- 1. SQL Server Security Basics
Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company
- 2. Objectives
• Understand potential data threats and
how SQL Server’s design protects
against them
• Learn about SQL Server and Windows
integrated authentication
• See how SQL Server provides an
authorization system to control access
to data and objects
- 3. Agenda
• Security Overview
• Authentication
• Authorization
- 4. Security Overview
• Relational data is a tempting target for attackers
• SQL Server 2008 and later provide plenty of features to secure your data and server (contained databases and user-defined server roles, covered later, need SQL Server 2012)
• You need to understand the threats first
• Then match countermeasures to the threats
- 5. The Threats
• Identifying threats is a critical first step
• The type of data will influence the security measures
• Sometimes the best way to protect data is never to put it in a database
• Typical threats
  • Theft of data (disclosure)
  • Data vandalism (unauthorized modification or destruction)
  • Loss of data integrity (corrupted, inconsistent or unverifiable data)
  • Illegal storage (holding data you are not permitted to hold, or for longer than you are permitted)
• Understand the threats in order to protect against them
- 6. Security Design Philosophy
• Trustworthy Computing memo, 2002
• Four pillars of security design
• Secure by design
• Secure by default
• Secure in deployment
• Secure through communications
• “It’s just secure”
• Implications throughout the product
• SQL Server is reasonably secure out of the box
• Your job is to keep it secure
- 7. The Two Stages of Security
• Similar to Windows security
• Authentication: who are you?
• Authorization: now that we know who you
are, what can you do?
- 18. Key SQL Server Security Terms
• Authentication: verifying that a principal is who or what it claims to be
• Authorization: deciding what an authenticated principal may do
• Group: a Windows group; a login can be created for the group so that membership is managed in Windows
• Impersonation: executing under another principal's identity (EXECUTE AS)
• Login: a server-level principal that can connect to the instance
• Permission: a specific right (SELECT, EXECUTE, CONTROL, ...) on a securable
• Principal: any identity that can be granted permissions: a login, a user or a role
• Privilege: a right a principal holds; used loosely as a synonym for permission
• Role: a named set of principals that share permissions, analogous to a Windows group
• User: a database-level principal, usually mapped to a login
- 19. Agenda
• Security Overview
• Authentication
• Authorization
- 20. Authentication
• Process of verifying that a principal is who or
what it claims to be
• SQL Server has to uniquely identify principals in
order to authorize
• Two paths to authentication
• Windows authentication
• SQL Server authentication
• Authentication modes
  • Mixed Mode: both Windows logins and SQL Server logins can connect
  • Windows Authentication mode: only Windows logins can connect; SQL Server logins still exist but are refused
- 21. Windows Integrated
• SQL Server trusts Windows to authenticate the principal (Kerberos or NTLM); Windows does the heavy lifting
• SQL Server then checks whether that Windows principal, or a group it belongs to, has a login, and what that login is permitted to do
• Advantages
  • Single sign-on: no second password to manage or to embed in connection strings
  • Windows auditing and account lockout apply
  • Simplified login management: grant access to a group and manage membership in Active Directory
  • Windows password policies apply
• Caveat: group membership changes only take effect when the user next connects, because the access token is built at connection time
- 22. Configuring SQL Server Security Settings
• Select the authentication mode during setup, or change it later (SSMS: Server Properties, Security page)
• The setting applies to the whole instance: every database and server object
• Changing the mode after installation requires a restart of the SQL Server service and has side effects
  • Windows to Mixed: sa stays disabled (setup disables it when Windows-only mode is chosen); give it a strong password before you enable it, or better, leave it disabled
  • Mixed to Windows: existing SQL Server logins are kept but can no longer connect, so any application using them breaks until it is moved to a Windows login
- 23. SQL Server Authentication
• The client must present a login name and password as part of the connection string, so the secret lives in application configuration and must be protected there
• Logins and their password hashes are stored in SQL Server (master), not in Windows
• Windows authentication is stronger: Kerberos, no password in connection strings, central lockout and auditing
• SQL Server authentication is still needed when the client cannot present Windows credentials: machines outside the domain or in an untrusted domain, older Windows versions, and many non-Windows clients
• Caveat: without TLS on the connection only the login packet is encrypted; enable Force Encryption (or require encryption at the client) so the rest of the session is protected too
- 24. Windows and SQL Server Logins
• SQL Server logins are stored in SQL Server, not in Windows
• They are refused (not deleted) when the instance runs in Windows Authentication mode
• Mixed mode is much more flexible
• But less secure: a second credential store to protect, and passwords that end up in connection strings and configuration files
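The following T-SQL is an added example, not code from the original deck: it checks which authentication mode the instance is in and creates one login of each kind. The domain CORP, the group CORP\AppAdmins and the login appsvc are assumed names, and the password is a placeholder to replace with a generated secret.

```sql
-- Added example, not from the original deck. CORP\AppAdmins and appsvc are assumed names;
-- the password is a placeholder to replace with a generated secret.

-- 1. Which authentication mode is this instance in? 1 = Windows only, 0 = mixed.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only_mode;

-- 2. Windows login for a domain group: access is granted once, membership is managed in AD.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\AppAdmins')
    CREATE LOGIN [CORP\AppAdmins] FROM WINDOWS WITH DEFAULT_DATABASE = [master];

-- 3. SQL Server login for a client that cannot present Windows credentials.
--    CHECK_POLICY and CHECK_EXPIRATION make the login follow the Windows password policy.
--    In Windows-only mode the login is created but every connection attempt with it is refused.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'appsvc')
    CREATE LOGIN appsvc
        WITH PASSWORD = N'Replace-With-A-Generated-Secret-1!',
             CHECK_POLICY = ON,
             CHECK_EXPIRATION = ON,
             DEFAULT_DATABASE = [master];

-- 4. Review what exists: S = SQL login, U = Windows user, G = Windows group.
--    Logins named ##...## are internal certificate-based logins created by SQL Server itself.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G') AND name NOT LIKE '##%'
ORDER BY type_desc, name;
```

CHECK_EXPIRATION = ON on a service account means the application stops working the day the password expires; either rotate the secret on a schedule that beats the policy, or leave expiration off for that login and keep CHECK_POLICY on.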
- 25. Beware of the sa Login
• The built-in system administrator login (SID 0x01, principal_id 1)
• A member of the sysadmin fixed server role, so it holds every permission on the instance
• Cannot be dropped or removed from sysadmin, but it can (and should) be disabled and renamed
• Disabled by default when the instance is installed in Windows Authentication mode; it still needs a strong password in case the mode is ever switched to Mixed
• Use it only as an access of last resort
• NEVER use sa for database access through client applications: the credential ends up in configuration files, and any SQL injection flaw in the application becomes full control of the server
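As an added example (not from the original deck), this script finds who is still connecting as sa, then sets a strong password, disables the login and renames it. It must run as a member of sysadmin; the new name break_glass_admin and the password are assumptions.

```sql
-- Added example, not from the original deck. Run as a member of sysadmin. The new name
-- break_glass_admin and the password placeholder are assumptions.

-- sa is the login with SID 0x01 (principal_id 1). It may already have been renamed, so find it by SID.
DECLARE @sa sysname = (SELECT name FROM sys.server_principals WHERE sid = 0x01);

-- 1. Is anything still connecting as sa? Each row is an application or person to move to a
--    least-privilege login before sa is disabled.
SELECT s.session_id, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.login_name = @sa;

-- 2. Set a long random password (the mode may one day be switched to Mixed), then disable and
--    rename the login so scripted guesses against the name 'sa' fail before a password is tried.
DECLARE @sql nvarchar(max) =
      N'ALTER LOGIN ' + QUOTENAME(@sa) + N' WITH PASSWORD = N''Replace-With-A-Generated-Secret-2!'', CHECK_POLICY = ON; '
    + N'ALTER LOGIN ' + QUOTENAME(@sa) + N' DISABLE; '
    + N'ALTER LOGIN ' + QUOTENAME(@sa) + N' WITH NAME = [break_glass_admin];';
EXEC sys.sp_executesql @sql;

-- 3. Verify: the SID 0x01 login is disabled and is no longer called sa.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;
```

Run step 1 on its own for a while before steps 2 and 3: a session that shows up only at month end is the one that will page you later. If the session running the script is itself sa, the rename takes effect for the next connection, so keep a second sysadmin login at hand.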
- 26. Password Policy and Enforcement
• Before SQL Server 2005 there was no enforcement of passwords for SQL Server logins
  • No minimum strength
  • No expiration policy
• SQL Server 2005 and later hook SQL Server logins into the Windows password policy
  • Full policy enforcement on Windows Server 2003, Vista and later versions; on older versions of Windows only simple built-in checks run
  • The NetValidatePasswordPolicy API method does the validation
  • CHECK_POLICY (on by default) and CHECK_EXPIRATION (off by default) on CREATE LOGIN / ALTER LOGIN switch it on per login; both can be turned off, which is what to audit
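An added audit example (not from the original deck): it lists SQL logins that escape the policy, tests the stored hashes against a blank password and the login name with PWDCOMPARE, and remediates one login. The login name appsvc and the password are assumptions.

```sql
-- Added example, not from the original deck. Audits the SQL Server logins on this instance;
-- appsvc and the password placeholder are assumptions.

-- 1. SQL logins whose password is not policy-checked or never expires.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
ORDER BY name;

-- 2. Logins whose password is blank or equals the login name. PWDCOMPARE checks a candidate
--    against the stored hash without exposing the hash, so this is a safe built-in weak-password test.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Remediate one login: enforce the policy, set a new password and force a change at next use.
--    MUST_CHANGE requires CHECK_POLICY and CHECK_EXPIRATION to be ON, hence the two statements.
ALTER LOGIN appsvc WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN appsvc WITH PASSWORD = N'Replace-With-A-Generated-Secret-3!' MUST_CHANGE;
```

Step 2 is the check a pentester runs first (a short wordlist through PWDCOMPARE), so run it yourself before they do; the query only needs CONTROL SERVER to read password_hash.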
- 27. Contained Databases (SQL Server 2012 and later)
• Not a security feature per se
• But they introduce a new authentication scheme: users that the database itself authenticates
• Solves the problem of moving a database between instances
  • Past: move the database plus its external dependencies (the server logins), then repair the orphaned users whose SIDs no longer match a login
  • A contained database carries its users and their credentials with it, so those problems go away
- 28. Contained Databases
• You can create a SQL user with a password, or a Windows user, directly in the database
• Neither is associated with a server login
• The client authenticates against the contained database; the connection string must name it (Initial Catalog / Database)
• The resulting token is for that database only; the security boundary is tightly scoped
• If authentication fails at the database (the user exists but the password does not match), the connection does not fall back to a server login with the same name
• Caveat: anyone who can create users in a contained database (db_owner and db_accessadmin members) can let new people onto the instance, so the database owner becomes a gatekeeper for instance access
- 48. Contained Databases Authentication
Decision flow for a connection request (the slide's flowchart as a list):
• Initial catalog specified?
  • No: server-level authentication
• Initial catalog contained?
  • No: server-level authentication
• Authentication type?
  • SQL Server
    • Matching user in database? No: server-level authentication
    • Password match? No: authentication failure (no fallback to a server login of the same name)
    • Permission in database (CONNECT)? No: authentication failure
    • Otherwise: database authentication, with a token valid for this database only
  • Windows
    • Matching login or group at server level? Yes: server-level authentication (a login for the principal or one of its groups takes precedence over a contained Windows user)
    • Matching principal in database? No: authentication failure
    • Permission in database (CONNECT)? No: authentication failure
    • Otherwise: database authentication
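An added example for slides 27, 28 and the flow above (not from the original deck): it enables contained database authentication, creates a partially contained database with one SQL and one Windows contained user, and then looks for the duplicate-name trap the flow describes. The database name PortableApp, the users app_reader and CORP\ReportUsers and the password are assumptions; SQL Server 2012 or later is required.

```sql
-- Added example, not from the original deck. Needs SQL Server 2012 or later and sysadmin for the
-- server-level steps. PortableApp, app_reader, CORP\ReportUsers and the password are assumptions.

-- 1. The instance must allow contained database authentication (off by default).
EXEC sys.sp_configure N'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. A partially contained database.
CREATE DATABASE PortableApp CONTAINMENT = PARTIAL;
GO
USE PortableApp;
GO

-- 3. Contained users: no server login involved; the database holds the password hash or the Windows SID.
CREATE USER app_reader WITH PASSWORD = N'Replace-With-A-Generated-Secret-4!';
CREATE USER [CORP\ReportUsers];                    -- Windows group, no FOR LOGIN clause
ALTER ROLE db_datareader ADD MEMBER app_reader;
ALTER ROLE db_datareader ADD MEMBER [CORP\ReportUsers];
GO

-- 4. The duplicate-login trap: a contained SQL user and a server login that share a name but not a
--    SID. With Initial Catalog = PortableApp the client is authenticated by the database; without it,
--    by the server login, as a different principal with different permissions. Flag such pairs.
SELECT dp.name, dp.authentication_type_desc, dp.sid AS user_sid, sp.sid AS login_sid
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.name = dp.name
WHERE dp.authentication_type_desc = 'DATABASE'     -- contained SQL user
  AND dp.sid <> sp.sid;
```

A client then connects with something like Server=myhost;Database=PortableApp;User ID=app_reader;Password=...; leave Database out and the same name and password are tried against the server logins instead, which is exactly the path the flowchart shows. Because db_owner and db_accessadmin members can create more contained users, review their membership in a contained database as you would review server logins.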
- 49. Agenda
• Security Overview
• Authentication
• Authorization
- 50. Authorization
• Principals: the logins, users, roles or processes that request access to securables
• Securables: the protected resources (a server, a database, a schema, a table, ...)
• Permissions: the type of access a principal has on a securable (SELECT, EXECUTE, CONTROL, ...), which can be granted, denied or revoked
- 52. Principals
• Windows-level principals
• Windows Domain Login
• Windows Group
• Windows Local Login
• SQL Server-level principals
• SQL Server Login
• SQL Server Login mapped to a certificate
• SQL Server login mapped to a Windows login
• SQL Server Login mapped to an asymmetric key
• Database-level principals
• Application Role
• Database Role
• Database User
• Database User mapped to a certificate
• Database User mapped to a Windows login
• Database User mapped to an asymmetric key
• Public Role
- 53. Principals
• Scope of a principal determines scope of
permission
• Principal can be a login, user, or role
• Roles are analogous to Windows groups
• Users in role inherit role’s permissions
• Simplify security management
• Types of roles
  • Fixed server roles
  • User-defined server roles (SQL Server 2012 and later)
  • Fixed database roles
  • User-defined database roles
- 54. Fixed Server Roles
• You cannot change their permissions or add new fixed roles; the only thing you can change is their membership
• Server roles
  • System administrator (sysadmin): every permission on the instance
  • Bulk insert administrator (bulkadmin)
  • Database creator (dbcreator)
  • Disk administrator (diskadmin)
  • Process administrator (processadmin)
  • Server administrator (serveradmin)
  • Setup administrator (setupadmin)
  • Security administrator (securityadmin): can create logins and grant server-level permissions, so treat its membership as equivalent to sysadmin
• Every login is also a member of the public server role
- 55. User-Defined Server Roles
• A long-awaited security feature
• User-defined database roles have existed for a long time, but there was nothing equivalent at the server level
• So the only way to grant some server-level permissions was to put the login in a fixed server role, which usually conveyed far more than was needed
• SQL Server 2012 solves this: CREATE SERVER ROLE, grant the role exactly the server-level permissions required, then add logins to it
- 56. Fixed Database Roles
• Control authorization within a database
• Configure each database individually
• Database roles
  • db_accessadmin
  • db_backupoperator
  • db_datareader
  • db_datawriter
  • db_ddladmin
  • db_denydatareader
  • db_denydatawriter
  • db_owner
  • db_securityadmin
• db_owner holds every permission in the database and db_securityadmin can grant permissions to others, so treat both as privileged; db_datareader and db_datawriter cover every table and view, not just the ones an application needs
- 57. The Public Role
• Every database user is a member of public (and every login is a member of the server-level public role); the membership cannot be removed
• Anything granted to public is effectively granted to everyone, so be very careful
• Normally restrict the permissions of this role to the defaults
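An added example for slides 53 to 57 (not from the original deck): a user-defined server role for a monitoring account instead of a fixed role, a user-defined database role scoped to one schema instead of db_datareader, the membership queries to review both, and an audit of what has been granted to public. The role names, the login CORP\Monitoring, the database SalesDb and the schema Sales are assumptions; CREATE SERVER ROLE needs SQL Server 2012 or later.

```sql
-- Added example, not from the original deck. CREATE SERVER ROLE needs SQL Server 2012 or later.
-- The role names, CORP\Monitoring, SalesDb and the Sales schema are assumptions.

-- 1. A user-defined server role carrying only what a monitoring account needs, instead of
--    membership in sysadmin or serveradmin.
CREATE SERVER ROLE monitoring;
GRANT VIEW SERVER STATE TO monitoring;       -- DMVs such as sys.dm_exec_requests
GRANT VIEW ANY DEFINITION TO monitoring;     -- object metadata, no data
CREATE LOGIN [CORP\Monitoring] FROM WINDOWS;
ALTER SERVER ROLE monitoring ADD MEMBER [CORP\Monitoring];
GO

-- 2. A user-defined database role scoped to one schema, rather than db_datareader on every table.
USE SalesDb;
GO
CREATE ROLE reporting;
GRANT SELECT ON SCHEMA::Sales TO reporting;
CREATE USER [CORP\Monitoring] FOR LOGIN [CORP\Monitoring];
ALTER ROLE reporting ADD MEMBER [CORP\Monitoring];
GO

-- 3. Review membership of every server role, then of every database role (fixed and user-defined).
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

SELECT r.name AS database_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 4. public is everyone. List what has been granted to it in this database on user objects
--    (rows with a negative major_id are the built-in grants on system catalog objects and are
--    excluded) and at the server level (defaults: VIEW ANY DATABASE and CONNECT on the endpoints).
SELECT class_desc,
       CASE WHEN class = 1 THEN OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id) END AS object_name,
       permission_name, state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('public') AND major_id >= 0;

SELECT class_desc, permission_name, state_desc
FROM sys.server_permissions
WHERE grantee_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name = N'public');
```

Anything the two public queries return beyond the documented defaults was granted to every principal on the instance, usually by a script that took the easy way out; REVOKE it and grant it to a role instead.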
- 58. The dbo (Database Owner) User
• dbo is a user, not a role: it is the owner of the database and has every permission in it
• Members of the sysadmin fixed server role, and the login that owns the database, enter the database as dbo
• Not the same thing as the db_owner role: dbo is a user that belongs to db_owner; db_owner is a role that other users can be added to
- 59. User-Defined Database Roles
• Standard role: a named set of users that share permissions; members are added with ALTER ROLE ... ADD MEMBER (sp_addrolemember before SQL Server 2012)
• Application role: has no members; an application activates it with sp_setapprole and a password, after which the session holds the role's permissions instead of the user's own
- 60. Securable Objects
• Protected resource that you can control
access to
• Physical object or action
- 64. Securable Objects
Three nested scopes; a permission granted at a wider scope covers everything it contains:
• Server scope
  • Database
  • Endpoint
  • Server Role
  • SQL Server Login
• Database scope
  • Application Role
  • Assembly
  • Asymmetric Key
  • Certificate
  • Database User
  • Database Role (fixed or user-defined)
  • Full-Text Catalog
  • Message Type
  • Remote Service Binding
  • Route
  • Schema
  • Service
  • Service Contract
  • Symmetric Key
• Schema scope
  • Default
  • Function
  • Procedure
  • Queue
  • Rule
  • Statistics
  • Synonym
  • Table
  • Trigger
  • Type
  • View
  • XML Schema Collection
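An added example (not from the original deck) that exercises the three scopes above: one permission at database scope, one at schema scope, and a DENY at column scope that overrides the wider GRANT, with the result checked from the principal's own point of view. It runs in a scratch database as dbo; the schema, tables and the user analyst are assumptions.

```sql
-- Added example, not from the original deck. Run in a scratch database as dbo; the schema,
-- tables and the user analyst are assumptions. Shows database, schema and object/column scope,
-- and that a DENY at a narrower scope overrides a GRANT at a wider one.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Orders  (OrderId int PRIMARY KEY, Customer nvarchar(100), Amount money);
CREATE TABLE Sales.Payroll (EmpId   int PRIMARY KEY, Name nvarchar(100), Salary money);
CREATE USER analyst WITHOUT LOGIN;                -- test principal, no server login needed
GO

GRANT SHOWPLAN TO analyst;                        -- database scope
GRANT SELECT ON SCHEMA::Sales TO analyst;         -- schema scope: every current and future object in Sales
DENY SELECT (Salary) ON Sales.Payroll TO analyst; -- column scope: wins over the schema-level GRANT
GO

-- See the result as the analyst would: 1 = permitted, 0 = not.
EXECUTE AS USER = 'analyst';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SHOWPLAN')                       AS showplan,        -- 1
       HAS_PERMS_BY_NAME('Sales.Orders',  'OBJECT', 'SELECT')                      AS orders_select,   -- 1
       HAS_PERMS_BY_NAME('Sales.Payroll', 'OBJECT', 'SELECT', 'Name',   'COLUMN')  AS payroll_name,    -- 1
       HAS_PERMS_BY_NAME('Sales.Payroll', 'OBJECT', 'SELECT', 'Salary', 'COLUMN')  AS payroll_salary;  -- 0
-- SELECT Name FROM Sales.Payroll succeeds here; SELECT Name, Salary FROM Sales.Payroll fails with
-- error 230 (the SELECT permission was denied on the column 'Salary').
SELECT entity_name, subentity_name, permission_name
FROM sys.fn_my_permissions('Sales.Payroll', 'OBJECT'); -- effective object and column permissions
REVERT;
GO

-- Undo the column DENY: REVOKE removes the DENY row, and the schema GRANT alone covers the column again.
REVOKE SELECT (Salary) ON Sales.Payroll FROM analyst;
```

The pattern to remember when reading a permission report: a GRANT at the schema or database level is only the starting point; the narrowest DENY that applies decides the outcome, and sys.fn_my_permissions run under EXECUTE AS is the quickest way to see the net effect for a given principal.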
- 69. Learn More!
• This is an excerpt from a larger course. Visit www.learnnowonline.com for the full details!
• Learn more about SQL Server on SlideShare: A Tour of SQL Server
Speaker notes
- DEMO – Adding a Windows Login, Windows Logins via Transact-SQL
- DEMO – rest of section and SQL Server Logins via Transact-SQL
- DEMO – rest of section
- DEMO