Introduction to SQL Server Security
Introduction to SQL Server Security Presentation Transcript

  • 1. Introduction to SQL Server Security
  • 2. Pragmatic Works Company History
    – MAKING BUSINESS INTELLIGENT, www.pragmaticworks.com
    – Founded 2008 by MSFT MVP Brian Knight
    – Focused on the MSFT SQL Server Platform
    – Provides services, training and software
    – MSFT/HP “go to” partner
    – Gold Certified: BI, Data Management, SQL Performance
    – Team led by multiple MVPs
    – Offices throughout the US with Corporate HQ in Jacksonville, FL
  • 3. Getting Started
    – Jason Strate
    – e: jstrate@pragmaticworks.com
    – b: www.jasonstrate.com
    – t: StrateSQL
  • 4. Agenda
    – Overview
    – Securing SQL Server
    – Accessing SQL Server
    – Controlling Access
    – Validation
  • 5. OVERVIEW (section divider)
  • 6. Overview (no transcript text)
  • 7. Overview (no transcript text)
  • 8. Overview (no transcript text)
  • 9. Overview (no transcript text)
  • 10. SECURING SQL SERVER (section divider)
  • 11. Start With Installation
    – Operating system?
    – Services?
    – Tools?
    – Features?
    – Configuration?
  • 12. Service Accounts
    – Virtual Service account
    – Managed Service account
    – Domain user
    – Local user
    – Network Service account
    – Local System account
  • 13. Security Tip: Principle of least privilege
  • 14. Location, Location, Location
    – Where is the server physically?
    – Where is the server on the network?
    – Behind the firewall?
  • 15. ACCESSING SQL SERVER (section divider)
  • 16. Accessing the Server
    – Login
      – Windows Authentication: Group, User
      – SQL Server Authentication
      – Certificate
      – Asymmetric Key
  • 17. SQL Server Authentication
    – Password policy: Account lockout duration, Account lockout threshold, Reset account lockout counter after, Complexity, Password history
    – Enforce password expiration
    – Change password next login
  • 18. Advanced Access: Certificate, Asymmetric Key
  • 19. CONTROLLING ACCESS (section divider)
  • 20. Security Model Basics
    – Securable: a resource within SQL Server, such as a database, table, procedure, or feature.
    – Principal: an object to which permissions can be assigned, such as a login or certificate.
    – Permission: an activity on the securable that is granted to the principal, such as read or view.
  • 21. Permission Modes: GRANT, DENY, REVOKE
  • 22. Server Securables (no transcript text)
  • 23. Security Tip: CONTROL SERVER is a replacement for sysadmin
  • 24. Database Securables (no transcript text)
  • 25. Example 1
    – GRANT VIEW SERVER STATE TO SQLCHICKEN
    – GRANT CONTROL SERVER TO SQLBALLS
    – GRANT SHOWPLAN TO AUNTKATHI
  • 26. Example 2
    – GRANT EXECUTE TO SQLCHICKEN
    – DENY EXECUTE ON dbo.usp_action TO SQLCHICKEN
    – GRANT SELECT ON dbo.table TO SQLBALLS
    – GRANT VIEW DATABASE STATE TO AUNTKATHI
  • 27. Security Roles
    – Server Roles
    – Custom Server Roles
    – Database Roles
    – Custom Database Roles
  • 28. Server Roles: bulkadmin, dbcreator, diskadmin, processadmin, securityadmin, setupadmin, sysadmin
  • 29. Custom Server Roles
    – New for SQL Server 2012
    – Create what you need: Junior DBA, Security admin, Monitoring
    – “Trust me, I’m a junior DBA”
  • 30. Security Tip: CONTROL SERVER is a replacement for sysadmin
  • 31. Database Roles: db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, db_securityadmin
  • 32. Security Tip: Beware of db_owner and RESTRICTED_USER mode
  • 33. Custom Database Roles
    – Been around since dirt
    – Useful for: setting department permissions, grouping stored procedure access, simplifying permission management
  • 34. Security Tip: Use roles over logins for permission assignments
  • 35. VALIDATION (section divider)
  • 36. Validation
    – Audits: C2 Auditing, Common Criteria Control
    – SQL Server Audit
    – Policy Based Management
  • 37. SQL Server Audit
    – SQL Server 2008: Enterprise edition feature
    – SQL Server 2012: Standard edition feature; accessible via Extended Events
  • 38. SQL Server Audit
    – Server: permission changes, DBCC events, failed logins
    – Database: DML activity, SELECT activity, object modification
  • 39. Policy Based Management
    – Introduced in SQL Server 2008 (all editions)
    – Backwards compatibility to SQL Server 2000… kinda
    – Checks: DDL triggers, object properties
  • 40. Policy Based Management: add super power with… Enterprise Policy Management Framework
  • 41. Wrapping Up: Securing SQL Server, Accessing SQL Server, Controlling Access, Validation
  • 42. Services / Products / Foundation
    – Services: Speed development through training, and rapid development services from Pragmatic Works.
    – Products: BI products to convert to a Microsoft BI platform and simplify development on the platform.
    – Foundation: Helping those who do not have the means to get into information technology achieve their dreams.
    – For more information… Name: Jason Strate; Email: jstrate@pragmaticworks.com; Blog: www.jasonstrate.com; Resource: jasonstrate.com/go/Security
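The login types from slides 16-18 and the password-policy options from slide 17, written out as T-SQL. This is an added example, not code from the deck or from Pragmatic Works; the domain group CORP\DBA_Readers, the login names, the certificate name and every password are constructed placeholders.

```sql
-- Added example (not from the deck). All names and passwords are placeholders.
USE master;
GO

-- Windows authentication (slide 16): one login for a domain group, so access
-- is managed by group membership in Active Directory rather than per person.
CREATE LOGIN [CORP\DBA_Readers] FROM WINDOWS;
GO

-- SQL Server authentication (slide 17): CHECK_POLICY applies the host's
-- Windows password policy (complexity, lockout threshold and duration,
-- reset counter, history); CHECK_EXPIRATION enforces expiration;
-- MUST_CHANGE forces a new password at the first login.
CREATE LOGIN ReportUser
    WITH PASSWORD = 'Tmp-Pa55w0rd!ChangeMe' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Certificate-mapped login (slide 18). A login of this kind cannot open a
-- connection; it exists so permissions granted to it are carried by modules
-- signed with the certificate.
CREATE CERTIFICATE SigningCert
    ENCRYPTION BY PASSWORD = 'Cert-Pr0tect!Placeholder'
    WITH SUBJECT = 'Module signing certificate';
CREATE LOGIN SigningCertLogin FROM CERTIFICATE SigningCert;
GO

-- Validation: which SQL logins bypass the policy, who is locked out, and
-- who is still sitting on a must-change password.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
       LOGINPROPERTY(name, 'IsMustChange')     AS must_change,
       LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count
FROM sys.sql_logins
WHERE name NOT LIKE '##%'   -- skip the internal certificate-based logins
ORDER BY is_policy_checked, name;
```

The lockout values on slide 17 are not set in SQL Server at all: with CHECK_POLICY = ON the instance reads them from the Windows local security policy (or the domain policy) of the machine it runs on, so a login created with CHECK_POLICY = OFF is the thing the final query is there to find.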
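The securable / principal / permission model from slide 20, the three permission modes from slide 21 and the grants from Examples 1 and 2 (slides 25-26), carried through so the GRANT/DENY interaction is checked rather than assumed. This is an added example, not code from the deck; the principal names are the ones on the slides, while the database SalesDb, the objects dbo.Orders, dbo.usp_report and dbo.usp_action, and the passwords are constructed placeholders.

```sql
-- Added example (not from the deck). SalesDb and its objects are constructed;
-- the principal names come from slides 25-26.
USE master;
GO
CREATE LOGIN SQLCHICKEN WITH PASSWORD = 'Placeholder-Ch1cken!', CHECK_POLICY = ON;
CREATE LOGIN SQLBALLS   WITH PASSWORD = 'Placeholder-B4lls!',   CHECK_POLICY = ON;
CREATE LOGIN AUNTKATHI  WITH PASSWORD = 'Placeholder-K4thi!',   CHECK_POLICY = ON;
GO
-- Server securables (slides 22-25). CONTROL SERVER is an ordinary permission,
-- so unlike sysadmin membership it can still be cut back by a DENY.
GRANT VIEW SERVER STATE TO SQLCHICKEN;
GRANT CONTROL SERVER    TO SQLBALLS;
GO

-- Database securables (slides 24-26).
USE SalesDb;
GO
CREATE USER SQLCHICKEN FOR LOGIN SQLCHICKEN;
CREATE USER SQLBALLS   FOR LOGIN SQLBALLS;
CREATE USER AUNTKATHI  FOR LOGIN AUNTKATHI;
GO
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Amount money NOT NULL);
GO
CREATE PROCEDURE dbo.usp_report AS SELECT COUNT(*) AS order_count FROM dbo.Orders;
GO
CREATE PROCEDURE dbo.usp_action AS DELETE FROM dbo.Orders;
GO
-- Slide 26: a broad GRANT at database scope, narrowed by a DENY on one object.
GRANT EXECUTE TO SQLCHICKEN;                             -- every procedure in SalesDb
DENY  EXECUTE ON OBJECT::dbo.usp_action TO SQLCHICKEN;   -- except this one
GRANT SELECT  ON OBJECT::dbo.Orders     TO SQLBALLS;
GRANT SHOWPLAN            TO AUNTKATHI;                  -- slide 25; a database permission
GRANT VIEW DATABASE STATE TO AUNTKATHI;
GO

-- Check the effective result by impersonating the user: DENY beats GRANT.
EXECUTE AS USER = 'SQLCHICKEN';
SELECT HAS_PERMS_BY_NAME('dbo.usp_report', 'OBJECT', 'EXECUTE') AS can_run_report,  -- 1
       HAS_PERMS_BY_NAME('dbo.usp_action', 'OBJECT', 'EXECUTE') AS can_run_action;  -- 0
REVERT;
GO

-- REVOKE (slide 21) removes an entry, whether GRANT or DENY; it is not a
-- third state. Here it drops the DENY, so the database-wide GRANT applies again.
REVOKE EXECUTE ON OBJECT::dbo.usp_action FROM SQLCHICKEN;
GO

-- What the catalog actually records for these principals.
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name,
       pe.class_desc, OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('SQLCHICKEN', 'SQLBALLS', 'AUNTKATHI')
ORDER BY principal_name, pe.state_desc;
```

The two HAS_PERMS_BY_NAME calls are the point of the script: a DENY on a specific securable wins over a GRANT at a wider scope, and the only way to lift it is a REVOKE of that DENY. The final query is the check to run after any permission change, since state_desc shows GRANT and DENY rows side by side.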
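The role guidance from slides 27-34: a custom server role in place of sysadmin (slide 29), a custom database role that groups stored-procedure access (slide 33), permissions assigned to roles rather than logins (slide 34), and a membership check for db_owner (slide 32). This is an added example, not code from the deck; the role names MonitoringRole and SalesProcExecutor, the login CORP\MonitoringSvc, the user SalesClerk, the database SalesDb and the password are constructed placeholders.

```sql
-- Added example (not from the deck). Role, login and database names are placeholders.
USE master;
GO
-- Slide 29: a custom server role (SQL Server 2012 and later) for a monitoring
-- account, instead of handing out sysadmin or CONTROL SERVER.
CREATE SERVER ROLE MonitoringRole;
GRANT VIEW SERVER STATE   TO MonitoringRole;   -- DMVs and wait statistics
GRANT VIEW ANY DEFINITION TO MonitoringRole;   -- metadata only, no table data
CREATE LOGIN [CORP\MonitoringSvc] FROM WINDOWS;
ALTER SERVER ROLE MonitoringRole ADD MEMBER [CORP\MonitoringSvc];
GO

-- Slides 33-34: a custom database role groups stored-procedure access.
-- Permissions are granted once to the role; people are added and removed.
USE SalesDb;
GO
CREATE ROLE SalesProcExecutor;
GRANT EXECUTE ON SCHEMA::dbo TO SalesProcExecutor;

CREATE LOGIN SalesClerk WITH PASSWORD = 'Placeholder-Cl3rk!', CHECK_POLICY = ON;
CREATE USER SalesClerk FOR LOGIN SalesClerk;
ALTER ROLE SalesProcExecutor ADD MEMBER SalesClerk;   -- sp_addrolemember before 2012
GO

-- Slide 32: db_owner is effectively unrestricted inside the database, and in
-- RESTRICTED_USER mode its members (with dbcreator and sysadmin) are the only
-- principals that can still connect. List who holds it.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';

-- The same check for the fixed and custom server roles (slide 28-29).
SELECT r.name AS server_role, m.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
```

Granting to the role rather than to SalesClerk is what makes the last two queries useful: membership lists are the complete picture of who can do what, instead of permissions scattered across individual users.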
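The SQL Server Audit setup behind slides 36-38, covering the server-level events (permission changes, DBCC, failed logins) and database-level events (DML and SELECT activity, object modification) the deck lists. This is an added example, not code from the deck; the audit name SecurityAudit, the specification names, the file path D:\Audit\ and the database SalesDb are constructed placeholders, while the action groups are standard SQL Server Audit groups.

```sql
-- Added example (not from the deck). Audit names, file path and SalesDb are
-- placeholders; the action groups are standard SQL Server Audit groups.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Server-level events from slide 38: failed logins, permission and role
-- membership changes, DBCC commands.
CREATE SERVER AUDIT SPECIFICATION SecurityAudit_Server
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DBCC_GROUP)
    WITH (STATE = ON);
GO

-- Database-level events from slide 38: DML and SELECT on the dbo schema by
-- anyone, plus object, permission and role membership changes.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION SecurityAudit_SalesDb
    FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Nothing is written until the audit object itself is switched on.
USE master;
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- Reading the trail back: newest first, with who, what and where.
SELECT event_time, action_id, succeeded,
       server_principal_name, database_name, schema_name, object_name,
       statement
FROM sys.fn_get_audit_file('D:\Audit\SecurityAudit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

ON_FAILURE = CONTINUE keeps the instance running if the audit target becomes unwritable; the alternative, SHUTDOWN, trades availability for a guarantee that no unaudited activity occurs, which is the choice the C2 and Common Criteria options on slide 36 lean toward. Per slide 37, the database-level specification is the part that needed Enterprise edition in SQL Server 2008.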