SQL Server Security Basics

Understand potential data threats and how SQL Server’s design protects against them.

Published in: Technology
Slide notes (demo cues)
  • DEMO – Adding a Windows Login, Windows Logins via Transact-SQL
  • DEMO – rest of section and SQL Server Logins via Transact-SQL
  • DEMO – rest of section (repeated on the remaining demo slides)
  • Transcript

    • 1. SQL Server Security Basics
      Learn More @ http://www.learnnowonline.com
      Copyright © by Application Developers Training Company
    • 2. Objectives
      • Understand potential data threats and how SQL Server’s design protects against them
      • Learn about SQL Server and Windows integrated authentication
      • See how SQL Server provides an authorization system to control access to data and objects
    • 3. Agenda
      • Security Overview
      • Authentication
      • Authorization
    • 4. Security Overview
      • Relational data is a tempting target for attackers
      • SQL Server 2008 provides plenty of features to secure your data and server
        • Need to understand the threats
        • Match countermeasures to the threats
    • 5. The Threats
      • Identifying threats is a critical first step
        • The type of data will probably influence the security measures
      • Sometimes the best way to protect data is to never put it in a database
      • Typical threats
        • Theft of data
        • Data vandalism
        • Loss of data integrity
        • Illegal storage
      • Understand the threats in order to protect against them
    • 6. Security Design Philosophy
      • Trustworthy Computing memo, 2002
      • Four pillars of security design
        • Secure by design
        • Secure by default
        • Secure in deployment
        • Secure through communications
      • “It’s just secure”
        • Implications throughout the product
        • SQL Server is reasonably secure out of the box
        • Your job is to keep it secure
    • 7. The Two Stages of Security
      • Similar to Windows security
        • Authentication: who are you?
        • Authorization: now that we know who you are, what can you do?
    • 8–18. Key SQL Server Security Terms (built up one term per slide)
      • Authentication
      • Authorization
      • Group
      • Impersonation
      • Login
      • Permission
      • Principal
      • Privilege
      • Role
      • User
    • 19. Agenda
      • Security Overview
      • Authentication
      • Authorization
    • 20. Authentication
      • Process of verifying that a principal is who or what it claims to be
        • SQL Server has to uniquely identify principals in order to authorize them
      • Two paths to authentication
        • Windows authentication
        • SQL Server authentication
      • Authentication modes
        • Mixed Mode Authentication (both paths enabled)
        • Windows Only Authentication Mode
    • 21. Windows Integrated
      • SQL Server assumes a trust relationship with Windows Server
        • Windows does the heavy lifting for authentication (Kerberos or NTLM via SSPI)
        • SQL Server checks permissions on the principal
      • Advantages
        • Single user login
        • Auditing features
        • Simplified login management
        • Password policies
      • Caveat: changes to a Windows account or its group membership only take effect when the user next connects, because the security token is built at login time
    • 22. Configuring SQL Server Security Settings
      • Select either mode at install time or later
      • Settings apply to all databases and server objects in an instance of SQL Server
      • Changing modes after installation requires a service restart and may or may not cause problems
        • Windows to Mixed: SQL Server logins become usable, including sa unless it has been disabled, so check sa before switching
        • Mixed to Windows: existing SQL Server logins stop working, so applications that depend on them break
    • 23. SQL Server Authentication
      • Client applications must provide login credentials as part of the connection string
      • Logins (and their password hashes) are stored in SQL Server
      • Windows authentication is stronger
        • But you must use SQL Server authentication with old versions of Windows and with non-Windows systems
    • 24. Windows and SQL Server Logins
      • SQL Server logins are not stored in Windows
        • Disabled if you select Windows authentication
      • Mixed mode is much more flexible
        • But less secure
    • 25. Beware of the sa Login
      • System administrator login
      • Mapped to the sysadmin fixed server role
      • Conveys full system administrator privileges
      • Cannot be dropped, but it can be renamed and disabled
      • Must use a strong password!
      • Use only as access of last resort
      • NEVER use sa for database access through client applications
    • 26. Password Policy and Enforcement
      • Before SQL Server 2005, no enforcement of passwords for SQL Server logins
        • No minimum strength
        • No expiration policy
      • SQL Server now hooks into the Windows password policy (CHECK_POLICY and CHECK_EXPIRATION on the login)
        • Windows Server 2003, Vista, and later versions
        • NetValidatePasswordPolicy API method
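The following Transact-SQL is an added example that is not part of the slide deck or its demos: it creates one login of each kind described on slides 20 to 26, hardens sa as slide 25 recommends, and finishes with the check a reviewer would run to find SQL logins that bypass the Windows password policy. CONTOSO\SalesApp, SalesReporting and SalesDb are hypothetical names, and the password literal is a placeholder to replace before running.

```sql
-- Added example (not from the slides). CONTOSO\SalesApp, SalesReporting and
-- SalesDb are hypothetical; replace the placeholder password before running.

-- Which mode is the instance in? 1 = Windows Authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only;

-- Windows login: SQL Server trusts Windows to authenticate the principal, so no
-- password is stored here. Granting a domain group rather than individual
-- accounts keeps login management in Active Directory.
CREATE LOGIN [CONTOSO\SalesApp] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SalesDb];

-- SQL Server login: the password hash is stored in master. CHECK_POLICY applies
-- the Windows complexity/lockout policy and CHECK_EXPIRATION the expiration
-- policy (both through NetValidatePasswordPolicy on Windows Server 2003 and
-- later). MUST_CHANGE forces a new password at first connection and requires
-- both checks to be ON.
CREATE LOGIN SalesReporting
    WITH PASSWORD = N'<replace-with-a-strong-password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = [SalesDb];

-- sa cannot be dropped, but it can be disabled and renamed so that a
-- password-guessing attack has neither a known name nor an enabled target.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_disabled];

-- Audit check: SQL Server logins that bypass the Windows password policy.
-- On a hardened instance this returns no rows.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
```

Run the last query on a schedule rather than once: CHECK_POLICY can be switched off again by anyone with ALTER ANY LOGIN, and a login created with CHECK_POLICY = OFF never expires.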
    • 27. Contained Databases
      • Not a security feature per se
        • But introduces a new authentication scheme
      • Solves the problem of moving databases
        • Past: move the database plus its external dependencies (logins in master, among others)
        • Contained databases solve the associated problems
    • 28. Contained Databases
      • Can create a SQL user with a password
      • Windows user in the database
      • Not associated with a login
      • Authenticate against the contained database
        • Get a token for that database only
        • Security boundary is tightly scoped
      • If authentication fails at the database, it doesn’t fall back to a duplicate login, if
    • 29–48. Contained Databases Authentication (decision flow, rebuilt from the build-up slides)
      • Connection request
      • Initial catalog specified? No → server-level authentication
      • Initial catalog contained? No → server-level authentication
      • Authentication type?
        • SQL Server
          • Matching user in database? No → server-level authentication
          • Password match? No → authentication failure (no fallback to a login of the same name)
          • Permission (CONNECT) in database? No → authentication failure
          • Yes → database authentication
        • Windows
          • Matching login or group at the server? Yes → server-level authentication
          • Matching principal in database? Yes → database authentication; No → authentication failure
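The script below is an added example, not part of the slide deck, showing the two kinds of database-authenticated user from slide 28 inside a partially contained database and the catalog query that distinguishes them from users mapped to a login. SalesContained, SalesWebApp and CONTOSO\jdoe are hypothetical names; the password literal is a placeholder.

```sql
-- Added example (not from the slides). SalesContained, SalesWebApp and
-- CONTOSO\jdoe are hypothetical; replace the placeholder password.

-- Instance-level switch; it is off by default (secure by default).
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

CREATE DATABASE SalesContained CONTAINMENT = PARTIAL;
GO
USE SalesContained;
GO

-- SQL user with a password: exists only in this database, no login in master.
CREATE USER SalesWebApp WITH PASSWORD = N'<replace-with-a-strong-password>';

-- Windows user without a login: Windows authenticates the principal and
-- SQL Server maps it straight to this database user.
CREATE USER [CONTOSO\jdoe];

-- Permissions are granted inside the database as for any other user.
ALTER ROLE db_datareader ADD MEMBER SalesWebApp;
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\jdoe];
GO

-- Which principals authenticate here rather than at the server?
-- authentication_type_desc is DATABASE for SalesWebApp, WINDOWS for
-- CONTOSO\jdoe, and INSTANCE for users that are mapped to a login.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type <> 0
ORDER BY name;
```

As the decision flow on slides 29 to 48 shows, database authentication is only attempted when the connection string names the contained database as its initial catalog; a connection that omits it is authenticated at the server, where SalesWebApp does not exist.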
    • 49. Agenda
      • Security Overview
      • Authentication
      • Authorization
    • 50. Authorization
      • Principals: user or process allowed to access securable objects
      • Securables: protected resource
      • Permissions: type of access
    • 51–52. Principals
      • Windows-level principals
        • Windows Domain Login
        • Windows Group
        • Windows Local Login
      • SQL Server-level principals
        • SQL Server Login
        • SQL Server Login mapped to a certificate
        • SQL Server Login mapped to a Windows login
        • SQL Server Login mapped to an asymmetric key
      • Database-level principals
        • Application Role
        • Database Role
        • Database User
        • Database User mapped to a certificate
        • Database User mapped to a Windows login
        • Database User mapped to an asymmetric key
        • Public Role
    • 53. Principals
      • Scope of a principal determines scope of permission
      • Principal can be a login, user, or role
        • Roles are analogous to Windows groups
        • Users in a role inherit the role’s permissions
        • Simplify security management
      • Types of roles
        • Fixed server roles
        • User-defined server roles
        • Fixed database roles
        • User-defined database roles
    • 54. Fixed Server Roles
      • Cannot alter them or add new ones; you can only add logins to a role
      • Server roles
        • System administrator (sysadmin)
        • Bulk insert administrator (bulkadmin)
        • Database creator (dbcreator)
        • Disk administrator (diskadmin)
        • Process administrator (processadmin)
        • Server administrator (serveradmin)
        • Setup administrator (setupadmin)
        • Security administrator (securityadmin)
    • 55. User-Defined Server Roles
      • Long awaited security feature
        • Have long had user-defined database roles
        • But nothing at the server level
      • Used to be, the only way to grant some permissions was through a fixed server role
      • SQL Server 2012 solves these problems
    • 56. Fixed Database Roles
      • Control authorization within a database
      • Configure each database individually
      • Database roles
        • db_accessadmin
        • db_backupoperator
        • db_datareader
        • db_datawriter
        • db_ddladmin
        • db_denydatareader
        • db_denydatawriter
        • db_owner
        • db_securityadmin
    • 57. The Public Role
      • Every database user is a member of this role (and every login is a member of the server-level public role)
      • Be very careful about granting permissions
      • Normally restrict permissions for this role
    • 58. The dbo (Database Owner) User
      • dbo is a database user, not a role; members of the sysadmin fixed server role are mapped to dbo in every database
      • Not the same thing as the db_owner role: dbo is a member of db_owner, but other users can be added to db_owner too
    • 59. User-Defined Database Roles
      • Standard role
      • Application role (has no members; an application activates it with sp_setapprole and a password)
    • 60. Securable Objects
      • Protected resource that you can control access to
      • Physical object or action
    • 61–64. Securable Objects (hierarchy, rebuilt from the build-up slides)
      • Server
        • Database
        • Endpoint
        • Remote Binding
        • Route
        • Server Role
        • SQL Server Login
      • Database
        • Application Role
        • Assembly
        • Asymmetric Key
        • Certificate
        • Database User
        • Fixed Database Role
        • Full-Text Catalog
        • Message Type
        • Schema
        • Service
        • Service Contract
        • Symmetric Key
      • Schema
        • Default
        • Function
        • Procedure
        • Query Stats
        • Queue
        • Rule
        • Synonym
        • Table
        • Trigger
        • Type
        • View
        • XML Schema Collection
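The script below is an added example, not part of the slide deck, that ties the authorization slides (50 to 64) together: a user-defined server role in place of a fixed one, a database role whose permission is granted on the schema securable rather than table by table, a column-level DENY, an application role, and the two checks a practitioner runs afterwards (what public holds, and a user's effective permissions via impersonation). CONTOSO\Monitoring, SalesDb, the Sales schema, Sales.Customers with a CreditCardNumber column, and a pre-existing SalesReporting login are all hypothetical.

```sql
-- Added example (not from the slides). CONTOSO\Monitoring, SalesDb, the Sales
-- schema, Sales.Customers (with a CreditCardNumber column) and an existing
-- SalesReporting login are hypothetical; replace the placeholder password.

-- Server scope (SQL Server 2012+): grant one server permission without
-- putting anyone in the sysadmin fixed server role.
CREATE SERVER ROLE monitoring;
GRANT VIEW SERVER STATE TO monitoring;
ALTER SERVER ROLE monitoring ADD MEMBER [CONTOSO\Monitoring];
GO

USE SalesDb;
GO

-- Database scope: a user mapped to a login, and a user-defined role that
-- scopes read access to one schema securable instead of each table.
CREATE USER SalesReporting FOR LOGIN SalesReporting;
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER SalesReporting;

-- DENY overrides GRANT: keep the schema-wide SELECT but block one column.
DENY SELECT (CreditCardNumber) ON Sales.Customers TO sales_reader;

-- Application role: no members; the application activates it with
-- sp_setapprole and the password, then runs with only these permissions.
CREATE APPLICATION ROLE SalesEntryApp
    WITH PASSWORD = N'<replace-with-a-strong-password>';
GRANT EXECUTE ON SCHEMA::Sales TO SalesEntryApp;
GO

-- Check 1: what has public been granted in this database? Every user
-- inherits it, so the answer should be close to nothing.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'public';

-- Check 2: effective permissions on one table as the reporting user
-- (impersonation), which shows the DENY on the column taking effect.
EXECUTE AS USER = 'SalesReporting';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('Sales.Customers', 'OBJECT');
REVERT;
GO
```

Check 2 lists SELECT for the table and for each column except CreditCardNumber; if that column still appears, the DENY was applied to a different principal than the one the user actually inherits from.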
    • 65–69. Learn More!
      • This is an excerpt from a larger course. Visit www.learnnowonline.com for the full details!
      • Learn more about SQL Server on SlideShare: A Tour of SQL Server
