You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/qHA450Aykmr
What do you need to know to work with SQL Server security properly?
In this talk, we'll look at the must knows of SQL Server security. We will start with how a person or application connects to SQL Server and the types of authentication SQL Server provides. We will then look at the hierarchical security model SQL Server implements and how this flows down from server all the way down to tables, views, and stored procedures. Afterwards, we will discuss particular security roles which allows access without explicit permissions. Finally, we will look at ownership chaining and how that can also allow a user access to an object because of a reference from a different object.
Speaker: K. Brian Kelley is an author, columnist, Certified Information Systems Auditor (CISA), and former Microsoft Data Platform (SQL Server) MVP (2009-2016) focusing primarily on SQL Server and Windows security. In addition to being a database administrator, he has served as an infrastructure and security architect encompassing solutions with Citrix, virtualization, and Active Directory. Brian is also a Certified Information Systems Auditor (CISA) and has been the head of a financial organization’s computer incident response team. Brian is active in the IT community having spoken at DevConnections, SQL Saturdays, code camps, and user groups.
2. Contact Information
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Infrastructure/Security Blog: https://truthsolutions.wordpress.com
Personal Development Blog: https://gkdba.wordpress.com
3. My Background
• Infrastructure and Security Architect
• Database administrator / architect
• Formerly:
– Incident response team lead
– Penetration Tester
• Certified Information Systems Auditor (CISA)
• SQL Server security columnist / blogger
• Editor for CIS SQL Server Security Benchmarks
4. Agenda
• Basic Security Principles
• Authentication and Authorization
• SQL Server Permissions Architecture
• Ownership Chaining
7. Principle of Least Privilege
• Only what’s needed. No less, no more.
• Too little and the job doesn’t got done.
• Too much, and you’ve increased your risk!
8. Defense in Depth
• Security is like an onion. It has layers.
• Not just more, but different, too.
• Think about the old game Breakout.
10. Authentication
• Authentication – Who are you?
• Logins allow access to SQL Server
• Also known as server principals
• Three types:
– Windows accounts
– Windows groups
– SQL Server logins
12. Authorization
• Authorization – What are you allowed to do?
• Server Level
• Database Level
• Lower (schema, objects, etc.)
• SQL Server Default: Deny unless explicit grant
13. Connecting to Databases
• Technically an Authorization
• Differentiated from Logins
• Called User or Database Principal
• Can have access to the server and not a database
19. Permissions
• Can be directly against an object
• If applied against a scope, inherited inside
• Only permissions which are applicable
• Schema / Object Owner Exception
22. Ownership Chaining
• Security mechanism specific to SQL Server
• Recommended best practice
• Prevents direct access to base tables
• Reduces number of permissions checks
23. Ownership Chaining
• One object references another
• Objects have the same owner
• User has permission to the first object in the chain
• SQL Server assumes the owner intended access
• Direct access to second object fails