Secure the Data Connection between SecureAuth IdP and the SQL Datastore
Introduction
This document provides best practices on how to securely deploy a SecureAuth IdP realm using a Microsoft SQL Server data store.
Refer to the relevant SQL Server Configuration Guide (listed in the References section below) for full configuration steps.
Applies to
SecureAuth IdP Version | OS Version |
---|---|
7.x+ | |
Discussion
SQL Server Best Practices
When Microsoft SQL Server is used as a data store, the server holds a wealth of sensitive identity information, which makes it a high-value target for an intruder looking to gain unauthorized access to the network. With this in mind, it is critical to create and implement an effective security plan for the server. Before selecting or deploying a SQL Server, SecureAuth recommends reviewing the following Microsoft support documents and ensuring that the best practices for securing the product are followed:
Warning
SecureAuth does not support the deployment of Microsoft SQL Server on IdP appliances.
Stored Procedure (SP) Best Practices
To help protect the IdP from SQL Injection attacks, SecureAuth IdP uses a stored procedure (SP) to insert and query data. Because the stored procedure has access to sensitive credential information, it is important that proper permissions are in place around it.
Refer to the Microsoft documentation, Managing Permissions with Stored Procedures in SQL Server, to ensure that security best practices are being followed.
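The following T-SQL is an added example, not SecureAuth's own script, showing one way to scope permissions around a stored procedure so that the IdP's database user can execute it but cannot touch the underlying table directly. The names `idp_svc`, `idp_sp_exec`, `dbo.usp_IdP_Example` and `dbo.IdPUsers` are hypothetical placeholders. It assumes the procedure and table share the same owner and that the procedure does not use dynamic SQL, which would break ownership chaining.

```sql
-- All object and principal names below are hypothetical placeholders;
-- substitute the names from your own SecureAuth IdP SQL schema.

-- 1. A role that carries only the right to run the stored procedure.
CREATE ROLE idp_sp_exec;
GRANT EXECUTE ON OBJECT::dbo.usp_IdP_Example TO idp_sp_exec;

-- 2. No direct table access for the role. Because the procedure and the
--    table are owned by the same principal (dbo), ownership chaining lets
--    the procedure reach the table without these permissions being checked.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.IdPUsers TO idp_sp_exec;

-- 3. Put the database user that the IdP connects as into the role.
ALTER ROLE idp_sp_exec ADD MEMBER idp_svc;

-- 4. Review: explicit object-level permissions held by the role.
SELECT pr.name                         AS principal_name,
       pe.state_desc,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
       OBJECT_NAME(pe.major_id)        AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'idp_sp_exec'
  AND pe.class = 1                     -- object or column securables
ORDER BY object_name, pe.permission_name;

-- 5. Review: broad fixed roles the IdP user should not be a member of.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'idp_svc'
  AND r.name IN (N'db_owner', N'db_datareader', N'db_datawriter', N'db_ddladmin');

-- 6. Check effective permissions as the IdP user. The goal is no direct
--    SELECT on the table and EXECUTE on the procedure.
EXECUTE AS USER = N'idp_svc';
SELECT HAS_PERMS_BY_NAME(N'dbo.IdPUsers', N'OBJECT', N'SELECT')
           AS can_select_table,
       HAS_PERMS_BY_NAME(N'dbo.usp_IdP_Example', N'OBJECT', N'EXECUTE')
           AS can_exec_proc;
REVERT;
```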
Connection Best Practices
Microsoft SQL Server can use Secure Sockets Layer (SSL) to encrypt data that is transmitted across a network between an instance of SQL Server and SecureAuth IdP.
Keeping the credential information secure while in transit is strongly recommended; however, there is a performance penalty for using SSL that must be taken into consideration. SecureAuth recommends testing this configuration before deployment into the production environment.
For more information about configuring an SSL connection, refer to the Microsoft support document, TechNet: Encrypting Connections to SQL Server.
SecureAuth IdP Configuration Best Practices
Enable Password Encryption
When using the SQL Server Datastore type, the default behavior is to store passwords in clear text. SecureAuth recommends changing the Password Format setting to encrypted so that user credentials are protected at rest. To change the setting:
In the SecureAuth IdP Web Admin, open the realm(s) that is integrated with a SQL Data Store
Click on the Data tab and locate the Password Format setting in the Membership Connection Settings section
Change the setting to Encrypted and click the Save button
Tip
The field names may differ between SecureAuth IdP versions, but the steps are the same
Notice
The ASPNETDB Datastore type encrypts passwords by default
Disallowed Keywords
SecureAuth IdP can restrict certain keywords from being used in the product's input fields. In a SQL-integrated realm, this can be used to prevent SQL statements from being passed and to provide another layer of protection against SQL Injection attacks. To enable this functionality:
In the SecureAuth IdP Web Admin, open the realm(s) that is integrated with a SQL Data Store
Click the System Info tab and locate the User Input Restriction section
In the Disallowed Keywords field, enter the following SQL Keywords, separated by commas: SELECT INSERT UPDATE DROP DELETE
Click the Save button
Tip
The field names may differ between SecureAuth IdP versions, but the steps are the same