Windows Enforcement of Authenticode Code Signing and Timestamping impact on SQL Server

Published Mar 23 2019 02:11 PM 215 Views
Microsoft
First published on MSDN on Jan 05, 2016

Windows Enforcement of Authenticode Code Signing and Timestamping has recently announced a change where Windows (version 7 and higher) and Windows Server will no longer trust any code that is signed with a SHA-1 code signing certificate and that contains a timestamp value greater than January 1, 2016. More information about this announcement is documented here .

Recently customers have asked about the impact of the above policy on SQL Server Products.  SQL server utilizes SHA-1 in the following places that are not affected by this windows policy:

  1. CREATE CERTIFICATE, creates a SHA-1 self-signed certificate intended for use within SQL only as a package for an Asymmetric Key. It’s SHA-1 signature is never validated by Windows during encryption, decryption, signing, and signature validations done via T-SQL DDL and is not impacted by the changes mentioned for Windows.
  2. The initial login packet uses a SHA-1 self-signed certificate to protect the user name and password where SSL/TLS is not used.  We recommend using a certificate issued by a trusted root authority and utilizing this external certificate with SQL Server for any authentication scenario such as SSL/TLS.
  3. All the SQL Server binaries are dual signed SHA-256/ SHA-1 digital signature. This is in compliance with the guidance provided in the windows article mentioned above.

If you are using secure communications between the client and the SQL Server instance, then we recommend using the guidelines mentioned in our documentation for using a certificate for encrypted communications. We are also exploring the option of moving to a self-signed certificate which does not use SHA-1.

%3CLINGO-SUB%20id%3D%22lingo-sub-384602%22%20slang%3D%22en-US%22%3EWindows%20Enforcement%20of%20Authenticode%20Code%20Signing%20and%20Timestamping%20impact%20on%20SQL%20Server%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-384602%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20MSDN%20on%20Jan%2005%2C%202016%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3EWindows%20Enforcement%20of%20Authenticode%20Code%20Signing%20and%20Timestamping%20has%20recently%20announced%20a%20change%20where%20Windows%20(version%207%20and%20higher)%20and%20Windows%20Server%20will%20no%20longer%20trust%20any%20code%20that%20is%20signed%20with%20a%20SHA-1%20code%20signing%20certificate%20and%20that%20contains%20a%20timestamp%20value%20greater%20than%20January%201%2C%202016.%20More%20information%20about%20this%20announcement%20is%20documented%20%3CA%20href%3D%22http%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2F32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20here%20%3C%2FA%3E%20.%3C%2FP%3E%0A%20%20%3CP%3ERecently%20customers%20have%20asked%20about%20the%20impact%20of%20the%20above%20policy%20on%20SQL%20Server%20Products.%26nbsp%3B%20SQL%20server%20utilizes%20SHA-1%20in%20the%20following%20places%20that%20are%20not%20affected%20by%20this%20windows%20policy%3A%3C%2FP%3E%0A%20%20%3COL%3E%0A%20%20%20%3CLI%3ECREATE%20CERTIFICATE%2C%20creates%20a%20SHA-1%20self-signed%20certificate%20intended%20for%20use%20within%20SQL%20only%20as%20a%20package%20for%20an%20Asymmetric%20Key.%20It%E2%80%99s%20SHA-1%20signature%20is%20never%20validated%20by%20Windows%20during%20encryption%2C%20decryption%2C%20signing%2C%20and%20signature%20validations%20done%20via%20T-SQL%20DDL%20and%20is%20not%20impacted%20by%20the%20changes%20mentioned%20for%20Windows.%3C%2FLI%3E%0A%20%20%20%3CLI%3EThe%20initial%20login%20packet%20uses%20a%20SHA-1%20self-signed%20certificate%20to%20protect%20the%20user%20name%20and%20password%20where%20SSL%2FTLS%20is%20not%20used.%26nbsp%3B%20We%20recommend%20using%20a%20certificate%20issued%20by%20a%20trusted%20root%20authority%20and%20utilizing%20this%20external%20certificate%20with%20SQL%20Server%20for%20any%20authentication%20scenario%20such%20as%20SSL%2FTLS.%3C%2FLI%3E%0A%20%20%20%3CLI%3EAll%20the%20SQL%20Server%20binaries%20are%20dual%20signed%20SHA-256%2F%20SHA-1%20digital%20signature.%20This%20is%20in%20compliance%20with%20the%20guidance%20provided%20in%20the%20windows%20article%20mentioned%20above.%3C%2FLI%3E%0A%20%20%3C%2FOL%3E%0A%20%20%3CP%3EIf%20you%20are%20using%20secure%20communications%20between%20the%20client%20and%20the%20SQL%20Server%20instance%2C%20then%20we%20recommend%20using%20the%20guidelines%20mentioned%20in%20%3CA%20href%3D%22https%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fms191192.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20our%20documentation%20%3C%2FA%3E%20for%20using%20a%20certificate%20for%20encrypted%20communications.%20We%20are%20also%20exploring%20the%20option%20of%20moving%20to%20a%20self-signed%20certificate%20which%20does%20not%20use%20SHA-1.%3C%2FP%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-384602%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Jan%2005%2C%202016%20Windows%20Enforcement%20of%20Authenticode%20Code%20Signing%20and%20Timestamping%20has%20recently%20announced%20a%20change%20where%20Windows%20(version%207%20and%20higher)%20and%20Windows%20Server%20will%20no%20longer%20trust%20any%20code%20that%20is%20signed%20with%20a%20SHA-1%20code%20signing%20certificate%20and%20that%20contains%20a%20timestamp%20value%20greater%20than%20January%201%2C%202016.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-384602%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESQLServerTiger%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Mar 23 2019 02:11 PM
Updated by: