Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Published byJane Sullivan Modified over 9 years ago

Similar presentations

Presentation on theme: "Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011."— Presentation transcript:

1 Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011

2 Mike Fal - www.mikefal.net Working with SQL Server since MSSQL 7. Experience with different industries and auditing. Currently supporting 100+ servers with varying requirements. New blog – www.mikefal.netwww.mikefal.net Twitter - @Mike_Fal Mike Fal

3 Mike Fal - www.mikefal.net Primary goal – Protecting the data! Security – Tools that control access to the data. Risk – Can someone gain unauthorized access? How likely is it? The importance of security

4 Mike Fal - www.mikefal.net How do we manage access? – Authentication types – Server roles – Database roles How can we audit login access? – Views – Queries Scope

5 Mike Fal - www.mikefal.net Getting Access How do we control database logins?

6 Mike Fal - www.mikefal.net Windows pass-through – Uses Active Directory accounts – Passwords controlled by domain policy Direct Database Login – Accounts used only by SQL Server. – Passwords controlled by local computer policy – Can override policy and expiration enforcement Authentication Types

7 Mike Fal - www.mikefal.net Local Policy Editor Administrative tools -> Local Security Policy Editing Password Policies

8 Mike Fal - www.mikefal.net What is a strong password? http://en.wikipedia.org/wiki/Password_strength “The strength of a password is a function of length, complexity, and unpredictability.” http://www.us-cert.gov/cas/tips/ST04-002.html – Don't use passwords that are based on personal information that can be easily accessed or guessed. – Don't use words that can be found in any dictionary of any language. – Develop a mnemonic for remembering complex passwords. – Use both lowercase and capital letters. – Use a combination of letters, numbers, and special characters. Password Policies

9 Mike Fal - www.mikefal.net Use the GUI: Security->Users->Right Click, New User… T-SQL: – CREATE LOGIN FROM WINDOWS – CREATE LOGIN WITH PASSWORD ‘ ’ Creating a User

10 Mike Fal - www.mikefal.net Use sys.server_principals and sys.sql_logins views select sp.name, sp.type_desc, sp.default_database_name, sl.is_policy_checked, sl.is_expiration_checked from sys.server_principals sp left join sys.sql_logins sl on (sp.principal_id = sl.principal_id) where sp.type not in ('R','C') order by name Query Logins

11 Mike Fal - www.mikefal.net Controlling Access How do you stop the monkey business?

12 Mike Fal - www.mikefal.net Understand your business needs. Keep access as restrictive as possible. GRANT ON TO WITH GRANT option allows the account to grant permission to other principals Managing Access

13 Mike Fal - www.mikefal.net Server Level – Start/stop services – Grant access – Create databases – Perform bulk operations Database Level – Query and modify data – Create objects Access Levels

14 Mike Fal - www.mikefal.net SYSADMIN – Perform any action on the server. SECURITYADMIN – Manage server level permissions. SERVERADMIN – Manage server configurations and start/stop services. PROCESSADMIN – Kill processes running on the instance. SETUPADMIN – Add/remove linked servers. BULKADMIN – Able to run BULK INSERT and execute bulk operations. DISKADMIN – Manage server disk files. DBCREATOR – Create, alter, drop, and restore databases. PUBLIC – Generic role that all users are a member of. http://msdn.microsoft.com/en-us/library/ms188659.aspx Server Roles

15 Mike Fal - www.mikefal.net Access can be granted via individual GRANTs or roles. SYSADMIN and SECURITYADMIN are the critical server roles. SQL 11 allows you to make custom server roles. Add logins to roles either by GUI or sp_addsrvrolemember select r.name [Server Role], u.name [Login], u.type_desc [User Type] from (select name,principal_id from sys.server_principals where type = 'R') r join sys.server_role_members rm on (r.principal_id = rm.role_principal_id) join (select name,type_desc,principal_id from sys.server_principals where type != 'R') u on (rm.member_principal_id = u.principal_id) Server Roles

16 Mike Fal - www.mikefal.net DB_OWNER - Perform all activities on the database. DB_SECURITYADMIN – Manages role membership and permissions on the database. DB_ACCESSADMIN – Manages login access to the database. DB_BACKUPOPERATOR – Can backup the database. DB_DDLADMIN – Able to run any DDL command. DB_DATAWRITER – Able to modify data in all user tables. DB_DATAREADER – Able to read data in all user tables. DB_DENYDATAWRITER – Denied the ability to modify data in all user tables. DB_DENYDATAREADER – Denied the ability to modify data in all user tables. Database Roles

17 Mike Fal - www.mikefal.net Access can be granted via individual GRANTs or roles. Custom roles can be created within a database. Add users to roles using GUI or sp_addrolemember. select r.name role_name, u.name db_login, u.type_desc from (select name,principal_id from sys.database_principals where type = 'R') r join sys.database_role_members rm on (r.principal_id = rm.role_principal_id) join (select name,type_desc,principal_id from sys.database_principals where type != 'R') u on (rm.member_principal_id = u.principal_id ) Database Roles

18 Mike Fal - www.mikefal.net Auditing Monitoring user access

19 Mike Fal - www.mikefal.net Create some basic reports – Excel or Reporting Services. Watch out for escalating permissions (DBO and SA versus other roles). Nested permissions: – AD groups and changing members – xp_logininfo General Practices

20 Mike Fal - www.mikefal.net Server and Database Role queries. – sys.server_principals and sys.server_role_members for Server Roles – sys.database_principals and sys. database_role_members for Database Roles Auditing Role Access

21 Mike Fal - www.mikefal.net sys.database_permissions to show individual object grants select pr.name, pe.type, o.name, o.type_desc, pe.permission_name, state_desc from sys.database_principals pr join sys.database_permissions pe on (pr.principal_id = pe.grantee_principal_id) join sys.objects o on (pe.major_id = o.object_id) where pe.state in ('W','G') and o.type = 'U' order by pr.name Auditing Specific Access

22 Mike Fal - www.mikefal.net Types of authentication – Windows pass through and Direct Database Login. Roles – Tools to manage access Auditing – Perform regular reviews of your security Summary

23 Mike Fal - www.mikefal.net HUH? www.mikefal.net @Mike_Fal Questions

Download ppt "Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011."

Similar presentations

CREATE LOGIN James WITH PASSWORD = 'A' Answer: SQL 2005 and 2008 can enforce the password policy of the operating system. CREATE LOGIN James WITH PASSWORD.

CREATE LOGIN James WITH PASSWORD = 'A' Answer: SQL 2005 and 2008 can enforce the password policy of the operating system. CREATE LOGIN James WITH PASSWORD.
Understand Database Security Concepts

Understand Database Security Concepts
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,

SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Administering Your.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Administering Your.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Guide to MCSE 70-290, Enhanced 1 Activity 4-1: Creating and Adding Members to Global Groups Objective: Use Active Directory Users and Computers to create.

Guide to MCSE , Enhanced 1 Activity 4-1: Creating and Adding Members to Global Groups Objective: Use Active Directory Users and Computers to create.
Using Security Best Practices to Lockdown Your Databases and Applications K. Brian Kelley Charlotte SQL Server User Group 17 February 2009.

Using Security Best Practices to Lockdown Your Databases and Applications K. Brian Kelley Charlotte SQL Server User Group 17 February 2009.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Security Planning and Administrative Delegation Lesson 6.

Security Planning and Administrative Delegation Lesson 6.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Similar presentations

Ads by Google