Presentation is loading. Please wait.

Presentation is loading. Please wait.

INTRO TO SQL SERVER SECURITY By Robert Biddle

Published byAustin Long Modified over 9 years ago

Similar presentations

Presentation on theme: "INTRO TO SQL SERVER SECURITY By Robert Biddle"— Presentation transcript:

1 INTRO TO SQL SERVER SECURITY By Robert Biddle http://xkcd.com/327/

2 About Me  Data Architect with Hilton Grand Vacations  Working with SQL Server for 8 years  Certified  MCITP Database Administrator  MCITP Database Developer  Blog: http://robbiddle@wordpress.comhttp://robbiddle@wordpress.com  Twitter: @robert_biddle  Email: rob.biddle@gmail.comrob.biddle@gmail.com

3 Agenda  Intended for Software Developers  Cover the basics  Logins, Users, Roles, Schemas, Permissions  SQL Injection  What is it?  How to prevent it?

4 Authentication  SQL Authentication  Requires Username and Password  Info stored on Database Server  Windows Authentication  Requires Username or Group  Info stored in Active Directory  Generates a Token for access  Integrated Security  Trusted Connection

5 Logins  SA (sysadmin)  Used for Server-level access  Fixed Server Roles  sysadmin  serveradmin  securityadmin  processadmin  setupadmin  bulkadmin  diskadmin  dbcreator  public

6 Users  dbo, guest, INFORMATION_SCHEMA, sys  Used for database-level access  Fixed Database Roles  db_owner  db_accessadmin  db_datareader  db_datawriter  db_ddladmin  db_securityadmin  db_backupoperator  db_denydatareader  db_denydatawriter

7 Tying Logins to Users  Every User (database-level) must tie to a Login (server-level)

8 Database Owner  Go to Properties >> Files.  Maps the user to dbo, which has db_owner rights.  Use SA or a Service Account.

9 Schemas  One level under database-level  Essentially a Namespace or Organizational Unit  Prefixed before Table name  Sales.SalesOrderDetail  dbo.ErrorLog  Person.Contact  [MyDomain\MyUsername].MycreatedTable

10 Permissions Hierarchy

11 Permissions  Permissions are applied to Securables  Granular control  Can be Granted, Denied, or Revoked  ALTER  CONTROL  DELETE  EXECUTE  INSERT  SELECT  UPDATE  VIEW DEFINITION

12 Dynamic SQL  Dynamic SQL – Dynamically building a string and executing that string.  Why is it good?  Gives more flexibility than using Stored Procedures.  Generally good performance.  Why is it bad?  Vulnerable to attacks.

13 Resources  SQL Server Security Cribsheet by Robyn Page  www.simple-talk.com (Under SQL Database Administration) www.simple-talk.com  The Curse and Blessings of Dynamic SQL by Erland Sommarskog  www.sommarskog.se/dynamic_sql.html www.sommarskog.se/dynamic_sql.html  Contact Info  Blog: http://robbiddle.wordpress.comhttp://robbiddle.wordpress.com  Twitter: @robert_biddle  Email: rob.biddle@gmail.com

Download ppt "INTRO TO SQL SERVER SECURITY By Robert Biddle"

Similar presentations

Prepared by : Intesar G Ali - IT DepartmentPalestinian Land Authority 1 SQL Server 2005 Security Date :13-3-2011.

Prepared by : Intesar G Ali - IT DepartmentPalestinian Land Authority 1 SQL Server 2005 Security Date :
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,

SQL Server Basics for non-DBAs Anil Desai. Speaker Information Anil Desai –Independent consultant (Austin, TX) –Author of several SQL Server books –Instructor,
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.

Chapter 10 Overview  Implement Microsoft Windows Authentication Mode and Mixed Mode  Assign login accounts to database user accounts and roles  Assign.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,

Security & Auditing on SQL Server 2008 R2 Antonios Chatzipavlis Software Architect Evangelist, IT Consultant MCT, MCITP, MCPD, MCSD, MCDBA, MCSA, MCTS,
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Introduction to R By Robert Biddle. About Me Data Professional with over 10 years experience. Hilton Grand Vacations, Orlando Data Architect MCITP Database.

Introduction to R By Robert Biddle. About Me Data Professional with over 10 years experience. Hilton Grand Vacations, Orlando Data Architect MCITP Database.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.

[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
Intro to SQL Server Performance Tuning By Robert Biddle.

Intro to SQL Server Performance Tuning By Robert Biddle.
Course Topics Administering SQL Server 2012 Jump Start 01 | Install and Configure SQL Server04 | Manage Data 02 | Maintain Instances and Databases05 |

Course Topics Administering SQL Server 2012 Jump Start 01 | Install and Configure SQL Server04 | Manage Data 02 | Maintain Instances and Databases05 |
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Similar presentations

Ads by Google