SQL Server Security For Everyone

Presentation transcript:

SQL Server Security For Everyone Starting with a good foundation Kenneth Fisher, Sr. DBA, Aegon

Kenneth Fisher @sqlstudent144 sqlstudent144@gmail.com www.sqlstudies.com


Why are we here? The challenges of security.
What security isn’t: It's not high profile like HA, DR, and performance tuning. There is no praise, only blame.
What security is: Typically very complex. It’s very easy to make mistakes.

Why are we here? The importance of security.
Identity theft: More than 10 million victims a year. Not just financial identity theft but medical as well.
Data breaches: Impossible to accurately know, but from one source more than half a billion individual records lost in 2014.

Why are we here?
Basics sessions are a great way to get started for newer DBAs and a great review for more senior DBAs.
Why basics?
We all start out at the beginning.
It’s important to have a good foundation in any subject.
A large portion of our work revolves around the basics.
We tend to cause ourselves extra work if we don't understand the basics.

What are we doing?
Definitions: What are we talking about?
Using the GUI: Where can we find security in the GUI? Using the GUI to learn to script.
Some best practices: Guidelines from some really smart people.

Definitions: Principals, Securables, Permissions

Permissions
A permission is what the principal is allowed to do to the securable.
Tables & Views: SELECT, INSERT, UPDATE, DELETE
SPs & Functions: EXECUTE
SPs, Functions & Views: VIEW DEFINITION
Databases: CONNECT, BACKUP, CREATE PROCEDURE, VIEW DATABASE STATE

Securables
A securable is an object that a principal wants access to.
Instance
Database: Schema, Stored Procedure, Function, View, Table, Column

Principals
A principal is something requesting permissions to a securable.
Server logins: SQL login, AD\Windows login, AD\Windows group, Login mapped to a certificate, Login mapped to an asymmetric key
Server roles: Server role
Database users: SQL user, AD\Windows login, AD\Windows group, User mapped to a certificate, User mapped to an asymmetric key
Database roles: Database role, Application role

Principals
A role is a special type of principal that is designed to contain other principals and transfer permissions to them.
Built-in roles: Server and database level roles that come with SQL Server, most of which can’t be granted or denied permissions.
User-defined roles: Roles created by a user that can be granted/denied permissions. User-defined server roles are new as of SQL Server 2012.

Tying it all together
Unsurprisingly all of this data is available through system views.
Instance: sys.server_principals, sys.server_permissions, sys.server_role_members
Database: sys.database_principals, sys.database_permissions, sys.database_role_members
These six contain just the core data. There are several more views and functions with a variety of additional information!

Tying it all together
How are server principals and database principals related? SID
SQL Login: 0x014EA8886B841C4CA1F7ED32489BBF62
AD Login: 0x010500000000000515000000AA70DE8DE24F4D68F572D916EB8C0100
AD Group: 0x010500000000000515000000AA70DE8DE24F4D68F572D91623FF0300
Certificate: 0x01060000000000090100000069EE6684FF55FDC676DE368D07C2C200FE155810
Server Principals and Database Principals: Principal_ID, Name, SID

Tying it all together
Orphaned Users
Server Principals and Database Principals, by SID:
SQL Login: 0x014EA8886B841C4CA1F7ED32489BBF62
AD Login: 0x010500000000000515000000AA70DE8DE24F4D68F572D916EB8C0100
AD Group: 0x010500000000000515000000AA70DE8DE24F4D68F572D91623FF0300
Certificate: 0x01060000000000090100000069EE6684FF55FDC676DE368D07C2C200FE155810

Tying it all together
Orphaned Users – Windows Authenticated
Server A (Logins, Users), Server B (Logins, Users)
CREATE LOGIN [Domain\Dopey] FROM WINDOWS;

Tying it all together
Orphaned Users – SQL Authenticated
Server A (Logins, Users), Server B (Logins, Users)
CREATE LOGIN Dopey WITH PASSWORD = 'MyPass';
EXEC sp_change_users_login 'auto_fix','DOPEY';
or
ALTER USER Dopey WITH LOGIN = Dopey;


Tying it all together
Orphaned Users – SQL Authenticated
Server A (Logins, Users), Server B (Logins, Users)
CREATE LOGIN Dopey WITH PASSWORD = 'MyPass', SID = 0x014EA8886B841C4CA1F7ED32489BBF62;

Tying it all together
Orphaned Users – Exceptions
Roles: Server and database roles have no relation to each other.
Contained Databases: The database principals in a contained database have all of the information needed to connect to the server and database.
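Finding and fixing the SQL-authenticated orphans described on the slides above, as an added example that is not part of the original presentation. The login name Dopey and the SID are the slides' own values; the password is a placeholder and the column aliases are my own.

```sql
-- Added example. Run query 1 inside the restored or moved database
-- on the destination server (Server B on the slides).

-- 1. SQL-authenticated users whose SID matches no server login.
--    Roles and contained-database users are left out, following the
--    "Exceptions" slide. authentication_type_desc needs SQL Server 2012+.
SELECT  dp.name        AS orphaned_user,
        dp.sid         AS user_sid,
        dp.create_date
FROM    sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
        ON sp.sid = dp.sid
WHERE   dp.type = 'S'                              -- SQL user
  AND   dp.authentication_type_desc = 'INSTANCE'   -- expects a server login
  AND   dp.principal_id > 4                        -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND   sp.sid IS NULL;

-- 2. Preventive fix: on the source server (Server A) read the login's SID ...
SELECT  name, sid
FROM    sys.server_principals
WHERE   name = N'Dopey';

-- ... and create the login on Server B with that same SID, so the
--     database user lines up with it as soon as the database arrives.
CREATE LOGIN Dopey
    WITH PASSWORD = '<placeholder: supply a strong password>',
         SID = 0x014EA8886B841C4CA1F7ED32489BBF62;

-- 3. Alternative when the login already exists on Server B with a
--    different SID: remap the user. ALTER USER is the replacement for
--    sp_change_users_login, which Microsoft has deprecated.
ALTER USER Dopey WITH LOGIN = Dopey;
```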

Tying it all together
How do we apply a permission to a principal?
GRANT: Allow a permission.
DENY: A permission cannot be allowed.
REVOKE: Remove a GRANT or DENY.
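How the three statements interact when a user also inherits a permission through a role, as an added example that is not part of the original presentation. DemoOrders, DemoReaders and DemoUser are made-up names; run it in a scratch database.

```sql
-- Added example: set up a table, a role and a login-less test user.
CREATE TABLE dbo.DemoOrders (OrderID int PRIMARY KEY, Amount money NOT NULL);
CREATE ROLE DemoReaders;
CREATE USER DemoUser WITHOUT LOGIN;          -- database-only principal for testing
ALTER ROLE DemoReaders ADD MEMBER DemoUser;  -- SQL Server 2012+ syntax
GO

-- GRANT: the role, and therefore its member, may read the table.
GRANT SELECT ON OBJECT::dbo.DemoOrders TO DemoReaders;

-- DENY: placed on the user directly; it takes precedence over the
-- GRANT the user inherits through the role.
DENY SELECT ON OBJECT::dbo.DemoOrders TO DemoUser;

EXECUTE AS USER = 'DemoUser';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS select_while_denied;
REVERT;

-- REVOKE: removes the DENY row (it removes a GRANT row the same way),
-- leaving only the permission inherited from the role.
REVOKE SELECT ON OBJECT::dbo.DemoOrders FROM DemoUser;

EXECUTE AS USER = 'DemoUser';
SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'SELECT') AS select_after_revoke;
REVERT;

-- The explicit permission rows that remain on the table.
SELECT  pr.name, pe.state_desc, pe.permission_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 1
  AND   pe.major_id = OBJECT_ID(N'dbo.DemoOrders');
GO

-- Clean up.
ALTER ROLE DemoReaders DROP MEMBER DemoUser;
DROP USER DemoUser;
DROP ROLE DemoReaders;
DROP TABLE dbo.DemoOrders;
```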

Administrative Principals and Permissions
There are six special principals/permissions. These are the super users and deserve special attention. Each of these principals and permissions has complete control over its associated securable.
Instance: single user sa, role sysadmin, permission control server
Database: single user dbo, role db_owner, permission control database

Where can we find everything?
Most people start out using the GUI to find what permissions a principal has. But where in the GUI is everything?
Principals, Securables

Where can we find security info? And using SSMS to help us learn to script.

Best Practices!
Least Maintenance, Least Surface Area, Least Privileges

Best Practices! Least Maintenance
Make your life as easy as possible.
Don’t make permissions more granular than you have to. (Don’t grant permissions at a table level if granting them at a schema or, even better, the database level will work.)
Use roles and AD/Windows groups.
Be consistent.

Best Practices! Least Surface Area
Reduce the number of places an attack can come from.
If you don’t need it, either disable it (SSIS, SSAS, etc.) or don’t install it (external apps, drivers, etc.).
Don’t create “extra” databases in production (AdventureWorks, for example).
Disable unused SQL Server protocols (TCP/IP, Named Pipes, VIA, shared memory).

Best Practices! Least Privilege
If they don't need to do it, then they shouldn’t be able to.
Don’t add a developer to the db_owner role, even on a development database.
Grant permissions to views, SPs etc. rather than the underlying tables.
Grant permissions at the lowest level possible. (Don’t grant permissions at a database level if granting them at a schema or, even better, an object level will work.)
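Granting on a view instead of the underlying table, through a role, as an added example that is not part of the original presentation. The schema, table, view, role and user names are made up; because the view and the table share an owner, ownership chaining lets role members read through the view without holding any permission on the table.

```sql
-- Added example: run in a scratch database.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.Customer (
    CustomerID int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL,
    CardNumber varchar(19)   NOT NULL   -- sensitive column analysts must not read
);
GO
-- The view exposes only the columns the analysts need.
CREATE VIEW Sales.CustomerContact
AS
    SELECT CustomerID, Name, Email
    FROM   Sales.Customer;
GO
-- Permissions go to a role, never to the individual user.
CREATE ROLE SalesReaders;
CREATE USER DemoAnalyst WITHOUT LOGIN;          -- login-less test principal
ALTER ROLE SalesReaders ADD MEMBER DemoAnalyst;
GRANT SELECT ON OBJECT::Sales.CustomerContact TO SalesReaders;
GO
-- Compare the analyst's effective SELECT permission on the view
-- with the permission on the base table.
EXECUTE AS USER = 'DemoAnalyst';
SELECT HAS_PERMS_BY_NAME('Sales.CustomerContact', 'OBJECT', 'SELECT') AS can_select_view,
       HAS_PERMS_BY_NAME('Sales.Customer',        'OBJECT', 'SELECT') AS can_select_table;
REVERT;
GO
-- Clean up.
ALTER ROLE SalesReaders DROP MEMBER DemoAnalyst;
DROP USER DemoAnalyst;
DROP ROLE SalesReaders;
DROP VIEW Sales.CustomerContact;
DROP TABLE Sales.Customer;
DROP SCHEMA Sales;
```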

Best Practices! Security is all give and take. Security is a balance between granting sufficient permissions to allow users to get their job done and limiting those permissions to avoid mistakes and discourage malicious activities. To make security workable you also have to balance the risks of granting too many permissions against the maintenance cost of granting permissions at the minimum level.

It's a big scary world out there.
Physical Security, Network Security, Social Engineering, Server Security, SQL Server Security

Session Evaluations
Your feedback is important and valuable. Submit by 5pm Friday November 6th to WIN prizes.
Ways to access:
Go to passSummit.com
Download the GuideBook App and search: PASS Summit 2015
Follow the QR code link displayed on session signage throughout the conference venue and in the program guide

Thank You

The Quiz!