How to set up Extended Protection in Microsoft SQL Server

A shield against luring and spoofing attacks
Reading Time: 3 minutes

In this article I explain how to protect your SQL Server against luring and spoofing attacks by enabling the Extended Protection for Authentication feature. It works at two levels: Service Binding and the stricter Channel Binding. Both apply to Windows authentication (Kerberos or NTLM) only; SQL Server logins are not affected by this setting.

What is Service Binding, what are its prerequisites, and how is it enabled?

Service Binding counters luring attacks. In a luring attack the client is tricked into connecting to a server controlled by the attacker, who relays the client's Windows authentication to the real SQL Server and then acts there as that client. With Service Binding, the client's authentication response carries a signed SPN of the service it believes it is talking to (with Kerberos the ticket is already bound to an SPN; with NTLM the SPN is included in the signed response). When SQL Server receives an authentication request it first checks whether Extended Protection is enabled; if it is, it compares the SPN in the request with its own SPNs and with any configured Accepted NTLM SPNs, otherwise the SPN is ignored. A match lets authentication proceed; a relayed response carries the attacker's SPN and is rejected.

Whether a client that cannot supply the SPN may still connect depends on the mode: in Allowed mode such a client connects normally but that connection is not protected against luring; in Required mode it is rejected. The check runs once per authentication and its cost is negligible. Service Binding has no prerequisites beyond Windows authentication from a client operating system that supports Extended Protection (Windows 7 and Windows Server 2008 R2 or later, or earlier versions with the Extended Protection update).

To enable Service Binding, set Extended Protection to either Allowed or Required.

What is Channel Binding, what are its prerequisites, and how is it enabled?

Channel Binding counters both luring and spoofing (man-in-the-middle) attacks. It ties the authentication to the TLS channel: the client's authentication carries a channel binding token (CBT) derived from the TLS session it negotiated, and the server compares it with the CBT of the channel it actually terminated, so an attacker who relays the traffic through a TLS session of their own cannot make the tokens match. Channel Binding therefore only happens on encrypted connections. Encryption can be requested by the client (Encrypt=True in the connection string) or imposed by the server with Force Encryption; whichever side turns it on, the connection gets Channel Binding, while an unencrypted connection falls back to Service Binding only.

To get Channel Binding on every connection, set Extended Protection to Allowed or Required and additionally set Force Encryption to Yes in the protocol properties, so the server refuses unencrypted connections. Force Encryption needs a server certificate that the clients trust (without one SQL Server uses a self-signed certificate, which clients only accept with TrustServerCertificate=True). If Force Encryption stays off, clients that do not ask for encryption receive Service Binding only.
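To see which binding a given client connection actually gets, here is an added PowerShell example that is not part of the original article. It opens a connection with the .NET SqlClient and reads the session's own row from sys.dm_exec_connections: encrypt_option shows whether TLS is on (Channel Binding), auth_scheme shows whether Windows authentication was used at all. The server name is an assumption; the query needs VIEW SERVER STATE on the instance.

```powershell
# Added example, not from the original article. Run from a client machine that
# authenticates to the instance with Windows authentication.
function Test-SqlBinding {
    param(
        [string]$Server = 'node.corp.example.com',   # assumption: replace with your instance
        [bool]$Encrypt  = $true                      # $false shows the service-binding-only case
    )
    $cs = "Server=tcp:$Server;Integrated Security=SSPI;Encrypt=$Encrypt;TrustServerCertificate=False"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $cs
    try {
        # In Required mode, a client without Extended Protection support fails here:
        # that is the expected rejection, not a bug.
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Requires VIEW SERVER STATE (or sysadmin) on the target instance.
        $cmd.CommandText = @"
SELECT encrypt_option, auth_scheme, net_transport, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
"@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            $binding = if ($r['auth_scheme'] -eq 'SQL') {
                           'none (SQL login, Extended Protection does not apply)'
                       } elseif ($r['encrypt_option'] -eq 'TRUE') {
                           'channel binding (TLS) plus service binding'
                       } else {
                           'service binding only (no TLS)'
                       }
            [pscustomobject]@{
                Server     = $Server
                AuthScheme = $r['auth_scheme']      # KERBEROS, NTLM or SQL
                Encrypted  = $r['encrypt_option']   # TRUE or FALSE
                Transport  = $r['net_transport']
                Binding    = $binding
            }
        }
    }
    finally { $conn.Dispose() }
}

Test-SqlBinding -Encrypt $true
Test-SqlBinding -Encrypt $false
```

If the server has Force Encryption set to Yes, the second call still reports Encrypted = TRUE, which is exactly the point of forcing it: clients that never ask for encryption are upgraded to Channel Binding anyway. A result with AuthScheme = SQL means the login is not a Windows login and none of this protection applies to it.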

The feature can be configured through SQL Server Configuration Manager or the Windows registry.
Open SQL Server Configuration Manager > SQL Server Network Configuration, right-click Protocols for your instance, choose Properties, open the Advanced tab and set the Extended Protection property to one of the following values:

  • Off: Extended Protection is disabled; the instance accepts every connection regardless of client support.
  • Allowed: Extended Protection is enforced for clients whose operating system supports it, and connections from clients that do not support it (Windows versions before Windows 7 and Windows Server 2008 R2 without the Extended Protection update, or applications not yet ready for it) are still accepted unprotected. Less secure than Required, but the right choice for a mixed environment.
  • Required: only connections from operating systems and applications that support Extended Protection are accepted; all others are rejected. This is the most secure setting, but it breaks clients without support.


On the same tab, the Accepted NTLM SPNs property lets you list additional valid SPNs separated by semicolons (;), for example MSSQLSvc/node.corp.example.com;MSSQLSvc/sqlalias.corp.example.com. This is needed when NTLM clients reach the instance under a name other than its primary one (an alias, a cluster or listener name, an IP address), because the SPN they send names the address they connected to, and a mismatch is treated as an attack.

Alternatively, you can configure the feature by setting the following registry values (the instance ID MSSQL15.NODE below is the author's SQL Server 2019 instance named NODE; use the instance ID of your own instance):

Service Binding: the ExtendedProtection value is a REG_DWORD with 0 for Off, 1 for Allowed and 2 for Required.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.NODE\MSSQLServer\SuperSocketNetLib\ExtendedProtection

To define the accepted SPNs via the registry, set this REG_SZ value to the semicolon-separated list:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.NODE\MSSQLServer\SuperSocketNetLib\AcceptedSPNs

Force Encryption is the ForceEncryption REG_DWORD (1 = Yes) in the same SuperSocketNetLib key. The SQL Server service must be restarted for any of these changes to take effect.
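The whole procedure above, done through the registry from PowerShell, as an added example that is not part of the original article. It resolves the instance ID from the Instance Names key instead of hard-coding MSSQL15.NODE, shows the current state, writes the three values and restarts the service. The instance name NODE and the two SPNs are assumptions (the SPNs are constructed); run it in an elevated session on the database server.

```powershell
# Added example, not from the original article. Requires an elevated session on the
# SQL Server host. Instance name and SPNs are assumptions: replace them with your own.
$InstanceName = 'NODE'                              # 'MSSQLSERVER' for a default instance
$AcceptedSpns = @(                                  # constructed: every name clients use for this instance
    'MSSQLSvc/node.corp.example.com:1433'
    'MSSQLSvc/sqlalias.corp.example.com:1433'
)

# Resolve the instance ID (e.g. MSSQL15.NODE) from the map that SQL Server Setup writes.
$instanceMap = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId  = $instanceMap.$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' is not installed on this machine." }
$netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"

$epNames  = @{ 0 = 'Off'; 1 = 'Allowed'; 2 = 'Required' }
$epValues = @{ Off = 0; Allowed = 1; Required = 2 }

function Get-SqlExtendedProtection {
    $p = Get-ItemProperty -Path $netLib
    [pscustomobject]@{
        InstanceId         = $instanceId
        ExtendedProtection = $epNames[[int]$p.ExtendedProtection]   # absent value means Off
        AcceptedSPNs       = $p.AcceptedSPNs
        ForceEncryption    = [bool]$p.ForceEncryption
    }
}

function Set-SqlExtendedProtection {
    param(
        [Parameter(Mandatory)] [ValidateSet('Off', 'Allowed', 'Required')] [string]$Mode,
        [string[]]$Spns = @(),
        [switch]$ForceEncryption
    )
    # Service binding: REG_DWORD 0 = Off, 1 = Allowed, 2 = Required.
    Set-ItemProperty -Path $netLib -Name ExtendedProtection -Value $epValues[$Mode] -Type DWord
    # Accepted NTLM SPNs: REG_SZ, semicolon separated.
    Set-ItemProperty -Path $netLib -Name AcceptedSPNs -Value ($Spns -join ';') -Type String
    # Channel binding needs TLS on the connection; Force Encryption makes the server insist on it.
    # Provision a certificate the clients trust before turning this on.
    Set-ItemProperty -Path $netLib -Name ForceEncryption -Value ([int]$ForceEncryption.IsPresent) -Type DWord
}

'Before:'; Get-SqlExtendedProtection | Format-List

# Start with Allowed; move to Required once every client is known to support Extended Protection.
Set-SqlExtendedProtection -Mode Allowed -Spns $AcceptedSpns -ForceEncryption

# The values are read at service start, so restart the instance (MSSQL$<name> for a named instance).
$service = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
Restart-Service -Name $service -Force

'After:'; Get-SqlExtendedProtection | Format-List
```

Run it once in Allowed mode, watch for failed logins from clients that do not send the SPN, then rerun with -Mode Required when none remain. Leaving -ForceEncryption out keeps Service Binding only for clients that do not ask for encryption themselves.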


Author Profile

Database administration is an exciting job combining knowledge, art and experience; you must live with it to love it, despite all the difficulties.
Currently I'm working as a Microsoft SQL Server DBA and BI consultant.
