SQL Server Security Mistakes Everyone Makes

Presentation transcript:

SQL Server Security Mistakes Everyone Makes Robert L Davis Database Engineer @SQLSoldier www.sqlsoldier.com

Robert L Davis, Database Engineer, BlueMountain Capital Management. Microsoft Certified Master, Data Platform MVP. @SQLSoldier, www.sqlsoldier.com
16+ years working with SQL Server
PASS Security Virtual Chapter (http://security.sqlpass.org), volunteers needed
Former Principal Database Architect at DB Best Technologies (www.dbbest.com)
Former Principal DBA at Outerwall, Inc
Former Sr. Product Consultant with Idera Software
Former Program Manager for the SQL Server Certified Master program in Microsoft Learning
Former Sr. Production DBA / Operations Engineer at Microsoft (CSS)
Microsoft Certified Master: SQL Server 2008 / MCSM Charter: Data Platform
Co-founder of the SQL PASS Security Virtual Chapter
MCITP: Database Developer: SQL Server 2005 and 2008
MCITP: Database Administrator: SQL Server 2005 and 2008
MCSE: Data Platform
MVP 2014
Co-author of Pro SQL Server 2008 Mirroring
Former Idera ACE (Advisors & Community Educators)
2-time host of T-SQL Tuesday
Guest Professor at SQL University, summer 2010, spring/summer 2011
Speaker at SQL PASS Summit 2010, 2011, and 2012, including a pre-con in 2012
Speaker/Pre-con at SQLRally 2012
Writer for SQL Server Pro (formerly SQL Server Magazine)
Member: Mensa
Dog picture: Maggie and Woody
SQLCruise instructor: Seattle to Alaska 2012
Speaker at SQL Server Intelligence Conference in Seattle 2012
Blog: http://www.sqlsoldier.com
Twitter: http://twitter.com/SQLSoldier

SQL Server Security Mistakes Everyone Makes: Leaving orphaned users in the database
“What’s the big deal? If the login was deleted, they can’t access the database. Right?”
Once a user logs in, they get all permissions available to them (the permissions superset), through:
Group memberships
Orphaned users
To see all login paths: Exec xp_logininfo '<login>', 'all';
Demo
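The following T-SQL is an added example and not part of the session's demo files. It reproduces the orphaned-user situation the slide describes (a login is dropped, the database user and its permissions stay behind), shows the query a DBA would use to find such users, and repairs them. [SalesDb], [app_login], [app_user], CONTOSO\jdoe and the password are placeholder names constructed for the example.

```sql
-- Added example (not from the presentation): create, find and repair an orphaned user.
-- [SalesDb], [app_login], [app_user], CONTOSO\jdoe and the password are placeholders.
USE [master];
GO
CREATE LOGIN [app_login] WITH PASSWORD = N'Placeholder#Pa55w0rd!';
GO
USE [SalesDb];
GO
CREATE USER [app_user] FOR LOGIN [app_login];
ALTER ROLE db_datareader ADD MEMBER [app_user];
GO

-- "Deleting the login" does not touch the database: the user and its permissions remain.
USE [master];
GO
DROP LOGIN [app_login];
GO
USE [SalesDb];
GO

-- Orphaned SQL-authenticated users: a database principal whose SID matches no server login.
SELECT dp.name AS DatabaseUser, dp.type_desc, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.authentication_type_desc = N'INSTANCE';

-- Windows users and groups with no login of their own. These are NOT necessarily
-- unreachable: the account can still connect through another Windows group that
-- does have a login, and then holds this user's permissions on top of the group's
-- (the permissions superset the slide refers to).
SELECT dp.name AS DatabaseUser, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.authentication_type_desc = N'WINDOWS';

-- Every path (direct login plus group logins) by which a Windows account reaches the instance.
EXEC xp_logininfo @acctname = N'CONTOSO\jdoe', @option = N'all';

-- Repair option 1: the login was recreated (new SID), so relink the user to it.
USE [master];
GO
CREATE LOGIN [app_login] WITH PASSWORD = N'Placeholder#Pa55w0rd!';
GO
USE [SalesDb];
GO
ALTER USER [app_user] WITH LOGIN = [app_login];
GO

-- Repair option 2: the login is gone for good, so remove the user and its permissions.
-- DROP USER [app_user];
```

Run the two SELECTs in every user database as part of a periodic review; the first query is the orphan check, the second is the list of Windows principals whose access depends on group logins you may not have in view.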

SQL Server Security Mistakes Everyone Makes: Allowing non-admin users to have database owner permissions
Database owner or member of the db_owner role
The user gets ALL possible database permissions, even potentially harmful ones:
Drop objects
Change database settings
Modify, add, or drop database files
Create out-of-band backups
Drop the database
Demo
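As an added example (not the session's own demo code), the script below lists every db_owner member in every online database, flags which of them are not already sysadmins, and then shows how to replace db_owner membership for one user with a least-privilege role. [SalesDb], [app_user] and [app_rw] are placeholder names; the ALTER ROLE ... ADD/DROP MEMBER syntax requires SQL Server 2012 or later (use sp_addrolemember / sp_droprolemember on older versions).

```sql
-- Added example (not from the presentation). [SalesDb], [app_user] and [app_rw] are placeholders.

-- 1. Inventory: who is in db_owner in each online database, and is that principal a sysadmin anyway?
CREATE TABLE #DbOwnerMembers (
    DatabaseName sysname,
    MemberName   sysname,
    MemberType   nvarchar(60),
    MappedLogin  sysname NULL,
    IsSysadmin   int NULL
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), m.name, m.type_desc, sp.name,
               IS_SRVROLEMEMBER(N''sysadmin'', sp.name)
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m  ON m.principal_id = rm.member_principal_id
        LEFT JOIN sys.server_principals AS sp ON sp.sid = m.sid
        WHERE r.name = N''db_owner'';';
    INSERT INTO #DbOwnerMembers EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Non-admin principals holding full database control: the list to work through.
SELECT DatabaseName, MemberName, MemberType, MappedLogin
FROM #DbOwnerMembers
WHERE MemberName <> N'dbo'           -- dbo is always a member of db_owner
  AND ISNULL(IsSysadmin, 0) = 0
ORDER BY DatabaseName, MemberName;

DROP TABLE #DbOwnerMembers;
GO

-- 2. Remediation for one user: swap db_owner for a role that grants only what the app needs.
USE [SalesDb];
GO
ALTER ROLE db_owner DROP MEMBER [app_user];

CREATE ROLE [app_rw];
ALTER ROLE db_datareader ADD MEMBER [app_rw];
ALTER ROLE db_datawriter ADD MEMBER [app_rw];
GRANT EXECUTE ON SCHEMA::dbo TO [app_rw];   -- stored-procedure access, no DDL
ALTER ROLE [app_rw] ADD MEMBER [app_user];
GO

-- 3. Verify from the user's point of view: the database-level permissions db_owner
--    carried (ALTER, BACKUP DATABASE, CONTROL, ...) no longer appear.
EXECUTE AS USER = N'app_user';
SELECT permission_name
FROM fn_my_permissions(NULL, N'DATABASE')
ORDER BY permission_name;
REVERT;
```

The verification step is the part worth keeping in a runbook: fn_my_permissions run under EXECUTE AS shows exactly what the application account ends up with, rather than what you intended to grant.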

SQL Server Security Mistakes Everyone Makes: Leaving a real user as the database owner
Database owner: sys.databases.owner_sid
Query to list each database's owner (included in the session demo files):
    Select D.name As DBName, P.name As DBOwnerLogin, SUSER_SNAME(D.owner_sid) As DBOwnerWindowsAccount
    From sys.databases As D
    Left Join sys.server_principals As P On P.sid = D.owner_sid;
The owner's account is mapped to the database user dbo
dbo bypasses permission checking within the database
Sysadmins impersonate dbo within the database
An invalid owner can cause error 916 when a sysadmin tries to access the database:
“The server principal <login> is not able to access the database <database> under the current security context.”
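The script below is an added example, not part of the session's demo files. It extends the owner query from the slide to classify each database's owner (resolves to a login, is a disabled login, or is a SID that no longer resolves), shows that a sysadmin is mapped to dbo inside a database, and reassigns ownership away from a real user. [SalesDb] is a placeholder; choosing [sa] as the new owner is a common practice assumed here, not something the slides prescribe, and a dedicated login reserved for owning databases works the same way.

```sql
-- Added example (not from the presentation). [SalesDb] is a placeholder database name.

-- 1. Classify every database owner. Builds on the slide's owner query.
SELECT D.name AS DBName,
       P.name AS DBOwnerLogin,
       SUSER_SNAME(D.owner_sid) AS DBOwnerWindowsAccount,
       P.type_desc AS OwnerType,
       P.is_disabled,
       CASE
           WHEN P.sid IS NULL AND SUSER_SNAME(D.owner_sid) IS NULL
                THEN N'Owner SID does not resolve: fix before a sysadmin hits error 916'
           WHEN P.sid IS NULL
                THEN N'Owner is a Windows account with no login on this instance'
           WHEN P.name = N'sa'
                THEN N'Owned by sa'
           WHEN P.type_desc IN (N'WINDOWS_LOGIN', N'SQL_LOGIN')
                THEN N'Owned by a real user account: reassign'
           ELSE N'Review'
       END AS Assessment
FROM sys.databases AS D
LEFT JOIN sys.server_principals AS P ON P.sid = D.owner_sid
ORDER BY D.name;
GO

-- 2. Inside a database, a sysadmin is dbo regardless of which login it came in as,
--    which is why ownership resolution has to work for sysadmins to get in at all.
USE [SalesDb];
GO
SELECT ORIGINAL_LOGIN() AS LoginName,
       USER_NAME()      AS DatabaseUser,   -- returns dbo for any sysadmin
       IS_MEMBER(N'db_owner') AS IsDbOwner;
GO

-- 3. Reassign ownership away from the real user. sa (or a dedicated ownership login)
--    never leaves the company and never needs its own permissions inside the database.
USE [master];
GO
ALTER AUTHORIZATION ON DATABASE::[SalesDb] TO [sa];
GO

-- 4. Confirm the owner now resolves.
SELECT name, SUSER_SNAME(owner_sid) AS DBOwner
FROM sys.databases
WHERE name = N'SalesDb';
```

A login that owns a database cannot be dropped, so the "owner does not resolve" case in step 1 typically appears when a Windows account is deleted from the directory rather than from SQL Server; that is the case that produces the error 916 text on the slide.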

SQL Server Security Mistakes Everyone Makes Q & A

Thank you for attending! My blog: www.sqlsoldier.com Twitter: twitter.com/SQLSoldier