Securing Integration Services Packages
In This Chapter
• Digitally Signing the Package
• Excluding Sensitive Information from the Package
• Encrypting Sensitive Information in the Package
• Encrypting All the Information in the Package
• Using Integration Services Fixed Database-Level Roles
• Considerations for Different Storage Areas
• Summary
Hands-On Microsoft SQL Server 2008 Integration Services
Security in SQL Server 2008 Integration Services has been enhanced a great deal compared to DTS 2000. DTS uses package password protection, SQL Server Security, and SQL Server Agent service security, while Integration Services provides the features used by DTS and a lot more to enhance data security. SSIS provides the ability to secure data and connections from various perspectives, depending upon the situation. By design, Integration Services will communicate with SQL Server only over an encrypted channel to protect sensitive data. In Integration Services, sensitive information means the passwords used in connection strings, any property of the custom-built components that has the sensitive attribute set, or any variable tagged with the sensitive attribute.
Integration Services secures your packages and data by providing the facilities to do the following:
• Digitally sign the package
• Exclude sensitive information from the package
• Encrypt sensitive information in the package
• Encrypt all the contents of the package
• Control access to the package by using database-level roles
• Secure storage areas
Let’s take a detailed look at these options and what they offer in terms of securing Integration Services packages and the metadata used in them.
Digitally Signing the Package
Development of a complex Integration Services solution involves several developers who create many smaller packages to join as modules and form a complex solution for the business problem. During the development phase, a package that has been tested successfully to perform a part of the function can be deployed while it is still under development for additional functionality. In such a scenario, you need to avoid the deployment of modified packages while they are still under testing. For example, you may be working to solve a complex scenario for which you have proposed a solution that can be developed and deployed in multiple stages. While development is still underway and many developers have access to SSIS packages, the last thing you would want to do is to run an untested package in the production environment.
You also want to make sure that you run packages only from trusted sources. To identify the source of a package and guarantee the integrity of packages, you can digitally sign a package with a certificate and configure Integration Services to check for the presence and validity of the digital signatures. Each time the package is loaded, its digital signature is verified, and hence altered packages wouldn’t be loaded. You need to have a digital certificate installed on the server to digitally sign your packages. Once you have that in place, all you need to do is follow these instructions:
1. Using Business Intelligence Development Studio (BIDS), open the package you want to digitally sign.
2. On the menu bar, click the SSIS menu and choose Digital Signing. This will open a Digital Signing dialog box displaying a message “This package is not signed.”
3. Click the Sign button. Select a certificate to sign the package and click OK.
4. After signing the package, right-click anywhere on the blank surface of the designer and choose Properties from the context menu. Locate the CheckSignatureOnLoad property and set it to True. This will require that the digital signature on the package be checked every time the package is loaded.
Excluding Sensitive Information from the Package
Integration Services provides a facility to developers to mark certain information as sensitive data. This sensitive data is handled in a more secure way than the other metadata of the package. Examples of sensitive data are passwords, connection strings, or any other information marked as sensitive by a developer in a custom-built component. Once the components have been deployed, Integration Services identifies the sensitive properties automatically and doesn’t let users change any of the sensitive attributes. This applies to the standard built-in components as well.
Integration Services provides a set of options to secure the information in a package using the ProtectionLevel package property shown in Figure 7-1. You can opt not to save sensitive data in the package. When you select the DontSaveSensitive option, the sensitive information is removed from the package while saving and is unavailable for future executions of the package. So each time you want to execute the package, you have to provide the required information in order for the package to run successfully. If you change this option to any other option later on, the sensitive information is populated with blank data and you will have to provide the sensitive information (that is, passwords and so on) in the relevant place to make this information available in the package.
Encrypting Sensitive Information in the Package
The next scenario could be that you want to save sensitive information in the package and also want to protect this information. For this, Integration Services provides two options to encrypt this information in the ProtectionLevel package property: EncryptSensitiveWithUserKey and EncryptSensitiveWithPassword. These options are used to encrypt the sensitive information in the package using a user key or using a password. The Microsoft Data Protection API (DPAPI), which is a cryptography API, is used to fulfill the encryption needs of ProtectionLevel options that use a user key for encryption, while a Triple DES cipher algorithm with a 192-bit key length is used to fulfill the encryption needs of ProtectionLevel options that use a password for encryption.
EncryptSensitiveWithUserKey is the default encryption level for a package. This means that the sensitive information in a package is, by default, encrypted using the current user key, which has been created based on the user profile. Only the current user using the same profile can load this package. If another user tries to load the package, the sensitive information fields are populated with blank data and the package will fail to execute, unless the user trying to run the package provides the sensitive information.
Figure 7-1 ProtectionLevel property options of a package
The EncryptSensitiveWithPassword package protection level allows you to save the sensitive information in the package and encrypt it using a password, supplied in the PackagePassword property. By using a password as an encryption key for the sensitive information, you can let other developers open the package by supplying a password and hence make the package accessible to all members of the development team. Each time the package is loaded or the ProtectionLevel option is changed, the user must provide the package password. If the package password is not provided, the package is opened without the sensitive information. So to sum up, you will use the EncryptSensitiveWithUserKey option to encrypt the packages that you probably will not share with anybody else and the EncryptSensitiveWithPassword option when you want to share the package with others.
Encrypting All the Information in the Package
Two options are available for encrypting the whole package: EncryptAllWithUserKey and EncryptAllWithPassword. These options use a user key or a package password, respectively, to encrypt all the information in a package.
Select the EncryptAllWithUserKey option to encrypt all the information in a package using a user key. As the user key is generated based on the user profile, only the user who created or exported the package using the same profile can open or load the package.
Select the EncryptAllWithPassword option to encrypt all the information in a package using a password specified in the PackagePassword property. You can use this option to secure the contents of the package yet allow the development team to work on it; a custom-developed package for your application that includes intellectual property is a good example of this. A package encrypted in such a way can be opened only by providing the password. You cannot load the package if you fail to provide the password.
Hands-On: Working with Package Protection Levels
This Hands-On exercise is designed to enhance the understanding of package protection levels.
Method
In this exercise, we will use each package protection level in turn to see how it works and the effects it has on the security of the package. We will use the Downloading zipped files package, as it requires a password to connect to an FTP server, to see the effects of using it with various protection levels.
Note that if you want to use the Downloading zipped files package that has been provided with this book, you will receive an error when opening the package. When you click OK on the pop-up error message, the package will load properly but without the connection string in the FTP task. This is because, by default, the sensitive information (passwords, connection strings, and so on) in the package gets encrypted using the user key, and when another user tries to open the package, an error will occur and the sensitive information will be removed from the package. However, if you open the Downloading zipped files package that you developed yourself in Chapter 5, you will not get any such error.
In addition, this package requires a connection to an FTP server. If you’ve skipped building this package in Chapter 5, you should find an FTP server and build the package to complete this Hands-On exercise. The provided package may not be of much help, as it is pointing to a computer used in the lab setup for this book, which is obviously not accessible to you. It is better to use the package that you have created yourself.
Exercise (Excluding Sensitive Information from the Package)
After this exercise, you will be able to exclude sensitive information from the package using the DontSaveSensitive option of the ProtectionLevel property.
1. Open BIDS and create a new Integration Services project with the name Downloading zipped files in the location C:\SSIS\Projects. In the Solution Explorer window, delete the Package.dtsx package file. Right-click the SSIS Packages node and choose Add Existing Package from the context menu. In the Add Copy Of Existing Package window, choose File System in the Package location field and type C:\SSIS\Projects\Control Flow Tasks\Downloading zipped files.dtsx in the Package path field. Click OK to add this package in your project. Double-click the Downloading zipped files.dtsx package to open it.
2. Right-click anywhere on the blank surface of the Designer and choose Properties from the context menu. In the Properties window, you can view the properties in two ways: Categorized view or Alphabetical view. These views can be set using the two buttons provided in the command bar on the top of the Properties window. In the Categorized view, the properties are grouped together on the category basis, while the Alphabetical view simply lists the properties using alphabetical sort order. Use Categorized view.
3. Scroll down in the Properties window and locate the Security section. Note that the ProtectionLevel field shows EncryptSensitiveWithUserKey selected.
4. Press Ctrl-R to open the Solution Explorer. Right-click the Downloading zipped files.dtsx package under the SSIS Packages folder and choose View Code from the context menu. The package code in XML will be shown in a new tab in BIDS.
5. Press Ctrl-F and find Password in the XML document. You will be taken to the ServerPassword property that is immediately after ServerUserName in the XML document and is listed here:
<DTS:Property DTS:Name="ServerUserName">administrator </DTS:Property>
<DTS:Property DTS:Name="ServerPassword" Sensitive="1" Encrypted="1">AQAAANC
Mnd8BFdERjHoAwE/Cl+sBAAAAgp969y9CpkO6k07L3IdJGwAAAAAIAAAARABUAFMAAAADZgAAqA
AAABAAAABhZumzf3dqV1SXY5667BryAAAAAASAAACgAAAAEAAAAMW+xn039fmW+00yN32EHG4YA
AAAAE5rsrl9TvzImKtVSb+UWoZbYuJXBwtLFAAAAMTOWe+5xETOTECqeJbMTSIq/c9e
</DTS:Property>
In this node, note that the ServerPassword property is attributed as sensitive data and is set for encryption. Also note that data in this node is all encrypted. This encryption is due to the default EncryptSensitiveWithUserKey setting.
6. Switch to the Designer tab of the package and choose the DontSaveSensitive option in the ProtectionLevel field in the Properties window.
7. Switch to Code view and search for Password. This time you will see the same XML node with no encryption attribute and no data in it:
<DTS:Property DTS:Name="ServerPassword" Sensitive="1"> </DTS:Property>
This is because the password has been removed from the package.
8. Press F5 to run the package. The package will fail. Stop debugging and click the Execution Results tab. You will see the following error declaring that the password was not allowed:
[Connection manager "FTP Connection Manager"] Error: An error
occurred in the requested FTP operation Detailed error description:
The password was not allowed.
9. Each time you start debugging a package, the package is saved using the ProtectionLevel option; in this case, it won’t save the password and hence does not execute. To execute this package, we have to provide a value to the ServerPassword property. You can do this by setting this value at run time either using Package Configurations or using a script task. We will cover both these methods in later chapters, when we cover scripting and package configurations in Chapter 11 and Chapter 13. For now, just keep in mind that a package that has been saved without the sensitive information can be run by supplying the sensitive (password) information.
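The on-disk forms this chapter shows for a sensitive value (Encrypted="1" under a user key, an empty node under DontSaveSensitive, and the EncryptedData element that appears later under a package password) can be checked for across saved packages. The following Python audit is an added example, not code from the book; the sample XML is constructed, ProxyPassword and ApiKey are hypothetical property names, and treating a non-empty sensitive node without the Encrypted flag as cleartext is this example's assumption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample, not a real package: ProxyPassword and ApiKey are
# hypothetical property names and every encoded value is a placeholder.
SAMPLE = """<DTS:Executable xmlns:DTS="www.microsoft.com/SqlServer/Dts">
<DTS:Property DTS:Name="ServerUserName">administrator</DTS:Property>
<DTS:Property DTS:Name="ServerPassword" Sensitive="1" Encrypted="1">Q09OU1RSVUNURUQ=</DTS:Property>
<DTS:Property DTS:Name="ProxyPassword" Sensitive="1"> </DTS:Property>
<DTS:Property DTS:Name="ApiKey" Sensitive="1">constructed-cleartext</DTS:Property>
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Salt="AAAAAAAAAAA="
 IV="AAAAAAAAAAA=" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<CipherData><CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>
</EncryptedData>
</DTS:Executable>"""


def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1]


def audit_package(xml_text):
    """Return (name, state, detail) for each sensitive or encrypted node."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        attrs = {local(k): v for k, v in elem.attrib.items()}
        tag = local(elem.tag)
        if tag == "Property" and attrs.get("Sensitive") == "1":
            value = (elem.text or "").strip()
            if attrs.get("Encrypted") == "1":
                state = "encrypted"    # form shown for EncryptSensitiveWithUserKey
            elif not value:
                state = "not-saved"    # form shown for DontSaveSensitive
            else:
                state = "CLEARTEXT"    # assumption: value present, no Encrypted flag
            findings.append((attrs.get("Name"), state, ""))
        elif tag == "EncryptedData":   # form shown for EncryptSensitiveWithPassword
            method = next((c for c in elem if local(c.tag) == "EncryptionMethod"), None)
            alg = method.get("Algorithm", "") if method is not None else ""
            iv_len = len(base64.b64decode(attrs.get("IV", "")))
            detail = "%s, %d-byte IV" % (alg.rsplit("#", 1)[-1] or "unknown", iv_len)
            findings.append(("EncryptedData", "password-encrypted", detail))
    return findings


def cleartext_names(findings):
    """Names of sensitive properties whose value is readable in the file."""
    return [name for name, state, _ in findings if state == "CLEARTEXT"]


if __name__ == "__main__":
    report = audit_package(SAMPLE)
    for name, state, detail in report:
        print("%-16s %-20s %s" % (name, state, detail))
    print("cleartext secrets:", cleartext_names(report))
```

Run over the .dtsx files in a project folder, the CLEARTEXT rows are the ones to investigate before a package is shared or checked in.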
Exercise (Encrypting Sensitive Information Using a User Key)
When you use a user key to encrypt the package, the package encryption gets associated with the user profile. We will use a test user account, ISUser01, to log on and open a package that has already been encrypted using a user key by another user, and we will establish that the sensitive information is replaced when a different user tries to load the package. This package can be executed successfully only by providing the sensitive information in the package. You have already created this user account in Chapter 6.
10. Double-click the FTP Connection Manager in the Connection Managers area in the Designer and provide a password to connect to the FTP server in the Credentials section of the FTP Connection Manager Editor window. Click OK to close it.
11. Open the Properties window and change the ProtectionLevel property value to EncryptSensitiveWithUserKey. Switch to the XML code for the package and search for Password to see that it has been encrypted, like the one shown in the preceding exercise.
12. Press F5 to make sure that the package executes successfully.
13. Save all the files, and then close all the applications and log off and log back on (or switch the user) as ISUser01 with the assigned password.
14. Start Business Intelligence Development Studio and open the Downloading zipped files.sln from the C:\SSIS\projects\downloading zipped files folder.
15. Open the Downloading zipped files.dtsx package. When BIDS tries to load the package, you will see an error on the screen informing you that the package could not be loaded due to errors and prompting you to see the Error List for details.
16. Click OK to close the error and the package will be loaded despite the errors. If you don’t see the Error List window open in the lower left-hand corner of BIDS, you can open it from the View menu. In the Error List window, you will see the detailed error message explaining that the encryption key is not valid:
"Error loading Downloading zipped files.dtsx: Failed to decrypt protected XML node "DTS:Property" with error 0x8009000B "Key not valid for use in specified state." You may not be authorized
to access this information This error occurs when there is a cryptographic error Verify that the correct key is available."
17. Press F5 to run the package. The package will fail. Press Shift-F5 to stop debugging. Go to the Execution Results page and read the error message, which states that the FTP password was not allowed. This establishes that the FTP password was removed when we tried to load the package as a different user.
18. Double-click the FTP Connection Manager in the Connection Managers area in the Designer and provide the password to connect to the FTP server in the Credentials section of the FTP Connection Manager Editor window. Click OK.
19. Press F5 to run the package; this time the package will succeed. This certifies that when the package is encrypted with another user key you can still load the package and use it if you know the sensitive information and can supply the correct password.
Exercise (Encrypting Sensitive Information Using the Package Password)
When you opt to encrypt a package using the EncryptSensitiveWithPassword option, you then provide an encryption password using the PackagePassword property in the Security section of the Properties window. Here you will learn that if you encrypt the sensitive information in a package using a password, other users can access the sensitive information by specifying the PackagePassword. However, if other users try to load the package without specifying the PackagePassword, the sensitive information is replaced with blanks. You will be performing these steps while still logged on as ISUser01. In the following steps, you will use a package password to encrypt the sensitive information in the package.
20. Open the properties for the package and change the ProtectionLevel property to EncryptSensitiveWithPassword and specify a password bB12345cC in the PackagePassword field.
21. Open the XML code for the package. In the XML code, if you try to find the word Password in the document, you will not get any result, because this word doesn’t exist in the document. Instead, find the ServerUserName property, as you know that the ServerPassword property existed immediately after it. You will see something like this in the XML code view:
<DTS:Property DTS:Name="ServerUserName">administrator </DTS:Property>
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" Salt="oOBw/g9GpA=="
IV="5YsCDRU2aMM=" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<CipherData><CipherValue>5YsCDRU2aMM9jrGvOlsQSXNFzBG13LDuBBBI/tK07k/Z1BX
BYNSQEOWFYD3WgRhEDQ56TKlATw2Tvi7UU7OAJfDXDSnnoYPAwtmgTj3d/Qk72HJwlzNjqJ/
FiGjC+2sfN4VNzpLSVGQCkV27tDchXriytPz/2pTI1EY58wui1LPAkulpSbunbg==
</CipherValue></CipherData></EncryptedData>
The data in the package has been encrypted using TripleDES with CBC algorithm.
22. Press Ctrl-Shift-S to save all the items in the package. Close all the applications and log off. Log back on using the administrator user account.
23. Run BIDS and load the Downloading zipped files solution. You may have to double-click the Downloading zipped files.dtsx package in the Solution Explorer to load the package on the Designer. When BIDS loads the package, you will see the Package Password prompt to provide the password (Figure 7-2).
24. If you provide the correct package password, the package will load and you can run the package successfully. However, we will observe the behavior in case someone tries to load the package without the password. Click Cancel to load the package without the password.