Security for SQL Server Database Engine and Azure SQL Database

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW)

This page provides links to help you locate the information that you need about security and protection in the SQL Server Database Engine and Azure SQL Database.

Legend

Authentication: Who are you?

Feature	Link
Who Authenticates? Windows Authentication SQL Server Authentication Microsoft Entra ID (formerly Azure Active Directory)	Who Authenticates? (Windows or SQL Server) Choose an Authentication Mode Connect to Azure SQL with Microsoft Entra authentication
Where Authenticated? At master Database: Logins and DB Users At User Database: Contained DB Users	Authenticate at the master database (Logins and database users) Create a SQL Server Login Managing Databases and Logins in Azure SQL Database Create a Database User Authenticate at a user database Contained Database Users - Making Your Database Portable
Using Other Identities Credentials Execute as Another Login Execute as Another Database User	Credentials (Database Engine) Execute as Another Login Execute as Another Database User

Authorization: What can you do?

Feature	Link
Granting, Revoking, and Denying Permissions Securable Classes Granular Server Permissions Granular Database Permissions	Permissions Hierarchy (Database Engine) Permissions Securables Getting Started with Database Engine Permissions
Security by Roles Server Level Roles Database Level Roles	Server-Level Roles Database-Level Roles
Restricting Data Access to Selected Data Elements Restrict Data Access With Views/Procedures Row-Level Security Dynamic Data Masking Signed Objects	Restrict Data Access Using Views and Procedures Row-Level Security (SQL Server) Row-Level Security (Azure SQL Database) Dynamic Data Masking (SQL Server) Dynamic Data Masking (Azure SQL Database) Signed Objects

Encryption: Storing Secret Data

Feature	Link
Encrypting Files BitLocker Encryption (Drive Level) NTFS Encryption (Folder Level) Transparent Data Encryption (File Level) Backup Encryption (File Level)	BitLocker (Drive Level) NTFS Encryption (Folder Level) Transparent Data Encryption (File Level) Backup Encryption (File Level)
Encrypting Sources Extensible Key Management Module Keys Stored in the Azure Key Vault Always Encrypted	Extensible Key Management Module Keys Stored in the Azure Key Vault Always Encrypted
Column, Data, & Key Encryption Encrypt by Certificate Encrypt by Symmetric Key Encrypt by Asymmetric Key Encrypt by Passphrase	Encrypt by Certificate Encrypt by Asymmetric Key Encrypt by Symmetric Key Encrypt by Passphrase Encrypt a Column of Data

Connection Security: Restricting and Securing

Feature	Link
Firewall Protection Windows Firewall Settings Azure Service Firewall Settings Database Firewall Settings	Configure a Windows Firewall for Database Engine Access Azure SQL Database Firewall Settings Azure Service Firewall Settings
Encrypting Data in Transit Forced SSL Connections Optional SSL Connections	Enable Encrypted Connections to the Database Engine Enable Encrypted Connections to the Database Engine, Network security TLS 1.2 support for Microsoft SQL Server

Auditing: Recording Access

Feature	Link
Automated Auditing SQL Server Audit (Server and DB Level) SQL Database Audit (Database Level) Detect threats	SQL Server Audit (Database Engine) SQL Database Auditing Get started with SQL Database Advanced Threat Protection SQL Database Vulnerability Assessment
Custom Audit Triggers	Custom Audit Implementation: Creating DDL Triggers and DML Triggers
Compliance Compliance	SQL Server: Common Criteria SQL Database: Microsoft Azure Trust Center: Compliance by Feature

SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to the Database Engine for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. All database systems have some risk of SQL Injection, and many of the vulnerabilities are introduced in the application that is querying the Database Engine. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see SQL Injection.

Additional links for application programmers:

• Application Security Scenarios in SQL Server

• Writing Secure Dynamic SQL in SQL Server

• How To: Protect From SQL Injection in ASP.NET

See Also

Getting Started with Database Engine Permissions
Securing SQL Server
Principals (Database Engine)
SQL Server Certificates and Asymmetric Keys
SQL Server Encryption
Surface Area Configuration
Strong Passwords
TRUSTWORTHY Database Property
Database Engine Features and Tasks
Protecting Your SQL Server Intellectual Property

Get help

• Ideas for SQL: Have suggestions for improving SQL Server?
• Microsoft Q & A (SQL Server)
• DBA Stack Exchange (tag sql-server) - ask SQL Server questions
• Stack Overflow (tag sql-server) - also has some answers about SQL development
• Reddit - general discussion about SQL Server
• Microsoft SQL Server License Terms and Information
• Support options for business users
• Contact Microsoft