SQL Server Security Basics Starting with a good foundation Kenneth Fisher

Slides:



Advertisements
Similar presentations
Where to Put Your Package Okay, stop giggling – this is SQL Server!
Advertisements

Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Login dan Permission dfd, Jenis Login dfd, 2012 SQL Server Authentication Membutuhkan password Windows Authentication Mode Tidak membutuhkan password.
Understand Database Security Concepts
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Database Application Security Models
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
Course Topics Administering SQL Server 2012 Jump Start 01 | Install and Configure SQL Server04 | Manage Data 02 | Maintain Instances and Databases05 |
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.
CSCI 3140 Module 6 – Database Security Theodore Chiasson Dalhousie University.
Securing SQL Server 2005 Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
CERN IT Department CH-1211 Genève 23 Switzerland t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
ADO.NET AND STORED PROCEDURES - Swetha Kulkarni. RDBMS ADO.NET Provider  SqlClient  OracleClient  OleDb  ODBC  SqlServerCE System.Data.SqlClient.
INTRO TO SQL SERVER SECURITY By Robert Biddle
Esri UC 2014 | Technical Workshop | Administering Your Microsoft SQL Server Geodatabase Shannon Shields Chet Dobbins.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.
SQL Server Administration. Overview  Security  Server roles  Database roles  Object permissions  Application roles  Managing data  Backups  Restoration.
1 Chapter Overview Granting Database-Specific Permissions Using Application Roles Designing an Access and Permissions Strategy.
Secure Data Access with SQL Server 2005 Doug Rees Associate Technologist, CM Group
SQL Server Permissions and Security Principals William Assaf Sparkhound, Inc. SQLSAT CLUTCH CITY 2015.
Introduction to SQL Server for Windows Administrators Presented to WiNSUG 02/05/09 Bret Stateham Owner, Net Connex Blogs.netconnex.com.
SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance
7.5 Using Stored-Procedure and Triggers NAME MATRIC NUM GROUP Muhammad Azwan Bin Khairul Anwar CS2305A Muhammad Faiz Bin Badrol Shah CS2305B.
WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations
SQL Implementation & Administration
Administrating a Database
Microsoft SQL Server 2014 for Oracle DBAs Module 8
# 66.
Securing Data with SQL Server 2016
Access, Users, Permissions
SQL Server Security For Everyone
Introduction to SQL Server 2000 Security
OER- UNIT 3 Authorization
Designing Database Solutions for SQL Server
Limiting SQL Server Exposure
The Dirty Business of Auditing
5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN
SQL Server Security from the ground up
or: How I Learned to Stop Using EXECUTE AS and Love Certificates
SQL Server Security 101 How did you get in here, and
SQL Server Security For Everyone
Limiting SQL Server Exposure
Implementing Database Roles in the Enterprise Geodatababse
Intermediate Security Topics in SQL SERver
SQL .. An overview lecture3.
Copyright © 2013 – 2018 by Curt Hill
PT2520 Unit 8: Database Security I
SQL Server Security 101 How did you get in here, and
Administrating a Database
SQL Server Security from the ground up
We Need To Talk Security
Presentation transcript:

SQL Server Security Basics Starting with a good foundation Kenneth Fisher

What security isn't – It's not high profile like HA, DR, and performance tuning. – There is no praise, only blame. What it is – Typically very complex. – It’s very easy to make mistakes. Why are we here?

Identity theft – More than 10 million victims a year. – Not just financial identity theft but medical as well. Data breaches – Impossible to accurately know but from one source more than half a billion individual records lost in Why are we here?

Why the basics? – We all start out at the beginning. – It’s important to have a good foundation in any subject. – A large portion of our work revolves around the basics. – We tend to cause ourselves extra work if we don't understand the basics. Why are we here?

Definitions: What are Principals, Securables and Permissions? Where can we find everything? (using the GUI) Some best practices. What are we doing?

Principals Securables Permissions Definitions

A permission is what the principal is allowed to do to the securable. Permissions Tables & Views SELECT INSERT UPDATE DELETE SPs & Functions EXECUTE SPs, Functions & Views VIEW DEFINITION Database CONNECT BACKUP CREATE PROCEDURE VIEW DATABASE STATE

A securable is an object that a principal wants access to. Securables Database Schema Table Column Stored Procedure Function View

A securable is an object that a principal wants access to. Securables Instance

Principals A principal is something requesting permissions to a securable. Server Database SQL login Windows login Windows group Server role Login mapped to a certificate Login mapped to an asymmetric key SQL user Windows user Windows group Application role Database roleUser mapped to a certificate User mapped to an asymmetric key

Principals A principal is something requesting permissions to a securable. Server Database SQL login AD\Windows login AD\Windows group Server role Login mapped to a certificate Login mapped to an asymmetric key SQL user AD\Windows login AD\Windows group Application role Database role User mapped to a certificate User mapped to an asymmetric key UsersLogins Roles

A role is a special type of principal that is designed to contain other principals and transfer permissions to them. Principals Built in roles Server and Database level roles that come with SQL Server and can’t be granted or revoked permissions. User defined roles Roles created by a user and can be granted permissions. User defined server roles are new as of SQL Server 2012.

