5/15/17
Chapter 2
Managing Security
Users
• Users are database-level principals and are created to access resources within a database.
• By convention a database user carries the same name as the login it is mapped to; the names are not required to match.
• Users can be added to one or more of the available database roles.
Users vs. Login
• Logins:
  • Are created at the instance (server) level.
  • Can be mapped to a Windows user account, a domain account, a Windows group, a domain group, or carry their own password as a SQL Server login.
  • Provide access to the SQL Server instance.
  • Gain access to one or more databases only through the database user(s) they are mapped to.
  • Do not provide access to the objects contained within the database.
• Permissions to access database objects are granted at the database user level.
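The login/user split above, shown end to end. This is an added example, not code from the original slides; the login name demo_login, the database SalesDb and the table Sales.Orders are assumptions (the database and table are expected to exist, and guest is assumed disabled in SalesDb as it is by default).

```sql
-- Added example (not from the original slides). Assumed names: demo_login,
-- SalesDb, Sales.Orders. Run as a sysadmin.
USE master;
GO
CREATE LOGIN demo_login WITH PASSWORD = 'Str0ng!Passw0rd#2017', CHECK_POLICY = ON;
GO

-- 1) A login on its own only reaches the instance. Impersonate it from
--    master (every login can enter master through the guest user) and ask
--    whether it may enter SalesDb: 0, because no database user exists yet.
EXECUTE AS LOGIN = 'demo_login';
SELECT HAS_DBACCESS('SalesDb') AS can_enter_salesdb;   -- 0
REVERT;
GO

-- 2) Map a database user to the login (the user name does not have to match).
USE SalesDb;
GO
CREATE USER demo_user FOR LOGIN demo_login;
GO

-- 3) The login can now enter the database, but a user with no grants still
--    cannot read the objects inside it.
EXECUTE AS LOGIN = 'demo_login';
SELECT HAS_DBACCESS('SalesDb') AS can_enter_salesdb;                               -- 1
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS can_select_orders; -- 0
REVERT;
GO

-- 4) Object permissions are granted to the database user, never to the login.
GRANT SELECT ON OBJECT::Sales.Orders TO demo_user;
GO
EXECUTE AS LOGIN = 'demo_login';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS can_select_orders; -- 1
REVERT;
GO

-- 5) The mapping itself: server principal and database principal share a SID.
SELECT sp.name AS login_name, sp.type_desc AS login_type,
       dp.name AS user_name,  dp.type_desc AS user_type
FROM sys.server_principals   AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
WHERE sp.name = 'demo_login';
GO

-- Clean up.
DROP USER demo_user;
USE master;
DROP LOGIN demo_login;
```

The SID join in step 5 is also the query to run when hunting for orphaned users after a restore: a database user whose SID matches no server principal keeps its permissions but nobody can authenticate as it until it is re-mapped with ALTER USER ... WITH LOGIN.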
SQL Server security
• A user passes through two stages of security in SQL Server:
  • Authentication – validates that a user can connect to a SQL Server instance (login).
  • Authorization – permissions validation; controls the activities the user is allowed to perform in the SQL Server database (user).
SQL Server authentication
• Windows Authentication
  • Windows performs the authentication (Kerberos or NTLM); SQL Server never sees the password.
  • SQL Server trusts that authentication and provides access to the Windows accounts as configured.
  • Windows user and group accounts can be mapped to SQL Server logins.
SQL Server authentication
• SQL Server specific logins (SQL Server Authentication):
  • A Windows user account is not required.
  • The password is passed across the network for authentication.
    • The login packet carrying the password is encrypted automatically (SQL Server 2005 and later use a self-signed certificate for this even when the rest of the session is not encrypted); the server stores the password as a salted hash.
  • The primary advantage of this authentication scheme:
    • SQL Server can authenticate any login no matter how they may have authenticated to the Windows network.
  • This option is typically less secure because it gives access to anyone who has the SQL Server password, without regard to his or her Windows identity. Leave CHECK_POLICY on, consider CHECK_EXPIRATION, and encrypt connections (Force Encryption / TLS) so the rest of the session is protected too.
SQL Server authentication
• Adding a new login
  • For Windows authentication, first create the user in Windows.
    • Once the user exists in the local Windows user list or the Windows domain, SQL Server can recognize it.
  • Add a new login to SQL Server:
    • Use SSMS (Security > Logins > New Login).
    • Use the T-SQL CREATE LOGIN command.
SQL Server authentication
• Adding a new Windows login
  • Use SSMS
SQL Server authentication
• Adding a new login
  • Use the T-SQL command:
    CREATE LOGIN [name] {WITH <options> | FROM <source>}
  • Options: the most important one is PASSWORD (required for a SQL Server login). The other options are DEFAULT_DATABASE, DEFAULT_LANGUAGE, CHECK_EXPIRATION (enforce password expiration) and CHECK_POLICY (enforce the Windows password policy; ON by default).
  • Source:
    • WINDOWS: the login will be mapped to an existing Windows user or group account.
    • CERTIFICATE: the name of the certificate to be associated with this login.
    • ASYMMETRIC KEY: the name of the asymmetric key to be associated with this login.
SQL Server authentication
• Ex 1: Create a new SQL Server login for "Mary"
  USE master;
  CREATE LOGIN mary WITH PASSWORD = 'Str0ng!Passw0rd#2017';
  (Logins are server-level, so the current database does not matter. A plain word such as 'password' is rejected when CHECK_POLICY is ON and the Windows policy requires complexity.)
• Ex 2: Create a new login for "Bob" on the server from his Windows account (the name must include the domain or machine name)
  USE master;
  CREATE LOGIN [AughtEight\Bob] FROM WINDOWS;
• Remove an existing login: use the DROP LOGIN statement
  Ex: DROP LOGIN [AughtEight\Bob];
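The three sources of a login from the previous slide, created with the options that matter and then inspected through the catalog views. This is an added example, not code from the original slides; the names app_reader, AughtEight\SalesAnalysts, audit_cert_login, AuditSigningCert and SalesDb are assumptions (the Windows group and the database are expected to exist).

```sql
-- Added example (not from the original slides). Assumed names: app_reader,
-- AughtEight\SalesAnalysts (an existing AD group), audit_cert_login,
-- AuditSigningCert, SalesDb. Run as a sysadmin in master.
USE master;
GO
-- SQL Server login: password policy and expiration enforced, and a
-- non-privileged default database instead of master.
CREATE LOGIN app_reader
    WITH PASSWORD = 'R3ad0nly!Svc#2017',
         DEFAULT_DATABASE = SalesDb,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO
-- Windows group login: membership is managed in Active Directory, so adding
-- a person to the group grants access without touching SQL Server.
CREATE LOGIN [AughtEight\SalesAnalysts] FROM WINDOWS
    WITH DEFAULT_DATABASE = SalesDb;
GO
-- Certificate-mapped login: nobody can connect as it; it exists to carry
-- permissions for code signed with the certificate. The private key is
-- protected by a password here so no database master key is needed in master.
CREATE CERTIFICATE AuditSigningCert
    ENCRYPTION BY PASSWORD = 'Cert!Priv#Key2017'
    WITH SUBJECT = 'Signs audit procedures';
GO
CREATE LOGIN audit_cert_login FROM CERTIFICATE AuditSigningCert;
GO
-- Inspect what was created. sys.sql_logins only has rows for SQL logins, so
-- the policy columns are NULL for the Windows and certificate logins.
SELECT sp.name, sp.type_desc, sp.default_database_name, sp.is_disabled,
       sl.is_policy_checked, sl.is_expiration_checked,
       LOGINPROPERTY(sp.name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins   AS sl ON sl.principal_id = sp.principal_id
WHERE sp.name IN ('app_reader', 'AughtEight\SalesAnalysts', 'audit_cert_login')
ORDER BY sp.name;
GO
-- Clean up. The certificate can only be dropped after the login mapped to it.
DROP LOGIN audit_cert_login;
DROP LOGIN [AughtEight\SalesAnalysts];
DROP LOGIN app_reader;
DROP CERTIFICATE AuditSigningCert;
```

The same SELECT, without the WHERE clause, is a quick audit of an instance: SQL logins with is_policy_checked = 0 and any login whose default database is master deserve a second look.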
Schema
• Schemas are collections of database objects such as tables, views, and procedures.
• Permissions can be granted to individual schemas within a database, providing a powerful way to manage permissions.
• It is not necessary to grant access to each object within a schema when granting permission to the schema; objects created in the schema later are covered by the same grant.
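Schema-scoped grants in practice, including the point that a table created after the grant is covered by it. This is an added example, not code from the original slides; SalesDb, the Reporting schema, its tables and the user analyst are assumptions (only SalesDb is expected to exist).

```sql
-- Added example (not from the original slides). Assumed names: SalesDb,
-- Reporting schema and tables, user analyst. Run as a sysadmin.
USE SalesDb;
GO
CREATE SCHEMA Reporting;
GO
CREATE TABLE Reporting.DailySales (SaleDate date, Amount money);
CREATE TABLE Reporting.Returns    (ReturnDate date, Amount money);
GO
-- WITHOUT LOGIN keeps the demo self-contained; a real user maps to a login.
CREATE USER analyst WITHOUT LOGIN;
GO
-- One grant at schema scope instead of one grant per table.
GRANT SELECT ON SCHEMA::Reporting TO analyst;
GO
-- A table created after the grant is covered by it automatically.
CREATE TABLE Reporting.Forecast (ForecastDate date, Amount money);
GO
EXECUTE AS USER = 'analyst';
SELECT HAS_PERMS_BY_NAME('Reporting.DailySales', 'OBJECT', 'SELECT') AS sel_daily,    -- 1
       HAS_PERMS_BY_NAME('Reporting.Forecast',   'OBJECT', 'SELECT') AS sel_forecast, -- 1
       HAS_PERMS_BY_NAME('Reporting.Forecast',   'OBJECT', 'INSERT') AS ins_forecast; -- 0
-- Effective permissions of the current user on the schema, as SQL Server sees them.
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('Reporting', 'SCHEMA');
REVERT;
GO
-- Clean up.
DROP USER analyst;
DROP TABLE Reporting.Forecast, Reporting.Returns, Reporting.DailySales;
DROP SCHEMA Reporting;
```

The design trade-off: a schema grant is easy to reason about and audit, but it also means anyone who can create objects in that schema (CREATE TABLE plus ALTER on the schema) is widening what the grantee can read. Keep object creation and data access in separate roles.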
Principal
• A principal is an entity that can request SQL Server resources. Logins are the server-level principals that allow you to connect to SQL Server. There are effectively three types of logins (server principals):
  • Windows domain login
  • Windows local login
  • SQL Server login
Principal
• Windows-level principals
  • Windows domain login
  • Windows local login
  • Windows group
Principal
• SQL Server-level principals
  • SQL Server login
  • SQL Server login mapped to a Windows login
  • SQL Server login mapped to a certificate
  • SQL Server login mapped to an asymmetric key
Principal
• Database-level principals
  • Database user
  • Database user mapped to a SQL Server login
  • Database user mapped to a Windows login
  • Database user mapped to a certificate
  • Database user mapped to an asymmetric key
  • Database role
  • Application role
  • Public role
Securable objects in SQL Server
• Securables are arranged in three nested scopes:
  • Server
  • Database
  • Schema
• Objects such as tables, views and stored procedures live in the schema scope; a permission granted at an outer scope is inherited by everything inside it.
Roles
• SQL Server provides two kinds of roles:
  • Fixed server-level roles:
    • Have a server-wide scope.
    • Used for administration tasks.
    • Since SQL Server 2012 user-defined server roles can be created as well.
  • Database-level roles:
    • Have a database-level scope.
    • Custom (user-defined) database-level roles can be created.
    • Used for administration and security.
    • Include the public role, to which every database user belongs.
The fixed server-level roles
• sysadmin – Perform any activity in the server.
  • In SQL Server 2005 and earlier the BUILTIN\Administrators group (the local administrators) was a member by default; since SQL Server 2008 it is not added automatically and must be granted explicitly.
• serveradmin – Change server-wide configuration options and shut down the server.
• securityadmin – Manage logins and their properties. Members can reset passwords for SQL Server logins and GRANT, DENY, and REVOKE server-level permissions (and database-level permissions where they have access to the database). Because they can grant server-level permissions, treat this role as equivalent to sysadmin.
• processadmin – End processes running in an instance of SQL Server.
• setupadmin – Add and remove linked servers.
• bulkadmin – Run the BULK INSERT statement.
• diskadmin – Manage disk files.
• dbcreator – CREATE, ALTER, DROP, and restore any database.
The fixed server-level role
• A login is assigned to a server role by means of a system stored procedure:
  sp_addsrvrolemember
    [ @loginame = ] 'login',
    [ @rolename = ] 'role'
  Ex: EXEC sp_addsrvrolemember 'XPS\Lauren', 'sysadmin'
• sp_dropsrvrolemember removes a login from a fixed server role
  Ex: EXEC sp_dropsrvrolemember 'XPS\Lauren', 'sysadmin'
• sp_helpsrvrole: get a list of the fixed server roles
• sp_srvrolepermission: get the specific permissions for each role
• Both sp_addsrvrolemember and sp_dropsrvrolemember are deprecated; from SQL Server 2012 on use ALTER SERVER ROLE role ADD MEMBER login / DROP MEMBER login.
The fixed database-level roles
• db_owner – Can drop the database as well as perform all configuration and maintenance tasks; members effectively have full control of the database.
• db_securityadmin – Can modify role membership and manage permissions.
  • Be careful when adding principals to this role; an unintended privilege escalation could result.
• db_accessadmin – Can add or remove database access for Windows logins, Windows groups, and SQL Server logins.
• db_backupoperator – Can back up the database.
• db_ddladmin – Can run any Data Definition Language command.
• db_datawriter – Can add, delete, or change data in all user tables.
• db_datareader – Can read all data from all user tables.
• db_denydatareader – Denies permission to read any data in the user tables.
• db_denydatawriter – Denies permission to add, modify, or delete any data in the user tables.
The fixed database-level roles
• Setting up database user accounts:
  CREATE USER [UserName] FOR LOGIN [LoginName]
  Ex:
  USE master;
  CREATE LOGIN [AughtEight\Bob] FROM WINDOWS;
  USE AdventureWorks2008;
  CREATE USER BillyBob FOR LOGIN [AughtEight\Bob]
      WITH DEFAULT_SCHEMA = Sales;
  (The user name need not match the login name; DEFAULT_SCHEMA decides where unqualified object names are resolved for this user.)
The fixed database-level role
• A user is assigned to a database role by means of a system stored procedure:
  sp_addrolemember
    [ @rolename = ] 'role',
    [ @membername = ] 'user'
  Ex: EXEC sp_addrolemember 'db_datareader', 'Carol';
• sp_droprolemember removes a user from a database role
  Ex: EXEC sp_droprolemember 'db_datareader', 'Carol';
• sp_helprole: get a list of the database roles; sp_helprolemember: list the members of a role
• Both sp_addrolemember and sp_droprolemember are deprecated; from SQL Server 2012 on use ALTER ROLE role ADD MEMBER user / DROP MEMBER user.
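Server-role and database-role membership together, covering both the server-role slide and the database-role slides above, with the current ALTER ... ROLE syntax in place of the deprecated procedures and a membership audit through the catalog views. This is an added example, not code from the original slides; the login XPS\Lauren, the login carol, the database SalesDb, the tables Sales.Orders and Sales.Customers and the role OrderEntry are assumptions (the Windows account, database and tables are expected to exist).

```sql
-- Added example (not from the original slides). Assumed names: XPS\Lauren,
-- carol, SalesDb, Sales.Orders, Sales.Customers, OrderEntry. Run as a sysadmin.
USE master;
GO
CREATE LOGIN [XPS\Lauren] FROM WINDOWS;
CREATE LOGIN carol WITH PASSWORD = 'C@rol-Str0ng#2017';
GO
-- Server role: the least privileged fixed role that lets Lauren create
-- databases, instead of sysadmin.
ALTER SERVER ROLE dbcreator ADD MEMBER [XPS\Lauren];
GO
-- Who is in the powerful fixed server roles? (catalog equivalent of sp_helpsrvrole)
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'dbcreator')
ORDER BY r.name, m.name;
GO
-- Database roles: map the login to a user, then give the user read access
-- through a fixed role and write access through a custom role that carries
-- only what the job needs.
USE SalesDb;
GO
CREATE USER Carol FOR LOGIN carol;
ALTER ROLE db_datareader ADD MEMBER Carol;          -- replaces sp_addrolemember
GO
CREATE ROLE OrderEntry;
GRANT INSERT, UPDATE ON OBJECT::Sales.Orders TO OrderEntry;
ALTER ROLE OrderEntry ADD MEMBER Carol;
GO
-- Effective result for Carol: read everything, write only to Sales.Orders.
EXECUTE AS USER = 'Carol';
SELECT IS_MEMBER('db_datareader') AS in_datareader,                               -- 1
       IS_MEMBER('OrderEntry')    AS in_orderentry,                               -- 1
       HAS_PERMS_BY_NAME('Sales.Orders',    'OBJECT', 'UPDATE') AS upd_orders,    -- 1
       HAS_PERMS_BY_NAME('Sales.Customers', 'OBJECT', 'UPDATE') AS upd_customers; -- 0
REVERT;
GO
-- Membership audit: db_owner and db_securityadmin are the escalation-prone roles.
SELECT r.name AS db_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_datareader', 'OrderEntry')
ORDER BY r.name, m.name;
GO
-- Clean up.
ALTER ROLE OrderEntry DROP MEMBER Carol;
ALTER ROLE db_datareader DROP MEMBER Carol;         -- replaces sp_droprolemember
DROP ROLE OrderEntry;
DROP USER Carol;
USE master;
ALTER SERVER ROLE dbcreator DROP MEMBER [XPS\Lauren];
DROP LOGIN [XPS\Lauren];
DROP LOGIN carol;
```

Granting to the custom role rather than to Carol directly is what makes the next person in the same job a one-line change, and the two audit queries are the ones to schedule: membership in sysadmin, securityadmin, db_owner and db_securityadmin should change only with a ticket behind it.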
Principle of least privilege
• Do not grant more permissions than necessary.
• Be familiar with what each specific permission enables a user to accomplish.
• Inadvertently elevated permissions can pose a significant security risk.
• Grant to roles rather than to individual users, and at the narrowest scope that does the job (object or schema rather than database or server).
Authorization
• Only authorized users are able to execute statements or perform operations on an entity.
• There are three Transact-SQL statements related to authorization:
  • GRANT gives a principal the right to perform an action.
  • DENY explicitly denies a right; a DENY overrides any GRANT the principal holds directly or through role membership (the one exception is a column-level GRANT, which overrides a table-level DENY).
  • REVOKE removes an existing GRANT or DENY; it does not itself forbid anything.
• Permissions are applied to securables: the server, databases, schemas, and the objects (tables, views, stored procedures, etc.) in the database.
Permission
• GRANT statement
  GRANT <permission> [ ON [ <class> :: ] <securable> ] TO <principal> [ WITH GRANT OPTION ]
• Ex 1: a server-level permission, granted in master to a login
  USE master;
  GRANT CREATE ANY DATABASE TO Ted;
  GO
• Ex 2: a database-level permission; it applies only in the database where it is granted, and mary must exist as a user there (granting it in master would only let mary create functions in master)
  USE sample;
  GRANT CREATE FUNCTION TO mary;
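How GRANT, DENY and REVOKE interact, including the column-level case, with the recorded permission rows read back from sys.database_permissions. This is an added example, not code from the original slides; SalesDb, Sales.Orders, Sales.Customers (with columns Name and CreditCardNumber), the user ted and the role Clerks are assumptions (the database and tables are expected to exist).

```sql
-- Added example (not from the original slides). Assumed names: SalesDb,
-- Sales.Orders, Sales.Customers(Name, CreditCardNumber), user ted, role Clerks.
USE SalesDb;
GO
CREATE USER ted WITHOUT LOGIN;     -- self-contained; a real user maps to a login
CREATE ROLE Clerks;
ALTER ROLE Clerks ADD MEMBER ted;
GO
-- GRANT through the role, DENY directly on the user: the DENY wins.
GRANT SELECT ON OBJECT::Sales.Orders TO Clerks;
DENY  SELECT ON OBJECT::Sales.Orders TO ted;
GO
EXECUTE AS USER = 'ted';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS sel_orders;  -- 0
REVERT;
GO
-- REVOKE removes the DENY row; the role's GRANT takes effect again.
REVOKE SELECT ON OBJECT::Sales.Orders FROM ted;
GO
EXECUTE AS USER = 'ted';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS sel_orders;  -- 1
REVERT;
GO
-- REVOKE removes a GRANT just the same; it is not a "deny", only an absence.
REVOKE SELECT ON OBJECT::Sales.Orders FROM Clerks;
GO
EXECUTE AS USER = 'ted';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS sel_orders;  -- 0
REVERT;
GO
-- Column-level DENY on top of a table-level GRANT: the column stays hidden.
GRANT SELECT ON OBJECT::Sales.Customers TO Clerks;
DENY  SELECT (CreditCardNumber) ON OBJECT::Sales.Customers TO Clerks;
GO
EXECUTE AS USER = 'ted';
SELECT HAS_PERMS_BY_NAME('Sales.Customers', 'OBJECT', 'SELECT', 'Name',             'COLUMN') AS sel_name, -- 1
       HAS_PERMS_BY_NAME('Sales.Customers', 'OBJECT', 'SELECT', 'CreditCardNumber', 'COLUMN') AS sel_ccn;  -- 0
REVERT;
GO
-- What the server actually recorded: state G = grant, D = deny,
-- W = grant with grant option; minor_id > 0 marks a column-level row.
SELECT pr.name AS principal, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('ted', 'Clerks')
ORDER BY pr.name, securable, column_name;
GO
-- Clean up.
REVOKE SELECT ON OBJECT::Sales.Customers FROM Clerks;
ALTER ROLE Clerks DROP MEMBER ted;
DROP ROLE Clerks;
DROP USER ted;
```

Two habits follow from this: use REVOKE to undo a grant and reserve DENY for the cases where a role is too broad for one member, and when a DENY "does not work", check for a column-level GRANT on the same table before suspecting anything else.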