SlideShare a Scribd company logo

SQL Server

W
webhostingguy

This document discusses the new security model introduced in SQL Server 2005. It covers principals and securables, the new schema model, security for CLR, database mirroring, and tips for configuring security. Specific features covered include new permission types like CONTROL and IMPERSONATE, using schemas to centralize permissions, defining service accounts, and minimizing exposed surface area through configuration. The document provides guidance on implementing a balanced security approach in SQL Server 2005.

1 of 20
Download to read offline
INSIDE SQL Server • 03 Principals and securables InSIder • 05 New schema model • 09 Security for CLR Tips for SQL Server pros May 2007 • 14 article 1: Database mirroring and its witness New security model • 17 article 2: Find and fix resource- in SQL Server 2005 intensive SQL Server queries Organizations traditionally spend little money to secure the database server level. Instead, security is added to the to-do list of DBAs and developers. Get familiar with the security features in SQL Server 2005, and allow them to make your job easier. Brought to you by SearchSQLServer.com 3
SearchSQLServer.com New security model in SQL Server 2005 New Security Model Michelle Gutzait works as a senior in SQL Server 2005 database consultant By MIcheLLe GuTzAIT for Itergy International Inc., O an IT consulting firm specializing in the design, implementation, security rganizations don’t tend aged and controlled. In many and support of Microsoft to invest in securing cases, security standards are products in the enterprise. SQL Server instances created after applications and Gutzait has been involved and databases. Instead, databases are deployed, and in IT for 20 years as there is a tendency to that makes them difficult to leave security consid- implement. a developer, business erations to database admin- Whenever possible, you analyst and database istrators and developers. The should plan security standards consultant. For the last problem is that if there are no according to existing and future 10 years, she has worked defined security standards, it applications. Security consid- exclusively with SQL may leave data vulnerable. erations should always be part Server. Her skills include Security standards are impor- of the database and application SQL Server infrastructure tant for any organization. The design. For an existing environ- design, database design, problem is that it is not enough ment, the best approach is to performance tuning, just to develop them — they plan and formulate the security security, high availability, should also be applied, man- modifications step by step. VLDBs, replication and T-SQL/packages coding. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 PrinciPals and securables in sQl server 005 The new security model in SQL 2005 defines two main security objects — principals and securables: principals are entities that can there are three types of principals: request SQL Server resources. windows-level sql server-level database-level They can be arranged in a hi- principals principal principals erarchy. A principal inherits • Windows domain • SQL Server login • Database user the permissions given to it in a login • Database role higher level of that hierarchy. • Windows local login • Application role every principal has a security identifier, or SID. securables are the resources the securable scopes: to which the SQL Server data- server level database level schema level base engine authorization • Endpoint • Database user • Type system regulates access. Some • Database • Database role • XML schema collection securables can be contained • Application role • Object within others, creating nested • Assembly • Function hierarchies called scopes, which • Message type • Procedure • Route • Queue can, themselves, be secured. • Service • Synonym Access to securables can be • Remote service binding • Table • Fulltext catalog • View • Certificate • Asymmetric key • Symmetric key • Contract • Schema Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 granted for principals in each new Permission -- grant permissions on the level. delegation caPability -- user “Michelle”: For example, a database user In SQL Server 2005, more USE AdventureWorks; or a database role, which can permissions can be given both GRANT CONTROL ON USER:: contain zero or more users, can in the instance and in the da- Michelle TO Joseph; get access to a database ob- tabase level than in previous ject or to a database schema, releases. Also, permissions „ ALTER ANY – provides the which can contain zero or more can now be inherited — for ability to alter properties objects. Also, a database user example, permissions given to of an object. Depending on or role can get permissions to a schema are inherited by the the scope, inheritance can view definitions and to grant schema’s objects. here are ex- be limited to objects of a permissions to another data- amples of new permissions: specific type. For example, base user or role. its variation in the form As in previous versions, a „ CONTROL – functionally ALTER ANY ‘object_type’ user who wants to access data equivalent to all permis- grants permissions to from a database must pass sions granted to the ob- modify every instance of through two stages of authenti- ject’s owner and inherited ‘object_type’ within server cation — one at the SQL Server by all subentities within its or database scope. For level (login) and the other at scope. Principals that have example: the database level (user). CONTROL permission on a ALTER ANY DATABASE DDL securable can grant per- TRIGGER mission on that securable. ALTER ANY SCHEMA For example: ALTER ANY ROLE -- Grant CONTROL -- permission on -- AdventureWorks user -- Michelle to user Joseph -- now the user Joseph can Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 „ IMPERSONATE – permits impersonating another user, without requiring DEFINITION TO public -- Grant role “public” to -- view any object definition ø Use synonyms when you want to keep an object name under a specific schema, but that object resides in a different schema, SysAdmin or dbo privileg- -- in the database level: different database or a different es, as was the case in SQL GRANT VIEW DEFINITION SQL Server instance. Server 2000. For example: TO public -- Grants IMPERSONATE -- Grant VIEW DEFINITION database objects? In SQL Serv- -- permission on user -- permission on er 2005, that problem has been -- Michelle to -- AdventureWorks role solved by moving the object -- AdventureWorks -- Accountants together definition under the “schema” -- application role -- with GRANT OPTION to object. -- Accountants. -- database user Michelle Schema can have an owner, -- The role Accountants can -- (now user Michelle can which can be easily reassigned -- now impersonate -- view the definition of the without having to change the -- Michelle: -- Accountants role and ownership of each object. Also, USE AdventureWorks; -- grant it permissions): applications will not break if GRANT IMPERSONATE USE AdventureWorks; they reference the schema ON USER::Michelle TO GRANT VIEW DEFINITION name before the object name Accountants; ON ROLE::Accountants when the object’s ownership TO Michelle WITH GRANT is shifted. It is still possible to „ VIEW DEFINITION – gives OPTION; grant permission to an object, read access to an object’s such as a table. But as a best metadata via catalog the strength of the new practice, centralize permissions views. For example: schema model by schema, not by objects. -- Grant role “public” to view how many times have you tried -- any object definition to delete a user from your SQL when to use synonyms -- in the instance level: Server 2000 database and A synonym is an alternative GRANT VIEW ANY couldn’t because it was owning name given to a schema- 5 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 scoped object. The synonym sions, the second run will wait synGetAuthorName FOR is created under the schema until the first transaction ends. pubs.dbo.fnGetAuthorName; object but not bound to it. In SELECT dbo. other words, the deletion of the It seems that the best choice synGetAuthorName(‘171-10- synonym will not issue an error for using synonyms is when you 1178’) message if it is used in another would like to keep an object object. The synonym is used name under a specific schema, ddl triggers during runtime, so the object but the object resides in a dif- The new DDL Triggers option, names are not verified during ferent schema or in a differ- among other things, allows the synonym’s creation. you ent database or different SQL DBAs to control security issues, can grant permissions on syn- Server instance. use a synonym such as automating grant per- onyms. For example: instead of using a view if the missions or auditing. -- First result will be from synonym is for a table. For ex- here is an example of a DDL -- publishers_1: ample: trigger from the Microsoft De- DROP SYNONYM publish -- Table resides in another veloper Network (MSDN): CREATE SYNONYM publish -- schema: -- Grant VIEW DEFINITION FOR pubs.dbo.publishers_1 CREATE SYNONYM -- on each created role or SELECT * FROM publish Schema1.Authors -- user to public: -- Second result will be from FOR Schema2.dbo.Authors CREATE TRIGGER -- publishers_2: -- Table resides in another GrantViewDefOnPrincipal DROP SYNONYM publish -- server (myserverSQL2005 ON DATABASE CREATE SYNONYM publish -- is a Linked Server): FOR CREATE_USER, FOR pubs.dbo.publishers_2 CREATE SYNONYM dbo. CREATE_ROLE SELECT * FROM publish RemoteAuthors AS Note that the synonym is a FOR [myserverSQL2005]. DECLARE database object. If you try to pubs.dbo.authors @event_type sysname, run the above code as a trans- -- Synonym for a function: @principal_name sysname, action from two different ses- CREATE SYNONYM @sql nvarchar(max); Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 SELECT @sql = security configurations is really necessary. ‘(/EVENT_INSTANCE/’+ for sQl server „ use a small number of ‘EventType) [1]’; There are two extreme methods database roles to which SELECT @event_type = of applying security: you grant permissions. eventdata().value „ ThE LAzY MODEL – The Don’t grant permissions on (@sql,’sysname’), less security, the better. a per-user basis. @principal_name = This may result in either „ use only stored proce- eventdata().value giving too many or too few dures to access the data (@sql,’sysname’); permissions, but security and grant permissions to IF (@event_type = management is easier and these stored procedures. ‘CREATE_USER’) less complicated. „ Allow only one owner- SELECT @sql = „ SECuRE EVERYThINg ship to all the objects and ‘GRANT VIEW ‘ + POSSIbLE. This may com- schemas. This will simplify ‘DEFINITION ON ‘ + plicate the environment, granting the permissions ‘USER :: ‘ + producing more manage- and will help avoid permis- @principal_name + ment effort. sion chains. ‘ TO PUBLIC ‘ ; ELSE Most organizations are using defining service SELECT @sql = a security model that is be- accounts ‘GRANT VIEW ‘ + tween these two extremes. In previous versions, it was ‘DEFINITION ON ‘ + When designing a security easier to add SQL Server and ‘ROLE :: ‘ + model, try to keep it simple but SQL Server Agent services ac- @principal_name + satisfying. For example: counts to the sysadmin group ‘ TO PUBLIC ‘ ; „ Decide that the schema is than to play with the Group EXEC (@sql) the most granular unit to Policy Objects or permissions which you grant permis- of that account. sions. Don’t grant permis- In SQL Server 2005, the SQL sion to an object, unless it Server service account: Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 „ Requires less privilege password expiration poli- If so, few features such as the than in previous versions. cies because changing the xp_cmdshell Stored Procedure It can now be defined as password of the service and ad hoc queries through a member of the users account does not require linked servers — OPeNROW- group (non-domain user) restarting SQL Server SeT and OPeNDATASOuRce or Domain users group 2005. — are disabled by default in a (domain user). During newly installed instance of SQL installation, the user is The SQL Server Agent ser- Server 2005. automatically placed in the vice account requires sysadmin Database mail is another SQL Server service group privileges in the SQL Server great new feature in SQL Server and the group is granted instance it is associated with. 2005. you might go through the exactly the privileges that however, in SQL Server 2005, complicated process of config- it needs. SQL Server Agent job steps uring SQL Mail in SQL 2000, „ Should be changed only can be configured to use prox- or you might be using an alter- by using SQL Server Con- ies that encapsulate alternate native method of running SQL figuration Manager or by credentials. Mail, like SP_SQLSMTPMail or using the equivalent func- xp_smtp_sendmail. Note that tionality in the Windows surface area there is a problem using this Management Instrumen- configuration feature. If there is a bug in the tation (WMI) APIs. using SQL Server 2005 installation database program or SSIS pack- Configuration Manager minimizes the “attack surface” age, it can easily flood the mail ensures that the new ser- because, by default, optional server. vice account is placed in features are not installed. It’s The SQL Server Surface Area the appropriate Windows possible to turn off the features configuration command-line group and is thus granted in SQL Server Surface Area interface, sac.exe, makes it exactly the correct privi- configuration or use the system possible to import and export leges to run the service. stored procedure sp_configure. settings. This enables you to „ Can be configured by upgrading from SQL 2000? standardize the configuration Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 of a group of SQL Server 2005 not gain a higher security If you do decide to use en- instances. For example: level than it needs -- for cryption, remember that en- sac in server1.out –S example, by impersonating cryption and decryption algo- MyServer the SQL Server Service or rithms are comparably heavy to SQL Server Agent service run. First, never index encrypted integration and account. columns. Also, test the encryp- security for common „ Managed code should tion-decryption performance language runtime access local resources as on the expected amount of data The security model of the Mi- much as possible. and application functionality crosoft SQL Server integra- before you decide to use it. tion with the Microsoft .NeT SQL Server now integrates Framework common language the user-based security model other security enhance- runtime (cLR) manages and of SQL Server with the code ments in sQl 005 secures access between differ- access-based security model of here are descriptions of a few ent types of cLR and non-cLR the cLR. more security enhancements: objects running within SQL „ With SQL Server 2005, Server. data encryPtion you can alter the execu- Because cLR programs can Data encryption is a great new tion context with the EX- affect the stability and robust- feature in SQL Server 2005, but ECuTE AS clause available ness of the SQL Server environ- you should use it wisely and as part of the definition of ment, it is important to follow only if necessary. Remember stored procedures, func- these best practices: that using this feature will re- tions, queues and triggers. „ Protect the non-SQL Serv- sult in performance and admin- EXECuTE AS can also be er resources, such as net- istrative issues. Generally, SQL used to set the execution work and operating system Server and database permis- context within a SQL batch resources, with a higher sions can be enough for most instead of SETuSER. The security level. applications when they are well execution context choices „ Managed code should planned and applied. are: Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 • execute as caller — the and the key/certificate’s „ Endpoint-based authenti- caller of the procedure (no permissions. cation is used to provide impersonation). This is the „ Direct access to system secure communication only pre-SQL Server 2005 tables is no longer allowed. in scenarios where SQL behavior. Instead, they are exposed Server 2005, running on • execute as owner — the through catalog views, Windows Server 2003, owner of the procedure. encompassing both server functions natively as a • execute as self — the and database-wide set- Web service, listening and creator of the procedure. tings. responding to hTTP SOAP • execute as ‘username’ „ SQL Server 2005 can requests. — a specific user. manage SQL Server ac- „ Permissions on DTS pack- „ Server 2005 offers a much count password and ages in SQL 2000 were more granular way of as- lockout properties (such difficult to manage. SSIS sociating privileges with as password complexity, packages are flexible and procedural code with code password expiration and can run in different ways. signing. by using the ADD account lockout) with local „ Microsoft baseline Se- SIgNATuRE DDL state- and domain-based group curity Analyzer (MbSA) ment, you can sign the Policies. This functionality is a utility that scans for procedure with a certifi- is available only on Win- common insecurities in a cate or asymmetric key. A dows 2003 Server sys- SQL Server configuration. user can then be created tems. Example: Run MbSA on a regularly for the certificate or asym- CREATE LOGIN Michelle scheduled basis, either metric key itself and per- WITH locally or across the net- missions assigned to that PASSWORD = work. user. When the procedure ‘Change$NxtLogin’ MUST_ is executed, the code ex- CHANGE, xP_cmdshell handy ecutes with a combination CHECK_EXPIRATION = ON, examPles of the caller’s permissions CHECK_POLICY = ON xp_cmdshell is a very powerful 0 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 Stored Procedure. In SQL Server 1 delete a specific file on the security best practices. They will 2000, it is enabled by default. c:temp directory in each of run on SQL Server 2000 as well In SQL Server 2005, it is dis- these servers. as on SQL 2005. abled by default. 2 collect the list of the in- With sp_cmdshell you could stalled programs and tools run the following command: on each of the servers, prior Exec xp_cmdshell ‘del /S c:’ to consolidation. links for sql server which deletes the c: drive and you could go computer by Security Considerations for all its subdirectories in the computer and do these two Integration Services server where the SQL Server tasks. you could write code. http://msdn2.microsoft.com/ instance is running. Oops, sorry, you are a DBA— en-us/library/ms137833.aspx If I am doing so as the sa or but what could be easier than in the sysadmin role in SQL and to create a table with the SQL Security Considerations for the SQL Server Service account Server instances names, create SQL Server is a sysadmin on the computer a cursor on them and then loop http://msdn2.microsoft.com/ running the SQL Server, it can and run what’s needed to be en-us/library/ms161948.aspx be too powerful. run? But here are two examples In Task 1, you’ll see code to CLR Integration Security where you could use xp_cmd- delete a file, which results in no http://msdn2.microsoft.com/ shell because it is quicker and output. en-us/library/ms131071.aspx more straightforward: In Task 2, you’ll see code to Imagine that you have more show the contents of a directo- SQL Server 2005 Best than 30 servers hosting SQL ry on a server. here, you’ll find Practices Analyzer Server instances. the results of the code in Task http://www.microsoft. your manager asks you to do 2, assuming it ran against only com/downloads/details. two things: one server. aspx?FamilyId=DA0531e4- note: These two examples are e94c-4991-82FA-F0e3FBD05e not secured and are against 63displaylang=en Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
Advertorial Stately IT The Pennsylvania State University Dell Services helped Penn State upgrade the hardware foundation for its learning management system using Dell™ PowerEdge™ 6850 servers and Microsoft SQL Server 2005 Since its founding in 1855 as a small agricultural college dedicated to applying scientific principles to farming, The Pennsylvania State University—affectionately known as Penn State—has grown into a world-class learning institution with more than 84,000 enrolled students. Like many universities, Penn State uses learning management system (LMS) technology to help manage academic course content. Unfortunately, until recently the university’s system was plagued with performance and scalability issues due to an aging hardware infrastructure. The university’s IT staff turned to trusted longtime technology partner Dell for answers. Working closely with Dell Services, the staff tested the LMS on a new hardware architecture. “We found that Dell hardware offered excellent performance for the LMS and enabled us to handle more users than the previous system,” explains Lowell Smith, database administrator at Penn State. — Alex Pollock, Lead Database Administrator, The Penn State University 73
Advertorial Stately IT The Pennsylvania State University With such positive test results in hand, the Penn State IT team felt confident deploying a hardware infrastructure, including Dell™ PowerEdge™ 6850 servers, on which Penn State runs Microsoft SQL Server 2005 Enterprise to provide database support for the LMS. According to Alex Pollock, lead database administrator at Penn State, the combination of Dell PowerEdge servers with SQL Server has resulted in impressive performance gains for the LMS compared to the previous system. “Re-indexing used to take four hours—completing outside our maintenance window,” Pollock states. “Once we went to SQL Server 2005 on the PowerEdge 6850 servers, the whole process could be completed in half an hour—eight times faster.” Even though the user load has more than doubled, the performance of the ANGEL system is impressive: application availability is exceptional and hardware utilization is nowhere near capacity. “Our user load has skyrocketed in recent months—now we are experiencing 1.4 million Web hits on the system per hour,” notes Peter Dawson, manager of mid-tier infrastructure for Administrative Information Services at Penn State. “But even under that load, our servers are running at 25 to 30 percent capacity, which indicates that we have plenty of room to grow. To view the entire story, go to www.dell.com 73
