Security for SQL Server Database Engine and Azure SQL Database
Applies to: SQL Server, Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, Analytics Platform System (PDW)
This page provides links to help you locate the information that you need about security and protection in the SQL Server Database Engine and Azure SQL Database.
Authentication: Who are you?
| Feature | Link |
|---|---|
| Who Authenticates? Windows Authentication; SQL Server Authentication; Microsoft Entra ID (formerly Azure Active Directory) | Who Authenticates? (Windows or SQL Server); Choose an authentication mode; Connect to Azure SQL with Microsoft Entra authentication |
| Where Authenticated? At master database: Logins and Database Users; At User Database: Contained DB Users | Authenticate at the master database (Logins and database users); Create a login; Managing Databases and Logins in Azure SQL Database; Create a database user; Authenticate at a user database; Make your database portable by using contained databases |
| Using Other Identities: Credentials; Execute as Another Login; Execute as Another Database User | Credentials (Database Engine); EXECUTE AS; EXECUTE AS |
Authorization: What can you do?
| Feature | Link |
|---|---|
| Granting, Revoking, and Denying Permissions: Securable Classes; Granular Server Permissions; Granular Database Permissions | Permissions Hierarchy (Database Engine); Permissions (Database Engine); Securables; Get started with Database Engine permissions |
| Security by Roles: Server Level Roles; Database Level Roles | Server-level roles; Database-level roles |
| Restricting Data Access to Selected Data Elements: Restrict Data Access With Views/Procedures; Row-Level Security; Dynamic Data Masking; Signed Objects | Restrict Data Access Using Views and Stored procedures (Database Engine); Row-level security; Row-level security; Dynamic data masking; Dynamic Data Masking (Azure SQL Database); ADD SIGNATURE |
Encryption: Storing Secret Data
| Feature | Link |
|---|---|
| Encrypting Files: BitLocker Encryption (Drive Level); NTFS Encryption (Folder Level); Transparent Data Encryption (File Level); Backup Encryption (File Level) | BitLocker (Drive Level); NTFS Encryption (Folder Level); Transparent data encryption (TDE); Backup encryption |
| Encrypting Sources: Extensible Key Management Module; Keys Stored in the Azure Key Vault; Always Encrypted | Extensible Key Management (EKM); Extensible Key Management Using Azure Key Vault (SQL Server); Always Encrypted |
| Column, Data, & Key Encryption: Encrypt by Certificate; Encrypt by Symmetric Key; Encrypt by Asymmetric Key; Encrypt by Passphrase | ENCRYPTBYCERT; ENCRYPTBYASYMKEY; ENCRYPTBYKEY; ENCRYPTBYPASSPHRASE; Encrypt a Column of Data |
Connection Security: Restricting and Securing
| Feature | Link |
|---|---|
| Firewall Protection: Windows Firewall Settings; Azure Service Firewall Settings; Database Firewall Settings | Configure Windows Firewall for Database Engine access; sp_set_database_firewall_rule (Azure SQL Database); sp_set_firewall_rule (Azure SQL Database) |
| Encrypting Data in Transit: Forced TLS/SSL Connections; Optional SSL Connections | Configure SQL Server Database Engine for encrypting connections; Configure SQL Server Database Engine for encrypting connections, Network security; TLS 1.2 support for Microsoft SQL Server |
Auditing: Recording Access
| Feature | Link |
|---|---|
| Automated Auditing: SQL Server Audit (Server and DB Level); SQL Database Audit (Database Level); Detect threats | SQL Server Audit (Database Engine); SQL Database Auditing; Get started with SQL Database Advanced Threat Protection; SQL Database Vulnerability Assessment |
| Custom Audit: Triggers | Custom Audit Implementation: Creating DDL Triggers and DML Triggers |
| Compliance | SQL Server: Common Criteria; SQL Database: Microsoft Azure Trust Center: Compliance by Feature |
SQL Injection
SQL injection is an attack in which malicious code is inserted into strings that are later passed to the Database Engine for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. All database systems have some risk of SQL injection, and many of the vulnerabilities are introduced in the application that is querying the Database Engine. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see SQL injection.
Additional links for application programmers:
Related content
- Get started with Database Engine permissions
- Securing SQL Server
- Principals (Database Engine)
- SQL Server Certificates and Asymmetric Keys
- SQL Server encryption
- Surface area configuration
- Strong Passwords
- TRUSTWORTHY database property
- What's new in SQL Server 2019
- Protecting Your SQL Server Intellectual Property
