We Need To Talk Security


1 We Need To Talk Security
Joe Gavin

2 Thank you to our SQL Saturday #892 Sponsors

3 Physical Security

4 Security Patches

5 Backup Security

6 Authentication

7 Windows Authentication
Diagram flow between the PC, Active Directory (AD) and SQL Server:
1. PC to AD: "AD, a valid login was entered, may I have a security token?"
2. AD checks for a valid AD login and answers: "Here's your token."
3. The PC presents the token to SQL Server, which answers: "You're connected."

8 SQL Server Authentication
Diagram flow between the PC and SQL Server: the PC sends a login and password; SQL Server checks whether a valid login and password were entered and answers: "You're connected."

9 SQL Server Logins

10 Login Roles

11 Login Roles
Role            Description
bulkadmin       Run the BULK INSERT statement
dbcreator       Create and drop databases
diskadmin       Manage disk files
processadmin    Kill processes
public          Every login is part of public
securityadmin   Can make themselves sysadmin
serveradmin     Change server-wide configuration options and shut down the server
setupadmin      Add and remove linked servers
sysadmin        Only logins that are used to manage the SQL Server should be in this group

12 Database Users
Diagram labels: Login (at the SQL Server level), User (in the databases).

14 Database Level Roles
Role                Description
db_accessadmin      Add or remove access to the database
db_backupoperator   Back up the database
db_datareader       Read any table
db_datawriter       Write to any table
db_ddladmin         Create or delete any object(s)
db_denydatareader   Cannot read any data
db_denydatawriter   Cannot add, modify, or delete any data
db_owner            Highly privileged
db_securityadmin    Modify users
public              Every user is in public

15 Logins and Users

16 SQL Agent Proxy

17 Credentials

18 Schemas

19 Login Auditing
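The login/user split on slides 12 and 15, and the fixed database roles on slide 14, as an added T-SQL example that is not part of the presentation: a SQL Authentication login and a Windows Authentication login are created, each is mapped to a database user, each user gets only the fixed roles it needs, and a final query finds users whose login is gone (the usual result of restoring a backup on a different instance). The login, database and domain names are hypothetical and the password is a placeholder.

```sql
-- Added example (not from the presentation). Names and the password are placeholders.
USE master;
GO
-- SQL Authentication login: SQL Server stores and checks the password itself, so
-- enforce the Windows password policy and expiration on it.
CREATE LOGIN app_reporting
    WITH PASSWORD = N'<strong password here>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = SalesDb;
GO
-- Windows Authentication login: maps to a domain principal (hypothetical CONTOSO domain);
-- no password is stored in SQL Server, AD does the checking (slide 7).
CREATE LOGIN [CONTOSO\svc_etl] FROM WINDOWS WITH DEFAULT_DATABASE = SalesDb;
GO
USE SalesDb;
GO
-- The database user is what the login becomes inside this one database; the two are
-- linked by SID, not by name.
CREATE USER app_reporting FOR LOGIN app_reporting;
CREATE USER [CONTOSO\svc_etl] FOR LOGIN [CONTOSO\svc_etl];
GO
-- Least privilege with the fixed database roles from slide 14: the reporting
-- account only reads, the ETL account reads and writes, nobody gets db_owner.
ALTER ROLE db_datareader ADD MEMBER app_reporting;
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc_etl];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc_etl];
GO
-- Orphaned users: SQL users in this database whose SID matches no server login.
-- authentication_type 1 (INSTANCE) means the user expects a login on this instance.
SELECT dp.name AS orphaned_user, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'
  AND dp.authentication_type = 1
  AND sp.sid IS NULL;
GO
-- Re-link an orphaned SQL user to the login of the same name once that login exists:
-- ALTER USER app_reporting WITH LOGIN = app_reporting;
```

The orphan query is worth running after every restore onto a different instance: the restored database carries its users and their SIDs, but the logins live in master on the source server, so a login recreated by name on the target gets a new SID and the user stays orphaned until it is re-linked.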

20 Troubleshooting With Login Auditing

21 Troubleshooting With Login Auditing
Message in X:\Program Files\Microsoft SQL Server\MSSQLxx\MSSQL\Log\ERRORLOG, and its explanation:

"Could not find a login matching the name provided"
  An attempt was made to log in with either a Windows or SQL Authentication login that doesn't exist on the SQL Server.

"Password did not match that for the login provided"
  SQL Authentication login exists but the wrong password was entered.

"An attempt to login using SQL authentication failed. Server is configured for Windows authentication only"
  The user is trying to connect to the SQL Server with a SQL Authentication login and password.

"Failed to open the explicitly specified database"
  Logged in successfully, but there is no user in the specified database, or the database doesn't exist or is offline.

"[CLIENT: <xxx.xxx.xxx.xxxx>]"
  ping -a xxx.xxx.xxx.xxxx resolves the DNS name of the calling machine, which indicates the machine initiating the login attempt.

22 Gaining access to a SQL Server as Sysadmin
How easy is it to get access? Have someone else with sysadmin access add you. Let's look at another way.

23 Gaining access to a SQL Server as Sysadmin

24 Gaining access to a SQL Server as Sysadmin
It's easy to gain access. sp_helpsrvrolemember: produces a list of all logins in server-level roles.

25 Gaining access to a SQL Server as Sysadmin

26 SSL (Secure Socket Layer) Encryption
Data is encrypted between network endpoints, e.g. a web server and SQL Server.
Uses a certificate installed on the machine hosting SQL Server.

27 TDE (Transparent Data Encryption)
Data files are encrypted at the page level.
Pages are encrypted when written to disk and decrypted when read from disk.
Enabling TDE: ALTER DATABASE [DbName] SET ENCRYPTION ON;
Backups are also encrypted.

28 Backup Encryption (SQL Server 2014)
Backup file is encrypted.
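The TDE statement from slide 27 and the backup encryption from slide 28, as one added T-SQL example that is not part of the presentation. Both depend on a certificate in master whose private key is protected by the master database's master key, and in both cases the certificate must be backed up before it is used: a TDE database, and every backup of it, cannot be restored on an instance that lacks the TDE certificate, and an encrypted backup cannot be restored anywhere without the backup certificate. Database, certificate, file path and password values are hypothetical placeholders.

```sql
-- Added example (not from the presentation). Names, paths and passwords are placeholders.
USE master;
GO
-- Database master key in master: protects the private keys of the certificates below.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
GO
CREATE CERTIFICATE TDE_Cert    WITH SUBJECT = N'TDE key protector for SalesDb';
CREATE CERTIFICATE Backup_Cert WITH SUBJECT = N'Backup encryption for SalesDb';
GO
-- Back up both certificates WITH their private keys before encrypting anything, and
-- store the files and passwords away from the server (a key store, not the backup share).
BACKUP CERTIFICATE TDE_Cert TO FILE = N'X:\KeyStore\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = N'X:\KeyStore\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
BACKUP CERTIFICATE Backup_Cert TO FILE = N'X:\KeyStore\Backup_Cert.cer'
    WITH PRIVATE KEY (FILE = N'X:\KeyStore\Backup_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
-- TDE (slide 27): the database encryption key lives inside the user database and is
-- protected by the server certificate; then the statement from the slide.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verify. encryption_state 2 = encryption in progress (watch percent_complete),
-- 3 = encrypted. tempdb appears too: it is encrypted as soon as any database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Backup encryption (slide 28, SQL Server 2014 and later): encrypts the backup file
-- itself with Backup_Cert, independently of whether the database uses TDE.
BACKUP DATABASE SalesDb
    TO DISK = N'X:\Backups\SalesDb.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = Backup_Cert);
GO
-- Verify from backup history: encryptor_thumbprint is NULL for an unencrypted backup.
SELECT TOP (5) database_name, backup_finish_date, key_algorithm, encryptor_type, encryptor_thumbprint
FROM msdb.dbo.backupset
WHERE database_name = N'SalesDb'
ORDER BY backup_finish_date DESC;
```

Two certificates are used on purpose: the TDE certificate should change rarely, while the backup certificate can be rotated on its own schedule without touching the database encryption key.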

29 Column Level Encryption
Encryption is applied to specific columns.
Data remains encrypted in memory.
Requires code changes to use the EncryptByKey and DecryptByKey functions.
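The EncryptByKey / DecryptByKey code change from slide 29, as an added T-SQL example that is not part of the presentation: a symmetric key protected by a certificate in the user database, a table whose sensitive column exists only as ciphertext, and the write and read paths with an authenticator that ties each ciphertext to its row. The database, table, key and certificate names and the sample row are hypothetical.

```sql
-- Added example (not from the presentation). Names and the sample row are made up.
USE SalesDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
CREATE CERTIFICATE Cust_Cert WITH SUBJECT = N'Protects the customer data key';
CREATE SYMMETRIC KEY Cust_Key WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE Cust_Cert;
GO
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    TaxIdEnc   varbinary(256) NOT NULL   -- ciphertext; there is no plaintext TaxId column
);
GO
-- Write path: this is the code change the slide refers to. The key must be opened in
-- the session, and the value goes through EncryptByKey. The authenticator (the row's
-- Name) is mixed into the ciphertext, so a TaxIdEnc copied into another row no longer
-- decrypts there.
OPEN SYMMETRIC KEY Cust_Key DECRYPTION BY CERTIFICATE Cust_Cert;
INSERT INTO dbo.Customer (Name, TaxIdEnc)
VALUES (N'Alice Example',
        EncryptByKey(Key_GUID('Cust_Key'), N'123-45-6789', 1, N'Alice Example'));
CLOSE SYMMETRIC KEY Cust_Key;
GO
-- Read path. DecryptByKey returns NULL rather than raising an error when the key is not
-- open or the authenticator does not match, so an unexpected NULL column is the first
-- symptom to look for.
OPEN SYMMETRIC KEY Cust_Key DECRYPTION BY CERTIFICATE Cust_Cert;
SELECT CustomerId,
       Name,
       CONVERT(nvarchar(20), DecryptByKey(TaxIdEnc, 1, Name)) AS TaxId,
       DecryptByKey(TaxIdEnc) AS without_authenticator   -- NULL: authenticator required
FROM dbo.Customer;
CLOSE SYMMETRIC KEY Cust_Key;
GO
```

Anyone who can OPEN the key can read the column, so the certificate and key are what the permission model has to protect; that is the gap Always Encrypted closes by moving the keys to the client side.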

30 Always Encrypted (SQL Server 2016 SP1, all editions)
Column level.
'At rest' or 'in transit' encryption.
Encrypt / decrypt is done at the client by the driver.
No code changes.
Data remains encrypted over the network, in memory, and on the drive.
Can obfuscate data even from sysadmin.

31 References
Introduction to SQL Server Security
Server Roles
Database Roles
Connect to SQL Server When Administrator is Locked Out: great trick to connect to a SQL Server as sysadmin without a restart
Getting Sysadmin Access to SQL Server When Locked Out: shows how to wrap Jason Brimhall's method in an .xml file

33 Joe Gavin
joe@joegavin.net
www.linkedin.com/in/joegavin
@joseph_a_gavin