SearchSQLServer.com Database mirroring and its witness SQLServer Insider Backup and RecoveRy Greg Robidoux is the president Database mirroring and founder of Edgewood and its witness Solutions LLC, a technology services company delivering By GReG ROBIDOux professional services and product solutions for Microsoft SQL Server 2005’s database mirroring feature offers new function- SQL Server. He ality that allows you to configure database failover much easier than in the past. When configuring database mirroring, one option is to has authored use the high Availability mode. This option allows for synchronizing numerous articles of transaction writes on both servers, as well as offers the ability of and has delivered automated failover. When using the high Availability mode, you need presentations at to have three instances of SQL Server: the principal, mirror and the regional SQL Server witness. here is a summary of what each component does. users groups and national SQL Server „ PRINCIPAL – this is the instance that stores the active database. „ MIRROR – this is the instance that receives transactions to keep events. Robidoux the mirrored database in sync. also serves as the „ WITNESS – this is the instance that communicates with the prin- SearchSQLServer.com cipal and mirror to determine if failover should occur. Backup and Recovery expert. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com Database mirroring and its witness what is the role of the ability mode and you want, primary data center, your mirror witness server? or need, automatic failover. and witness can communicate The witness is a third instance This instance doesn’t do much and take over the job. of SQL Server 2005 that acts more than communicate with Physical location is not the as an intermediary between the principal and the mirror to only point of concern when the principal and the mirror in make sure they are still alive. placing your witness. It would order to determine when to fail No database activity is occur- also make sense to install the over. By having a third instance, ring on this instance, just com- witness on a different physical it creates the ability to have a munication between the three server. It is possible to create 2–1 vote that says one of my components. three instances on one server components is not available and set up database mirroring. and, therefore, I am going to where should the But, if you are trying to elimi- fail over. Because of the need witness be? nate hardware failure as a pos- to determine if the components This really depends on your sible cause of downtime, the are online or offline before an network configuration and the witness should be installed on a automatic failover, the witness reliability of your components. different piece of hardware. server is only needed when If you implement this over a If you are trying to eliminate you implement the high Avail- WAN and have periodic net- data center outages, it makes ø work glitches by having the sense to have your mirror in You can create three witness near the principal, then a different physical location. instances on one server you can eliminate some un- Based on this assumption, you when setting up database necessary failovers. In addition, should keep the witness and mirroring. But, if you if your primary data center has the principal in the same data are trying to eliminate some issues and you want to center and your mirror in a dif- downtime caused by ensure your database stays on- ferent location. hardware failure, install the witness on a different line, it may make sense to keep piece of hardware. this with the mirror. Therefore, if there are any issues in your 5 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com Database mirroring and its witness what version of sQl what haPPens if the summary Implementing the server 005 for the witness fails? high Availability mode of data- witness? Because the witness is just one base mirroring is pretty straight- The witness server can run of the three components, if it forward by just implementing on any version of SQL Server fails, it does not necessarily another instance of SQL Server 2005, including the express mean that a failover will occur. to act as the witness. Although edition. The principal and mir- As long as the principal and mir- from that perspective it is fairly ror can only run on the Stan- ror can still communicate with easy, you should implement dard, enterprise and Developer each other, there is no need for a database mirroring in differ- editions of SQL Server 2005. failover. Therefore, the failure of ent phases until you get the just the witness will not trigger hang of how it works and when what kind of server an automated failover. it will kick in. using the high does the witness run Protection mode as the first on? how does failover work? implementation probably makes you can install the witness on Since three components make more sense than jumping right any hardware and operating up the high Availability mode, into the high Availability mode. system that supports the ver- two of these components need either way, though, take the sion of SQL Server 2005 you to determine that a problem time to test this new component are using for the witness. Be- has occurred and then initiate of SQL Server 2005 before you cause of the nature and role a failover. If the principal server take the leap into using it as part of the witness, I suggest using fails and the witness and mir- of your production failover strat- hardware that you feel is reli- ror can still communicate, the egy. able and will not cause further failover process will kick in. The Get a step-by-step explana- complications when imple- mirror will become the principal tion to setting up database mir- menting and utilizing database and the witness will continue to roring in a previous article titled mirroring. perform its duties as the witness Database mirroring setup in SQL server. Server 2005 found at Search SQL Server.com. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com Find and fix resource-intensive SQL Server queries SQLServer Insider peRfoRmance Jeremy Kadlec is the Find and fix principal database engineer at resource-intensive Edgewood Solutions, a technology services SQL Server queries company delivering professional services and product solutions By JeReMy KADLec for Microsoft SQL Server. He has Taming resource-intensive SQL Server queries is no small authored numerous articles and task. Finding them can be a challenge and fixing them delivers frequent is typically unique to the query. Here are five common presentations resource-intensive queries with possible resolutions. regionally and nationally. He how to find resource- perceived as slow, the root cause authored the intensive Queries and resolution can be much more “Rational Guide Identifying resource-intensive complex. The following resources queries is simple when your ap- will help you address common to IT Project plication experiences performance problems: Management” and is issues and users communicate „ To identify resource-intensive the SearchSQLServer. when and where the issues oc- queries, leverage SQL Server com performance and cur. If the overall application is 2000 Profiler. tuning expert. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com Find and fix resource-intensive SQL Server queries „ To determine how the opti- While users have to ask for this information, you can create mizer processes the code these figures for business rea- the necessary index to support internally, review individu- sons, the queries may cause a the query and avoid costly table al query plans in a graphi- significant resource drain. scanning. cal format using Query To balance the need to run Analyzer. resource-intensive queries and large result sets „ To access query plans, use retrieve timely data for users, Querying for hundreds or the T-SQL command SET change the process to execute thousands of rows while only ShOWPLAN_ALL or SET a stored procedure on a pre- displaying 10 to 50 rows in the ShOWPLAN_TEXT for a defined basis, which populates application is certainly a drain textual view of the output a table that stores the aggre- on SQL Server, especially when from the SQL Server opti- gate results. Then have users the query is frequently issued mizer. access the aggregated data by the same user. Since the instead of issuing the resource- data isn’t going to change, the intensive query. application’s throughput would calculation Queries benefit from caching that data users in management and table scanning on the Web server using ADO. executive management posi- Table scanning is probably the NeT. Another option would be tions issue calculation queries single biggest offender of drain- to cache the IDs or the unique throughout the day. They calcu- ing SQL Server resources. The identifier for the result set and late figures over a long period good news is that the problem query for the detailed data as of time with a primarily static is usually easy to fix. The best the data is browsed. A final op- data set (i.e., calculating year- way to diagnose this resource tion I have seen work well is to to-date sales or monthly inven- drainer is to review the query issue the query with a cOuNT tory figures). Depending on plan. The SQL Server optimizer clause and let users know how your applications, the calcula- will indicate which portion of much data will be returned. If it tions may be different, although the query is scanning tables by is a significant amount of data, the premise remains the same. table and column name. With fine-tune the query param- Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com Find and fix resource-intensive SQL Server queries eters to reduce the result set; not many users will be able to that execute one or more times per second using few resources SQL Server review a large result set, which just becomes overwhelming. — but the number of aggregate resources used is staggering. InSIder They don’t only eat up SQL is brought to you by cursors Server resources, but also an SearchSQLServer.com. cursors are notorious for quick- excessive amount of network The stories “Database ly turning a high-end server into round trips. you can expect to mirroring and its a single-user machine. cursors see this happen in Web-based witness” and “Find and typically build a large data set applications. If you store data in fix resource-intensive and process data one row at a session variable or cookie, the a time, which often serializes problem is resolved. SQL Server queries” the processing. Originally de- originally appeared on veloped for ISAM and VSAM summary Take a step back SearchSQLServer.com. databases, Microsoft included and think about how your ap- support for this processing from plications interact with SQL the earliest versions of SQL Server from a functional per- editors Server. Although they are a vi- spective. Think about com- christine casatelli able way to perform data pro- plaints users have had histori- heidi Sweeney cessing, they are not efficient cally about the application as copy editor — and your goal should be to well as long-running processes. Martha Moore migrate away from cursors and Observe how users work with design director use set-based logic. the applications and make per- Ronn campisi formance improvements in the www.ronncampisi.com single Queries that run code based on how users have rePeatedly evolved with the application. Some of the most deviant sets of queries are single queries Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
SearchSQLServer.com New security model in SQL Server 2005 Additional Resources from Dell Ø Embracing a new level of user experience:the hardware foundation for its learning management system Dell Services helped Penn State upgrade http://www.dell.com/content/topics/global.aspx/casestudies/en/2007_penn?c=uscs=555l=ens=biz Ø SQL Server 2005: Preparing for a Smooth Upgrade http://www.dell.com/downloads/global/power/ps1q06-20060126-Microsoft.pdf Ø Maximizing SQL Server Performance http://www.dell.com/downloads/global/power/ps4q05-20050272-Symantec.pdf Ø http://www.dell.com/content/topics/global.aspx/power/en/setc?c=uscs=555l=ens=biz The Scalable Enterprise Technology Center Ø Microsoft SQL Server 2005 Virtualization http://www.dell.com/downloads/global/power/ps4q06-20060405-Muirhead.pdf Ø The Definitive Guide to Scaling Out SQL Server 2005 http://www.dell.com/content/topics/global.aspx/alliances/en/ebook_landing?c=uscs=555l=ens=biz 0 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 7

