Edit

Share via


Security for SQL Server Database Engine and Azure SQL Database

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW)

This page provides links to help you locate the information that you need about security and protection in the SQL Server Database Engine and Azure SQL Database.

Legend

Screenshot of the legend that explains the feature availability icons.

Authentication: Who are you?

Feature Link
Who Authenticates?

Windows Authentication
SQL Server Authentication
Microsoft Entra ID (formerly Azure Active Directory)
Who Authenticates? (Windows or SQL Server)
Choose an authentication mode
Connect to Azure SQL with Microsoft Entra authentication
Where Authenticated?

At master database: Logins and Database Users
At User Database: Contained DB Users
Authenticate at the master database (Logins and database users)
Create a login
Managing Databases and Logins in Azure SQL Database
Create a database user
Authenticate at a user database
Make your database portable by using contained databases
Using Other Identities

Credentials
Execute as Another Login
Execute as Another Database User
Credentials (Database Engine)
EXECUTE AS
EXECUTE AS

Authorization: What can you do?

Feature Link
Granting, Revoking, and Denying Permissions

Securable Classes
Granular Server Permissions
Granular Database Permissions
Permissions Hierarchy (Database Engine)
Permissions (Database Engine)
Securables
Get started with Database Engine permissions
Security by Roles

Server Level Roles
Database Level Roles
Server-level roles
Database-level roles
Restricting Data Access to Selected Data Elements

Restrict Data Access With Views/Procedures
Row-Level Security
Dynamic Data Masking
Signed Objects
Restrict Data Access Using Views and Stored procedures (Database Engine)
Row-level security
Row-level security
Dynamic data masking
Dynamic Data Masking (Azure SQL Database)
ADD SIGNATURE

Encryption: Storing Secret Data

Feature Link
Encrypting Files

BitLocker Encryption (Drive Level)
NTFS Encryption (Folder Level)
Transparent Data Encryption (File Level)
Backup Encryption (File Level)
BitLocker (Drive Level)
NTFS Encryption (Folder Level)
Transparent data encryption (TDE)
Backup encryption
Encrypting Sources

Extensible Key Management Module
Keys Stored in the Azure Key Vault
Always Encrypted
Extensible Key Management (EKM)
Extensible Key Management Using Azure Key Vault (SQL Server)
Always Encrypted
Column, Data, & Key Encryption

Encrypt by Certificate
Encrypt by Symmetric Key
Encrypt by Asymmetric Key
Encrypt by Passphrase
ENCRYPTBYCERT
ENCRYPTBYASYMKEY
ENCRYPTBYKEY
ENCRYPTBYPASSPHRASE
Encrypt a Column of Data

Connection Security: Restricting and Securing

Feature Link
Firewall Protection

Windows Firewall Settings
Azure Service Firewall Settings
Database Firewall Settings
Configure Windows Firewall for Database Engine access
sp_set_database_firewall_rule (Azure SQL Database)
sp_set_firewall_rule (Azure SQL Database)
Encrypting Data in Transit

Forced TLS/SSL Connections
Optional SSL Connections
Configure SQL Server Database Engine for encrypting connections
Configure SQL Server Database Engine for encrypting connections, Network security
TLS 1.2 support for Microsoft SQL Server

Auditing: Recording Access

Feature Link
Automated Auditing

SQL Server Audit (Server and DB Level)
SQL Database Audit (Database Level)
Detect threats

SQL Server Audit (Database Engine)
SQL Database Auditing
Get started with SQL Database Advanced Threat Protection
SQL Database Vulnerability Assessment
Custom Audit

Triggers
Custom Audit Implementation: Creating DDL Triggers and DML Triggers
Compliance

Compliance
SQL Server:
Common Criteria
SQL Database:
Microsoft Azure Trust Center: Compliance by Feature

SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to the Database Engine for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. All database systems have some risk of SQL Injection, and many of the vulnerabilities are introduced in the application that is querying the Database Engine. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see SQL injection.

Additional links for application programmers:

Get help