SQL Server Security Basics
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Objectives
Understand potential data threats and how SQL Servers design protects against them Learn about SQL Server and Windows integrated authentication See how SQL Server provides an authorization system to control access to data and objects
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Agenda
Security Overview Authentication Authorization
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Security Overview
Relational data is a tempting target for attackers SQL Server 2008 provides plenty of features to secure your data and server
Need to understand the threats
Match countermeasures to the threats
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�The Threats
Identifying threats is a critical first step
Type of data will probably influence security measures
Sometimes the best way to protect data is to never put it in a database Typical threats
Theft of data Data vandalism Protecting data integrity Illegal storage
Understand threats to protect against them
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Security Design Philosophy
Trustworthy Computing memo, 2002 Four pillars of security design
Secure by design Secure by default Secure in deployment Secure through communications
Its just secure
Implications throughout the product SQL Server is reasonably secure out of the box Your job is to keep it secure
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�The Two Stages of Security
Similar to Windows security
Authentication: who are you? Authorization: now that we know who you are,
what can you do?
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Key SQL Server Security Terms
Authentication Authorization Group Impersonation Login Permission Principal Privilege Role User
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Agenda
Security Overview Authentication Authorization
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Authentication
Process of verifying that a principal is who or what it claims to be
SQL Server has to uniquely identify principals in order to
authorize
Two paths to authentication
Windows authentication SQL Server authentication
Authentication modes
Mixed Mode Authentication Windows Only Authentication Mode
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Windows Integrated Authentication
SQL Server assumes a trust relationship with Windows Server
Windows does the heavy lifting for authentication The SQL Server checks permissions on the principal
Advantages
Single user login Auditing features Simplified login management Password policies
Changes only take effect when user connects
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Configuring SQL Server Security Settings
Select either when install or later Settings apply to all databases and server objects in an instance of SQL Server Changing modes after installation may or may not cause problems
Windows to Mixed
Mixed to Windows
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�SQL Server Authentication
Client applications must provide login credentials as part of connection string Logins stored in SQL Server Windows authentication stronger
But must use SQL Server authentication with old
versions of Windows, non-Windows systems
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Windows and SQL Server Logins
SQL Server logins are not stored in Windows
Disabled if you select Windows authentication
Mixed mode is much more flexible
But less secure
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Beware of the sa Login
System administrator login Mapped to sysadmin fixed server role Conveys full system administrator privileges Cannot modify or delete Must use a strong password! Use only as access of last resort NEVER use sa for database access through client applications
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Password Policy and Enforcement
Before SQL Server 2005, no enforcement of passwords for SQL Server logins
No minimum strength No expiration policy
SQL Server now hooks into Windows password policy
Windows Server 2003, Vista, and later versions NetValidatePasswordPolicy API method
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Contained Databases
Not a security feature per se
But introduces a new authentication scheme
Solves problem of moving databases
Past: move database plus external dependencies Contained databases solves associated problems
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Contained Databases Authentication
Can create a SQL user with a password Windows user in database Not associated with a login Authenticate against contained database
Get a token for that database only
Security boundary is tightly scoped
If authentication fails at database, doesnt fall back to duplicate login, if any
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Contained Databases Authentication
Connection Request Matching user in database ?
Yes
Password match?
Yes
SQL Server No
Initial catalog specified?
Yes
Initial catalog contained?
Yes
Authentication type?
Authentication failure No
Matching principal in database ?
No No
Permission in database ?
Yes
No
No
Windows
Matching login or group?
Yes
Yes
No
Server-level authentication
Database authentication
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Agenda
Security Overview Authentication Authorization
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Authorization
Principals: user or process allowed to access securable objects Securables: protected resource Permissions: type of access
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Principals
Windows-level principals
Windows Domain Login Windows Group Windows Local Login
SQL Server-level principals
SQL Server Login SQL Server Login mapped to a certificate SQL Server login mapped to a Windows login SQL Server Login mapped to an asymmetric key Application Role Database Role Database User Database User mapped to a certificate Database User mapped to a Windows login Database User mapped to an asymmetric key Public Role
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
Database-level principals
�Principals
Scope of a principal determines scope of permission Principal can be a login, user, or role
Roles are analogous to Windows groups
Users in role inherit roles permissions Simplify security management
Types of roles
Fixed server roles User-defined server roles Fixed database roles User-defined database roles
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Fixed Server Roles
Cannot alter, even to add new ones, except to add logins to a role Server roles
System administrator Bulk insert administrator Database creator Disk administrator Process administrator Server administrator Setup administrator Security administrator
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�User-Defined Server Roles
Long awaited security feature
Long have had user-defined database roles But nothing at the server level
Used to be, only way to grant some permissions was through a fixed server role SQL Server 2012 solves these problems
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Fixed Database Roles
Control authorization within a database Configure each database individually Database roles
db_accessadmin db_backupoperator db_datareader db_datawriter db_ddladmin db_denydatareader db_denydatawriter db_owner db_securityadmin
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�The Public Role
Every database user assigned to this role Be very careful about granting permissions Normally restrict permissions for this role
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�The dbo (Database Owner) Role
Mapped to sysadmin fixed server role Not related to db_owner role
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�User-Defined Database Roles
Standard role Application role
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Securable Objects
Protected resource that you can control access to Physical object or action
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Securable Objects
Server Database Endpoint Remote Binding Route Server Role SQL Server Login
Database Application Role Assembly Asymmetric Key Certificate Database user Fixed Database Role Full-Text Catalog Message Type Schema Service Service Contract Symmetric Key
Schema Default Function Procedure Query Stats Queue Rule Synonym Table Trigger Type View XML Schema Collection
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
�Learn More!
This is an excerpt from a larger course. Visit www.learnnowonline.com for the full details! Learn more about about SQL Server on SlideShare
A Tour of SQL Server
Learn More @ http://www.learnnowonline.com
Copyright by Application Developers Training Company