Recommended

SID - First Credit
SID - First CreditSID - First Credit
SID - First CreditCisco Case Studies
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
21st Century SOA
21st Century SOA21st Century SOA
21st Century SOABob Rhubart
 
Dell Active System 800 Converged Infrastructure solution: User collaboration ...
Dell Active System 800 Converged Infrastructure solution: User collaboration ...Dell Active System 800 Converged Infrastructure solution: User collaboration ...
Dell Active System 800 Converged Infrastructure solution: User collaboration ...Principled Technologies
 
It operation 1
It operation 1It operation 1
It operation 1muzuddin
 
Introduction to change data capture in sql server 2008 tech republic
Introduction to change data capture in sql server 2008 tech republicIntroduction to change data capture in sql server 2008 tech republic
Introduction to change data capture in sql server 2008 tech republicKaing Menglieng
 
Diagnosability versus The Cloud, Redwood Shores 2011-08-30
Diagnosability versus The Cloud, Redwood Shores 2011-08-30Diagnosability versus The Cloud, Redwood Shores 2011-08-30
Diagnosability versus The Cloud, Redwood Shores 2011-08-30Cary Millsap
 
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1Novell
 

Recommended

SID - First Credit
SID - First CreditSID - First Credit
SID - First CreditCisco Case Studies
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
21st Century SOA
21st Century SOA21st Century SOA
21st Century SOABob Rhubart
 
Dell Active System 800 Converged Infrastructure solution: User collaboration ...
Dell Active System 800 Converged Infrastructure solution: User collaboration ...Dell Active System 800 Converged Infrastructure solution: User collaboration ...
Dell Active System 800 Converged Infrastructure solution: User collaboration ...Principled Technologies
 
It operation 1
It operation 1It operation 1
It operation 1muzuddin
 
Introduction to change data capture in sql server 2008 tech republic
Introduction to change data capture in sql server 2008 tech republicIntroduction to change data capture in sql server 2008 tech republic
Introduction to change data capture in sql server 2008 tech republicKaing Menglieng
 
Diagnosability versus The Cloud, Redwood Shores 2011-08-30
Diagnosability versus The Cloud, Redwood Shores 2011-08-30Diagnosability versus The Cloud, Redwood Shores 2011-08-30
Diagnosability versus The Cloud, Redwood Shores 2011-08-30Cary Millsap
 
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1
Introduction to Crystal and Jasper Reports for Novell Sentinel 6.1Novell
 
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Principled Technologies
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudBob Rhubart
 
Shankar kandavel resume new
Shankar kandavel resume newShankar kandavel resume new
Shankar kandavel resume newkandavel shankar
 
Cisco UCS - CA World 2013
Cisco UCS - CA World 2013 Cisco UCS - CA World 2013
Cisco UCS - CA World 2013 Ranjit Nayak
 
How to Maintain Software Appliances
How to Maintain Software AppliancesHow to Maintain Software Appliances
How to Maintain Software AppliancesNovell
 
Innovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle CoherenceInnovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle CoherenceBob Rhubart
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsBob Rhubart
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachNovell
 
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon ProcessorsHarness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon ProcessorsReadWriteEnterprise
 
Ingres Products
Ingres Products Ingres Products
Ingres Products Actian Corporation
 
Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4ReadWrite
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused EnterpriseNovell
 
Microsoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical DatasheetMicrosoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical DatasheetMicrosoft Private Cloud
 
DBA Resume
DBA ResumeDBA Resume
DBA Resumejagadeesh Babu
 
Shahed Anwar Resume
Shahed Anwar ResumeShahed Anwar Resume
Shahed Anwar ResumeMd. Shahed Anwar
 
Intel - Office 2010 Solution Brief
Intel - Office 2010 Solution BriefIntel - Office 2010 Solution Brief
Intel - Office 2010 Solution BriefReadWriteEnterprise
 
Novell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access SolutionNovell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access SolutionNovell
 
Citrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White PaperCitrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White PaperReadWriteEnterprise
 
Dell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell World
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basicsrainynovember12
 
Sql server
Sql serverSql server
Sql serverHudson Brendon
 
Apresentação SQL Server 29/04
Apresentação SQL Server 29/04Apresentação SQL Server 29/04
Apresentação SQL Server 29/04Allen Informática
 

More Related Content

What's hot

Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Principled Technologies
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudBob Rhubart
 
Shankar kandavel resume new
Shankar kandavel resume newShankar kandavel resume new
Shankar kandavel resume newkandavel shankar
 
Cisco UCS - CA World 2013
Cisco UCS - CA World 2013 Cisco UCS - CA World 2013
Cisco UCS - CA World 2013 Ranjit Nayak
 
How to Maintain Software Appliances
How to Maintain Software AppliancesHow to Maintain Software Appliances
How to Maintain Software AppliancesNovell
 
Innovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle CoherenceInnovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle CoherenceBob Rhubart
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsBob Rhubart
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachNovell
 
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon ProcessorsHarness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon ProcessorsReadWriteEnterprise
 
Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4ReadWrite
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused EnterpriseNovell
 
Microsoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical DatasheetMicrosoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical DatasheetMicrosoft Private Cloud
 
Intel - Office 2010 Solution Brief
Intel - Office 2010 Solution BriefIntel - Office 2010 Solution Brief
Intel - Office 2010 Solution BriefReadWriteEnterprise
 
Novell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access SolutionNovell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access SolutionNovell
 
Citrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White PaperCitrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White PaperReadWriteEnterprise
 
Dell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell World
 

What's hot (19)

Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...Dell Active System 800 converged infrastructure solution: VDI and collaborati...
Dell Active System 800 converged infrastructure solution: VDI and collaborati...
 
Oracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the CloudOracle VM Consolidation and Path to the Cloud
Oracle VM Consolidation and Path to the Cloud
 
Shankar kandavel resume new
Shankar kandavel resume newShankar kandavel resume new
Shankar kandavel resume new
 
Cisco UCS - CA World 2013
Cisco UCS - CA World 2013 Cisco UCS - CA World 2013
Cisco UCS - CA World 2013
 
How to Maintain Software Appliances
How to Maintain Software AppliancesHow to Maintain Software Appliances
How to Maintain Software Appliances
 
Innovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle CoherenceInnovations in Grid Computing with Oracle Coherence
Innovations in Grid Computing with Oracle Coherence
 
Application-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural ConsiderationsApplication-Driven Virtualization: Architectural Considerations
Application-Driven Virtualization: Architectural Considerations
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated Approach
 
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon ProcessorsHarness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
Harness Enterprise Data with SQL Server 2008 R2 and New Intel Xeon Processors
 
Ingres Products
Ingres Products Ingres Products
Ingres Products
 
Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4Filename intelvmwaresolutionbrief asset4
Filename intelvmwaresolutionbrief asset4
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused Enterprise
 
Microsoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical DatasheetMicrosoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Partner Technical Datasheet
 
DBA Resume
DBA ResumeDBA Resume
DBA Resume
 
Shahed Anwar Resume
Shahed Anwar ResumeShahed Anwar Resume
Shahed Anwar Resume
 
Intel - Office 2010 Solution Brief
Intel - Office 2010 Solution BriefIntel - Office 2010 Solution Brief
Intel - Office 2010 Solution Brief
 
Novell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access SolutionNovell iFolder 3.8: A Simple, Secure File Access Solution
Novell iFolder 3.8: A Simple, Secure File Access Solution
 
Citrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White PaperCitrix Xen Desktop Solution White Paper
Citrix Xen Desktop Solution White Paper
 
Dell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions Lab
 

Viewers also liked

Apresentação SQL Server 29/04
Apresentação SQL Server 29/04Apresentação SQL Server 29/04
Apresentação SQL Server 29/04Allen Informática
 
Sql server performance Tuning
Sql server performance TuningSql server performance Tuning
Sql server performance TuningSimon Huang
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuningngupt28
 
retrieving data using SQL statements
retrieving data using SQL statementsretrieving data using SQL statements
retrieving data using SQL statementsArun Nair
 
SQL Server Query Optimization, Execution and Debugging Query Performance
SQL Server Query Optimization, Execution and Debugging Query PerformanceSQL Server Query Optimization, Execution and Debugging Query Performance
SQL Server Query Optimization, Execution and Debugging Query PerformanceVinod Kumar
 
Why & how to optimize sql server for performance from design to query
Why & how to optimize sql server for performance from design to queryWhy & how to optimize sql server for performance from design to query
Why & how to optimize sql server for performance from design to queryAntonios Chatzipavlis
 
Introduction to SQL
Introduction to SQLIntroduction to SQL
Introduction to SQLRam Kedem
 
SQL Server Query Tuning Tips - Get it Right the First Time
SQL Server Query Tuning Tips - Get it Right the First TimeSQL Server Query Tuning Tips - Get it Right the First Time
SQL Server Query Tuning Tips - Get it Right the First TimeDean Richards
 
SQL – A Tutorial I
SQL – A Tutorial ISQL – A Tutorial I
SQL – A Tutorial IGagan Deep
 
SQL Server Performance Tuning Baseline
SQL Server Performance Tuning BaselineSQL Server Performance Tuning Baseline
SQL Server Performance Tuning Baseline► Supreme Mandal ◄
 
