Hands-On Microsoft SQL Server 2008 Integration Services part 30 ppsx

Chapter 7
Securing Integration Services Packages

In This Chapter
• Digitally Signing the Package
• Excluding Sensitive Information from the Package
• Encrypting Sensitive Information in the Package
• Encrypting All the Information in the Package
• Using Integration Services Fixed Database-Level Roles
• Considerations for Different Storage Areas
• Summary

Security in SQL Server 2008 Integration Services has been enhanced a great deal
compared to DTS 2000. DTS uses package password protection, SQL Server
Security, and SQL Server Agent service security, while Integration Services
provides the features used by DTS and a lot more to enhance data security. SSIS
provides the ability to secure data and connections from various perspectives, depending
upon the situation. By design, Integration Services will communicate with SQL Server
only over an encrypted channel to protect sensitive data. In Integration Services,
sensitive information means the passwords used in connection strings, any property of
a custom-built component that has the sensitive attribute set, or any variable tagged
with the sensitive attribute.
Integration Services secures your packages and data by providing the facilities to do
the following:
• Digitally sign the package.
• Exclude sensitive information from the package.
• Encrypt sensitive information in the package.
• Encrypt all the contents of the package.
• Control access to the package by using database-level roles.
• Secure storage areas.
Let’s take a detailed look at these options and what they offer in terms of securing
Integration Services packages and the metadata used in them.
Digitally Signing the Package
Development of a complex Integration Services solution involves several developers
who create many smaller packages to join as modules and form a complex solution
for the business problem. During the development phase, a package that has been tested
successfully to perform a part of the function can be deployed while it is still under
development for additional functionality. In such a scenario, you need to avoid the
deployment of modified packages while they are still under testing. For example, you
may be working to solve a complex scenario for which you have proposed a solution
that can be developed and deployed in multiple stages. While development is still
underway and many developers have access to SSIS packages, the last thing you would
want to do is to run an untested package in the production environment.
You also want to make sure that you run packages only from trusted sources.
To identify the source of a package and guarantee the integrity of packages, you can
digitally sign a package with a certificate and configure Integration Services to check for
the presence and validity of the digital signatures. So, each time the package is loaded,
it is verified for digital signatures and hence altered packages wouldn’t be loaded. You
need to have a digital certificate installed on the server to digitally sign your packages.
Once you have that in place, all you need to do is follow these instructions:
1. Using Business Intelligence Development Studio (BIDS), open the package you
want to digitally sign.
2. On the menu bar, click the SSIS menu and choose Digital Signing. This will open
a Digital Signing dialog box displaying a message “This package is not signed.”
3. Click the Sign button. Select a certificate to sign the package and click OK.
4. After signing the package, right-click anywhere on the blank surface of the designer
and choose Properties from the context menu. Locate the CheckSignatureOnLoad
property and set it to True. This will require that the digital signature on the
package be checked every time the package is loaded.
Excluding Sensitive Information from the Package
Integration Services provides a facility to developers to mark certain information as
sensitive data. This sensitive data is handled in a more secure way than the other
metadata of the package. Examples of sensitive data are passwords, connection
strings, or any other information marked as sensitive by a developer in a custom-built
component. Once the components have been deployed, Integration Services identifies
the sensitive properties automatically and doesn’t let users change any of the sensitive
attributes. This applies to the standard built-in components as well.
Integration Services provides a set of options to secure the information in a package
using the ProtectionLevel package property shown in Figure 7-1. You can opt not to
save sensitive data in the package. When you select the DontSaveSensitive option, the
sensitive information is removed from the package while saving and is unavailable for
future executions of the package. So each time you want to execute the package, you
have to provide the required information in order for the package to run successfully.
If you change this option to any other option later on, the sensitive information is
populated with blank data and you will have to provide the sensitive information
(i.e., passwords and so on) in the relevant place to make this information available in
the package.
Encrypting Sensitive Information in the Package
The next scenario could be that you want to save sensitive information in the package
and also want to protect this information. For this, Integration Services provides
two options to encrypt this information in the ProtectionLevel package property—
EncryptSensitiveWithUserKey and EncryptSensitiveWithPassword. These options
are used to encrypt the sensitive information in the package using a user key or using
a password. The Microsoft Data Protection API (DPAPI), which is a cryptography
API, is used to fulfill the encryption needs of ProtectionLevel options that use a user
key for encryption, while a Triple DES cipher algorithm with a 192-bit key length is
used to fulfill the encryption needs of ProtectionLevel options that use a password for
encryption.
EncryptSensitiveWithUserKey is the default encryption level for a package. This
means that the sensitive information in a package is, by default, encrypted using the
current user key, which has been created based on the user profile. Only the current user
using the same profile can load this package. If another user tries to load the package, the
sensitive information fields are populated with blank data and the package will fail to
execute, unless the user trying to run the package provides the sensitive information.

Figure 7-1 ProtectionLevel property options of a package

The EncryptSensitiveWithPassword package protection level allows you to save
the sensitive information in the package and encrypt it using a password, supplied
in the PackagePassword property. By using a password as an encryption key for the
sensitive information, you can let other developers open the package by supplying a
password and hence make the package accessible to all members of the development
team. Each time the package is loaded or the ProtectionLevel option is changed, the
user must provide the package password. If the package password is not provided,
the package is opened without the sensitive information. So to sum up, you will use
the EncryptSensitiveWithUserKey option to encrypt the packages that you probably
will not share with anybody else and the EncryptSensitiveWithPassword option when
you want to share the package with others.
Encrypting All the Information in the Package
Two options are available for encrypting the whole package: EncryptAllWithUserKey
and EncryptAllWithPassword. These options use a user key or a package password,
respectively, to encrypt all the information in a package.
Select the EncryptAllWithUserKey option to encrypt all the information in a package
using a user key. As the user key is generated based on the user profile, only the user who
created or exported the package using the same profile can open or load the package.
Select the EncryptAllWithPassword option to encrypt all the information in a package
using a password specified in the PackagePassword property. You can use this option
to secure the contents of the package yet allow the development team to work on it; a
custom-developed package for your application that includes intellectual property
is a good example of this. A package encrypted in such a way can be opened only by
providing the password. You cannot load the package if you fail to provide the password.
Hands-On: Working with Package Protection Levels
This Hands-On exercise is designed to enhance the understanding of package
protection levels.
Method
In this exercise, we will use each package protection level in turn to see how it works
and the effects it has on the security of the package. We will use the Downloading
zipped files package, as it requires a password to connect to an FTP server, to see the
effects of using it with various protection levels.
Note that if you want to use the Downloading zipped files package that has been
provided with this book, you will receive an error when opening the package. When
you click OK on the pop-up error message, the package will load properly but without
the connection string in the FTP task. This is because, by default, the sensitive
information (passwords, connection strings, and so on) in the package gets encrypted
using the user key, and when another user tries to open the package, an error will occur
and the sensitive information will be removed from the package. However, if you open
the Downloading zipped files package that you developed yourself in Chapter 5, you
will not get any such error.
In addition, this package requires a connection to an FTP server. If you’ve skipped
building this package in Chapter 5, you should find an FTP server and build the
package to complete this Hands-On exercise. The provided package may not be of
much help as it is pointing to a computer used in the lab setup for this book, which is
obviously not accessible to you. Better to use the package that you have created yourself.
Exercise (Excluding Sensitive Information from the Package)
After this exercise, you will be able to exclude sensitive information from the package
using the DontSaveSensitive option of the ProtectionLevel property.
1. Open BIDS and create a new Integration Services project with the name
Downloading zipped files in the location C:\SSIS\Projects. In the Solution
Explorer window, delete the Package.dtsx package file. Right-click the SSIS
Packages node and choose Add Existing Package from the context menu. In
the Add Copy Of Existing Package window, choose File System in the Package
location field and type C:\SSIS\Projects\Control Flow Tasks\Downloading
zipped files.dtsx in the Package path field. Click OK to add this package in your
project. Double-click the Downloading zipped files.dtsx package to open it.
2. Right-click anywhere on the blank surface of the Designer and choose Properties
from the context menu. In the Properties window, you can view the properties
in two ways—Categorized view or Alphabetical view. These views can be set
using the two buttons provided in the command bar on the top of the Properties
window. In the Categorized view, the properties are grouped together on the
category basis, while the Alphabetical view simply lists the properties using
alphabetical sort order. Use Categorized view.
3. Scroll down in the Properties window and locate the Security section. Note that
the ProtectionLevel field shows EncryptSensitiveWithUserKey selected.
4. Press - to open the Solution Explorer. Right-click the Downloading zipped
files.dtsx package under SSIS packages folder and choose View Code from the
context menu. The package code in XML will be shown in a new tab in BIDS.
5. Press Ctrl-F and find Password in the XML document. You will be taken to the
ServerPassword property that is immediately after ServerUserName in the
XML document and is listed here:
<DTS:Property DTS:Name="ServerUserName">administrator </DTS:Property>
<DTS:Property DTS:Name="ServerPassword" Sensitive="1" Encrypted="1">AQAAANC
Mnd8BFdERjHoAwE/Cl+sBAAAAgp969y9CpkO6k07L3IdJGwAAAAAIAAAARABUAFMAAAADZgAAqA
AAABAAAABhZumzf3dqV1SXY5667BryAAAAAASAAACgAAAAEAAAAMW+xn039fmW+00yN32EHG4YA
AAAAE5rsrl9TvzImKtVSb+UWoZbYuJXBwtLFAAAAMTOWe+5xETOTECqeJbMTSIq/c9e
</DTS:Property>
In this node, note that the ServerPassword property is attributed as sensitive
data and is set for encryption. Also note that data in this node is all encrypted.
This encryption is due to the default EncryptSensitiveWithUserKey setting.
6. Switch to the Designer tab of the package and choose the DontSaveSensitive
option in the ProtectionLevel field in the Properties window.
7. Switch to Code view and search for Password. This time you will see the same
XML node with no encryption attribute and no data in it:
<DTS:Property DTS:Name="ServerPassword" Sensitive="1"> </DTS:Property>
This is because the password has been removed from the package.
8. Press 5 to run the package. The package will fail. Stop debugging and click
the Execution Results tab. You will see the following error declaring that the
password was not allowed:
[Connection manager "FTP Connection Manager"] Error: An error
occurred in the requested FTP operation. Detailed error description:
The password was not allowed.
9. Each time you start debugging a package, the package is saved using the ProtectionLevel
option; in this case, it won’t save the password and hence is not executing.
To execute this package, we have to provide a value to the ServerPassword
property. You can do this by setting this value at run time either using Package
Configurations or using a script task. We will cover both these methods in the
later chapters when we cover scripting and package configurations in Chapter 11
and Chapter 13. For now, just keep in mind that a package that has been saved
without the sensitive information can be run by supplying the sensitive (password)
information.
Exercise (Encrypting Sensitive Information Using a User Key)
When you use a user key to encrypt the package, the package encryption gets associated
with the user profile. We will use a test user account, ISUser01, to log on and open a
package that has already been encrypted using a user key by another user, and we will
establish that the sensitive information is replaced when a different user tries to load
the package. This package can be executed successfully only by providing the sensitive
information in the package. You have already created this user account in Chapter 6.
10. Double-click the FTP Connection Manager in the Connection Managers area
in the Designer and provide a password to connect to the FTP server in the
Credentials section of the FTP Connection Manager Editor window. Click OK
to close it.
11. Open the Properties window and change the ProtectionLevel property value to
EncryptSensitiveWithUserKey. Switch to the XML code for the package and
search for Password to see that it has been encrypted, like the one shown in the
preceding exercise.
12. Press 5 to make sure that the package executes successfully.
13. Save all the files, and then close all the applications and log off and log back on
(or switch the user) as ISUser01 with the assigned password.
14. Start Business Intelligence Development Studio and open the Downloading
zipped files.sln from the C:\SSIS\projects\downloading zipped files folder.
15. Open the Downloading zipped files.dtsx package. When BIDS tries to load the
package, you will see an error on the screen informing you that the package could
not be loaded due to errors and prompting you to see the Error List for details.
16. Click OK to close the error and the package will be loaded despite the errors. If
you don’t see the Error List window open in the lower left-hand corner of the
BIDS, you can open it from View menu. In the Error List window, you will see
the detailed error message explaining that the encryption key is not valid:
"Error loading Downloading zipped files.dtsx: Failed to decrypt
protected XML node "DTS:Property" with error 0x8009000B "Key not
valid for use in specified state.". You may not be authorized
to access this information. This error occurs when there is a
cryptographic error. Verify that the correct key is available."
17. Press 5 to run the package. The package will fail. Press -5 to stop
debugging. Go to the Execution Results page and read the error message, which
states that the FTP password was not allowed. This establishes that the FTP
password was removed when we tried to load the package as a different user.
18. Double-click the FTP Connection Manager in the Connection Managers area
in the Designer and provide the password to connect to the FTP server in the
Credentials section of the FTP Connection Manager Editor window. Click OK.
19. Press 5 to run the package; this time the package will succeed. This certifies
that when the package is encrypted with another user key you can still load the
package and use it if you know the sensitive information and can supply the
correct password.
Exercise (Encrypting Sensitive Information Using the Package Password)
When you opt to encrypt a package using the EncryptSensitiveWithPassword option,
you then provide an encryption password using the PackagePassword property in the
Security section of the Properties window. Here you will learn that if you encrypt
the sensitive information in a package using a password, other users can access the
sensitive information by specifying the PackagePassword. However, if other users try
to load the package without specifying the PackagePassword, the sensitive information
is replaced with blanks. You will be performing these steps while still logged on as
ISUser01. In the following steps, you will use a package password to encrypt the
sensitive information in the package.
20. Open the properties for the package and change the ProtectionLevel property
to EncryptSensitiveWithPassword and specify a password bB12345cC in the
PackagePassword field.
21. Open the XML code for the package. In XML code, if you try to find the word
Password in the document, you will not get any result, because this word doesn’t
exist in the document. Instead, find the ServerUserName property, as you know
that the ServerPassword property existed immediately after it. You will see
something like this in the XML code view:
<DTS:Property DTS:Name="ServerUserName">administrator </DTS:Property>
<EncryptedData Type=" Salt="oOBw/
g9GpA==" IV="5YsCDRU2aMM=" xmlns="
ryptionMethod Algorithm="
><CipherData><CipherValue>5YsCDRU2aMM9jrGvOlsQSXNFzBG13LDuBBBI/tK07k/Z1BX
BYNSQEOWFYD3WgRhEDQ56TKlATw2Tvi7UU7OAJfDXDSnnoYPAwtmgTj3d/Qk72HJwlzNjqJ/
FiGjC+2sfN4VNzpLSVGQCkV27tDchXriytPz/2pTI1EY58wui1LPAkulpSbunbg==</
CipherValue></CipherData></EncryptedData>
The data in the package has been encrypted using Triple DES in CBC mode.
22. Press Ctrl-Shift-S to save all the items in the package. Close all the applications
and log off. Log back on using the administrator user account.
23. Run BIDS and load the Downloading zipped files solution. You may have to
double-click the Downloading zipped files.dtsx package in the Solution Explorer
to load the package on the Designer. When BIDS loads the package, you will see
the Package Password prompt to provide the password (Figure 7-2).
24. If you provide the correct package password, the package will load and you can run
the package successfully. However, we will observe the behavior in case someone
tries to load the package without the password. Click Cancel to load the package
without the password.
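
The ServerPassword node takes three different on-disk forms across these exercises (a DPAPI blob, a blank node, and an EncryptedData element), and a script can tell them apart. The following is an added example, not code from the book: a Python audit that classifies every sensitive item in a package's XML and also flags a sensitive value left in cleartext. The DTS namespace URI, the sample() helper and all sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(name):
    """Strip an XML namespace: '{uri}Property' -> 'Property'."""
    return name.rsplit("}", 1)[-1]

def audit_sensitive(dtsx_xml):
    """Return [(property name, state)] for each sensitive item in package XML."""
    findings = []
    for elem in ET.fromstring(dtsx_xml).iter():
        # Key attributes by local name so DTS:Name and a bare Name both match.
        attrs = {local(k): v for k, v in elem.attrib.items()}
        if local(elem.tag) == "EncryptedData":
            # Password-based protection replaces the whole node, name included.
            findings.append(("<hidden>", "password-encrypted"))
        elif local(elem.tag) == "Property" and attrs.get("Sensitive") == "1":
            value = (elem.text or "").strip()
            if not value:
                state = "removed"             # blank node, as with DontSaveSensitive
            elif attrs.get("Encrypted") == "1":
                state = "user-key-encrypted"  # DPAPI blob tied to one user profile
            else:
                state = "CLEARTEXT"           # readable by anyone holding the file
            findings.append((attrs.get("Name", "?"), state))
    return findings

# Constructed samples; the namespace URI and all values are assumptions.
NS = 'xmlns:DTS="www.microsoft.com/SqlServer/Dts"'

def sample(body):
    """Wrap a fragment in a minimal package-like document (hypothetical helper)."""
    return (f"<DTS:Executable {NS}><DTS:ConnectionManager>{body}"
            "</DTS:ConnectionManager></DTS:Executable>")

PWD = '<DTS:Property DTS:Name="ServerPassword" Sensitive="1"'
SAMPLES = {
    "EncryptSensitiveWithUserKey":
        sample(PWD + ' Encrypted="1">Q09OU1RSVUNURUQ=</DTS:Property>'),
    "DontSaveSensitive":
        sample(PWD + "> </DTS:Property>"),
    "EncryptSensitiveWithPassword":
        sample('<EncryptedData Salt="c2FsdA==" IV="aXY="><CipherData>'
               "<CipherValue>Q09OU1RSVUNURUQ=</CipherValue></CipherData>"
               "</EncryptedData>"),
    "hand-edited (constructed edge case)":
        sample(PWD + ">not-a-real-password</DTS:Property>"),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(f"{label:38} {audit_sensitive(xml_text)}")
```

Run over the .dtsx files in a source repository or deployment share, a check like this shows which packages carry secrets that travel with the file and which will need the value supplied at run time.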
