17730_sql server security

Upload: damannaughty1

Post on 14-Apr-2018


TRANSCRIPT

  • 7/29/2019 17730_SQL Server Security

    1/42

    SQL SERVER 2008 SECURITY


    Security isn't about guaranteeing a completely attack-proof system. It's about ensuring that you take the necessary steps to minimize the scope of the attack.


    SQL Server Authentication Modes

    Microsoft SQL Server 2008 offers two options for authenticating users.

    The default mode is Windows Authentication Mode, which offers a high level of security by using the operating system's authentication mechanism.

    Windows Authentication Mode provides greater security than SQL Server Authentication. The benefits of using Windows Authentication Mode include reduced administrative overhead for your SQL or database administrators, who can use accounts that already exist, and the ability to use stronger authentication protocols, such as Kerberos.


    The other option, SQL Server and Windows Authentication Mode (also known as Mixed Mode), allows both Windows-based and SQL-based authentication.

    Mixed Mode authentication allows you to create logins that are unique to the SQL Server and do not have a corresponding Windows account.

    This can be helpful for applications that require users who are not part of your enterprise to be able to authenticate and gain access to securables in your database.


    Changing the Authentication Mode from Management Studio

    To change the authentication mode from the Management Studio,

    follow these steps:

    1. Launch SQL Server Management Studio.

    2. In Object Explorer, select your server.

    3. Right-click your server and select Properties.

    4. Under the Select a page pane, select Security.

    5. Under the heading Server authentication, select or review the appropriate authentication mode.


    Using the xp_instance_regwrite Extended Stored Procedure

    You can also change the authentication mode using the xp_instance_regwrite extended stored procedure, as long as you have administrative permissions on the local server.

    The following example shows you how to change the authentication mode to SQL Server and Windows Authentication Mode:

    USE master
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
        N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 2


    You can also change the authentication mode to Windows Authentication Mode by changing the DWORD value to 1:

    USE master
    EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
        N'Software\Microsoft\MSSQLServer\MSSQLServer', N'LoginMode', REG_DWORD, 1
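    To confirm which mode is configured and which one the running instance actually enforces, a sysadmin can run the check below. It is an added example, not part of the original slides; it assumes the undocumented xp_instance_regread procedure is available and relies on the fact that a LoginMode change in the registry only takes effect after the SQL Server service restarts.

```sql
-- Added example (not from the original slides).
-- Compare the LoginMode value stored in the registry with the mode the
-- running instance enforces, to spot a change that is waiting for a restart.
USE master;
GO
DECLARE @configured int, @running int;

-- Value written by xp_instance_regwrite: 1 = Windows only, 2 = Mixed Mode.
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'LoginMode',
     @configured OUTPUT;

-- IsIntegratedSecurityOnly: 1 = Windows Authentication, 0 = Mixed Mode.
SET @running = CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
                    WHEN 1 THEN 1 ELSE 2 END;

SELECT
    CASE @configured WHEN 1 THEN 'Windows Authentication'
                     WHEN 2 THEN 'Mixed Mode'
                     ELSE 'Unexpected or unreadable value' END AS configured_mode,
    CASE @running    WHEN 1 THEN 'Windows Authentication'
                     ELSE 'Mixed Mode' END                      AS running_mode,
    CASE WHEN @configured IS NULL    THEN 'Could not read the registry value'
         WHEN @configured = @running THEN 'In effect'
         ELSE 'Restart of the SQL Server service pending' END   AS status;

-- In Mixed Mode the built-in sa login accepts password logins, so review it.
IF @running = 2
    SELECT name, is_disabled, is_policy_checked, is_expiration_checked
    FROM   sys.sql_logins
    WHERE  sid = 0x01;   -- sa keeps SID 0x01 even if it has been renamed
```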


    Principals

    The term principal is used to describe individuals, groups, and processes that will interact with the SQL Server.

    The resources available to a principal are dependent on where the principal resides.

    Microsoft SQL Server supports several different types of principals defined at three different levels: the Windows level, the SQL Server level, and the database level.


    To create some local Windows accounts:

    1. From the Start Menu, right-click My Computer and select Manage.

    2. In the Computer Management window, expand Local Users and Groups

    3. Right-click the Users folder and select New User.

    4. In the User Name box, enter Roy.

    5. In the Password and Confirm Password boxes, enter P@ssw0rd.

    7. Click Create.


    Logins

    Microsoft SQL Server 2008 offers two kinds of logins for authentication.

    Windows logins are associated with user or group accounts stored in Active Directory or the local Security Accounts Manager (SAM) database.

    Active Directory: stores information and data about networks and domains.

    SAM: stores user accounts and security descriptors for users on the local computer.

    SQL logins are used to represent an individual or entity that does not have a Windows account and, therefore, must rely on the SQL Server for storage and management of account information.

    Windows logins, whether they represent an individual or a group, are bound by the password policy.

    When a login is created for a Windows user or group, no password information is stored in the SQL Server.


    Windows logins are also authenticated prior to connecting to the SQL Server.

    This means that Active Directory or the operating system will have already verified the principal's identity.

    When a Windows login is created for a group, all members of that group have the ability to authenticate against the SQL Server without having to create separate logins for each user.

    SQL Server logins, however, must authenticate against the SQL Server. This makes the SQL Server responsible for verifying the user's identity.

    SQL Server stores the login and password information in the master database.


    Creating Logins in Management Studio

    1. From the Object Explorer, expand your server.

    2. Expand the Security folder.

    3. Right-click Logins and select New Login.

    4. In the New Login dialog box, either type the Login name you want to add, or click the Search button to browse for a Windows account.

    5. If you are creating a SQL Login, select the SQL Server authentication radio button.

    6. Also, when you select SQL Server authentication, you can choose to not enforce the password policies.

    7. You may also want to change the user's default database and language.


    Creating Logins Using T-SQL:

    You can use the CREATE LOGIN statement.

    CREATE LOGIN allows you to create either Windows or SQL logins.

    It replaces two stored procedures that were used in previous versions of SQL, sp_grantlogin and sp_addlogin.

    Use the following format for the CREATE LOGIN statement:

    CREATE LOGIN [name] {WITH | FROM }

    The next slide shows the options available with this statement.

    CREATE LOGIN alice WITH PASSWORD = 'abcd' HASHED


    PASSWORD = 'password':

    Creates a new password for SQL logins. If this value is already hashed, use the HASHED option. Passwords are case-sensitive.

    HASHED:

    When a password is created for a SQL login, the password is stored in the database using a one-way hashing algorithm. This provides several benefits. Because the password is not stored in plaintext, it cannot be read by simply querying a system view. Because the hashing process is one-way, the password cannot be extrapolated from the hash value.

    MUST_CHANGE:

    Requires the user to change his or her password at the next login. This is valid for SQL logins only. CHECK_POLICY and CHECK_EXPIRATION must be set to ON for this to work.

    SID = sid:

    Allows you to manually specify a SID (Security Identifier) for a new user. If this value is left blank, the SID will be automatically generated.


    DEFAULT_LANGUAGE = language

    Assigns the default language for the login. If not specified, the default language of the server at the time the login was created will be used.

    CHECK_POLICY = { ON | OFF }

    This is often a favorite option for the CREATE LOGIN statement. It allows you to apply your Windows-based password policies to SQL logins. When Microsoft SQL Server 2008 is installed, this is ON by default.

    CHECK_EXPIRATION = { ON | OFF }

    A complement to the CHECK_POLICY option, this allows your Windows-based password expiration policy to also apply to SQL logins. If CHECK_POLICY is ON, then this will default to ON. Otherwise, the default value is OFF.
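    The options above can be checked on an existing instance. The following is an added example, not part of the original slides: it creates a SQL login with the policy options switched on and then lists SQL logins that escape the policy or carry a trivially guessable password. The login names and the password literal are constructed placeholders, and reading password_hash requires CONTROL SERVER permission.

```sql
-- Added example (not from the original slides). Login names and the
-- password literal are constructed placeholders; substitute your own.
USE master;
GO
-- Weak form, shown for contrast only: the Windows password policy is bypassed.
--   CREATE LOGIN ReportSvc WITH PASSWORD = '<password>', CHECK_POLICY = OFF;

-- Hardened form: policy and expiration enforced, and the user must pick a
-- new password at first login (MUST_CHANGE needs both checks set to ON).
CREATE LOGIN ReportUser
    WITH PASSWORD = N'<replace-with-strong-passphrase>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Audit: SQL logins exempt from policy or expiration, or whose password is
-- blank or identical to the login name.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change,
        LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
        CASE WHEN PWDCOMPARE(N'', l.password_hash) = 1
                  THEN 'blank password'
             WHEN PWDCOMPARE(l.name, l.password_hash) = 1
                  THEN 'password equals login name'
             ELSE NULL END                           AS password_finding
FROM    sys.sql_logins AS l
WHERE   l.is_policy_checked = 0
   OR   l.is_expiration_checked = 0
   OR   PWDCOMPARE(N'', l.password_hash) = 1
   OR   PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY l.name;
```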


    Managing Logins

    SQL Server Management Studio includes several property sheets to configure logins.

    From the General property sheet, you can change the following attributes:

    Password

    Password Policy

    Password Expiration

    Force the user to change the password at the next login

    Default Database

    Default Language

    ALTER LOGIN name { | WITH }


    CREDENTIALS

    A credential is a record that contains the authentication information required to connect to a resource outside of SQL Server, mapping SQL Server logins to external Windows accounts.

    Credentials can be configured as a one-to-one mapping, or a many-to-one mapping, allowing multiple SQL Server logins to use one shared Windows account for external access.

    One login can now be associated with multiple credentials.


    Creating a New Credential

    To create a new credential, follow these steps:

    1. In Object Explorer, expand your server.

    2. Expand the Security folder.

    3. Right-click Credentials and select New Credential.

    4. Type a name for the credential.

    5. Either type the name of a Windows account, or click the ... button to browse for an account.

    6. Enter the password for the account.

    7. Re-enter the password to confirm.

    8. Click OK.


    Using Transact-SQL:

    You can use the CREATE CREDENTIAL statement as an alternative means to create a new SQL credential object. The syntax is as follows:

    CREATE CREDENTIAL name WITH IDENTITY = 'identity_name' [, SECRET = 'secret']

    The ALTER CREDENTIAL statement can be used to alter the name of the credential, the identity it's associated with, and the password.

    Once the credential is no longer needed, it can be removed with the DROP CREDENTIAL command, as follows:

    DROP CREDENTIAL name

    Example:

    USE master
    -- Store the Windows account and its password as a credential
    CREATE CREDENTIAL StreetCred
        WITH IDENTITY = 'AughtFive\CarolStreet',
        SECRET = 'P@ssw0rd';
    GO

    You can then associate Carol's SQL Server login with the StreetCred credential:

    ALTER LOGIN Carol WITH CREDENTIAL = StreetCred;
    GO


    Server Roles

    Microsoft SQL Server 2008 includes a number of server-level roles that are available to simplify management for SQL logins.

    These are often referred to as fixed server roles because membership is the only thing you can really change about these roles.

    The fixed server roles are designed to allow you to automatically assign a common set of permissions to a login, based upon the purpose of the role.


    To add a login to a fixed server role, use the sp_addsrvrolemember stored procedure.

    sp_addsrvrolemember [ @loginame = ] 'login' , [ @rolename = ] 'role'

    Simply provide the login name and the role name. Example:

    USE master
    CREATE LOGIN Ted WITH PASSWORD = 'P@ssw0rd';
    GO
    EXEC sp_addsrvrolemember 'Ted', 'securityadmin';
    GO

    Use sp_dropsrvrolemember to remove a login from a fixed server role.

    USE master
    EXEC sp_dropsrvrolemember 'Ted', 'securityadmin';
    GO
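    Because membership is the only adjustable part of a fixed server role, reviewing that membership is the main control. The query below is an added example, not part of the original slides; it lists who holds sysadmin or securityadmin and then checks the login Ted from the example above.

```sql
-- Added example (not from the original slides).
-- List the members of the two most powerful fixed server roles.
-- securityadmin can grant server-level permissions, so its members
-- deserve the same scrutiny as sysadmin members.
USE master;
GO
SELECT  r.name       AS server_role,
        m.name       AS member_login,
        m.type_desc  AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        m.is_disabled,
        m.create_date,
        CASE WHEN m.type_desc = 'WINDOWS_GROUP'
                  THEN 'Group: effective members are managed outside SQL Server'
             WHEN m.type_desc = 'SQL_LOGIN'
                  THEN 'Password login: confirm CHECK_POLICY is ON'
             ELSE NULL END AS review_note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.type_desc, m.name;

-- Spot-check one login: 1 = member, 0 = not a member, NULL = invalid name.
SELECT IS_SRVROLEMEMBER('securityadmin', 'Ted') AS ted_is_securityadmin;
```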


    Database Users

    Database users are another component of the security model employed by Microsoft SQL Server 2008.

    Users are granted access to database securables, either directly or through membership in one or more database roles.

    Users are also associated with ownership of objects such as tables, views, and stored procedures.

    When a login is created, unless it is a member of a fixed server role with database administrative privileges, that login has no explicit permissions within the various databases attached to the server. When this happens, the login is associated with the guest database user, and inherits the permissions of that user account.

    Note that the user name does not have to match the login name.

    Extended Properties page, which allows you to designate or view

    additional metadata information about this user.


    CREATE USER:

    The CREATE USER statement can also be used for creating new database users.

    CREATE USER offers more options over how the user is created than the GUI allows.

    Each database has two users created by default.

    Dbo user:

    The dbo user (also known as the database owner) has all rights and privileges to perform any operation in the database.

    Members of the fixed server role, sysadmin, as well as the sa account, are mapped to dbo.

    Any object created by a sysadmin is automatically owned by dbo.

    The dbo user is also the owner of the default schema, also called dbo.

    The dbo user cannot be deleted.


    Guest user:

    The guest account is also present in every database, but is disabled by default.

    The guest account is commonly used when a person has login access to the SQL Server, but no user access to a database.

    If the database has a guest account, and it is enabled, then the login will connect to that database with guest access.

    guest is a member of the public role, and has all of the permissions assigned to that role, but can be granted explicit permissions to securables as well.
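    Whether guest is enabled comes down to whether it holds CONNECT permission in a database. The script below is an added example, not part of the original slides; it walks every online database, reports where guest can connect, and shows the statement that disables it, using AdventureWorks from the slides as the target.

```sql
-- Added example (not from the original slides).
-- Report every online database in which the guest user holds CONNECT.
-- master and tempdb are expected in the result: guest cannot be
-- disabled there.
DECLARE @db sysname, @sql nvarchar(max);

CREATE TABLE #guest_access (database_name sysname NOT NULL);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against unusual characters in database names.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #guest_access (database_name)
        SELECT DB_NAME()
        FROM   sys.database_permissions AS dp
        JOIN   sys.database_principals  AS pr
               ON pr.principal_id = dp.grantee_principal_id
        WHERE  pr.name = N''guest''
          AND  dp.permission_name = N''CONNECT''
          AND  dp.state IN (''G'', ''W'');';   -- GRANT or GRANT WITH GRANT OPTION
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT database_name FROM #guest_access ORDER BY database_name;
DROP TABLE #guest_access;
GO

-- Disable guest in a user database by removing its CONNECT permission.
USE AdventureWorks;
REVOKE CONNECT FROM guest;
GO
```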


    CREATE USER name [{{FOR | FROM} source | WITHOUT LOGIN}] [WITH DEFAULT_SCHEMA = schema_name]

    You can also use the ALTER USER statement to make changes to a user account.


    USE master;


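    -- Create a login for an existing Windows account
    CREATE LOGIN [AughtFive\ab] FROM WINDOWS;
    GO

    -- Map the login to a database user with a default schema
    USE AdventureWorks;
    CREATE USER Bill FOR LOGIN [AughtFive\ab]
        WITH DEFAULT_SCHEMA = sales;
    GO

    -- Rename an existing user
    USE AdventureWorks;
    ALTER USER SalesSecurity
        WITH NAME = SalesSchemaSecurity;
    GO

    -- Change a user's default schema
    USE AdventureWorks;
    ALTER USER Bill
        WITH DEFAULT_SCHEMA = Production;
    GO

    -- Remove the user from the database
    USE AdventureWorks;
    DROP USER Bill;
    GO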


    Fixed Database Roles

    Every SQL database has a list of fixed database roles that allow you to delegate permissions to users as necessary.

    As with the fixed server roles, membership is the only thing you can change about these roles.

    User-defined database roles offer greater control over managing permissions and access to resources within a database.

    You can create user-defined roles that allow you to control access to securables for an entire collection of users at once.

    You can create a database role to identify a group of users, all of whom need access to a common set of resources, or you can use roles to identify the permissions being granted to a securable in the database.

    Regardless of the purpose of your role, its function should be clearly identified by the name of the role.


    Creating a New User-Defined Database Role in Management Studio

    Database > Security > Roles > Database Roles > New Database Role

    In the New Role dialog box, you are prompted to provide a name for the role. Click Add to add members to that role.

    You can also select existing schemas that will be owned by this role, and add users as members to this role.

    In addition to the General property sheet, you also have the Securables page and the Extended Properties page, which you can use to assign permissions or set additional attributes, respectively.


    CREATE ROLE


    When using the CREATE ROLE statement, you can also specify the

    owner of the role.

    USE AdventureWorks
    CREATE ROLE SalesStaff
        AUTHORIZATION Ted;
    GO

    DROP ROLE rolename will let you remove a role from the database once it is no longer needed:

    USE AdventureWorks
    DROP ROLE SalesStaffRole;
    GO


    The following example adds the database user Ted to the db_datareader role:

    USE AdventureWorks
    EXEC sp_addrolemember 'db_datareader', 'Ted';
    GO

    To remove Ted from the db_datareader role, use the following stored procedure:

    USE AdventureWorks
    EXEC sp_droprolemember 'db_datareader', 'Ted';
    GO
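    A user-defined role lets you grant narrower access than db_datareader, which allows SELECT on every table in the database. The script below is an added example, not part of the original slides: the role name SalesReaders is hypothetical, while AdventureWorks, its Sales schema and the database user Ted come from the slides' own examples and are assumed to exist.

```sql
-- Added example (not from the original slides).
-- SalesReaders is a hypothetical role name; the database user Ted is
-- assumed to exist in AdventureWorks.
USE AdventureWorks;
GO
-- Name the role after its purpose and keep ownership with dbo.
CREATE ROLE SalesReaders AUTHORIZATION dbo;
GO
-- Scope the grant to one schema instead of the whole database.
GRANT SELECT ON SCHEMA::Sales TO SalesReaders;
GO
-- Move Ted from the broad fixed role to the scoped role.
EXEC sp_addrolemember 'SalesReaders', 'Ted';
EXEC sp_droprolemember 'db_datareader', 'Ted';
GO

-- Verify membership: which users belong to which database roles.
SELECT  r.name AS database_role,
        m.name AS member_user
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- Verify permissions: what the new role has actually been granted.
SELECT  pr.name             AS grantee,
        pe.state_desc,
        pe.permission_name,
        pe.class_desc,
        CASE WHEN pe.class_desc = 'SCHEMA'
                  THEN SCHEMA_NAME(pe.major_id) END AS schema_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pr.name = N'SalesReaders';
```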