Skip to main content
Security Center for SQL Server Database Engine and Azure SQL Database

Updated: May 3, 2016

Applies To: SQL Server 2016

THIS TOPIC APPLIES TO: yesSQL Server (starting with 2008) yesAzure SQL Database yesAzure SQL Data Warehouse yesParallel Data Warehouse

This page provides links to help you locate the information that you need about security and protection in the SQL Server Database Engine and Azure SQL Database.



Who Authenticates?

  security-center-both Windows Authentication

  security-center-both SQL Server Authentication
Who Authenticates? (Windows or SQL Server)

  Choose an Authentication Mode

  Connecting to SQL Database By Using Azure Active Directory Authentication
Where Authenticated?

  security-center-both At master Database: Logins and DB Users

  security-center-both At User Database: Contained DB Users
Authenticate at the master database (Logins and database users)

  Create a SQL Server Login

  Managing Databases and Logins in Azure SQL Database

  Create a Database User


Authenticate at a user database

  Contained Database Users - Making Your Database Portable
Using Other Identities

  security-center-both Credentials

  security-center-sqlserver Execute as Another Login

  security-center-both Execute as Another Database User
Credentials (Database Engine)

  Execute as Another Login

  Execute as Another Database User
Granting, Revoking, and Denying Permissions

  security-center-both Securable Classes

  security-center-sqlserver Granular Server Permissions

  security-center-both Granular Database Permissions
Permissions Hierarchy (Database Engine)



  Getting Started with Database Engine Permissions
Security by Roles

  security-center-sqlserver Server Level Roles

  security-center-both Database Level Roles
Server-Level Roles

  Database-Level Roles
Restricting Data Access to Selected Data Elements

  security-center-both Restrict Data Access With Views/Procedures

  security-center-both Row-Level Security

  security-center-both Dynamic Data Masking

  security-center-both Signed Objects
Restrict Data Access Using Views and Procedures

  Row-Level Security (SQL Server)

  Row-Level Security (Azure SQL Database)

  Dynamic Data Masking (SQL Server)

  Dynamic Data Masking (Azure SQL Database)

  Signed Objects
Encrypting Files

  security-center-sqlserver BitLocker Encryption (Drive Level)

  security-center-sqlserver NTFS Encryption (Folder Level)

  security-center-both Transparent Data Encryption (File Level)

  security-center-both Backup Encryption (File Level)
BitLocker (Drive Level)

  NTFS Encryption (Folder Level)

  Transparent Data Encryption (File Level)

  Backup Encryption (File Level)
Encrypting Sources

  security-center-sqlserver Extensible Key Management Module

  security-center-sqlserver Keys Stored in the Azure Key Vault

  security-center-both Always Encrypted
Extensible Key Management Module

  Keys Stored in the Azure Key Vault

  Always Encrypted
Column, Data, & Key Encryption

  security-center-both Encrypt by Certificate

  security-center-both Encrypt by Symmetric Key

  security-center-both Encrypt by Asymmetric Key

  security-center-both Encrypt by Passphrase
Encrypt by Certificate

  Encrypt by Asymmetric Key

  Encrypt by Symmetric Key

  Encrypt by Passphrase

  Encrypt a Column of Data
Firewall Protection

  security-center-sqlserver Windows Firewall Settings

  security-center-sqldb Azure Service Firewall Settings

  security-center-sqldb Database Firewall Settings
Configure a Windows Firewall for Database Engine Access

  Azure SQL Database Firewall Settings

  Azure Service Firewall Settings
Encrypting Data in Transit

  security-center-both Forced SSL Connections

  security-center-sqlserver Optional SSL Connections
Secure Sockets Layer for the Database Engine

  Secure Sockets Layer for SQL Database

  TLS 1.2 support for Microsoft SQL Server
Automated Auditing

  security-center-sqlserver SQL Server Audit (Server and DB Level)

  security-center-sqldb SQL Database Audit (Database Level)

  security-center-sqldb Threat Detection
SQL Server Audit (Database Engine)

  SQL Database Auditing

  Get started with SQL Database Threat Detection
Custom Audit

  security-center-both Triggers
Custom Audit Implementation: Creating DDL Triggers and DML Triggers

  security-center-both Compliance
SQL Server:
                         Common Criteria

SQL Database:
                         Microsoft Azure Trust Center: Compliance by Feature

SQL injection is an attack in which malicious code is inserted into strings that are later passed to the Database Engine for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. All database systems have some risk of SQL Injection, and many of the vulnerabilities are introduced in the application that is querying the Database Engine. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see SQL Injection.

Additional links for application programmers:

Getting Started with Database Engine Permissions
Securing SQL Server
Principals (Database Engine)
SQL Server Certificates and Asymmetric Keys
SQL Server Encryption
Surface Area Configuration
Strong Passwords
TRUSTWORTHY Database Property
Database Engine Features and Tasks