
Apress SQL server security distilled 2nd edition sep 2008 ISBN 1590592190


SQL Server Security Distilled, Second Edition
ISBN: 1590592190
by Morris Lewis
Apress © 2004 (352 pages)
This book takes an in-depth look at what you can do to secure data in SQL Server, shows how to authenticate access to data on the server, and authorizes what users can and can't do with that data, in versions 6.5, 7.0, and 2000.

Table of Contents
SQL Server Security Distilled, Second Edition
Additional Information
Introduction
Chapter 1 - A Security Roadmap
Chapter 2 - Authenticating Logins
Chapter 3 - Database Security in SQL Server 6.5
Chapter 4 - Database Security in SQL Server 7.0 and 2000
Chapter 5 - Securing Data on the Network
Chapter 6 - Designing Security for Applications
Chapter 7 - Securing Data Transformation Services
Chapter 8 - Replication Security
Chapter 9 - Managing Security for SQL Server CE
Appendix A - References
Index
List of Figures
List of Tables
List of Listings


Back Cover
SQL Server is the dominant relational database in the Windows market and data security is a huge and growing concern for all businesses. Securing SQL Server is one of the most important responsibilities of the SQL Server professional.

SQL Server Distilled, Second Edition is a very carefully researched, clearly explained book on securing SQL Server, by an author who knows SQL Server inside and out. If you follow the practical guidelines that are clearly set out in this book, then you stand a very good chance of making sure that the data stored in your database is secure and that the conversation between your applications and the database is secure (preventing SQL injection attacks, etc.). For example, any DBA who implemented the security precautions detailed in the book would not have been affected by the infamous Slammer virus.

This second edition offers practical advice on how to implement good practices that will ward off future viruses before they are even created, and it contains new content that reflects all updates to SQL Server's security mechanisms.

About the Author
Morris Lewis has been smitten with Structured Query Language since the first time his professor wrote SELECT * FROM AUTHORS on the chalkboard 14 years ago. He has worked with no other database server since he first installed SQL Server 4.21a on his 16 MHz, Intel 386 computer with all of the 32 megabytes of RAM running Windows NT 3.51 more than 8 years ago.

With the mantra "It is OK to worry if they really are out to get you," he has focused on all aspects of securing Windows and SQL Server since he connected his first server to the Internet, 6 years ago. Now, he runs a training and consulting company, Holistech Inc., that focuses on helping clients create better and more secure database applications, and teaching them how to avoid the mistakes that can lead to problems in the future.


SQL Server Security Distilled, Second Edition
MORRIS LEWIS

Copyright © 2004 by Morris Lewis

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN (pbk): 1-59059-219-0

Printed and bound in the United States of America 12345678910

Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

Technical Reviewers: Victoria Hudgson, Sarah Larder, Craig Weldon
Editorial Board: Steve Anglin, Dan Appleman, Gary Cornell, James Cox, Tony Davis, John Franklin, Chris Mills, Steve Rycroft, Dominic Shakeshaft, Julian Skinner, Jim Sumser, Karen Watterson, Gavin Wray, John Zukowski
Lead Editor: Tony Davis
Assistant Publisher: Grace Wong
Project Manager: Beth Christmas
Copy Editors: Nicole LeClerc and Nancy Depper
Production Manager: Kari Brooks
Production Editor: Kelly Winquist
Proofreader: Thistle Hill Publishing Services, LLC
Compositor: Kinetic Publishing Services, LLC
Indexer: John Collins
Artist: Kinetic Publishing Services, LLC
Cover Designer: Kurt Krames
Manufacturing Manager: Tom Debolski

Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY, 10010 and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany.

In the United States: phone 1-800-SPRINGER, email <>, or visit . Outside the United States: fax +49 6221 345229, email <>, or visit .

For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939, email <>, or visit .

The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

The source code for this book is available to readers at in the Downloads section.

This book is dedicated to Dr. Donald Fairbairn, for introducing me to programming over 25 years ago; to Dr. Dennis Hood, for introducing me to Structured Query Language; and to Dr. William Hooper, for being a good friend, teacher, and mentor while I finished my bachelor's degree. I would not be where I am were it not for their tutelage. I wish everyone were blessed to have such people in their lives.

This book is also dedicated to my wife, Lisa, for so many, many things it would take another book to list them all.

About the Author
Morris Lewis has been smitten with Structured Query Language since the first time his professor wrote SELECT * FROM AUTHORS on the chalkboard 14 years ago. He has worked with no other database server since he first installed SQL Server 4.21a on his 16 MHz Intel 386 computer with all of 32 megabytes of RAM running Windows NT 3.51, more than 8 years ago.

With the mantra "It is OK to worry if they really are out to get you," he has focused on all aspects of securing Windows and SQL Server since he connected his first server to the Internet, 6 years ago. Now, he runs a training and consulting company, Holistech Incorporated (), that focuses on helping clients create better and more secure database applications, and on teaching them how to avoid the mistakes that can lead to problems in the future. He can be contacted at <> if you need help keeping the bad guys out of your applications.

Acknowledgments
First, I need to tell my family and friends I am sincerely grateful for all the patience they had with me for the last 6 months. I saw a lot of my office and too little of them, but they were always supportive and encouraging. I am sure they all will be glad to see the grumpy, old bear who growled at anyone entering his den go into hibernation for a while.

Second, I want to thank Richard Waymire for encouraging me to do this book when I first mentioned it to him and for sharing freely his insight into how SQL Server works under the hood. In many cases, I could set up tests to determine what SQL Server was doing, but Richard often helped me understand why it was doing it. This book would not be as complete without his help.

Next, I want to thank the folks at VMware (http://www.vmware.com) for creating their GSX Server product. At one point I had eleven virtual machines with a combination of two different server operating systems, all three versions of SQL Server, and clients running Windows NT and 2000. Using physical hardware would have taken significantly more resources and time, and it would have been difficult to verify how all the different versions interacted with each other. I probably could have written this book without GSX Server, but it would have been much harder.

Finally, I want to thank the giants who have worked and written on SQL Server security before me, for letting me hitch a ride on their shoulders.

Many books have been indispensable in teaching me how Windows networks and SQL Server work, and they should be your starting point for delving deeper into the intricacies of securing data in a Windows NT or 2000 network. Appendix A collects the references made throughout this book together, for easy reference.


Additional Information
Morris has created a website to accompany this book, . Because securing SQL Server often involves securing Windows, this site covers all topics relating to securing Windows 2000 networks and all versions of SQL Server. The site will also preview changes to security coming in the next version of SQL Server. Be sure to visit and register so you can stay up to date on the latest techniques for keeping your data secure.

Note All the code used in this book and any errata are available in the Downloads section on the Apress site at .


Introduction
Let's face it, as SQL Server professionals, we know that individual security options can appear simple on the surface—assign a user here, create a role there. But as the number of users increases, the need for finer control over them snowballs, making unexpected difficulties in the assignation of roles. And the more interconnected your network, the more opportunities there are for a hacker to find a weakness in your defenses. These options that seemed simple to implement close up suddenly look a lot more involved when taken together. In this book, I show you what is really going on under the hood of SQL Server when you log in: the network packets, the system tables, and the relationship between users, roles, and permissions. If you already know how to assign a user to a group, but you really want to understand the nuts and bolts of SQL Server security, this is the book for you.

You should already have a working knowledge of SQL Server; I do not explain concepts such as DTS or replication, and expect you to already understand these subjects. I discuss a number of basic Windows network administration concepts that you should also be familiar with: Windows domains, network protocols, NTLM authentication, Kerberos security, NTFS permissions, and share-level security.


What this Book Covers
This book can be read as a narrative. Some of the chapters, especially 3 and 4, should be read from start to finish in one go; the results you will get when you try the examples depend upon following the same order in which the examples appear in the book.

Chapter 1: A Security Roadmap
What are the main features of SQL Server security? In this chapter, I set out an overview of the main options, creating a clear "big picture" into which you can slot the more detailed information contained in subsequent chapters.

Chapter 2: Authenticating Logins
The first step in gaining access to your data is authentication at the SQL Server level. I discuss how this is done, both with SQL Server login accounts and Windows domain accounts. I explain how this process works at the packet level, and show how the network traffic for various transport protocols can be sniffed if sent unencrypted. I discuss other strategies for making your passwords more secure, and the implications of denying logins or adding them to server roles.

Chapter 3: Database Security in SQL Server 6.5
Once you gain access to the server, there are a lot of options for you to set on each database. Which roles can you use? Which users and roles should be denied? Some of the options you can exercise also depend upon the order in which they are executed, returning some quite unexpected results. I unravel these mysteries in this chapter.

Chapter 4: Database Security in SQL Server 7.0 and 2000
Security on SQL Server 7.0 and 2000 has made a step change from SQL Server 6.5. Now, you can assign users and Windows groups to as many database roles as you want. You have built-in server roles, application roles, and as many user-defined roles as you want. With all these options, you gain both power and complexity when compared to SQL Server 6.5. Once again, I weave a path through the various options available.

Chapter 5: Securing Data on the Network
The best security practices can protect data while it stays under SQL Server's control, but once it leaves the safety of the server, there are several ways to steal or change data as it travels the network between the client and server. Experts agree that you must be just as vigorous in your defense against attacks from the internal network as you are for attacks from the Internet, and in fact, several studies have shown that 60–80 percent of all attacks come from inside the network. This new chapter for the second edition will show you several strategies for keeping your data safe from several kinds of network-based attacks.

Chapter 6: Designing Security for Applications
Setting login rights and database permissions are not the only ways to protect your data. The applications that use SQL Server also have a great effect on the total security. Poorly designed applications can undermine even the best of SQL Server's security mechanisms; therefore, learning to write secure applications should be a high priority if you are truly concerned with end-to-end security. This chapter not only includes the discussion from the first edition of the different ways an attacker can use the SQL Injection Attack to wreak havoc on your system, but also adds new explanations of how you can use Forms Authentication in ASP.NET to authenticate users and how you can encrypt your data before storing it in the database to prevent unauthorized access.

Chapter 7: Securing Data Transformation Services
Data Transformation Services (DTS) packages can be saved in a number of ways, and each way has its own implications for the security of the package. Whichever way they're saved, packages are designed to be executed by different users, each of whom may have different security credentials from the package creator's. In this chapter, you see how to implement security for DTS, whoever is executing the package.

Chapter 8: Replication Security
Replication offers the useful ability to send accurate data out to remote servers, and even have several remote servers work on the data, collate it, and return it. However, with the requirement of enabling SQL Server Agent access from remote servers to your SQL Server, replication also gives an attacker a great opportunity to compromise your server. In this chapter, you see how this could happen and what steps to take to minimize the risk.

Chapter 9: Managing Security in SQL Server CE
Mobile devices pose a particular security problem. Due to their mobility, they are easily stolen, and SQL Server CE is a compact program, lacking many of the security features of a desktop server/domain. I focus in this chapter on what you can do to SQL Server CE to keep your data safe from prying eyes.

Appendix A
This appendix contains a listing of useful references and hyperlinks to cool tools, alert sites, white papers, and further reading.


What You Need to Use this Book
One of the following SQL Servers is required:
SQL Server 6.5 Service Pack 5a with the post 5a hotfix
SQL Server 7.0 Service Pack 4
SQL Server 2000 Service Pack 2
SQL Server CE 2.0 (Chapter 8 only)

You will also need to run on either of the following:
Windows NT 4 Service Pack 6
Windows 2000 Service Pack 2

I don't cover SQL Server on Windows 9x.


Chapter 1: A Security Roadmap

Overview
In many ways, securing SQL Server reminds me of paintings by Monet I saw at the Museum of Fine Arts in Boston years ago. When you stand very close to Monet's paintings, all you see is little dots of color. It is only when you stand back that you see how the dots converge into a complete picture. Obviously, Monet had to focus on where he placed each spot of paint, but it is equally obvious that he knew where those daubs of paint were going to go before he started painting. For a database server, the daubs of paint might be a user, or a permission, or a piece of data, and the picture they form shows how they all relate to each other, and how they fulfill the primary goal of giving people no more and no less than the rights they need to accomplish their tasks. Much like the painting, we need to focus on where we will assign permissions, but we also need to have the big picture in mind before we start.

Quite often, people are overwhelmed at the sheer number of details to be managed when making sure that database users get the permissions they deserve and do not get permissions they do not deserve. Let's face it, securing SQL Server is not a simple task. The process starts by trying to determine the identity of a user who wants to log in. Then SQL Server has to decide whether the user has permission to perform a very large list of activities at the server level. Finally, SQL Server has to decide whether the user can access a database, what identity he will have within that database, and what he can do with the data stored there. To add to the complexity, the user could be logging in with a Windows account instead of an account managed by SQL Server and, in SQL Server 7.0 and 2000, he could receive both server and database permissions by being a member of a Windows group. If you look at each individual piece of the process to the exclusion of the others, providing appropriate access to data does seem to be easy but, when you put all the pieces together, the total picture can be quite intimidating.

Fortunately, you do not have to be a genius like Monet to learn to combine all those individual pieces into a coherent, understandable, and manageable security plan. Part of the learning process is to develop an understanding of which things you need to use, and which things you can leave out. Just as Monet did not use every color available in a single painting, so are you not required to use every feature SQL Server offers for securing data. SQL Server is very flexible because it is used in many distinctly different environments. A technique that is appropriate for one environment will often simply not work in a different one; therefore, my goal for this book is to teach you how to evaluate the strengths and weaknesses of the different ways of securing data for your particular environment.

Even though securing a server may remind me of Monet's paintings, our tools will consist not of brushes and paints, but of accounts, passwords, and permissions. Before we move on to other chapters in which we dig into the details of how SQL Server implements security, let's look at what is available to help us allow the good people in and keep the bad people out.


Authentication and Authorization
Every discussion of security concerns the twin processes of authentication and authorization. Authentication refers to the process of identifying a user, and authorization refers to the process of determining what that user can do. For SQL Server, authentication occurs both during initial login and each time a user attempts to use a database for the first time during a session. Authorization occurs every time a user attempts to perform any operation within a database. Authorization will also come into play any time a user attempts to change SQL Server's configuration, use a system stored procedure, make changes to database configurations, and so on.

For authentication, which Chapter 2 covers, there are five server scenarios that are possible with SQL Server 6.5, 7.0, and 2000 running on Windows NT and 2000:
SQL Server 6.5 on Windows NT
SQL Server 7.0 on Windows NT
SQL Server 2000 on Windows NT
SQL Server 7.0 on Windows 2000
SQL Server 2000 on Windows 2000

Fortunately, all but the last scenario use basically the same mechanisms to authenticate users. It is only when I cover SQL Server 2000 running on Windows 2000 that I need to expand the discussion to encompass the new security features in Windows 2000.

Authorization is easier to cover because there is no operating system-based difference in the authorization process between Windows NT and Windows 2000. However, SQL Server 6.5 has important differences from SQL Server 7.0 and 2000, so I cover them in separate chapters.

To get started, I've created a security roadmap (see Figure 1-1) to help you keep track of where you must make decisions about which feature to use.

Figure 1-1: The security roadmap

This is a picture I keep in my head when I'm troubleshooting server access problems or trying to determine what permissions a user has in a database. Each section represents a different place where you can control access. In the next few sections, I put all the security mechanisms into the context of this picture, so that hopefully at the end of this chapter you will have a sense of where each part fits into the overall scheme of managing SQL Server security.


Options for Authentication
The place to start is authentication. When I started teaching classes on SQL Server, I discovered that most of my students did not realize that all interaction with SQL Server happens through a client application. As a service, SQL Server runs without a user interface. In fact, the only way you can change the server's settings without using a client application is by setting command line parameters and/or registry settings.

Client authentication, therefore, is a critical piece of any security plan. Administrators usually do not need to worry about authentication because they are using Windows NT accounts or SQL Server accounts that grant them complete control over the system, but users are not—and should not be—so fortunate. That means your first decision, when designing a security plan, will be how your system's users will validate their login information.

SQL Server 6.5 and 7.0 have two ways to authenticate logins: Windows NT authentication and SQL Server authentication, and SQL Server 2000 adds Kerberos and Active Directory authentication. Chapter 2 covers the details of how authentication works, so for now, let's just concentrate on how these authentication modes fit into the picture.

Windows Authentication
To understand Windows NT/2000 authentication, you have to understand how Windows NT represents a user's permissions within the system. When a user logs in, whether she is sitting at the computer itself or is connecting to the system across the network, Windows NT creates an access token, which contains the user's security identifier (SID) and a list of all the groups (both local and global) of which the user is a member. Each time a user attempts to open a protected resource, Windows NT compares the SID and group memberships in the access token to the access control list (ACL), which lists approved users for that resource.

User rights play a role here as well. For a Windows local login, a user must have the "Log on locally" user right, whereas network users require the "Access this computer from the network" user right. Those rights, of course, can be granted to any group of which the user is a member, including groups that have implicit membership, such as the Everyone local group.

The diagram in Figure 1-2 illustrates how a client authenticates using Windows NT authentication.

Figure 1-2: Windows NT authentication

In the client documentation, this kind of authentication is called a trusted connection, primarily because the only kinds of clients that can use it are the ones that Windows NT trusts—that is, other Windows clients. The main difference between Windows NT authentication and SQL Server authentication is that the Windows-based client knows how to encrypt the login credentials the way Windows expects, instead of sending the account and password across the network in clear text, as is the case with SQL Server authentication.

The process begins with the client application's attempt to make a connection to the server. I cover how the client finds the server a little later when I discuss the SQL Server network libraries in Chapter 2. The network library used on the client affects both the way the client finds the server and the way the client sends data to the server. For the purposes of the discussion in this section, you can just assume that the client can find the server.

The process of sending data back and forth to the operating system is called interprocess communication, or IPC for short. IPC started as a way for one application to send data to another application on the same Windows NT machine, but it was expanded to allow an application to send data to another application on an entirely different computer across the network. In the process, the architects of Windows NT realized that because all clients must authenticate in Windows NT before they are allowed to do anything on the computer, IPC clients must have a way to authenticate when they attempt to connect across the network. Thus, at startup, Windows NT or 2000 creates a hidden system share named IPC$.

Note If you want to know more about IPC mechanisms and how Windows NT manages application and network security, you should consult Inside Windows NT by Helen Custer (Microsoft Press, ISBN: 155615481X), Advanced Windows, Third Edition by Jeffrey Richter (Microsoft Press, ISBN: 1572315482), and Programming Windows, Fifth Edition by Charles Petzold (Microsoft Press, ISBN: 157231995X). The first one is a must-read for all Windows NT administrators, and the latter two are must-reads for all Windows NT programmers. Windows NT administrators who know a little about programming can benefit from reading Advanced Windows too.

All clients wanting to log in to Windows NT attempt to connect to IPC$ with a mechanism that is identical to connecting to a shared directory. Because IPC$ is a shared resource, attempting to connect to it triggers a login process on the server. In the process, the client operating system sends its security credentials to the server so that Windows can build an access token.


The account can be either in the server's local security storage or in the domain's security storage. If the user does not provide a domain account or if the domain provided is not one recognized by the server, Windows consults its local security storage to see if the account and password can be found there. If the account is a domain account, then Windows makes a connection to a domain controller and asks it to validate the account and password. If the domain controller approves the credentials, it sends back the list of domain global groups of which the account is a member.

In both cases, the operating system always checks the local security storage and adds the local groups that have the login account and any domain global groups as a member. In the case of a domain account, this check is in addition to the check of the domain security database.

After authenticating the user's Windows account, SQL Server receives a complete list of security identifiers for both the user's Windows NT/2000 account and the local and global groups of which he is a member. The net result is that a user can gain access to SQL Server through one of the following:
The user's personal account
The local operating system's local groups (in the case of SQL Server running on a member server)
The domain's local groups (only in certain, special cases)
The domain groups, including domain local, global, and universal groups

Once the operating system compiles the list of SIDs, SQL Server takes over the authentication process using a table containing login account information. Chapter 2 goes into detail on how SQL Server determines login privileges for versions 6.5, 7.0, and 2000.

Managing Server Access using Windows NT Groups
This is a good point at which to mention that Windows authentication is not limited to just user accounts in SQL Server 7.0 and 2000; both local and global groups can be granted login permission as well. In this case, instead of storing the SID for an individual account, SQL Server stores the SID for the group.

The effect of this approach is that you can manage access to your server through Windows NT or 2000 domain global groups, or by adding Windows users to local groups on the SQL Server itself. If the Windows NT or 2000 account administrators are also the SQL Server administrators, and if it makes sense to manage your SQL Server users' access at the domain level, then this method greatly simplifies server access management. Rather than creating tens or even hundreds of login accounts, you can create several groups that represent the different groups of people who will be using the system and place members in the groups at the domain server.

If you need to deny access to a specific member of a Windows NT group, you have two options. First, you can deny access to the user's Windows NT account explicitly. Second, you can create a single domain group, deny that group access to SQL Server, and place any users who may not access the server in that group. Because having only one of her access token SIDs denied means the user cannot log in, you need only one group for the entire organization.
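
The login decision described in this section, as an added example that is not from the book: a simplified Python model of how the SIDs in an access token are matched against SQL Server 7.0/2000 logins, with a single denied SID overriding any grant. All account names, group names and SIDs are constructed, and the dictionaries standing in for the domain, the local security storage and the login table are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed SIDs for illustration only; none of these come from the book.
ALICE = "S-1-5-21-1-1001"
BOB = "S-1-5-21-1-1002"
CAROL = "S-1-5-21-1-1003"
DAVE = "S-1-5-21-1-1004"
G_SALES = "S-1-5-21-1-2001"      # domain global group "SalesUsers"
G_DBAS = "S-1-5-21-1-2002"       # domain global group "DBAs"
G_NOSQL = "S-1-5-21-1-2003"      # domain global group "NoSQLAccess"
L_OPERATORS = "S-1-5-21-9-3001"  # local group on the SQL Server machine

# Group SID -> member SIDs. Local groups may contain accounts or global groups.
GLOBAL_GROUPS = {G_SALES: {ALICE, BOB}, G_DBAS: {CAROL}, G_NOSQL: {BOB}}
LOCAL_GROUPS = {L_OPERATORS: {G_DBAS}}

# Stand-in for the login table: one entry per SID, granted or denied.
LOGINS = {G_SALES: "grant", L_OPERATORS: "grant", G_NOSQL: "deny"}


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    @property
    def all_sids(self):
        return self.group_sids | {self.user_sid}


def build_token(user_sid, global_groups=GLOBAL_GROUPS, local_groups=LOCAL_GROUPS):
    """Collect the SIDs the operating system hands to SQL Server."""
    # The domain controller reports the global groups the account belongs to.
    global_sids = {g for g, members in global_groups.items() if user_sid in members}
    # The server then adds every local group that has the account, or one of
    # those global groups, as a member.
    principals = global_sids | {user_sid}
    local_sids = {g for g, members in local_groups.items() if members & principals}
    return AccessToken(user_sid, frozenset(global_sids | local_sids))


def check_login(token, logins=LOGINS):
    """Return (allowed, reason). One denied SID in the token blocks the login."""
    matched = {sid: logins[sid] for sid in token.all_sids if sid in logins}
    denied = sorted(sid for sid, action in matched.items() if action == "deny")
    if denied:
        return False, f"denied via {denied[0]}"
    granted = sorted(sid for sid, action in matched.items() if action == "grant")
    if granted:
        return True, f"granted via {granted[0]}"
    return False, "no login matches any SID in the token"


if __name__ == "__main__":
    for name, sid in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("dave", DAVE)]:
        print(name, check_login(build_token(sid)))
```

In this model Bob belongs to both a granted group and the single deny group, so he is refused, while Carol gets in only through the local group that contains her global group.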

From this point on, normal SQL Server permissions checking takes over. In Chapter 4, you will see that SQL Server 7.0 and 2000 use the contents of the access token when checking permissions at the server and database level, but other than that, Windows is out of the picture. Now, let's turn our attention to what happens when the client logs in with an account maintained by SQL Server.

SQL Server Authentication
You can think of SQL Server authentication as the lowest common denominator for authentication, because it supports logins from all clients, no matter what operating system they use. SQL Server authentication supports connections from clients that are
Running all versions of Windows
Using the TCP/IP network protocol (for example, Unix or Novell NetWare clients)
Using the AppleTalk network protocol (for example, the iMac)
Using the Banyan Vines network protocol

The differences between SQL Server authentication and Windows NT authentication are as follows:
The request for login comes directly to SQL Server.
SQL Server maintains the internal list of permitted logins, and the login request does not use Windows NT password encryption.

Once logged in, granting permissions is generally the same for both SQL Server and Windows authenticated logins. In SQL Server 6.5, there are no differences in the way you assign permissions to either type of login. (I cover all the options for assigning permissions in SQL Server 6.5 in Chapter 3.) In SQL Server 7.0 and 2000, the only difference between SQL Server and Windows authenticated logins is that the SQL Server login does not carry any Windows NT group or account information with it, which means that it cannot gain any additional permissions granted to Windows groups. Instead, it will gain its permissions from server and database roles, as I discuss in Chapter 4.

Kerberos and Active Directory Authentication
SQL Server 2000 adds its own additions to the list of authentication methods for handling Windows 2000 clients. For Windows 95/98 and Windows NT clients, and for Windows 2000 clients connecting to SQL Server 2000 running on Windows NT, authentication in SQL Server 2000 is the same as it is in SQL Server 7.0. For SQL Server 2000 running on Windows 2000, however, you will have the option of authenticating through Active Directory and/or using the Kerberos authentication protocol.

Chapter 5 covers the details, but the main difference is that Windows 2000 uses Kerberos security through the Active Directory service. For the