Unsurprisingly all of this data is stored in system views. sys.server_principals sys.server_permissions sys.server_role_members sys.database_principals sys.database_permissions sys.database_role_members Instance Database These six contain just the core data. There are quite a few more views with a variety of additional information! Tying it all together

How are server principals and database principals related? Database Principals Server Principals Principal_ID Name SID SQL Login 0x014EA8886B841C4CA1F7ED32489BBF62 AD Login 0x AA70DE8DE2 4F4D68F572D916EB8C0100 AD Group 0x AA70DE8DE2 4F4D68F572D91623FF0300 Certificate 0x EE6684FF 55FDC676DE368D07C2C200FE155810

Tying it all together Orphaned Users SID SQL Login 0x014EA8886B841C4CA1F7ED32489BBF62 AD Login 0x AA70DE8DE2 4F4D68F572D916EB8C0100 AD Group 0x AA70DE8DE2 4F4D68F572D91623FF0300 Certificate 0x EE6684FF 55FDC676DE368D07C2C200FE Database Principals Server Principals

Tying it all together Orphaned Users – Windows Authenticated Users Logins Users CREATE LOGIN [Domain\Dopey] FROM WINDOWS Server AServer B

Tying it all together Orphaned Users – SQL Authenticated Users Logins Users CREATE LOGIN Dopey WITH PASSWORD = 'MyPass'; EXEC sp_change_users_login 'auto_fix','DOPEY'; or ALTER USER Dopey WITH LOGIN = Dopey; Server AServer B

Tying it all together Orphaned Users – SQL Authenticated Users Logins Users CREATE LOGIN Dopey WITH PASSWORD = 'MyPass'; EXEC sp_change_users_login 'auto_fix','DOPEY'; or ALTER USER Dopey WITH LOGIN = Dopey; Server AServer B

Tying it all together Orphaned Users – SQL Authenticated Users Logins Users CREATE LOGIN Dopey WITH PASSWORD = 'MyPass'; EXEC sp_change_users_login 'auto_fix','DOPEY'; or ALTER USER Dopey WITH LOGIN = Dopey; Server AServer B

Tying it all together Orphaned Users – SQL Authenticated Users Logins Users CREATE LOGIN Dopey WITH PASSWORD = 'MyPass', SID = 0x014EA8886B841C4CA 1F7ED32489BBF62 Server AServer B

Tying it all together Orphaned Users – Exceptions Roles Server A Login User Login User Server AServer B RolesContained Databases Server and database roles have no relation to each other. The database principals in a contained database have all of the information needed to connect to the server and database. Roles <>

How do we apply a permission to a principal? Tying it all together GRANT DENY REVOKE Allow a permission A permission cannot be allowed. Remove a GRANT or DENY.

There are six special principals/permissions. These are the super users and deserve special attention. Each of these principals and permissions have complete control over their associated securable. Administrative Principals and Permissions sa dbo Instance Single UserRole sysadmin db_owner Database control server control database Permission

Most people start out using the GUI to find what permissions a principal has. But where in the GUI is everything? Where can we find everything? PrincipalsSecurables

DEMO – Finding the security data in SSMS object explorer. Where can we find everything?

Best Practices! Least Maintenance Least Surface Area Least Privileges

Make your life as easy as possible. Best Practices! Don’t make permissions more granular than you have to. (Don’t grant at a table level if a Schema or even better the DB level will work) Using Roles and AD/Windows groups. Be consistent. Least Maintenance

Reduce the number of places an attack can come from. Best Practices! Don’t install it if you won’t be using it, or if you do then disable it. (SSIS, SSAS etc.) Don’t create “extra” databases in production. (AdventureWorks for example) Disable unused SQL Server Protocols. (TCP\IP, Named Pipes, VIA, shared memory) Least Surface Area

If they don't need to do it don't let them. Best Practices! Adding a developer to the db_Owner role, even on a development database. Grant permissions to views, SPs etc. rather than the underlying tables. Granting permissions at lowest level possible. (Don’t grant at a DB level if a Schema or even Object level will work) Least Privilege

Security is a balance between granting sufficient permissions to allow users to get their job done and limiting those permissions to avoid mistakes and discourage malicious activities. To make security workable you also have to balance the risks of granting too many permissions against the maintenance cost of granting permissions at the minimum level. Best Practices! Security is all give and take.

It's a big scary world out there. Physical Security Network Security Server Security SQL Server Security Social Engineering

Questions Kenneth Fisher Thank You!

The Quiz!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.