Introduction to sql database on azure
Introduction to sql database on azureIntroduction to sql database on azure
Introduction to sql database on azureAntonios Chatzipavlis
 
SQL Server Tuning to Improve Database Performance
SQL Server Tuning to Improve Database PerformanceSQL Server Tuning to Improve Database Performance
SQL Server Tuning to Improve Database PerformanceMark Ginnebaugh
 
SQL select statement and functions
SQL select statement and functionsSQL select statement and functions
SQL select statement and functionsVikas Gupta
 
Visão histórica do SQL Server
Visão histórica do SQL ServerVisão histórica do SQL Server
Visão histórica do SQL ServerMarcelo Ramos
 
SQL in the Hybrid World
SQL in the Hybrid WorldSQL in the Hybrid World
SQL in the Hybrid WorldTanel Poder
 

Viewers also liked (20)

Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
 
Sql server
Sql serverSql server
Sql server
 
Apresentação SQL Server 29/04
Apresentação SQL Server 29/04Apresentação SQL Server 29/04
Apresentação SQL Server 29/04
 
Sql server performance Tuning
Sql server performance TuningSql server performance Tuning
Sql server performance Tuning
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
 
retrieving data using SQL statements
retrieving data using SQL statementsretrieving data using SQL statements
retrieving data using SQL statements
 
SQL Server Query Optimization, Execution and Debugging Query Performance
SQL Server Query Optimization, Execution and Debugging Query PerformanceSQL Server Query Optimization, Execution and Debugging Query Performance
SQL Server Query Optimization, Execution and Debugging Query Performance
 
Why & how to optimize sql server for performance from design to query
Why & how to optimize sql server for performance from design to queryWhy & how to optimize sql server for performance from design to query
Why & how to optimize sql server for performance from design to query
 
Introduction to SQL
Introduction to SQLIntroduction to SQL
Introduction to SQL
 
SQL Server Query Tuning Tips - Get it Right the First Time
SQL Server Query Tuning Tips - Get it Right the First TimeSQL Server Query Tuning Tips - Get it Right the First Time
SQL Server Query Tuning Tips - Get it Right the First Time
 
SQL – A Tutorial I
SQL – A Tutorial ISQL – A Tutorial I
SQL – A Tutorial I
 
SQL Server Performance Tuning Baseline
SQL Server Performance Tuning BaselineSQL Server Performance Tuning Baseline
SQL Server Performance Tuning Baseline
 
Introduction to sql database on azure
Introduction to sql database on azureIntroduction to sql database on azure
Introduction to sql database on azure
 
Sql Server
Sql ServerSql Server
Sql Server
 
SQL | Computer Science
SQL | Computer ScienceSQL | Computer Science
SQL | Computer Science
 
SQL Server Tuning to Improve Database Performance
SQL Server Tuning to Improve Database PerformanceSQL Server Tuning to Improve Database Performance
SQL Server Tuning to Improve Database Performance
 
SQL select statement and functions
SQL select statement and functionsSQL select statement and functions
SQL select statement and functions
 
Visão histórica do SQL Server
Visão histórica do SQL ServerVisão histórica do SQL Server
Visão histórica do SQL Server
 
SQL in the Hybrid World
SQL in the Hybrid WorldSQL in the Hybrid World
SQL in the Hybrid World
 
Aprenda SQL Server
Aprenda SQL ServerAprenda SQL Server
Aprenda SQL Server
 

Similar to SQL Server

Sql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsSql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsKlaudiia Jacome
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Serverwebhostingguy
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidationwebhostingguy
 
Microsoft SQL Azure - Agility in the New Economy Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Technical DatasheetMicrosoft SQL Azure - Agility in the New Economy Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Technical DatasheetMicrosoft Private Cloud
 
Revolutionize Your Data Infrastructure with MS SQL Server 2022
Revolutionize Your Data Infrastructure with MS SQL Server 2022Revolutionize Your Data Infrastructure with MS SQL Server 2022
Revolutionize Your Data Infrastructure with MS SQL Server 2022Direct Deals, LLC
 
Resume_Tushar_Kanti_DBA
Resume_Tushar_Kanti_DBAResume_Tushar_Kanti_DBA
Resume_Tushar_Kanti_DBATushar Kanti
 
Why Should you choose SQL Server 2019 ?
Why Should you choose SQL Server 2019 ?Why Should you choose SQL Server 2019 ?
Why Should you choose SQL Server 2019 ?SoftwareDeals
 
Government and Education Webinar: Simplify Your Database Performance Manageme...
Government and Education Webinar: Simplify Your Database Performance Manageme...Government and Education Webinar: Simplify Your Database Performance Manageme...
Government and Education Webinar: Simplify Your Database Performance Manageme...SolarWinds
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetKlaudiia Jacome
 

Similar to SQL Server (20)

Sql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor adminsSql server 2008 r2 security overviewfor admins
Sql server 2008 r2 security overviewfor admins
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Server
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Server
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Server
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Server
 
MICROSOFT SQL Server
MICROSOFT SQL ServerMICROSOFT SQL Server
MICROSOFT SQL Server
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidation
 
Shivangi gupta
Shivangi guptaShivangi gupta
Shivangi gupta
 
Microsoft SQL Azure - Agility in the New Economy Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Technical DatasheetMicrosoft SQL Azure - Agility in the New Economy Technical Datasheet
Microsoft SQL Azure - Agility in the New Economy Technical Datasheet
 
Revolutionize Your Data Infrastructure with MS SQL Server 2022
Revolutionize Your Data Infrastructure with MS SQL Server 2022Revolutionize Your Data Infrastructure with MS SQL Server 2022
Revolutionize Your Data Infrastructure with MS SQL Server 2022
 
Shantkumar_Resume
Shantkumar_ResumeShantkumar_Resume
Shantkumar_Resume
 
Shantkumar resume
Shantkumar resumeShantkumar resume
Shantkumar resume
 
SQL Server
SQL ServerSQL Server
SQL Server
 
Resume_Tushar_Kanti_DBA
Resume_Tushar_Kanti_DBAResume_Tushar_Kanti_DBA
Resume_Tushar_Kanti_DBA
 
Why Should you choose SQL Server 2019 ?
Why Should you choose SQL Server 2019 ?Why Should you choose SQL Server 2019 ?
Why Should you choose SQL Server 2019 ?
 
Government and Education Webinar: Simplify Your Database Performance Manageme...
Government and Education Webinar: Simplify Your Database Performance Manageme...Government and Education Webinar: Simplify Your Database Performance Manageme...
Government and Education Webinar: Simplify Your Database Performance Manageme...
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
Shantkumar_Resume
Shantkumar_ResumeShantkumar_Resume
Shantkumar_Resume
 
Confio presentation
Confio presentationConfio presentation
Confio presentation
 
Sql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheetSql server 2008 r2 security datasheet
Sql server 2008 r2 security datasheet
 

More from webhostingguy

Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test Frameworkwebhostingguy
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guidewebhostingguy
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Load-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serversLoad-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serverswebhostingguy
 
Master Service Agreement
Master Service AgreementMaster Service Agreement
Master Service Agreementwebhostingguy
 
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...webhostingguy
 
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...webhostingguy
 
Managing Diverse IT Infrastructure
Managing Diverse IT InfrastructureManaging Diverse IT Infrastructure
Managing Diverse IT Infrastructurewebhostingguy
 
Web design for business.ppt
Web design for business.pptWeb design for business.ppt
Web design for business.pptwebhostingguy
 
IT Power Management Strategy
IT Power Management Strategy IT Power Management Strategy
IT Power Management Strategy webhostingguy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandiserswebhostingguy
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Productswebhostingguy
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mbwebhostingguy
 
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...webhostingguy
 

More from webhostingguy (20)

File Upload
File UploadFile Upload
File Upload
 
Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test Framework
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guide
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
Load-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serversLoad-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web servers
 
What is mod_perl?
What is mod_perl?What is mod_perl?
What is mod_perl?
 
What is mod_perl?
What is mod_perl?What is mod_perl?
What is mod_perl?
 
Master Service Agreement
Master Service AgreementMaster Service Agreement
Master Service Agreement
 
Notes8
Notes8Notes8
Notes8
 
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
 
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
 
Managing Diverse IT Infrastructure
Managing Diverse IT InfrastructureManaging Diverse IT Infrastructure
Managing Diverse IT Infrastructure
 
Web design for business.ppt
Web design for business.pptWeb design for business.ppt
Web design for business.ppt
 
IT Power Management Strategy
IT Power Management Strategy IT Power Management Strategy
IT Power Management Strategy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandisers
 
OLUG_xen.ppt
OLUG_xen.pptOLUG_xen.ppt
OLUG_xen.ppt
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Products
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mb
 
Reseller's Guide
Reseller's GuideReseller's Guide
Reseller's Guide
 
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...
Installation of MySQL 5.1 Cluster Software on the Solaris 10 ...
 

