQL - what can you do instead?

Answer 60

Instead of TDE you can encrypt the disks you databases are stored on.

Question 61

Azure Key Vault configuration is easy for Azure Resources and can be done for VMs at creation or a later date, what information is required when configuring Azure Key Vault

Answer 61

Key vault URL Principal Name Principal Secret Credential Name

Question 62

What are the steps to configure Azure Key Vault within SQL Server?

Answer 62

Create SQL Login at instance Create and Map credential to login ---Use the name of the key vault for the identity of the credential ---Use the ApplicationID in the key vault for the credential secret Then... Create an Asymmetric Key in Key Vault Create an Asymmetric Key in SQL DB which maps to key vault using "CREARE ASYMMETRIC KEY ... FROM PROVIDER" Syntax The Asymmetric key can then be used for Backups, TDE Always Encrypted etc

Question 63

What does Azure Disk Encryption do

Answer 63

Encrypts disks of Azure VMs for extra level of protection as an ADDITION to any SQL Level encryption you implement

Question 64

What is Azure Key Vault and How would you typically access it

Answer 64

Azure Key Vault is a tool for storing secrets and is typically accessed programatically

Question 65

What's special about the Azure Key Vault RBAC policies

Answer 65

Azure Key Vault RBAC policies are seperate from the subscription so a subscription admin doesn't nessecairly have access to Azure Key Vault secrets

Question 66

Describe Always Encrypted

Answer 66

Encrypts data within columns Allows encryption of data at the Client App based on the column settings within SQL Server Based on Master + Column Encryption Keys (columns can be encyrpted with different keys for additional protection

Question 67

Describe the process of using Always Encrypted

Answer 67

In AE Wizard Choose Columns to encrypt, the encryption type to use and configure the column encryption key Generate or Select the master encryption key

Question 68

Where must an AE Master Encryption Key be stored

Answer 68

In a keystore such as Azure Key Vault or Windows Certificate Store or a Hardware Security Module

Question 69

What is the difference between deterministic and randomized encryption

Answer 69

``` Deterministic = Source data always encrypts to same encrypted value Randomized = Identical source data will have different encrypted values ```

Question 70

What are the requirements to decrypt AE encrypted data?

Answer 70

App needs to connect via a driver that supports AE App needs access to the key store App can then retrieve data, any data written back is encrypted at the client driver level.

Question 71

What does the applications connection string need to include to use AE

Answer 71

App connection string needs to include "Column Encryption Setting = Enabled" to be able to use AE

Question 72

Where can further adjustments to the metadata queries for AE be adjusted

Answer 72

SQLCommandColumnEncryptionSetting

Question 73

For the Metadata queries in AE define, Disabled, Enabled and ResultSet

Answer 73

``` Disabled = No meta data queries Enabled = All meta data queries ResultSet = Only queries values in the SELECT statement (i.e. not the where clause etc) ```

Question 74

What is a Secure Enclave

Answer 74

Secure portion of memory in SQL Server for processing encrypted data A black box that you cannot view any data or code within - even with a debugger

Question 75

What benefit does Secure Enclave bring

Answer 75

Allows pattern matching and range comparisons on Randomized Encryption columns

Question 76

Define Dynmaic Data Masking

Answer 76

Allows viewing of secure data whilst masking part of the value Presentation layer feature

Question 77

How can DDM be implemented

Answer 77

Via the Azure Portal (for PaaS) or via T-SQL using the ALTER TABLE _ ALTER COLUMN Command

Question 78

What does the mask option default do?

Answer 78

Displays X's for strings, 0 for numbers and 01/01/1900 for dates

Question 79

What does the mask option Credit Card do

Answer 79

Displays xxxx-xxxx-xxxx-1234

Question 80

What does the mask option Social Security Number do?

Answer 80

Displays xxx-xx-1234

Question 81

What does the mask option Random Number do

Answer 81

Displays a random number - should only be used for number columns

Question 82

What does the Custom Text Mask option allow

Answer 82

Custom rules to be set up

Question 83

Give a good use case for Dynamic Data Masking

Answer 83

When exporting a prod DB to dev, do so with an account that does not have (UNMASK PERMISSIONS) to persist the maskings in the dev environment.

