DevOps Database Administration

Slides:



Advertisements
Similar presentations
Stored procedures and views You can see definitions for stored procedures and views in the demo databases but you can’t change them. For views, expand.
Advertisements

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
Chapter 9 Auditing Database Activities
System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Today’s Agenda Chapter 12 Admin Tasks Chapter 13 Automating Admin Tasks.
Module 13 Automating SQL Server 2008 R2 Management.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
How a little code can help with support.. Chris Barba – Developer at Cimarex Energy Blog:
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
SCORCH – Fun Recipes for RunBooks MMS Minnesota 2014 Steve Jesok & Matthew #MMSSCOrch.
What to do for a Financial year end And When to do it.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Attacking Applications: SQL Injection & Buffer Overflows.
Learningcomputer.com SQL Server 2008 – Administration, Maintenance and Job Automation.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Module 15 Monitoring SQL Server 2008 R2 with Alerts and Notifications.
SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 9 Auditing Database Activities.
SQL SERVER 2008 Installation Guide A Step by Step Guide Prepared by Hassan Tariq.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Dynamic SQL Writing Efficient Queries on the Fly ED POLLACK AUTOTASK CORPORATION DATABASE OPTIMIZATION ENGINEER.
SQL Advanced Monitoring Using DMV, Extended Events and Service Broker Javier Villegas – DBA | MCP | MCTS.
17 Copyright © 2006, Oracle. All rights reserved. Information Publisher.
SQL Server Agent All the Knobs You Need to Know Taiob M Ali.
WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations
Defense In Depth: Minimizing the Risk of SQL Injection
SQL Database Management
SQL Server Agent All the Knobs You Need to Know
Microsoft SQL Server 2014 for Oracle DBAs Module 8
Dynamic SQL Writing Efficient Queries on the Fly
ArcGIS Workflow Manager: Advanced Workflows and Concepts
Outsourcing Database Administration
Policy Based Management: Introduction & implementation
DBA and IT Professional for ~9 years. Currently I am a Data Architect
Dynamic SQL: Writing Efficient Queries on the Fly
Access, Users, Permissions
SQL Server Security For Everyone
Developing Production Quality SQL Code
Deploying and Configuring SSIS Packages
Searching Business Data with MOSS 2007 Enterprise Search
Dynamic SQL Writing Efficient Queries on the Fly
Who Has What to Which? (The Permissions Superset)
Designing Database Solutions for SQL Server
Advanced Security Protecting Data from the DBA
DevOps Database Administration
Auditing in SQL Server 2008 DBA-364-M
Limiting SQL Server Exposure
Transactional Replication A Deeper Dive Drew Furgiuele, Senior DBA IGS
Searching Business Data with MOSS 2007 Enterprise Search
5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN
Making PowerShell Useful
Dynamic SQL: Writing Efficient Queries on the Fly
SQL Server Security 101 How did you get in here, and
SQL Server Security For Everyone
Limiting SQL Server Exposure
DBA for ~4+years, IT Professional for 7.5 years.
Making PowerShell Useful
Intermediate Security Topics in SQL SERver
Outsourcing Database Administration
Net Report WMI Dashboard Summary
SQL Server Security 101 How did you get in here, and
DIY GP Maintenance Paul Johnson.
SSRS – Thinking Outside the Report
Presentation transcript:

DevOps Database Administration Repeatable, Automated, and Safe Framework SQL Saturday 714 Philadelphia

About Stephen.Mokszycki@outlook.com DBA and IT Professional for ~10 years. Currently I am a Senior DBA and .Net Developer at www.wayfair.com Worked with SQL 7.0/2000/2005/2008/2012/2014/2016 I have worked in a large environment: 500+ Instances, ~6000 databases, 10s TBs of data. I have worked in a small environments: 5 instances, 60 databases, 1TB of data Automation keeps me sane. https://www.linkedin.com/in/stephen-mokszycki-272b264a/ Currently building a system that generates over 45 million rows an hour Make a joke about Joining the Dark side.

Overview: DEVOPS! Outsourcing Database Administration to your Users Why and How do we enable self service? How do we secure it? How do we build it?

Why would you want to use a DEVOPS APproach? The little things are interruptive to the DBA(s). Empower the Devs safely, reducing time for both parties. DEVOPS! DBAs have more time for the hard problems. Reduce administrative errors. The two main keys are eliminating interruptions for all parties, and REDUCING ERRORS. Don’t, repeat yourself - DRY principle. AND LESS WORK!

The normal Request cycle Dev Needs Something Dev Submits a ticket Dev pings DBA DBA pauses, reviews request DBA request more info Dev sends more details DBA reviews again DBA executes DBA follows up with user confirms DBA Does Everything

Outsourcing the work: DEVOPS Self Service In order to create a self service option we have to grant people access. There are two ways to do this, the unsafe way and the safe way. Taking advantage of privilege escalation is the key idea.

Demo TIME! EXECUTE AS DEMO STEP 6.

How to make it SAFE Using existing tool sets: SQL and maybe powershell. Using role based permissions and schemas Using something scary: TRUSTWORTHY Database. Executing procedures as another login, or privilege escalation Passing parameters safely with QuoteName() and injection checks

A Trustworthy Database Is Dangerous Trustworthy lets the dbo do anything he can normally do outside of the database. Because of this we have to be careful with what we allow our users can do. We have to leverage Stored Procs and Role based permissions. We have to have safe repeatable code, with repeatable outcomes. Remember the goal: give the Devs some access into the admin world without compromising the integrity of our Server.

Trustworthy and DBO From the docs: The TRUSTWORTHY database property is used to indicate whether the instance of SQL Server trusts the database and the contents within it. DBO: The dbo, or database owner, is a user account that has implied permissions to perform all activities in the database. Members of the sysadmin fixed server role are automatically mapped to dbo. Start the EXEC as Demo

Your DBO user matters! What happens if my DBO is now SA? Can he do SA things? Give the demo of the SA User Not doing anything

Privilege Escalation: Execute AS OWNER In Combination with Trustworthy we can take advantage of our DBO User We can Break the outside of our database! Running as another account! What does this mean? What happens when the database owner is SA, the Database is Trustworthy, and We are executing things as Owner? Lets Find out!

The Two Options to Self Service Give the people direct access aka SA Give Devs Self Service via Controls Helpdesk Has SA HD tries to Fix things, drops Login DBA has no clue Wrong Login is dropped! Business is down! DBA scrambles to figure out what happened. DBA URLT HelpDesk executes proc Tries to Fix things, tries drop login Access is blocked! Event is logged! DBA notified Business as usual DBA follows up

Demo TIME!

SQL INJECTION! Watch out for injection! Verify your inputs. Encapsulate your string inputs with QUOTENAME() LOG LOG LOG! You need to know what happened.

Auditing, and Verification Auditing is hard when our sprocs are executed as owner….. ORIGINAL_LOGIN() LOG EVERYTHING! All Variables used Sproc name Who did it Date and Time Logs can drive alerts!

Recap: Our SQL Tools Tools in our Framework: A database, where users can ONLY execute a limited set of objects Via roles and schemas. TRUSTWORTHY and “sa” as the owner. EXECUTE AS OWNER An audit and SQL Injection Check ORIGINAL_LOGIN() QUOTENAME()

Demo TIME!

Expanding from here Increase your injection checks Add additional safety checks Add more to the log function and log tables. Raise eventlog errors Dump the users output somewhere, incase you need it later. Don’t copy paste, make a sproc or a function! Reusable code! Never write it twice! Make a WebAPI that the Devs can hit and access

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.