SQL Server Security 101 How did you get in here, and

Slides:



Advertisements
Similar presentations
Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
Advertisements

MySQL Access Privilege System
Managing User, Computer and Group Accounts
Logins, Roles and Credentials Lesson 14. Skills Matrix.
System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.
Security and Integrity
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Session 5: Working with MySQL iNET Academy Open Source Web Development.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
Module 14 Configuring Security for SQL Server Agent.
Controlling User Access. Objectives After completing this lesson, you should be able to do the following: Create users Create roles to ease setup and.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
INTRO TO SQL SERVER SECURITY By Robert Biddle
Esri UC 2014 | Technical Workshop | Administering Your Microsoft SQL Server Geodatabase Shannon Shields Chet Dobbins.
Chapter 13Introduction to Oracle9i: SQL1 Chapter 13 User Creation and Management.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.
SQL Server Administration. Overview  Security  Server roles  Database roles  Object permissions  Application roles  Managing data  Backups  Restoration.
Stored Procedures / Session 4/ 1 of 41 Session 4 Module 7: Introducing stored procedures Module 8: More about stored procedures.
Intro To Oracle :part 1 1.Save your Memory Usage & Performance. 2.Oracle Login ways. 3.Adding Database to DB Trees. 4.How to Create your own user(schema).
SQL Server Security Basics Starting with a good foundation Kenneth Fisher
SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance
Taming the Beast How a SQL DBA can keep Kerberos under control David Postlethwaite 29/08/2015David Postlethwaite.
WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations
19 Copyright © 2008, Oracle. All rights reserved. Security.
Defense In Depth: Minimizing the Risk of SQL Injection
SQL Implementation & Administration
Administrating a Database
Module 1: SQL Server Overview
Effective T-SQL Solutions
# 66.
CollegeSource Security Application &
Controlling User Access
Controlling User Access
Securing Data with SQL Server 2016
Get to know SQL Manager SQL Server administration done right 
Access, Users, Permissions
SQL Server Security For Everyone
Active Directory Administration
Introduction to SQL Server 2000 Security
Who Has What to Which? (The Permissions Superset)
Designing Database Solutions for SQL Server
DevOps Database Administration
Limiting SQL Server Exposure
Principles of report writing
The Dirty Business of Auditing
DevOps Database Administration
5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN
SQL Server Security from the ground up
SQL Server Security 101 How did you get in here, and
SQL Server Security For Everyone
Intermediate Security Topics in SQL SERver
Copyright © 2013 – 2018 by Curt Hill
Administrating a Database
SQL Server Security from the ground up
We Need To Talk Security
Presentation transcript:

SQL Server Security 101 How did you get in here, and Who said you could do that? Presented by: Pat Phelan DBA Mentor at Involta, LLC.

Presenter confessions This is a “101” presentation, it is not a deep dive into internals! Wikipedia citations This presentation cites Wikipedia Academia doesn’t support those citations Wikipedia makes definitions and additional information freely accessible Wikipedia makes most of those available in many human languages. Feedback request This presentation is evolving Constructive comments and suggestions are welcome!

Session Overview We will cover (built into this presentation) AD/Windows basics SQL Server Logins Database users Permissions We might cover (based on audience interest) SQL 2000-2012 security Pre-SQL 2000 security Principle of least privilege Other information sources Non-SQL Server kinds of security

AD/Windows features used by SQL AD - Active Directory Often includes a number suffix that ties AD to a Windows Server version Directory of Windows Objects Computers Users Groups Printers

Kerberos https://en.wikipedia.org/wiki/Kerberos_(protocol) AD security component since Windows 2000 AD uses a Kerberos subset Kerberos provides authentication of client and server Kerberos encourages encrypted communication for all traffic Kerberos requires encrypted communication for inital identification

SPN - Service Principal Names Associates multiple AD/Windows objects within Kerberos Computer address (usually Ethernet IP address and port) Service name AD/Windows account for this SPN SETSPN.EXE Requires Domain Administrator privilege to run Lists and modifies SPNs FCI (SQL Server Failover Cluster Instance) notes SPNs are why FCIs are so much easier for Domain Adminis to install! Default security doesn’t permit non-Domain Admin to install FCI

