---
title: "Security documentation for SQL Server & Azure SQL Database"
description: A reference of security and protection-related content for SQL Server and Azure SQL Database.
ms.custom: seo-lt-2019
ms.date: "09/27/2017"
ms.prod: sql
ms.prod_service: "database-engine, sql-database, sql-data-warehouse, pdw"
ms.reviewer: ""
ms.technology: security
ms.topic: conceptual
f1_keywords:
- "Security [SQL Server]"
helpviewer_keywords:
- "SQL Server, security"
- "security [SQL Server]"
- "database security [SQL Server]"
- "databases [SQL Server], security"
ms.assetid: dfb39d16-722a-4734-94bb-98e61e014ee7
author: VanMSFT
ms.author: vanto
monikerRange: ">=aps-pdw-2016||=azuresqldb-current||=azure-sqldw-latest||>=sql-server-2016||=sqlallproducts-allversions||>=sql-server-linux-2017||=azuresqldb-mi-current"
---
# Security Center for SQL Server Database Engine and Azure SQL Database
[!INCLUDE[appliesto-ss-asdb-asdw-pdw-md](../../includes/appliesto-ss-asdb-asdw-pdw-md.md)]
This page provides links to help you locate the information that you need about security and protection in the [!INCLUDE[ssDEnoversion](../../includes/ssdenoversion-md.md)] and [!INCLUDE[ssSDSFull](../../includes/sssdsfull-md.md)].
**Legend**
## Authentication: Who are you?
|||
|-|-|
|**Who Authenticates?**
 Windows Authentication
 [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] Authentication
 Azure Active Directory|Who Authenticates? (Windows or [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)])
[Choose an Authentication Mode](../../relational-databases/security/choose-an-authentication-mode.md)
[Connecting to SQL Database By Using Azure Active Directory Authentication](https://azure.microsoft.com/documentation/articles/sql-database-aad-authentication/)|
|**Where Authenticated?**
 At master Database: Logins and DB Users
 At User Database: Contained DB Users|Authenticate at the master database (Logins and database users)
[Create a SQL Server Login](../../relational-databases/security/authentication-access/create-a-login.md)
[Managing Databases and Logins in Azure SQL Database](https://msdn.microsoft.com/library/ee336235.aspx)
[Create a Database User](../../relational-databases/security/authentication-access/create-a-database-user.md)
Authenticate at a user database
[Contained Database Users - Making Your Database Portable](../../relational-databases/security/contained-database-users-making-your-database-portable.md)|
|**Using Other Identities**
 Credentials
 Execute as Another Login
 Execute as Another Database User|[Credentials (Database Engine)](../../relational-databases/security/authentication-access/credentials-database-engine.md)
[Execute as Another Login](../../t-sql/statements/execute-as-transact-sql.md)
[Execute as Another Database User](../../t-sql/statements/execute-as-transact-sql.md)|
## Authorization: What can you do?
|||
|-|-|
|**Granting, Revoking, and Denying Permissions**
 Securable Classes
 Granular Server Permissions
 Granular Database Permissions|[Permissions Hierarchy (Database Engine)](../../relational-databases/security/permissions-hierarchy-database-engine.md)
[Permissions](../../relational-databases/security/permissions-database-engine.md)
[Securables](../../relational-databases/security/securables.md)
[Getting Started with Database Engine Permissions](../../relational-databases/security/authentication-access/getting-started-with-database-engine-permissions.md)|
|**Security by Roles**
 Server Level Roles
 Database Level Roles|[Server-Level Roles](../../relational-databases/security/authentication-access/server-level-roles.md)
[Database-Level Roles](../../relational-databases/security/authentication-access/database-level-roles.md)|
|**Restricting Data Access to Selected Data Elements**
 Restrict Data Access With Views/Procedures
 Row-Level Security
 Dynamic Data Masking
 Signed Objects|Restrict Data Access Using [Views](../../relational-databases/views/views.md) and [Procedures](../../relational-databases/stored-procedures/stored-procedures-database-engine.md)
[Row-Level Security (SQL Server)](../../relational-databases/security/row-level-security.md)
[Row-Level Security (Azure SQL Database)](https://msdn.microsoft.com/library/azure/dn765131.aspx)
[Dynamic Data Masking (SQL Server)](../../relational-databases/security/dynamic-data-masking.md)
[Dynamic Data Masking (Azure SQL Database)](https://azure.microsoft.com/documentation/articles/sql-database-dynamic-data-masking-get-started/)
[Signed Objects](../../t-sql/statements/add-signature-transact-sql.md)|
## Encryption: Storing Secret Data
|||
|-|-|
|**Encrypting Files**
 BitLocker Encryption (Drive Level)
 NTFS Encryption (Folder Level)
 Transparent Data Encryption (File Level)
 Backup Encryption (File Level)|[BitLocker (Drive Level)](https://support.microsoft.com/kb/2855131)
[NTFS Encryption (Folder Level)](https://msdn.microsoft.com/library/dd163562.aspx)
[Transparent Data Encryption (File Level)](../../relational-databases/security/encryption/transparent-data-encryption.md)
[Backup Encryption (File Level)](../../relational-databases/backup-restore/backup-encryption.md)|
|**Encrypting Sources**
 Extensible Key Management Module
 Keys Stored in the Azure Key Vault