Question 84

What are firewalls used for

Answer 84

To prevent unautorized access to protected resources

Question 85

Fill in the Blanks Each Azure SQL DB maps to a [blank 1] [blank 2] hosted by Microsoft. Each Azure Region will have one of more [blank 3] [blank 4] where you can reach you [blank 5] [blank 6], which will take you to your DB

Answer 85

``` 1. Public 2 IP 3 Public 4 IP 5 Database 6 Gateway ```

Question 86

Azure provides built in firewall to limit access, it has 2 sets of firewall rules what are these

Answer 86

Server Firewall rules | Database Firewall rules

Question 87

What do the Azure Firewall rules use to govern Authentication

Answer 87

Azure Firewalls use IP Rules instead of SQL Logins, this allows all users at same location access

Question 88

What does a server level firewall allow

Answer 88

Access to MasterDB and all user DBS

Question 89

What does a database level firewall allow

Answer 89

Access to a specific DB

Question 90

How can Server level firewalls be configured

Answer 90

Via Azure Portal or T-SQL

Question 91

How can Database level firewalls be configured

Answer 91

Via T-SQL only

Question 92

Describe the steps Azure SQL DB takes (in terms of firewalls) when a user is making a connection?

Answer 92

Upon Connection Azure SQL DB looks for a server firewall rule in master. If a DB is specified in connection string will look to the database level firewall If either exist the connection complete. If neither exist and User is connection via SSMS or Azure Data Studio they will be prompted to create a firewall rule

Question 93

Describe Virtual Network Endpoints

Answer 93

Allow traffic from a specific Azure vNet Rules apply at server level not just DB level Service endpoint applies to only one region (the underlying endpoints region) Added concern is that Azure DB must have outbound access to the Public IP address for Azure SQL DB - can be configured with tags

Question 94

Describe Private Link

Answer 94

Allows you to connect to Azure SQL DB (and other PaaS offerrings) via a private endpoint over the Azure Backbone and not via the Public Internet Provide Private IP Address on your vNet Allows for Express Route connections through that circuit Also allows for Cross-Region private connectivity and protection against data leakage by only allows connections to specific resources

Question 95

Confidential data should be classified as such, data classification allows apps and users to know the sensitivity of data - at what level does this happen

Answer 95

Data classification is done on a column by column basis.

Question 96

Where is sensitivity meta data for data classification stored as of SQL 2019

Answer 96

In the DMV, sys.sensitivity_classification (previously in extended properties)

Question 97

Data classification can be managed from where

Answer 97

Data classification can be managed from Azure Portal (for PaaS) and via SSMS

Question 98

You should verify classification suggestions by the Classification Engine...why?

Answer 98

You should verify classification suggestions by the Classification Engine as it scans based on Column name

Question 99

You can add Sensitivity classifications to columns via T-SQL, why is this practice good for users and DBA

Answer 99

It allows users to make better desicions on how to handle data It gives DBAs a good idea on which columns to encrypt.

Question 100

Describe Advanced Threat Protection

Answer 100

Advanced Threat Protection offers a suite of protections Configured via the Az

Question 101

What does Advanced Threat Protection monitor

Answer 101

Advanced Threat Protection Monitors Connections and Queries being executed

Question 102

Where is Advanced Threat Protection managed from

Answer 102

Advanced Threat protection is managed via the AZure Portal

Question 103

What should you do to get maximum benefit from Advanced Threat Protection

Answer 103

To get maximum benefit from Advanced Threat protection you should enable Auditing as this allows for deeper investigations

Question 104

What alerts does Advanced Threat Protection have

Answer 104

Vulnerability to SQL injection (checks for things like a SP not sanitizing user input. Potential SQL Injection (when a user is actively trying to carry out a SQL injection attack) Access from Unusual location Access from Unusual Azure Data Centre Access from Unfamiliar principal (when user or app uses a DB they havent before) Access from potentially harmful application BruteForce of SQL Credentials

Question 105

Describe SQL Injection

Answer 105

Common Method for data breaches | Attacker appens SQL Code via user entry form in attempt to execute there own SQL

Question 106

What is the Best way to combat SQL injection

Answer 106

Best way to combat SQL injection is to check input is the correct data type is of correct length etc and contains no Binary data Whilst Fixing Application should be top priority - Advanced Threat Protection can help protect you as a backup