
SQL Server Security Mistakes Everyone Makes


Presentation on theme: "SQL Server Security Mistakes Everyone Makes"— Presentation transcript:

1 SQL Server Security Mistakes Everyone Makes
Robert L Davis Database Engineer @SQLSoldier

2 Robert L Davis @SQLSoldier PASS Security Virtual Chapter
Microsoft Certified Master
Data Platform MVP
@SQLSoldier
Database Engineer, BlueMountain Capital Management
16+ years working with SQL Server
PASS Security Virtual Chapter: volunteers needed

Database Engineer at BlueMountain Capital Management
Former Principal Database Architect at DB Best Technologies
Former Principal DBA at Outerwall, Inc
Former Sr. Product Consultant with Idera Software
Former Program Manager for SQL Server Certified Master program in Microsoft Learning
Former Sr. Production DBA / Operations Engineer at Microsoft (CSS)
Microsoft Certified Master: SQL Server 2008 / MCSM Charter: Data Platform
Co-founder of the SQL PASS Security Virtual Chapter
MCITP: Database Developer: SQL Server 2005 and 2008
MCITP: Database Administrator: SQL Server 2005 and 2008
MCSE: Data Platform
MVP 2014
Co-author of Pro SQL Server 2008 Mirroring
Former Idera ACE (Advisors & Community Educators)
2 time host of T-SQL Tuesday
Guest Professor at SQL University, summer 2010, spring/summer 2011
Speaker at SQL PASS Summit 2010, 2011, and 2012 including a pre-con in 2012
Speaker/Pre-con at SQLRally 2012
Writer for SQL Server Pro (formerly SQL Server Magazine)
Member: Mensa
Dog picture: Maggie and Woody
SQLCruise instructor: Seattle to Alaska 2012
Speaker at SQL Server Intelligence Conference in Seattle 2012
Blog: Twitter:

3-12 SQL Server Security Mistakes Everyone Makes
Leaving orphaned users in the database
“What’s the big deal?”
“If the login was deleted, they can’t access the database.”
“Right?”
Once a user logs in, they get all permissions available to them
  Permissions superset
  Group memberships
  Orphaned users
To see all login paths: Exec xp_logininfo '<login>', 'all';
Demo
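An added audit query, not from the presentation or its demo files, that lists the orphaned users in the current database and builds a remediation statement for each. It assumes SQL Server 2012 or later (for sys.database_principals.authentication_type), a non-contained database, and that a login with the same name as the user is the intended mapping.

```sql
-- Added example, not from the presentation: find orphaned users in the current
-- database (a user whose SID matches no server login) and generate the fix.
-- Assumes SQL Server 2012+ and a non-contained database.
SELECT dp.name      AS UserName,
       dp.type_desc AS UserType,
       CASE
           -- A login with the same name exists: remap the user's SID to it.
           WHEN dp.type IN ('S', 'U') AND sp_name.name IS NOT NULL
               THEN N'ALTER USER ' + QUOTENAME(dp.name)
                    + N' WITH LOGIN = ' + QUOTENAME(sp_name.name) + N';'
           -- The user owns a schema, so DROP USER would fail; hand it over first.
           WHEN EXISTS (SELECT 1 FROM sys.schemas AS s
                        WHERE s.principal_id = dp.principal_id)
               THEN N'-- ' + QUOTENAME(dp.name)
                    + N' owns a schema: ALTER AUTHORIZATION ON SCHEMA::<name> TO dbo first'
           -- Windows group users: confirm the group is really gone before dropping.
           WHEN dp.type = 'G'
               THEN N'-- ' + QUOTENAME(dp.name)
                    + N' is a Windows group with no login: verify, then DROP USER'
           -- No login to map to: remove the user and the permissions it carries.
           ELSE N'DROP USER ' + QUOTENAME(dp.name) + N';'
       END AS Remediation
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp_sid  ON sp_sid.sid   = dp.sid   -- real mapping
LEFT JOIN sys.server_principals AS sp_name ON sp_name.name = dp.name  -- same-name candidate
WHERE sp_sid.sid IS NULL                 -- no login with this SID: orphaned
  AND dp.type IN ('S', 'U', 'G')         -- SQL user, Windows user, Windows group
  AND dp.authentication_type <> 0        -- skip users created WITHOUT LOGIN
  AND dp.principal_id > 4                -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.name;
```

Review the generated statements before running them; a user that still holds object permissions is exactly the case the slides warn about, so dropping it, not leaving it, is the fix.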

13-22 SQL Server Security Mistakes Everyone Makes
Allow non-admin users to have database owner permissions
Database owner or member of db_owner group
User gets ALL possible database permissions
Even potentially harmful permissions:
  Drop objects
  Change database settings
  Modify, add, drop database files
  Create out-of-band backups
  Drop the database
Demo
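An added audit script, not from the presentation, that walks every online user database and lists the members of db_owner, flagging those whose login is not already a sysadmin (sysadmins map to dbo anyway, so they gain nothing from the role). It assumes the caller can access every database, and the role name app_rw at the end is a hypothetical placeholder.

```sql
-- Added example, not from the presentation: list db_owner members in every
-- online user database and flag the ones whose login is not a sysadmin.
-- Assumes the caller (e.g. a sysadmin auditor) can enter each database.
DECLARE @results TABLE (
    DatabaseName sysname, MemberName sysname, MemberType nvarchar(60),
    LoginName sysname NULL, IsSysadmin bit
);
DECLARE @db sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND database_id > 4;   -- user databases only

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the catalog views to that database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), m.name, m.type_desc, sp.name,
               CASE WHEN IS_SRVROLEMEMBER(''sysadmin'', sp.name) = 1 THEN 1 ELSE 0 END
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        LEFT JOIN sys.server_principals AS sp ON sp.sid = m.sid  -- NULL = orphaned
        WHERE r.name = N''db_owner'';';
    INSERT INTO @results EXEC (@sql);
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- Non-sysadmin members are the ones to review: each can drop objects, change
-- settings, add or drop files, take out-of-band backups and drop the database.
SELECT DatabaseName, MemberName, MemberType, LoginName
FROM @results
WHERE IsSysadmin = 0
ORDER BY DatabaseName, MemberName;

-- Least-privilege replacement (hypothetical role name app_rw): grant only the
-- data and execute rights the application needs instead of db_owner.
-- CREATE ROLE app_rw;
-- GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_rw;
-- ALTER ROLE app_rw ADD MEMBER [app_user];
```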

23-30 SQL Server Security Mistakes Everyone Makes
Leave a real user as the database owner
Database owner: sys.databases.owner_sid
  Select D.name As DBName,
         P.name As DBOwnerLogin,
         SUSER_SNAME(D.owner_sid) As DBOwnerWindowsAccount
  From sys.databases As D
  Left Join sys.server_principals As P On P.sid = D.owner_sid;
  *Query included in session demo files
Account gets mapped to the database user dbo
dbo bypasses permissions checking within database
Sysadmins impersonate dbo within database
Invalid owner can cause error 916 when sysadmin tries to access database:
  The server principal <login> is not able to access the database <database> under the current security context.
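An added query, not from the presentation or its demo files, that goes one step beyond the listing query above: it classifies each user database's owner (missing login, real login, disabled login) and generates the ALTER AUTHORIZATION statement that reassigns ownership to the built-in sa account. It looks sa up by its SID (0x01) so a renamed sa still works, and assumes that owning databases with sa, even when sa is disabled, is the house policy.

```sql
-- Added example, not from the presentation: classify each user database's
-- owner and generate the statement that moves ownership to the built-in sa
-- account (SID 0x01, whatever name it now has; a disabled login still works
-- as an owner). Assumes sa-owned databases are the house policy.
DECLARE @sa sysname = SUSER_SNAME(0x01);

SELECT D.name AS DBName,
       P.name AS OwnerLogin,                -- NULL = the owner login no longer exists
       CASE
           WHEN P.sid IS NULL
               THEN 'orphaned owner: sysadmins may hit error 916'
           WHEN P.is_disabled = 1
               THEN 'owned by a disabled login (fine only if it is a dedicated account)'
           WHEN P.type IN ('S', 'U')
               THEN 'owned by a real login: that account is dbo and bypasses permission checks'
           ELSE 'owned by ' + P.type_desc
       END AS Finding,
       N'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(D.name)
           + N' TO ' + QUOTENAME(@sa) + N';' AS Fix
FROM sys.databases AS D
LEFT JOIN sys.server_principals AS P ON P.sid = D.owner_sid
WHERE D.owner_sid <> 0x01       -- already owned by sa
  AND D.database_id > 4         -- skip system databases
ORDER BY D.name;
```

Changing the owner also changes who maps to dbo, so re-run the demo-file listing query afterwards to confirm every database resolves to the expected login.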

31 SQL Server Security Mistakes Everyone Makes
Q & A

32 Thank you for attending!
Thanks! Thank you for attending! My blog: Twitter: twitter.com/SQLSoldier

