Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.

Presentation transcript:

Module 4: Managing Security

Overview
- Implementing an Authentication Mode
- Assigning Login Accounts to Users and Roles
- Assigning Permissions to Users and Roles
- Managing Security Within SQL Server
- Managing Application Security
- Managing SQL Server Security in the Enterprise

Implementing an Authentication Mode
- Authentication Processing
- Choosing an Authentication Mode
- Mutual Authentication Using Kerberos
- Impersonation and Delegation
- Encryption
- Steps in Implementing an Authentication Mode
- Creating Login Accounts
- Setting Up Login Accounts

Authentication Processing
- Windows 2000 group or user: SQL Server verifies entry in sysxlogins table; trusts that Windows 2000 has verified password
- SQL Server login account: SQL Server verifies entry in sysxlogins table, and verifies password

Choosing an Authentication Mode
Advantages of Windows Authentication Mode
- Advanced security features
- Adding groups as one account
- Fast access
Advantages of Mixed Mode
- Non-Windows 2000 and Internet clients can use it to connect

Mutual Authentication Using Kerberos
(Diagram: User, Kerberos, SQL Server; labels: Mutual Authentication, Encrypted Data, Password)

Impersonation and Delegation
(Diagram: SQL Server, File system; labels: Impersonation, Delegation)

Encryption
Internal Encryption
- Login passwords
- Transact-SQL definitions
Network Encryption

Steps in Implementing an Authentication Mode
1. Set the Authentication Mode
2. Stop and Restart MSSQLServer Service
3. Create Windows 2000 Groups and Users
4. Authorize Windows 2000 Groups and Users to Access SQL Server
5. Create SQL Server Login Accounts for Users Who Connect with Non-Trusted Connections

Creating Login Accounts
master..sysxlogins
name: BUILTIN\Administrators, accountingdomain\payroll, accountingdomain\maria, mary, sa
dbname: master Northwind pubs master Northwind pubs master
password: NULL ******** NULL ********

Demonstration: Setting Up Login Accounts

Lab A: Managing Security

Assigning Login Accounts to Users and Roles
Northwind..sysusers (users are stored here)
- Columns: uid, name
- name: public, dbo, INFORMATION_SCHEMA, payroll
Northwind..sysprotects (permissions are stored here)
- Columns: id, uid, action, protecttype
- 205

Assigning Login Accounts to User Accounts
Adding User Accounts
- SQL Server Enterprise Manager
- sp_grantdbaccess system stored procedure
dbo User Account
guest User Account

Assigning Login Accounts to Roles
- Fixed Server Roles
- Fixed Database Roles
- User-defined Database Roles

Fixed Server Roles
Role: Permission
- sysadmin: Perform any activity
- dbcreator: Create and alter databases
- diskadmin: Manage disk files
- processadmin: Manage SQL Server processes
- serveradmin: Configure server-wide settings
- setupadmin: Install replication
- securityadmin: Manage and audit server logins
- bulkadmin: Execute BULK INSERT statements

Fixed Database Roles
Role: Permission
- public: Maintain all default permissions
- db_owner: Perform any database role activity
- db_accessadmin: Add or remove database users, groups, and roles
- db_ddladmin: Add, modify, or drop database objects
- db_securityadmin: Assign statement and object permissions
- db_backupoperator: Back up database
- db_datareader: Read data from any table
- db_datawriter: Add, change, or delete data from all tables
- db_denydatareader: Cannot read data from any table
- db_denydatawriter: Cannot change data in any table

User-defined Database Roles
Add a Role:
- When a Group of People Needs to Perform the Same Activities in SQL Server
- If You Do Not Have Permissions to Manage Windows 2000 Accounts

Demonstration: Assigning Login Accounts to User Accounts and Roles

Assigning Permissions to Users and Roles
- Types of Permissions
- Granting, Denying, and Revoking Permissions
- Granting permissions to allow access
- Denying permissions to prevent access
- Revoking granted and denied permissions

Types of Permissions
Predefined
- Fixed Role
- Object Owner
Object
- TABLE, VIEW: SELECT, INSERT, UPDATE, DELETE, REFERENCES
- COLUMN: SELECT, UPDATE, REFERENCES
- STORED PROCEDURE: EXEC
Statement
- CREATE DATABASE
- CREATE TABLE
- CREATE VIEW
- CREATE PROCEDURE
- CREATE RULE
- CREATE DEFAULT
- CREATE FUNCTION
- BACKUP DATABASE
- BACKUP LOG

Granting, Denying, and Revoking Permissions
- GRANT: Can Perform Action
- REVOKE: Neutral
- DENY: Cannot Perform Action

Granting Permissions to Allow Access
(Table: rows User/Role: Eva, Ivan, David, public; columns: SELECT, INSERT, UPDATE, DELETE, DRI)

Denying Permissions to Prevent Access
(Table: rows User/Role: Eva, Ivan, David, public; columns: SELECT, INSERT, UPDATE, DELETE, DRI)

Revoking Granted and Denied Permissions
(Table: rows User/Role: Eva, Ivan, David, public; columns: SELECT, INSERT, UPDATE, DELETE, DRI)
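
The chain covered so far (login, database user, role, then GRANT / DENY / REVOKE) as a Transact-SQL sequence. This is an added example, not part of the original slides: the role name SalesStaff and the choice of tables are assumptions, and it assumes the Windows account accountingdomain\maria exists.

```sql
-- Added example; SalesStaff is a hypothetical role name.
USE Northwind
GO

-- Authorize the Windows account to connect, then map the login
-- to a user account in this database (the sp_grantdbaccess step).
EXEC sp_grantlogin 'accountingdomain\maria'
EXEC sp_grantdbaccess 'accountingdomain\maria', 'maria'
GO

-- User-defined database role: permissions are applied to the role,
-- and users receive them through membership.
EXEC sp_addrole 'SalesStaff'
EXEC sp_addrolemember 'SalesStaff', 'maria'
GO

-- GRANT: members of SalesStaff can perform these actions.
GRANT SELECT, INSERT ON Orders TO SalesStaff
GRANT SELECT ON Employees TO SalesStaff
GO

-- DENY: maria cannot read Employees, even though SalesStaff
-- (and possibly public) has been granted SELECT. DENY wins.
DENY SELECT ON Employees TO maria
GO

-- REVOKE: removes the DENY entry for maria. Her own state is neutral
-- again, so the SELECT granted to SalesStaff now applies to her.
REVOKE SELECT ON Employees FROM maria
GO

-- Review the permission entries recorded for the table.
EXEC sp_helprotect 'Employees'
GO
```

Running sp_helprotect after each step shows the entry for maria appear with the DENY and disappear with the REVOKE, while the role's GRANT stays in place.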

Managing Security Within SQL Server
- Determine Use of Default Login Accounts
  - sa
  - BUILTIN\Administrators
- Determine Function of guest User Account
- Determine public Role Permissions
- Apply Permissions to Roles
- Create Objects with Owner dbo
- Secure CmdExec and ActiveScripting Job Steps

Lab B: Managing Permissions

Managing Application Security
- Managing Security with Views and Stored Procedures
- Managing Client Application Security with Application Roles

Managing Security with Views and Stored Procedures
(Diagram: Employees table with columns EmployeeID, LastName, FirstName, ReportsTo; rows: Davolio, Nancy; Fuller, Andrew; Leverling, Janet)
- SELECT * FROM Employees
- EXEC Employee_Update 1, 9
- SELECT * FROM Employee_View

Managing Client Application Security with Application Roles
(Diagram: Orders table with columns OrderID, CustomerID, EmployeeID; CustomerID values VINET, TOMSP, HANAR; clients: Microsoft Excel, Order Entry Application)

Creating Application Roles
- Creating an Application Role Inserts a Row into the sysusers Table
- Managing Application Role Permissions

Activating Application Roles
EXEC sp_setapprole 'SalesApp', {ENCRYPT N'hg_7532LR'}, 'ODBC'
- User Must Specify Password
- Scope Is Current Database; if User Switches to Another Database, User Has Guest Permissions in That Database
- Role Cannot Be Deactivated Until User Disconnects

Lab C: Managing Application Security

Managing SQL Server Security in the Enterprise
- Using Group Policy to Secure SQL Server
- Using Proxy Servers, Firewalls, and Routers
- Using On-the-Wire Encryption to Secure Data

Using Group Policy to Secure SQL Server
Security Areas That Can Be Configured
- Account policies
- Restricted groups
- Software policies

Using Proxy Servers, Firewalls, and Routers
(Diagram: User, Internet, Microsoft Proxy Server, SQL Server; label: Secure)

Using On-the-Wire Encryption to Secure Data
- Internet Protocol Security
- Secure Sockets Layer

Recommended Practices
- Use Mixed Mode for Non-Trusted or Internet Clients Only
- Use the sysadmin Role Rather Than the sa Login Account
- Remove Windows 2000 Accounts First, Then SQL Server Accounts
- dbo User Should Own All Objects
- Use Stored Procedures and Views to Simplify Security

Review
- Implementing an Authentication Mode
- Assigning Login Accounts to Users and Roles
- Assigning Permissions to Users and Roles
- Managing Security Within SQL Server
- Managing Application Security
- Managing SQL Server Security in the Enterprise