1. Diferentes Técnicas de Administración de
Logins y Usuarios en SQL-Server
Expositor: Carlos Rojas Vargas
MVP, MCSA, MCITPro, MCTS, MCT, MCSE
Moderador: Adrian MIranda

2. Gracias a nuestros auspiciadores
Database Security as Easy as A-B-C
http://www.greensql.com
Hardcore Developer and IT
Training
http://www.pluralsight.com
SQL Server Performance
Try PlanExplorer today!
http://www.sqlsentry.com

3. Próximos SQL Saturday
6 de Diciembre de 2014
https://www.sqlsaturday.com/351/register.aspx
24 de Enero de 2015
https://www.sqlsaturday.com/346/register.aspx
18 de Abril de 2015
https://www.sqlsaturday.com/368/register.aspx
9 de Mayo de 2015
https://www.sqlsaturday.com/373/register.aspx

4. Capítulo Global PASS en Español
4
4
Reuniones semanales todos los miércoles a
las 12PM UTC-5 (Hora de Colombia)
https://www.facebook.com/SpanishPASSVC

5. 5
Asistencia Técnica
Si requiere asistencia
durante la sesión debe
usar la sección de
preguntas que esta en el
menú de la derecha.
Use el botón de Zoom
para ajustar su pantalla
al tamaño deseado
Escriba sus preguntas
en la sección de
preguntas que esta en el
menú de la derecha

6. 6
Carlos Rojas
Carlos Rojas Vargas es Microsoft MVP en SQL-Server desde el año 2001 con 13 años consecutivos de obtener
este reconocimiento y trabaja con SQL-Server desde el año 1995. A partir de 1999 se certifica como MCT y
comienza a impartir Capacitación certificada Microsoft, actualmente trabaja como Trainer para Corporación
CTE, un CPLS de Microsoft. También trabaja como Consultor en SQL-Server, Windows Server, Virtualización
con Hyper-V, Alta Disponibilidad y Soluciones de Colaboración con Sharepoint en Grupo CMA, un Partner de
Microsoft. En este momento cuenta con las certificaciones MCSA(SQL-Server 2012), MCSA(SQL-Server 2008),
MCITPro (Database Administrator SQL-Server 2008), MCTS(Sharepoint 2010), MCTS(SQL-Server 2008),
MCTS(Windows Server 2008 Applications Infrastructure, Configuration), MCTS(Windows Server Virtualization,
Configuration), MCTS(SQL Server 2008, Business Intelligence Development and Maintenance), MCTS(Visual
Studio 2008), MCITPro (SQL-Server 2005), MCTS(SQL-Server 2005), MCTS(Visual Studio 2005),
MCTS(Sharepoint Server 2007), MCTS(Sharepoint Services 3.0), MTA(Windows Server Administration
Fundamentals), MTA(Windows® Operating System Fundamentals), MTA(Database Administration
Fundamentals), MCDBA, MCSD.NET, MCAD, MCSE, MCSA, MCDST, MCT, A+, N+, IC3 y CIW-CI. Es el
Fundador y Administrador del Grupo de Usuarios de SQL-Server de Costa Rica(http://www.sqlugcr.net).
Generalmente participa como Expositor en los Lanzamientos de Productos, TechDays, eXpert Zone, .NET
Future Developers y Developer Days que Microsoft organiza en diferentes países, además participó como
Expositor en el Primer, Tercer y Sétimo Simposio Latinoamericano de Sharepoint y como Expositor en los SQL-Saturday
y en las 24 Horas PASS patrocinados por PASS. Fuera de Costa Rica ha impartido capacitación de
SQL-Server y Visual Studio en Honduras, Nicaragua, Panamá y México.
6

7. 7
Security Overview

8. Security Best Practices
Make security a part of your standard process
Use the principle of least privilege
Implement defense-in-depth (layered security)
Enable only required services and features
Regularly review security settings
Educate users about the importance of security
Define security roles based on business rules

9. Managing Logins Historically
Windows Logins
 Authentication/Policy managed by Windows
SQL Server Logins
 Managed by SQL Server
 Based on Windows policies
 Password Policy Options:
 HASHED (pw is already hashed)
 MUST_CHANGE
 CHECK_EXPIRATION
 CHECK_POLICY

10. Database Users and Roles Historically
Database Users
 Logins map to database users
Database Roles
 Users can belong to multiple roles
 Guest (does not require a user account)
 dbo (Server sysadmin users)
Application Roles
 Used to support application code

11. Built-In Server / Database Roles
Server Roles
• SysAdmin
• ServerAdmin
• SetupAdmin
• SecurityAdmin
• ProcessAdmin
• DiskAdmin
• DBCreator
• BulkAdmin
Database Roles
• db_accessadmin
• db_BackupOperation
• db_DataReader
• db_DataWriter
• db_DDLAdmin
• db_DenyDataReader
• db_DenyDataWriter
• db_Owner
• db_SecurityAdmin
• public

