Security Enhancements (Database Engine)
Security enhancements in the SQL Server Database Engine include support for Extended Protection.
Because SQL Server 2008 R2 is a minor version upgrade of SQL Server 2008, we recommend that you also review the content in the SQL Server 2008 section.
Support for Extended Protection for Authentication by using channel binding and service binding is available for operating systems that support Extended Protection. For more information, see Connecting to the Database Engine Using Extended Protection.
Security enhancements in the Database Engine include new encryption functions, the addition of the transparent data encryption and the extensible key management features, and a clarification of DES algorithms.
Transparent Data Encryption
Transparent data encryption (TDE) introduces a new database option that encrypts the database files automatically, without needing to alter any applications. This prevents unauthorized users from accessing a database, even if they obtain the database files or database backup files. For more information about database encryption, see Understanding Transparent Data Encryption (TDE).
Extensible Key Management
The extensible key management (EKM) feature allows third-party enterprise key management and hardware security module (HSM) vendors to register their devices in SQL Server. Once registered, SQL Server users can use the encryption keys stored on these modules, as well as leveraging the advanced encryption features that these modules support, such as bulk encryption/decryption and many key management functions such as key aging and key rotation. This feature also allows data protection from database administrators (except members of the sysadmin group). Data can be encrypted and decrypted using Transact-SQL cryptographic statements, and SQL Server uses the external EKM device as the key store. For more information on extensible key management, see Understanding Extensible Key Management (EKM).
Clarification Regarding DES Algorithms
The DES algorithm names are clarified and TRIPLE_DES_3KEY is now available. For more information, see CREATE SYMMETRIC KEY (Transact-SQL).
Deprecation of the RC4 Algorithm
The RC4 algorithm is deprecated. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. Use another algorithm such as AES. For more information, see CREATE SYMMETRIC KEY (Transact-SQL).
Books Online includes security checklists to help evaluate your Database Engine configuration and practices. For more information, see Security Checklists for the Database Engine.