 Always Encrypted|[Extensible Key Management Module](../../relational-databases/security/encryption/extensible-key-management-ekm.md)
[Keys Stored in the Azure Key Vault](../../relational-databases/security/encryption/extensible-key-management-using-azure-key-vault-sql-server.md)
[Always Encrypted](../../relational-databases/security/encryption/always-encrypted-database-engine.md)|
|**Column, Data, & Key Encryption**
 Encrypt by Certificate
 Encrypt by Symmetric Key
 Encrypt by Asymmetric Key
 Encrypt by Passphrase|[Encrypt by Certificate](../../t-sql/functions/encryptbycert-transact-sql.md)
[Encrypt by Asymmetric Key](../../t-sql/functions/encryptbyasymkey-transact-sql.md)
[Encrypt by Symmetric Key](../../t-sql/functions/encryptbykey-transact-sql.md)
[Encrypt by Passphrase](../../t-sql/functions/encryptbypassphrase-transact-sql.md)
[Encrypt a Column of Data](../../relational-databases/security/encryption/encrypt-a-column-of-data.md)|
## Connection Security: Restricting and Securing
|||
|-|-|
|**Firewall Protection**
 Windows Firewall Settings
 Azure Service Firewall Settings
 Database Firewall Settings|[Configure a Windows Firewall for Database Engine Access](../../database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access.md)
[Azure SQL Database Firewall Settings](../../relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database.md)
[Azure Service Firewall Settings](../../relational-databases/system-stored-procedures/sp-set-firewall-rule-azure-sql-database.md)|
|**Encrypting Data in Transit**
 Forced SSL Connections
 Optional SSL Connections|[Secure Sockets Layer for the Database Engine](../../database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine.md)
[Secure Sockets Layer for SQL Database](https://msdn.microsoft.com/library/azure/ff394108.aspx)
[TLS 1.2 support for Microsoft SQL Server](https://support.microsoft.com/kb/3135244)|
## Auditing: Recording Access
|||
|-|-|
|**Automated Auditing**
 [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] Audit (Server and DB Level)
 [!INCLUDE[ssSDS](../../includes/sssds-md.md)] Audit (Database Level)
 Detect threats|
[SQL Server Audit (Database Engine)](../../relational-databases/security/auditing/sql-server-audit-database-engine.md)
[SQL Database Auditing](https://azure.microsoft.com/documentation/articles/sql-database-auditing-get-started/)
[Get started with SQL Database Advanced Threat Protection](https://azure.microsoft.com/documentation/articles/sql-database-threat-detection-get-started/)
[SQL Database Vulnerability Assessment](https://docs.microsoft.com/azure/sql-database/sql-vulnerability-assessment) |
|**Custom Audit**
 Triggers|Custom Audit Implementation: Creating [DDL Triggers](../../relational-databases/triggers/ddl-triggers.md) and [DML Triggers](../../relational-databases/triggers/dml-triggers.md)|
|**Compliance**
 Compliance|SQL Server:
[Common Criteria](https://go.microsoft.com/fwlink/?LinkId=616319)
SQL Database:
[Microsoft Azure Trust Center: Compliance by Feature](https://azure.microsoft.com/support/trust-center/services/)|
## SQL Injection
SQL injection is an attack in which malicious code is inserted into strings that are later passed to the [!INCLUDE[ssDE](../../includes/ssde-md.md)] for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] will execute all syntactically valid queries that it receives. All database systems have some risk of SQL Injection, and many of the vulnerabilities are introduced in the application that is querying the [!INCLUDE[ssDE](../../includes/ssde-md.md)]. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see [SQL Injection](../../relational-databases/security/sql-injection.md).
Additional links for application programmers:
- [Application Security Scenarios in SQL Server](/dotnet/framework/data/adonet/sql/application-security-scenarios-in-sql-server)
- [Writing Secure Dynamic SQL in SQL Server](/dotnet/framework/data/adonet/sql/writing-secure-dynamic-sql-in-sql-server)
- [How To: Protect From SQL Injection in ASP.NET](https://msdn.microsoft.com/library/ff648339.aspx)
## See Also
[Getting Started with Database Engine Permissions](../../relational-databases/security/authentication-access/getting-started-with-database-engine-permissions.md)
[Securing SQL Server](../../relational-databases/security/securing-sql-server.md)
[Principals (Database Engine)](../../relational-databases/security/authentication-access/principals-database-engine.md)
[SQL Server Certificates and Asymmetric Keys](../../relational-databases/security/sql-server-certificates-and-asymmetric-keys.md)
[SQL Server Encryption](../../relational-databases/security/encryption/sql-server-encryption.md)
[Surface Area Configuration](../../relational-databases/security/surface-area-configuration.md)
[Strong Passwords](../../relational-databases/security/strong-passwords.md)
[TRUSTWORTHY Database Property](../../relational-databases/security/trustworthy-database-property.md)
[Database Engine Features and Tasks](https://msdn.microsoft.com/library/d9efe145-3306-4d61-bd77-e2af43e19c34)
[Protecting Your SQL Server Intellectual Property](../../relational-databases/security/protecting-your-sql-server-intellectual-property.md)
[!INCLUDE[get-help-security](../../includes/get-help-security.md)]