Presentation is loading. Please wait.

Presentation is loading. Please wait.

WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations

Published byLaurel Smith Modified over 8 years ago

Similar presentations

Presentation on theme: "WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations"— Presentation transcript:

1 WELCOME! SQL Server Security

2 Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations SQLScottGleason@Gmail.com

3 This is what were talking about

4 Please don’t use SA SA allows the server to be crashed and recovered. It is more difficulty to tell two things: Who did it (service account? NT Service\MSSQLSERVER) Should *that* have really happened

5 System Administrator (sa) Login SQL Server 2000 New Information - SQL Server 2000 SP3. System administrator (sa) is a special login provided for backward compatibility. By default, it is assigned to the sysadmin fixed server role and cannot be changed. Although sa is a built-in administrator login, do not use it routinely. Instead, make system administrators members of the sysadmin fixed server role, and have them log on using their own logins. Use sa only when there is no other way to log in to an instance of Microsoft® SQL Server™ (for example, when other system administrators are unavailable or have forgotten their passwords).

6 Database Connections

7 SQL Authentication Mixed Mode (allows SQL Logins) Used when applications can’t connect using windows authentication or connecting from non trusted domains Windows Authentication Domain controller Easy to change passwords here!

8 Server Logins. What are they?

9 Server Roles

10 Fixed server-level roleDescription Sysadmin (AKA SA) Members of the sysadmin fixed server role can perform any activity in the server. serveradminMembers of the serveradmin fixed server role can change server-wide configuration options and shut down the server. securityadminMembers of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins. Security Note The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role. DbcreatorMembers of the dbcreator fixed server role can create, alter, drop, and restore any database.

11 Fixed server-level roleDescription publicEvery SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You cannot change membership in public. processadminMembers of the processadmin fixed server role can end processes that are running in an instance of SQL Server. setupadminMembers of the setupadmin fixed server role can add and remove linked servers by using Transact-SQL statements. (sysadmin membership is needed when using Management Studio.) bulkadminMembers of the bulkadmin fixed server role can run the BULK INSERT statement.

12 Viewing Server Role Membership

13 Multiple Databases in Server

14 Database Users

15 Database Roles

16 Database-level role nameDescription db_ownerMembers of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database. db_securityadminMembers of the db_securityadmin fixed database role can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation. db_accessadminMembers of the db_accessadmin fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins. db_backupoperatorMembers of the db_backupoperator fixed database role can back up the database. db_ddladminMembers of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. MAKE NEW STUFF (Tables/Stored Procs/Functions)

17 Database-level role nameDescription db_datawriterMembers of the db_datawriter fixed database role can add, delete, or change data in all user tables. db_datareaderMembers of the db_datareader fixed database role can read all data from all user tables. db_denydatawriterMembers of the db_denydatawriter fixed database role cannot add, modify, or delete any data in the user tables within a database. db_denydatareaderMembers of the db_denydatareader fixed database role cannot read any data in the user tables within a database.

18 Orphaned user Troubleshoot Orphaned Users (SQL Server) Find out which users are orphans Exec sp_change_users_login @Action='Report'; Fix Them Exec sp_change_users_login @Action='update_one', @UserNamePattern=' ', @LoginName=' ';

19 SSIS / SQL Agent / sp_send_dbmail

20 MSDB Roles (make it stop)

21 SSIS RoleRead actionWrite action db_ssisadmin or Sysadmin (Windows administrators) <- can view running packages and stop them. Enumerate own packages. Enumerate all packages. View own packages. View all packages. Execute own packages. Execute all packages. Export own packages. Export all packages. Execute all packages in SQL Server Agent. Import packages. Delete own packages. Delete all packages. Change own package roles. Change all package roles. db_ssisltduserEnumerate own packages. Enumerate all packages. View own packages. Execute own packages. Export own packages. Import packages. Delete own packages. Change own db_ssisoperatorEnumerate all packages. View all packages. Execute all packages. Export all packages. Execute all packages in SQL Server Agent. Non

22 SQL Agent Roleaction SQLAgentUserRoleThe least privileged of the SQL Server Agent fixed database roles. It has permissions on only operators, local jobs, and job schedules. Members of SQLAgentUserRole have permissions on only local jobs and job schedules that they own. SQLAgentReaderRoleincludes all the SQLAgentUserRole permissions. Members of this role can also view the list of all available jobs and job schedules and their properties, not just those jobs and job schedules that they own. SQLAgentReaderRole members cannot change job ownership to gain access to jobs that they do not already own. SQLAgentOperatorRoleis the most privileged of the SQL Server Agent fixed database roles. It includes all the permissions ofSQLAgentUserRole and SQLAgentReaderRole. Members of this role can also view properties for operators and proxies, and enumerate available proxies and alerts on the server.

23 Send mail

24 Bigger

25 Hey.. What about execute? Need to run stored procs? Yea.. MSFT never gave us that.. and they had a reason for doing so. So you CAN create new roles (server & database) and you can grant execute on DBO(schema) to your new role name db_data_execute But.. Let the devs do that.

26 Auditing aka WHO DONE DID IT ? DEMO

27 SQL Job Demo a Jobby-Job

28 SQLScottGleason@Gmail.com Kinda knows what he is talking about Might really have a few years of exp Did I leave the Iron on? Kindly nudge the person next to you and let them know the session is over and it is time to wake up.

Download ppt "WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations"

Similar presentations

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Prepared by : Intesar G Ali - IT DepartmentPalestinian Land Authority 1 SQL Server 2005 Security Date :13-3-2011.

Prepared by : Intesar G Ali - IT DepartmentPalestinian Land Authority 1 SQL Server 2005 Security Date :
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,

SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
Course Topics Administering SQL Server 2012 Jump Start 01 | Install and Configure SQL Server04 | Manage Data 02 | Maintain Instances and Databases05 |

Course Topics Administering SQL Server 2012 Jump Start 01 | Install and Configure SQL Server04 | Manage Data 02 | Maintain Instances and Databases05 |
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.

DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Week 7 Lecture 1 Database Roles. Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how.

Week 7 Lecture 1 Database Roles. Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how.

Similar presentations

Ads by Google