MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins  Configuring Server Roles  Controlling Database Access and Administration  Managing Database Permissions  Security Enhancements in Sql Server 2005

MICROSOFT SQL SERVER 2005 SECURITY 1. Logins and Users : Login: A valid login name is required to connect to an SQL Server instance. A login could be: A Windows NT/2000 login that has been granted access to SQL Server An SQL Server login, that is maintained within SQL Server User: A valid user account within a database is required to access that database.

MICROSOFT SQL SERVER 2005 SECURITY 2. SQL Server 2005 Authentication Modes Authentication : During a new connection request, SQL Server verifies the login name supplied, to make sure, that login is authorized to access SQL Server. This verification is called Authentication. Two types of Authentication Modes : Windows Authentication Mode Mixed Mode (Windows Authentication and SQL Server Authentication)

MICROSOFT SQL SERVER 2005 SECURITY

3. Permissions GRANT: Grants the specific permission (Like SELECT, DELETE etc.) to the specified user or role in the current database Example : USE master; GRANT CONTROL SERVER TO TerryEminhizer; REVOKE: Removes a previously granted or denied permission from a user or role in the current database Example : USE master; REVOKE VIEW SERVER STATE FROM WanidaBenshoof; GO

MICROSOFT SQL SERVER 2005 SECURITY DENY: Denies a specific permission to the specified user or role in the current database Example USE master; DENY CONNECT SQL TO Annika CASCADE; GO

MICROSOFT SQL SERVER 2005 SECURITY 4. Roles you'll create and control groups of users using SQL Server roles. Two Types of Roles :  Server Roles  Database Roles SQL Server 2005 Server roles  Bulkadmin – can run bulk insert statement  Dbcreator – can create, alter, restore and drop database  Diskadmin – can manage the disk file  Processadmin – can terminate session connecting to your SQL server  Securityadmin – create & alter logins, reset password, provide access  Serveradmin – Alter SQL instance configuration, shutdown SQL service  Setupadmin – can add and remove linked server  Sysadmin – can do anything on the server

MICROSOFT SQL SERVER 2005 SECURITY SQL Server 2005 Database roles  db_accessadmin – Can add or remove access for a login.  db_backupoperator – Can back up the specified database.  db_datareader – Can read from every table in the database unless the access is explicitly denied.  db_datawriter – Explicitly grants user permission to run an UPDATE, DELETE or INSERT statement for the database.  db_ddladmin – Can run any DDL statement inside the database, including creating stored procedures or tables.  db_denydatareader – Explicitly prevents the user from reading data.  db_denydatawriter – Explicitly prevents user from running an UPDATE, DELETE or INSERT statement for the database.  db_owner – Is an administrator of the database and can perform any function.  db_securityadmin -- To create login and provide access

MICROSOFT SQL SERVER 2005 SECURITY Creating and Using roles : In Query Window, To create a new database role, type: sp_addrole 'rolename' To add a user to the role, use the command: sp_addrolemember 'rolename', 'username‘ To drop a user to the role, use the command: sp_droprolemember 'rolename', 'username‘ To drop a new database role, type: sp_droprole 'rolename'

MICROSOFT SQL SERVER 2005 SECURITY 5. Managing Server logins Types of Logins : Login types from earlier editions of SQL Server:  SQL Server login  Windows user login  Windows group login New login types for SQL Server 2005:  Login mapped to a certificate  Login mapped to an asymmetric key Creating Logins Syntax CREATE LOGIN name { WITH options | FROM source }

MICROSOFT SQL SERVER 2005 SECURITY Example: CREATE LOGIN TestLogin WITH PASSWORD = 'Ch4ng3M3!' MUST_CHANGE, DEFAULT_DATABASE = AdventureWorks, CHECK_EXPIRATION = ON, CHECK_POLICY = ON  Windows Logins CREATE LOGIN [BUILTIN\Users] FROM WINDOWS WITH DEFAULT_DATABASE = AdventureWorks  Deleting Logins DROP LOGIN name  Modifying Logins ALTER LOGIN name { status | WITH option [,...] }

MICROSOFT SQL SERVER 2005 SECURITY  Enabling and Disabling Logins ALTER LOGIN TestLogin DISABLE Setting Options  Resetting the password on the login  Setting the default database  Setting the default language  Changing the login name itself (renaming the login)  Setting whether or not to check the password policy  Setting whether or not to check password expiration  Setting a credential for the login (or unsetting a credential)

MICROSOFT SQL SERVER 2005 SECURITY  Resetting the Password ALTER LOGIN TestLogin WITH PASSWORD = 'MyNewP4ssw0rd!' UNLOCK 6. Configuring Server Roles  sp_addsrvrolemember  sp_dropsrvrolemember  sp_helpsrvrole  sp_helpsrvrolemember  sp_srvrolepermission Example EXEC sp_addsrvrolemember 'Corporate\HelenS', 'sysadmin';GO

MICROSOFT SQL SERVER 2005 SECURITY 7. Managing Database Access  sp_addrole  sp_addrolemember  sp_dbfixedrolepermission  sp_droprole  sp_helpdbfixedrole  sp_helprole  sp_helprolemember  sp_droprolemember

MICROSOFT SQL SERVER 2005 SECURITY Security Enhancements in SQL Server 2005  Impersonation  Surface Area Configuration tool  User – Schema Separation  Granular Permission Sets  Password Policies  Encryption  Limited Metadata Visibility  Security Catalog Views  DDL Triggers  Mapping Windows user credentials