SQL Server

  • 1. INSIDE SQL Server • 03 Principals and securables InSIder • 05 New schema model • 09 Security for CLR Tips for SQL Server pros May 2007 • 14 article 1: Database mirroring and its witness New security model • 17 article 2: Find and fix resource- in SQL Server 2005 intensive SQL Server queries Organizations traditionally spend little money to secure the database server level. Instead, security is added to the to-do list of DBAs and developers. Get familiar with the security features in SQL Server 2005, and allow them to make your job easier. Brought to you by SearchSQLServer.com 3
  • 2. SearchSQLServer.com New security model in SQL Server 2005 New Security Model Michelle Gutzait works as a senior in SQL Server 2005 database consultant By MIcheLLe GuTzAIT for Itergy International Inc., O an IT consulting firm specializing in the design, implementation, security rganizations don’t tend aged and controlled. In many and support of Microsoft to invest in securing cases, security standards are products in the enterprise. SQL Server instances created after applications and Gutzait has been involved and databases. Instead, databases are deployed, and in IT for 20 years as there is a tendency to that makes them difficult to leave security consid- implement. a developer, business erations to database admin- Whenever possible, you analyst and database istrators and developers. The should plan security standards consultant. For the last problem is that if there are no according to existing and future 10 years, she has worked defined security standards, it applications. Security consid- exclusively with SQL may leave data vulnerable. erations should always be part Server. Her skills include Security standards are impor- of the database and application SQL Server infrastructure tant for any organization. The design. For an existing environ- design, database design, problem is that it is not enough ment, the best approach is to performance tuning, just to develop them — they plan and formulate the security security, high availability, should also be applied, man- modifications step by step. VLDBs, replication and T-SQL/packages coding. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 3. SearchSQLServer.com New security model in SQL Server 2005 PrinciPals and securables in sQl server 005 The new security model in SQL 2005 defines two main security objects — principals and securables: principals are entities that can there are three types of principals: request SQL Server resources. windows-level sql server-level database-level They can be arranged in a hi- principals principal principals erarchy. A principal inherits • Windows domain • SQL Server login • Database user the permissions given to it in a login • Database role higher level of that hierarchy. • Windows local login • Application role every principal has a security identifier, or SID. securables are the resources the securable scopes: to which the SQL Server data- server level database level schema level base engine authorization • Endpoint • Database user • Type system regulates access. Some • Database • Database role • XML schema collection securables can be contained • Application role • Object within others, creating nested • Assembly • Function hierarchies called scopes, which • Message type • Procedure • Route • Queue can, themselves, be secured. • Service • Synonym Access to securables can be • Remote service binding • Table • Fulltext catalog • View • Certificate • Asymmetric key • Symmetric key • Contract • Schema Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 4. SearchSQLServer.com New security model in SQL Server 2005 granted for principals in each new Permission -- grant permissions on the level. delegation caPability -- user “Michelle”: For example, a database user In SQL Server 2005, more USE AdventureWorks; or a database role, which can permissions can be given both GRANT CONTROL ON USER:: contain zero or more users, can in the instance and in the da- Michelle TO Joseph; get access to a database ob- tabase level than in previous ject or to a database schema, releases. Also, permissions „ ALTER ANY – provides the which can contain zero or more can now be inherited — for ability to alter properties objects. Also, a database user example, permissions given to of an object. Depending on or role can get permissions to a schema are inherited by the the scope, inheritance can view definitions and to grant schema’s objects. here are ex- be limited to objects of a permissions to another data- amples of new permissions: specific type. For example, base user or role. its variation in the form As in previous versions, a „ CONTROL – functionally ALTER ANY ‘object_type’ user who wants to access data equivalent to all permis- grants permissions to from a database must pass sions granted to the ob- modify every instance of through two stages of authenti- ject’s owner and inherited ‘object_type’ within server cation — one at the SQL Server by all subentities within its or database scope. For level (login) and the other at scope. Principals that have example: the database level (user). CONTROL permission on a ALTER ANY DATABASE DDL securable can grant per- TRIGGER mission on that securable. ALTER ANY SCHEMA For example: ALTER ANY ROLE -- Grant CONTROL -- permission on -- AdventureWorks user -- Michelle to user Joseph -- now the user Joseph can Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 5. SearchSQLServer.com New security model in SQL Server 2005 „ IMPERSONATE – permits impersonating another user, without requiring DEFINITION TO public -- Grant role “public” to -- view any object definition ø Use synonyms when you want to keep an object name under a specific schema, but that object resides in a different schema, SysAdmin or dbo privileg- -- in the database level: different database or a different es, as was the case in SQL GRANT VIEW DEFINITION SQL Server instance. Server 2000. For example: TO public -- Grants IMPERSONATE -- Grant VIEW DEFINITION database objects? In SQL Serv- -- permission on user -- permission on er 2005, that problem has been -- Michelle to -- AdventureWorks role solved by moving the object -- AdventureWorks -- Accountants together definition under the “schema” -- application role -- with GRANT OPTION to object. -- Accountants. -- database user Michelle Schema can have an owner, -- The role Accountants can -- (now user Michelle can which can be easily reassigned -- now impersonate -- view the definition of the without having to change the -- Michelle: -- Accountants role and ownership of each object. Also, USE AdventureWorks; -- grant it permissions): applications will not break if GRANT IMPERSONATE USE AdventureWorks; they reference the schema ON USER::Michelle TO GRANT VIEW DEFINITION name before the object name Accountants; ON ROLE::Accountants when the object’s ownership TO Michelle WITH GRANT is shifted. It is still possible to „ VIEW DEFINITION – gives OPTION; grant permission to an object, read access to an object’s such as a table. But as a best metadata via catalog the strength of the new practice, centralize permissions views. For example: schema model by schema, not by objects. -- Grant role “public” to view how many times have you tried -- any object definition to delete a user from your SQL when to use synonyms -- in the instance level: Server 2000 database and A synonym is an alternative GRANT VIEW ANY couldn’t because it was owning name given to a schema- 5 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 6. SearchSQLServer.com New security model in SQL Server 2005 scoped object. The synonym sions, the second run will wait synGetAuthorName FOR is created under the schema until the first transaction ends. pubs.dbo.fnGetAuthorName; object but not bound to it. In SELECT dbo. other words, the deletion of the It seems that the best choice synGetAuthorName(‘171-10- synonym will not issue an error for using synonyms is when you 1178’) message if it is used in another would like to keep an object object. The synonym is used name under a specific schema, ddl triggers during runtime, so the object but the object resides in a dif- The new DDL Triggers option, names are not verified during ferent schema or in a differ- among other things, allows the synonym’s creation. you ent database or different SQL DBAs to control security issues, can grant permissions on syn- Server instance. use a synonym such as automating grant per- onyms. For example: instead of using a view if the missions or auditing. -- First result will be from synonym is for a table. For ex- here is an example of a DDL -- publishers_1: ample: trigger from the Microsoft De- DROP SYNONYM publish -- Table resides in another veloper Network (MSDN): CREATE SYNONYM publish -- schema: -- Grant VIEW DEFINITION FOR pubs.dbo.publishers_1 CREATE SYNONYM -- on each created role or SELECT * FROM publish Schema1.Authors -- user to public: -- Second result will be from FOR Schema2.dbo.Authors CREATE TRIGGER -- publishers_2: -- Table resides in another GrantViewDefOnPrincipal DROP SYNONYM publish -- server (myserverSQL2005 ON DATABASE CREATE SYNONYM publish -- is a Linked Server): FOR CREATE_USER, FOR pubs.dbo.publishers_2 CREATE SYNONYM dbo. CREATE_ROLE SELECT * FROM publish RemoteAuthors AS Note that the synonym is a FOR [myserverSQL2005]. DECLARE database object. If you try to pubs.dbo.authors @event_type sysname, run the above code as a trans- -- Synonym for a function: @principal_name sysname, action from two different ses- CREATE SYNONYM @sql nvarchar(max); Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 7. SearchSQLServer.com New security model in SQL Server 2005 SELECT @sql = security configurations is really necessary. ‘(/EVENT_INSTANCE/’+ for sQl server „ use a small number of ‘EventType) [1]’; There are two extreme methods database roles to which SELECT @event_type = of applying security: you grant permissions. eventdata().value „ ThE LAzY MODEL – The Don’t grant permissions on (@sql,’sysname’), less security, the better. a per-user basis. @principal_name = This may result in either „ use only stored proce- eventdata().value giving too many or too few dures to access the data (@sql,’sysname’); permissions, but security and grant permissions to IF (@event_type = management is easier and these stored procedures. ‘CREATE_USER’) less complicated. „ Allow only one owner- SELECT @sql = „ SECuRE EVERYThINg ship to all the objects and ‘GRANT VIEW ‘ + POSSIbLE. This may com- schemas. This will simplify ‘DEFINITION ON ‘ + plicate the environment, granting the permissions ‘USER :: ‘ + producing more manage- and will help avoid permis- @principal_name + ment effort. sion chains. ‘ TO PUBLIC ‘ ; ELSE Most organizations are using defining service SELECT @sql = a security model that is be- accounts ‘GRANT VIEW ‘ + tween these two extremes. In previous versions, it was ‘DEFINITION ON ‘ + When designing a security easier to add SQL Server and ‘ROLE :: ‘ + model, try to keep it simple but SQL Server Agent services ac- @principal_name + satisfying. For example: counts to the sysadmin group ‘ TO PUBLIC ‘ ; „ Decide that the schema is than to play with the Group EXEC (@sql) the most granular unit to Policy Objects or permissions which you grant permis- of that account. sions. Don’t grant permis- In SQL Server 2005, the SQL sion to an object, unless it Server service account: Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 8. SearchSQLServer.com New security model in SQL Server 2005 „ Requires less privilege password expiration poli- If so, few features such as the than in previous versions. cies because changing the xp_cmdshell Stored Procedure It can now be defined as password of the service and ad hoc queries through a member of the users account