12. Configuring Permissions
Scopes of Securables
 Server
 Database
 Schema
 Objects
Permission Settings:
 GRANT
 REVOKE
 DENY
Options
 WITH GRANT OPTION
 AS (Sets permissions using another user or role)

13. 13
Configuration Options
Authentication mode
 Use Integrated Security
 More secure protocols (Kerberos and NTLM)
 Kerberos allows for delegation
 Allows for password policy enforcements
 Typically does not require application to store passwords
 If using Mixed mode (Standard SQL Authentication)
 Use SSL to encrypt network traffic
 Use strong passwords
 Never use blank passwords
Login auditing
 Audit failed login attempts at the very least
Choose static ports for named instances
 Avoid opening UDP1434 at firewall
Use Microsoft Baseline Security Analyzer

14. What is a Contained Databases ?
•A contained database is a database which includes all the required
settings, metadata and operates in isolation from the SQL Server Database
Engine. In other words it has no functional dependency on SQL Server
Instance be it Login, collation setting or metadata info.
• The most popular feature being, user connecting to the database without
having a Login at SQL Server Instance level; means there is no login
registered for this user in Master DB.
• It’s very easy to migratemove these databases to another SQL Instance,
since there is no dependency at the Instance level. This also makes it easy
and practical for DB Owner to manage all the configuration settings
independently without any intervention of SysAdmin.

15. Contained Databases Scenarios
• In SQL Server 2012/2014 Microsoft introduced a first step toward contained
databases, introducing partially contained databases (also known as Partial-
CDB). Partially Contained Databases provide some isolation from the
instance of SQL Server but do not yet provide full containment.
• There are some scenarios where it would be useful to completely isolate a
database and its management from the server on which it resides. For
example, a database that participates in an AlwaysOn availability group is
mirrored on multiple server instances, and it is useful to be able to failover
to a secondary instance without having to synchronize server-level logins
required to access the database. SQL Server 2012 introduces contained
databases to facilitate these scenarios.

16. Partially Contained Database
User information is stored in user
database and not in master database.
Users with passwords are
authenticated by the database
16

17. Contained Databases Users
There are two types of users for contained databases.
Contained database user with password: Contained database
users with passwords are authenticated by the database.
Windows principals: Authorized Windows users and members of
authorized Windows groups can connect directly to the database
and do not need logins in the master database.
Users based on logins in the master database can be granted access to
a contained database, but that would create a dependency on the SQL
Server instance, so Microsoft doesn’t recommend doing this.

18. Benefits of Partially Contained Databases
They make easier to migrate databases from one server to another. Errors
related to orphan users are no longer an issue with contained databases, since a
contained database user can now be created without an associated login.
Authentication can now occur at the database level.
Contained database users can be Windows and SQL Server authentication
users.
A contained database user can access only contained database objects. They
cannot access system databases and cannot access server objects.
Metadata is stored on the contained database and not stored on system
databases. This makes contained databases more portable than the databases
we know.
18

19. Limitations of Partially Contained Databases
Partially contained databases do not allow the following features:
19
 Numbered procedures
 Schema-bound objects that depend on built-in functions with collation changes
 Binding change resulting from collation changes, including references to objects,
columns, symbols, or types.
 Replication
 Change data capture
 Change tracking

20. Creating a Contained Databases
sp_configure 'show advanced options', 1 ;
GO
RECONFIGURE ;
GO
sp_configure 'contained database authentication', 1;
GO
RECONFIGURE ;
GO
sp_configure 'show advanced options', 0 ;
GO
RECONFIGURE ;
GO
CREATE DATABASE [MyContainedDB]
CONTAINMENT = PARTIAL
GO
20

21. Creating Contained Databases and Users
• Enable contained databases at the sever instance level
• Create contained databases
• Create users in the contained databases
CREATE DATABASE [MyContainedDB]
CONTAINMENT = PARTIAL
GO
USE [MyContainedDB]
GO
CREATE USER [SalesAppUser] WITH PASSWORD = 'Pa$$w0rd'
GO
CREATE USER [ADVENTUREWORKSSalesAppAccount]
GO

22. Creating a Contained Database User
USE [MyContainedDB]
GO
CREATE USER [SalesAppUser] WITH PASSWORD = ‘Pa$$w0rd’
GO
CREATE USER [ADVENTUREWORKSSalesAppAccount]
GO
When connecting to the database, client applications must specify the database as
part of the connection string to ensure that the contained user credentials are used
instead of a server-level login.
22

23. Demo

24. Preguntas?

25. A continuación …
Database Unit Testing
Carlos Lone

26. Gracias por participar