SID – Windows Security Identifier Always authoritative if an object has a SID, then the SID defines the object’s identity Defined to be variable length Usually a GUID under the covers

Names in Windows Names are easy and decorative for security communication. Names are for humans, rarely used inside of Windows Names come in many varieties Object usually have multiple names “Friendly” name Canonocial name Fully qualified name Applications can usually find a SID from a name

Windows Security-speak People usually use names Windows almost always uses SIDs SPNs are critically important for services to access AD AD is Window’s authoritative source for security information Users Computers Groups

SQL Logins Logins authenticate a connection to the server Logins divide into two types… At least a dozen ways! Server login Contained Login SQL Authenticated Login Windows Authenticated Login

Contained SQL Logins Especially important in DaaS, such as Azure or Cosmos DB Highly scalable Only database user association No server level permissions Can not be sysadmin Can not create new databases Limited access to other databases No cross database joins Limited access to system databases (master, msdb)

SQL Server Logins Can have server level permissions (such as sysadmin) Can access multiple databases Cross database joins System databases (master and msdb) Can stop the SQL Server Windows authenticated users can have Service level permissions too

Database User No Authentication Inherits its identity from Login Nearly all object permissions are granted to Users, not Logins

Authentication Types SQL Authentication Windows Authentication Login name Password Windows Authentication Kerberos ticket grants SID access AD/Windows User AD/Windows Group

Security notes Login returned by SUser_SName() User returned by User_Name() Impersonation SETUSER EXECUTE AS

EXECUTE xp_logininfo Relies on SPN and Kerberos for AD/Windows information My definitive answer for “What access does <blank> have to this SQL Server?” Parameters @option = ‘all’ Enumerates all of the access paths that a given login can use to get access as a result set @option = ‘members’ Enumerates the members of an AD/Windows Group as a result set!

SQL Server permissions Great presenters can cover SQL permissions in about 30 hours I’m not that great We only have an hour Let’s give it a shot anyway! Full discussion starts at: https://docs.microsoft.com/en-us/sql/relational- databases/security/permissions-database-engine Pretty SQL Security poster PDF at: http://go.microsoft.com/fwlink/?LinkId=229142

SQL Permission related commands GRANT Give permission DENY Forbid ever* getting permission REVOKE Drop previous GRANT or DENY *Note that there is a specific exception where an identity is: Denied access to a table Granted access to a column within that table

How Identity (Login or User) matches work Exact match for your identity Match for a SQL Role that includes your identity Recursive Match for an AD/Windows Group that includes your AD User Usually recursive

How permissions are checked If the Identity is a sysadmin, it has permission If the Identity owns any container (database, schema, etc.), it has permission If the Identity is DENIED, it can’t get permission There can be an exception for a GRANT on a column created after a DENY on the associated object. If the Identity is GRANTED permission, it has permission By default, no permission (except sysadmin and owner)

Database Permissions Keyword Permission to: EXECUTE Execute code (function or stored procedure) SELECT Retrieve information INSERT Add new data (usually rows) to an object UPDATE Change data in an object DELETE Remove data from an object

Historical SQL Server permissions SysAdmin Ability to do anything that SQL can do SecurityAdmin Ability to add logins and grant permissions ServerAdmin “Power User” able to manage much of SQL Server others

Modern SQL Server permissions SysAdmin still exists, almost unchanged Much more granular permissions 237 in SQL 2017 / Azure 230 in SQL 2016 219 in SQL 2014 214 in SQL 2012

Evaluation Request Please fill out the evaluation forms If you have specific comments or questions, please email me Comments and questions are how I learn to present better. If you want me to give better presentations, you need to give me feedback! No comment is small or insignificant. I read them all. Thanks!

SQL Security 101 How did you get in here, and who said that you could do that? Quad City PASS Local User Group 2018-02-21 Davenport, Iowa http://qcpass.sqlpass.org Pat Phelan DBA Mentor at Involta, LLC. Pat@YetAnotherSQL.com Twitter: @YetAnotherSQL Edit 

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.