does not require linked servers — OPeNROW- group (non-domain user) restarting SQL Server SeT and OPeNDATASOuRce or Domain users group 2005. — are disabled by default in a (domain user). During newly installed instance of SQL installation, the user is The SQL Server Agent ser- Server 2005. automatically placed in the vice account requires sysadmin Database mail is another SQL Server service group privileges in the SQL Server great new feature in SQL Server and the group is granted instance it is associated with. 2005. you might go through the exactly the privileges that however, in SQL Server 2005, complicated process of config- it needs. SQL Server Agent job steps uring SQL Mail in SQL 2000, „ Should be changed only can be configured to use prox- or you might be using an alter- by using SQL Server Con- ies that encapsulate alternate native method of running SQL figuration Manager or by credentials. Mail, like SP_SQLSMTPMail or using the equivalent func- xp_smtp_sendmail. Note that tionality in the Windows surface area there is a problem using this Management Instrumen- configuration feature. If there is a bug in the tation (WMI) APIs. using SQL Server 2005 installation database program or SSIS pack- Configuration Manager minimizes the “attack surface” age, it can easily flood the mail ensures that the new ser- because, by default, optional server. vice account is placed in features are not installed. It’s The SQL Server Surface Area the appropriate Windows possible to turn off the features configuration command-line group and is thus granted in SQL Server Surface Area interface, sac.exe, makes it exactly the correct privi- configuration or use the system possible to import and export leges to run the service. stored procedure sp_configure. settings. This enables you to „ Can be configured by upgrading from SQL 2000? standardize the configuration Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 9. SearchSQLServer.com New security model in SQL Server 2005 of a group of SQL Server 2005 not gain a higher security If you do decide to use en- instances. For example: level than it needs -- for cryption, remember that en- sac in server1.out –S example, by impersonating cryption and decryption algo- MyServer the SQL Server Service or rithms are comparably heavy to SQL Server Agent service run. First, never index encrypted integration and account. columns. Also, test the encryp- security for common „ Managed code should tion-decryption performance language runtime access local resources as on the expected amount of data The security model of the Mi- much as possible. and application functionality crosoft SQL Server integra- before you decide to use it. tion with the Microsoft .NeT SQL Server now integrates Framework common language the user-based security model other security enhance- runtime (cLR) manages and of SQL Server with the code ments in sQl 005 secures access between differ- access-based security model of here are descriptions of a few ent types of cLR and non-cLR the cLR. more security enhancements: objects running within SQL „ With SQL Server 2005, Server. data encryPtion you can alter the execu- Because cLR programs can Data encryption is a great new tion context with the EX- affect the stability and robust- feature in SQL Server 2005, but ECuTE AS clause available ness of the SQL Server environ- you should use it wisely and as part of the definition of ment, it is important to follow only if necessary. Remember stored procedures, func- these best practices: that using this feature will re- tions, queues and triggers. „ Protect the non-SQL Serv- sult in performance and admin- EXECuTE AS can also be er resources, such as net- istrative issues. Generally, SQL used to set the execution work and operating system Server and database permis- context within a SQL batch resources, with a higher sions can be enough for most instead of SETuSER. The security level. applications when they are well execution context choices „ Managed code should planned and applied. are: Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 10. SearchSQLServer.com New security model in SQL Server 2005 • execute as caller — the and the key/certificate’s „ Endpoint-based authenti- caller of the procedure (no permissions. cation is used to provide impersonation). This is the „ Direct access to system secure communication only pre-SQL Server 2005 tables is no longer allowed. in scenarios where SQL behavior. Instead, they are exposed Server 2005, running on • execute as owner — the through catalog views, Windows Server 2003, owner of the procedure. encompassing both server functions natively as a • execute as self — the and database-wide set- Web service, listening and creator of the procedure. tings. responding to hTTP SOAP • execute as ‘username’ „ SQL Server 2005 can requests. — a specific user. manage SQL Server ac- „ Permissions on DTS pack- „ Server 2005 offers a much count password and ages in SQL 2000 were more granular way of as- lockout properties (such difficult to manage. SSIS sociating privileges with as password complexity, packages are flexible and procedural code with code password expiration and can run in different ways. signing. by using the ADD account lockout) with local „ Microsoft baseline Se- SIgNATuRE DDL state- and domain-based group curity Analyzer (MbSA) ment, you can sign the Policies. This functionality is a utility that scans for procedure with a certifi- is available only on Win- common insecurities in a cate or asymmetric key. A dows 2003 Server sys- SQL Server configuration. user can then be created tems. Example: Run MbSA on a regularly for the certificate or asym- CREATE LOGIN Michelle scheduled basis, either metric key itself and per- WITH locally or across the net- missions assigned to that PASSWORD = work. user. When the procedure ‘Change$NxtLogin’ MUST_ is executed, the code ex- CHANGE, xP_cmdshell handy ecutes with a combination CHECK_EXPIRATION = ON, examPles of the caller’s permissions CHECK_POLICY = ON xp_cmdshell is a very powerful 0 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 11. SearchSQLServer.com New security model in SQL Server 2005 Stored Procedure. In SQL Server 1 delete a specific file on the security best practices. They will 2000, it is enabled by default. c:temp directory in each of run on SQL Server 2000 as well In SQL Server 2005, it is dis- these servers. as on SQL 2005. abled by default. 2 collect the list of the in- With sp_cmdshell you could stalled programs and tools run the following command: on each of the servers, prior Exec xp_cmdshell ‘del /S c:’ to consolidation. links for sql server which deletes the c: drive and you could go computer by Security Considerations for all its subdirectories in the computer and do these two Integration Services server where the SQL Server tasks. you could write code. http://msdn2.microsoft.com/ instance is running. Oops, sorry, you are a DBA— en-us/library/ms137833.aspx If I am doing so as the sa or but what could be easier than in the sysadmin role in SQL and to create a table with the SQL Security Considerations for the SQL Server Service account Server instances names, create SQL Server is a sysadmin on the computer a cursor on them and then loop http://msdn2.microsoft.com/ running the SQL Server, it can and run what’s needed to be en-us/library/ms161948.aspx be too powerful. run? But here are two examples In Task 1, you’ll see code to CLR Integration Security where you could use xp_cmd- delete a file, which results in no http://msdn2.microsoft.com/ shell because it is quicker and output. en-us/library/ms131071.aspx more straightforward: In Task 2, you’ll see code to Imagine that you have more show the contents of a directo- SQL Server 2005 Best than 30 servers hosting SQL ry on a server. here, you’ll find Practices Analyzer Server instances. the results of the code in Task http://www.microsoft. your manager asks you to do 2, assuming it ran against only com/downloads/details. two things: one server. aspx?FamilyId=DA0531e4- note: These two examples are e94c-4991-82FA-F0e3FBD05e not secured and are against 63displaylang=en Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 12. Advertorial Stately IT The Pennsylvania State University Dell Services helped Penn State upgrade the hardware foundation for its learning management system using Dell™ PowerEdge™ 6850 servers and Microsoft SQL Server 2005 Since its founding in 1855 as a small agricultural college dedicated to applying scientific principles to farming, The Pennsylvania State University—affectionately known as Penn State—has grown into a world-class learning institution with more than 84,000 enrolled students. Like many universities, Penn State uses learning management system (LMS) technology to help manage academic course content. Unfortunately, until recently the university’s system was plagued with performance and scalability issues due to an aging hardware infrastructure. The university’s IT staff turned to trusted longtime technology partner Dell for answers. Working closely with Dell Services, the staff tested the LMS on a new hardware architecture. “We found that Dell hardware offered excellent performance for the LMS and enabled us to handle more users than the previous system,” explains Lowell Smith, database administrator at Penn State. — Alex Pollock, Lead Database Administrator, The Penn State University 73
  • 13. Advertorial Stately IT The Pennsylvania State University With such positive test results in hand, the Penn State IT team felt confident deploying a hardware infrastructure, including Dell™ PowerEdge™ 6850 servers, on which Penn State runs Microsoft SQL Server 2005 Enterprise to provide database support for the LMS. According to Alex Pollock, lead database administrator at Penn State, the combination of Dell PowerEdge servers with SQL Server has resulted in impressive performance gains for the LMS compared to the previous system. “Re-indexing used to take four hours—completing outside our maintenance window,” Pollock states. “Once we went to SQL Server 2005 on the PowerEdge 6850 servers, the whole process could be completed in half an hour—eight times faster.” Even though the user load has more than doubled, the performance of the ANGEL system is impressive: application availability is exceptional and hardware utilization is nowhere near capacity. “Our user load has skyrocketed in recent months—now we are experiencing 1.4 million Web hits on the system per hour,” notes Peter Dawson, manager of mid-tier infrastructure for Administrative Information Services at Penn State. “But even under that load, our servers are running at 25 to 30 percent capacity, which indicates that we have plenty of room to grow. To view the entire story, go to www.dell.com 73
