This document discusses securing Microsoft SQL Server. It covers securing the SQL Server installation, controlling access to the server and databases, and validating security. Key points include using least privilege for service accounts, controlling access through logins, roles and permissions, auditing with SQL Server Audit and Policy Based Management, and services available from Pragmatic Works related to SQL Server security, training and products.

1. Introduction to SQL
Server Security

2. MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com
• Founded 2008 by MSFT MVP Brian Knight
• Focused on the MSFT SQL Server Platform
• Provides services, training and software
• MSFT/HP “go to” partner:
• Gold Certified:
o BI
o Data Management
o SQL Performance
• Team led by multiple MVP’s
• Offices throughout the US with Corporate
HQ in Jacksonville, FL
Pragmatic Works Company History

3. Getting Started
Jason
Strate
e: jstrate@pragmaticworks.com
b: www.jasonstrate.com
t: StrateSQL
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

4. Agenda
Overview
Securing SQL Server
Accessing SQL Server
Controlling Access
Validation
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

5. OVERVIEW
Overview
Securing SQL
Server
Accessing SQL
Server
Controlling
Access
Validation

6. Overview
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

7. Overview
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

8. Overview
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

9. Overview
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

10. SECURING SQL SERVER
Overview
Securing SQL
Server
Accessing SQL
Server
Controlling
Access
Validation

11. Start With Installation
• Operating system?
• Services?
• Tools?
• Features?
• Configuration?
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

12. Service Accounts
• Virtual Service account
• Managed Service account
• Domain user
• Local user
• Network Service account
• Local System account
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

13. Security Tip
Principle
of least
privilege
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

14. Location, Location, Location
• Where is the server
physically?
• Where is the server on the
network?
• Behind the firewall?
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

15. ACCESSING SQL SERVER
Overview
Securing SQL
Server
Accessing SQL
Server
Controlling
Access
Validation

16. Accessing the Server
• Login
– Windows Authentication
• Group
• User
– SQL Server Authentication
– Certificate
– Asymmetric Key
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

17. SQL Server Authentication
• Password policy
– Account lockout duration
– Account lockout threshold
– Reset account lockout counter after
– Complexity
– Password history
• Enforce password expiration
• Change password next login
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

18. Advanced Access
Certificate Asymmetric Key
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

19. CONTROLLING ACCESS
Overview
Securing SQL
Server
Accessing SQL
Server
Controlling
Access
Validation

20. Security Model Basics
• Resource within SQL Server, such as a
database, table, procedure, or feature.Securable
• Object to which permissions can be
assigned, such as a login or certificate.Principal
• Activity on the securable that is granted
to the principal, such as read or view.Permission
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

21. Permission Modes
GRANT
DENYREVOKE
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

22. Server Securables
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

23. Security Tip
CONTROL
SERVER is a
replacement
for sysadmin
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

24. Database Securables
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

25. Example 1
• GRANT VIEW SERVER STATE TO
SQLCHICKEN
• GRANT CONTROL SERVER TO
SQLBALLS
• GRANT SHOW PLAN TO
AUNTKATHI
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

26. Example 2
• GRANT EXECUTE TO SQLCHICKEN
• DENY EXECUTE ON
dbo.usp_action TO SQL CHICKEN
• GRANT SELECT ON dbo.table TO
SQLBALLS
• GRANT VIEW DATABASE STATE TO
AUNTKATHI
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

27. Security Roles
• Server Roles
• Custom Server Roles
• Database Roles
• Custom Database Roles
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

28. Server Roles
• Bulkadmin
• Dbcreator
• Diskadmin
• Processadmin
• Securityadmin
• Setupadmin
• Sysadmin
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

29. Custom Server Roles
• New for SQL Server 2012
• Create what you need
– Junior DBA
– Security admin
– Monitoring
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com
Trust me,
I’m a junior
DBA

30. Security Tip
CONTROL
SERVER is a
replacement
for sysadmin
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

31. Database Roles
• Db_accessadmin
• Db_backupoperator
• Db_datareader
• Db_datawriter
• Db_ddladmin
• Db_denydatareader
• Db_denydatawriter
• Db_owner
• Db_securityadmin
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

32. Security Tip
Beware of
db_owner and
RESTRICTED_USER
mode
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

33. Custom Database Roles
• Been around since dirt
• Useful for
– Setting department
permissions
– Grouping stored
procedure access
– Simplifying permission
management
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

34. Security Tip
Use roles over
logins for
permission
assignments
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

35. VALIDATION
Overview
Securing SQL
Server
Accessing SQL
Server
Controlling
Access
Validation

36. Validation
• Audits
– C2 Auditing
– Common Criteria Control
• SQL Server Audit
• Policy Based Management
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

37. SQL Server Audit
• SQL Server 2008
– Enterprise edition feature
• SQL Server 2012
– Standard edition feature
– Accessible via Extended Events
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

38. SQL Server Audit
• Server
– Permission changes
– DBCC events
– Failed logins
• Database
– DML activity
– SELECT activity
– Object modification
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

39. Policy Based Management
• Introduced SQL Server 2008
– All editions
• Backwards compatibility
– To SQL Server 2000…. Kinda
• Checks
– DDL triggers
– Object properties
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

40. Policy Based Management
• Add super power
with…
Enterprise Policy
Management
Framework
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

41. Wrapping Up
Securing SQL Server
Accessing SQL Server
Controlling Access
Validation
MAKING BUSINESS INTELLIGENT
www.pragmaticworks.com

42. Services
Speed development through training, and
rapid development services from
Pragmatic Works.
Products
BI products to covert to a Microsoft BI
platform and simplify development on
the platform.
Foundation
Helping those who do not have the
means to get into information technology
achieve their dreams.
For more information…
Name: Jason Strate
Email: jstrate@pragmaticworks.com
Blog: www.jasonstrate.com
Resource: jasonstrate.com/go/Security