Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server Security 101 How did you get in here, and

Published byVebjørn Thorbjørnsen Modified over 5 years ago

Similar presentations

Presentation on theme: "SQL Server Security 101 How did you get in here, and"— Presentation transcript:

1 SQL Server Security 101 How did you get in here, and
Who said you could do that? Presented by: Pat Phelan DBA Mentor at Involta, LLC.

2 Presenter confessions
This is a “101” presentation, it is not a deep dive into internals! Wikipedia citations This presentation cites Wikipedia Academia doesn’t support those citations Wikipedia makes definitions and additional information freely accessible Wikipedia makes most of those available in many human languages. Feedback request This presentation is evolving Constructive comments and suggestions are welcome!

3 Session Overview We will cover (built into this presentation)
AD/Windows basics SQL Server Logins Database users Permissions We might cover (based on audience interest) SQL security Pre-SQL 2000 security Principle of least privilege Other information sources Non-SQL Server kinds of security

4 AD/Windows features used by SQL
AD - Active Directory Often includes a number suffix that ties AD to a Windows Server version Directory of Windows Objects Computers Users Groups Printers

5 Kerberos https://en.wikipedia.org/wiki/Kerberos_(protocol)
AD security component since Windows 2000 AD uses a Kerberos subset Kerberos provides authentication of client and server Kerberos encourages encrypted communication for all traffic Kerberos requires encrypted communication for inital identification

6 SPN - Service Principal Names
Associates multiple AD/Windows objects within Kerberos Computer address (usually Ethernet IP address and port) Service name AD/Windows account for this SPN SETSPN.EXE Requires Domain Administrator privilege to run Lists and modifies SPNs FCI (SQL Server Failover Cluster Instance) notes SPNs are why FCIs are so much easier for Domain Adminis to install! Default security doesn’t permit non-Domain Admin to install FCI

7 SID – Windows Security Identifier
Always authoritative if an object has a SID, then the SID defines the object’s identity Defined to be variable length Usually a GUID under the covers

8 Names in Windows Names are easy and decorative for security communication. Names are for humans, rarely used inside of Windows Names come in many varieties Object usually have multiple names “Friendly” name Canonocial name Fully qualified name Applications can usually find a SID from a name

9 Windows Security-speak
People usually use names Windows almost always uses SIDs SPNs are critically important for services to access AD AD is Window’s authoritative source for security information Users Computers Groups

10 SQL Logins Logins authenticate a connection to the server
Logins divide into two types… At least a dozen ways! Server login Contained Login SQL Authenticated Login Windows Authenticated Login

11 Contained SQL Logins Especially important in DaaS, such as Azure or Cosmos DB Highly scalable Only database user association No server level permissions Can not be sysadmin Can not create new databases Limited access to other databases No cross database joins Limited access to system databases (master, msdb)

12 SQL Server Logins Can have server level permissions (such as sysadmin)
Can access multiple databases Cross database joins System databases (master and msdb) Can stop the SQL Server Windows authenticated users can have Service level permissions too

13 Database User No Authentication Inherits its identity from Login
Nearly all object permissions are granted to Users, not Logins

14 Authentication Types SQL Authentication Windows Authentication
Login name Password Windows Authentication Kerberos ticket grants SID access AD/Windows User AD/Windows Group

15 Security notes Login returned by SUser_SName()
User returned by User_Name() Impersonation SETUSER EXECUTE AS

16 EXECUTE xp_logininfo Relies on SPN and Kerberos for AD/Windows information My definitive answer for “What access does <blank> have to this SQL Server?” Parameters @option = ‘all’ Enumerates all of the access paths that a given login can use to get access as a result set @option = ‘members’ Enumerates the members of an AD/Windows Group as a result set!

17 SQL Server permissions
Great presenters can cover SQL permissions in about 30 hours I’m not that great We only have an hour Let’s give it a shot anyway! Full discussion starts at: databases/security/permissions-database-engine Pretty SQL Security poster PDF at:

18 SQL Permission related commands
GRANT Give permission DENY Forbid ever* getting permission REVOKE Drop previous GRANT or DENY *Note that there is a specific exception where an identity is: Denied access to a table Granted access to a column within that table

19 How Identity (Login or User) matches work
Exact match for your identity Match for a SQL Role that includes your identity Recursive Match for an AD/Windows Group that includes your AD User Usually recursive

20 How permissions are checked
If the Identity is a sysadmin, it has permission If the Identity owns any container (database, schema, etc.), it has permission If the Identity is DENIED, it can’t get permission There can be an exception for a GRANT on a column created after a DENY on the associated object. If the Identity is GRANTED permission, it has permission By default, no permission (except sysadmin and owner)

21 Database Permissions Keyword Permission to:
EXECUTE Execute code (function or stored procedure) SELECT Retrieve information INSERT Add new data (usually rows) to an object UPDATE Change data in an object DELETE Remove data from an object

22 Historical SQL Server permissions
SysAdmin Ability to do anything that SQL can do SecurityAdmin Ability to add logins and grant permissions ServerAdmin “Power User” able to manage much of SQL Server others

23 Modern SQL Server permissions
SysAdmin still exists, almost unchanged Much more granular permissions 237 in SQL 2017 / Azure 230 in SQL 2016 219 in SQL 2014 214 in SQL 2012

24 Evaluation Request Please fill out the evaluation forms
If you have specific comments or questions, please me Comments and questions are how I learn to present better. If you want me to give better presentations, you need to give me feedback! No comment is small or insignificant. I read them all. Thanks!

25 SQL Security 101 How did you get in here, and who said that you could do that?
Quad City PASS Local User Group Davenport, Iowa Pat Phelan DBA Mentor at Involta, LLC. Edit 

Download ppt "SQL Server Security 101 How did you get in here, and"

Similar presentations

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
MySQL Access Privilege System

MySQL Access Privilege System
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.

1 CSIT 320. Just as the combination of a database and a database management system collects and organizes information about an institution/company/… as.
Security and Integrity

Security and Integrity
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.

PHP Programming with MySQL Slide 8-1 CHAPTER 8 Working with Databases and MySQL.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.

By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.

Chapter 6 : Designing SQL Server Service-Level Security MCITP Administrator: Microsoft SQL Server 2005 Database Server Infrastructure Design Study Guide.
DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.

DIT314 ~ Client Operating System & Administration CHAPTER 5 MANAGING USER ACCOUNTS AND GROUPS Prepared By : Suraya Alias.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

Similar presentations

Ads by Google