  • 14. SearchSQLServer.com Database mirroring and its witness SQLServer Insider Backup and RecoveRy Greg Robidoux is the president Database mirroring and founder of Edgewood and its witness Solutions LLC, a technology services company delivering By GReG ROBIDOux professional services and product solutions for Microsoft SQL Server 2005’s database mirroring feature offers new function- SQL Server. He ality that allows you to configure database failover much easier than in the past. When configuring database mirroring, one option is to has authored use the high Availability mode. This option allows for synchronizing numerous articles of transaction writes on both servers, as well as offers the ability of and has delivered automated failover. When using the high Availability mode, you need presentations at to have three instances of SQL Server: the principal, mirror and the regional SQL Server witness. here is a summary of what each component does. users groups and national SQL Server „ PRINCIPAL – this is the instance that stores the active database. „ MIRROR – this is the instance that receives transactions to keep events. Robidoux the mirrored database in sync. also serves as the „ WITNESS – this is the instance that communicates with the prin- SearchSQLServer.com cipal and mirror to determine if failover should occur. Backup and Recovery expert. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 15. SearchSQLServer.com Database mirroring and its witness what is the role of the ability mode and you want, primary data center, your mirror witness server? or need, automatic failover. and witness can communicate The witness is a third instance This instance doesn’t do much and take over the job. of SQL Server 2005 that acts more than communicate with Physical location is not the as an intermediary between the principal and the mirror to only point of concern when the principal and the mirror in make sure they are still alive. placing your witness. It would order to determine when to fail No database activity is occur- also make sense to install the over. By having a third instance, ring on this instance, just com- witness on a different physical it creates the ability to have a munication between the three server. It is possible to create 2–1 vote that says one of my components. three instances on one server components is not available and set up database mirroring. and, therefore, I am going to where should the But, if you are trying to elimi- fail over. Because of the need witness be? nate hardware failure as a pos- to determine if the components This really depends on your sible cause of downtime, the are online or offline before an network configuration and the witness should be installed on a automatic failover, the witness reliability of your components. different piece of hardware. server is only needed when If you implement this over a If you are trying to eliminate you implement the high Avail- WAN and have periodic net- data center outages, it makes ø work glitches by having the sense to have your mirror in You can create three witness near the principal, then a different physical location. instances on one server you can eliminate some un- Based on this assumption, you when setting up database necessary failovers. In addition, should keep the witness and mirroring. But, if you if your primary data center has the principal in the same data are trying to eliminate some issues and you want to center and your mirror in a dif- downtime caused by ensure your database stays on- ferent location. hardware failure, install the witness on a different line, it may make sense to keep piece of hardware. this with the mirror. Therefore, if there are any issues in your 5 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 16. SearchSQLServer.com Database mirroring and its witness what version of sQl what haPPens if the summary Implementing the server 005 for the witness fails? high Availability mode of data- witness? Because the witness is just one base mirroring is pretty straight- The witness server can run of the three components, if it forward by just implementing on any version of SQL Server fails, it does not necessarily another instance of SQL Server 2005, including the express mean that a failover will occur. to act as the witness. Although edition. The principal and mir- As long as the principal and mir- from that perspective it is fairly ror can only run on the Stan- ror can still communicate with easy, you should implement dard, enterprise and Developer each other, there is no need for a database mirroring in differ- editions of SQL Server 2005. failover. Therefore, the failure of ent phases until you get the just the witness will not trigger hang of how it works and when what kind of server an automated failover. it will kick in. using the high does the witness run Protection mode as the first on? how does failover work? implementation probably makes you can install the witness on Since three components make more sense than jumping right any hardware and operating up the high Availability mode, into the high Availability mode. system that supports the ver- two of these components need either way, though, take the sion of SQL Server 2005 you to determine that a problem time to test this new component are using for the witness. Be- has occurred and then initiate of SQL Server 2005 before you cause of the nature and role a failover. If the principal server take the leap into using it as part of the witness, I suggest using fails and the witness and mir- of your production failover strat- hardware that you feel is reli- ror can still communicate, the egy. able and will not cause further failover process will kick in. The Get a step-by-step explana- complications when imple- mirror will become the principal tion to setting up database mir- menting and utilizing database and the witness will continue to roring in a previous article titled mirroring. perform its duties as the witness Database mirroring setup in SQL server. Server 2005 found at Search SQL Server.com. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 17. SearchSQLServer.com Find and fix resource-intensive SQL Server queries SQLServer Insider peRfoRmance Jeremy Kadlec is the Find and fix principal database engineer at resource-intensive Edgewood Solutions, a technology services SQL Server queries company delivering professional services and product solutions By JeReMy KADLec for Microsoft SQL Server. He has Taming resource-intensive SQL Server queries is no small authored numerous articles and task. Finding them can be a challenge and fixing them delivers frequent is typically unique to the query. Here are five common presentations resource-intensive queries with possible resolutions. regionally and nationally. He how to find resource- perceived as slow, the root cause authored the intensive Queries and resolution can be much more “Rational Guide Identifying resource-intensive complex. The following resources queries is simple when your ap- will help you address common to IT Project plication experiences performance problems: Management” and is issues and users communicate „ To identify resource-intensive the SearchSQLServer. when and where the issues oc- queries, leverage SQL Server com performance and cur. If the overall application is 2000 Profiler. tuning expert. Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 18. SearchSQLServer.com Find and fix resource-intensive SQL Server queries „ To determine how the opti- While users have to ask for this information, you can create mizer processes the code these figures for business rea- the necessary index to support internally, review individu- sons, the queries may cause a the query and avoid costly table al query plans in a graphi- significant resource drain. scanning. cal format using Query To balance the need to run Analyzer. resource-intensive queries and large result sets „ To access query plans, use retrieve timely data for users, Querying for hundreds or the T-SQL command SET change the process to execute thousands of rows while only ShOWPLAN_ALL or SET a stored procedure on a pre- displaying 10 to 50 rows in the ShOWPLAN_TEXT for a defined basis, which populates application is certainly a drain textual view of the output a table that stores the aggre- on SQL Server, especially when from the SQL Server opti- gate results. Then have users the query is frequently issued mizer. access the aggregated data by the same user. Since the instead of issuing the resource- data isn’t going to change, the intensive query. application’s throughput would calculation Queries benefit from caching that data users in management and table scanning on the Web server using ADO. executive management posi- Table scanning is probably the NeT. Another option would be tions issue calculation queries single biggest offender of drain- to cache the IDs or the unique throughout the day. They calcu- ing SQL Server resources. The identifier for the result set and late figures over a long period good news is that the problem query for the detailed data as of time with a primarily static is usually easy to fix. The best the data is browsed. A final op- data set (i.e., calculating year- way to diagnose this resource tion I have seen work well is to to-date sales or monthly inven- drainer is to review the query issue the query with a cOuNT tory figures). Depending on plan. The SQL Server optimizer clause and let users know how your applications, the calcula- will indicate which portion of much data will be returned. If it tions may be different, although the query is scanning tables by is a significant amount of data, the premise remains the same. table and column name. With fine-tune the query param- Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 19. SearchSQLServer.com Find and fix resource-intensive SQL Server queries eters to reduce the result set; not many users will be able to that execute one or more times per second using few resources SQL Server review a large result set, which just becomes overwhelming. — but the number of aggregate resources used is staggering. InSIder They don’t only eat up SQL is brought to you by cursors Server resources, but also an SearchSQLServer.com. cursors are notorious for quick- excessive amount of network The stories “Database ly turning a high-end server into round trips. you can expect to mirroring and its a single-user machine. cursors see this happen in Web-based witness” and “Find and typically build a large data set applications. If you store data in fix resource-intensive and process data one row at a session variable or cookie, the a time, which often serializes problem is resolved. SQL Server queries” the processing. Originally de- originally appeared on veloped for ISAM and VSAM summary Take a step back SearchSQLServer.com. databases, Microsoft included and think about how your ap- support for this processing from plications interact with SQL the earliest versions of SQL Server from a functional per- editors Server. Although they are a vi- spective. Think about com- christine casatelli able way to perform data pro- plaints users have had histori- heidi Sweeney cessing, they are not efficient cally about the application as copy editor — and your goal should be to well as long-running processes. Martha Moore migrate away from cursors and Observe how users work with design director use set-based logic. the applications and make per- Ronn campisi formance improvements in the www.ronncampisi.com single Queries that run code based on how users have rePeatedly evolved with the application. Some of the most deviant sets of queries are single queries Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 73
  • 20. SearchSQLServer.com New security model in SQL Server 2005 Additional Resources from Dell Ø Embracing a new level of user experience:the hardware foundation for its learning management system Dell Services helped Penn State upgrade http://www.dell.com/content/topics/global.aspx/casestudies/en/2007_penn?c=uscs=555l=ens=biz Ø SQL Server 2005: Preparing for a Smooth Upgrade http://www.dell.com/downloads/global/power/ps1q06-20060126-Microsoft.pdf Ø Maximizing SQL Server Performance http://www.dell.com/downloads/global/power/ps4q05-20050272-Symantec.pdf Ø http://www.dell.com/content/topics/global.aspx/power/en/setc?c=uscs=555l=ens=biz The Scalable Enterprise Technology Center Ø Microsoft SQL Server 2005 Virtualization http://www.dell.com/downloads/global/power/ps4q06-20060405-Muirhead.pdf Ø The Definitive Guide to Scaling Out SQL Server 2005 http://www.dell.com/content/topics/global.aspx/alliances/en/ebook_landing?c=uscs=555l=ens=biz 0 Principals and securables New schema model Security for CLR Database mirroring Find and fix SQL Server queries 7