Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module 14 Configuring Security for SQL Server Agent.

Published byHoward Greene Modified over 8 years ago

Similar presentations

Presentation on theme: "Module 14 Configuring Security for SQL Server Agent."— Presentation transcript:

1 Module 14 Configuring Security for SQL Server Agent

2 Module Overview Understanding SQL Server Agent Security Configuring Credentials Configuring Proxy Accounts

3 Lesson 1: Understanding SQL Server Agent Security Overview of SQL Server Agent Security SQL Server Agent Roles Discussion: SQL Server Agent Job Dependencies Assigning Security Contexts to Agent Job Steps SQL Server Agent Security Troubleshooting Demonstration 1A: Assigning a Security Context to Job Steps

4 Overview of SQL Server Agent Security Network permissions are determined by the service account:  Built-in accounts such as Local and Network Service  Windows domain accounts Account used to execute jobs must connect to:  SQL Server instance for T-SQL Job Steps  Windows and network resources for other job types Proxy Accounts can be used It is important to make sure that each SQL Server Agent job step runs in an appropriate security context.

5 SQL Server Agent Roles sysadmin fixed role members can administer SQL Server Agent Fixed database roles in the msdb control access for other users RoleDescription SQLAgentUserRole Control permission for jobs and schedules that they own SQLAgentReaderRole All permissions of the SQLAgentUserRole plus permission to view the list of all available jobs and job schedules SQLAgentOperatorRole Permission to manage local jobs, view properties for operators and proxies, and enumerate available proxies and alerts

6 Discussion: SQL Server Agent Job Dependencies What SQL Server resources would SQL Server Agent Jobs potentially depend upon? What resources outside of SQL Server might SQL Server Agent jobs depend upon? What identity is needed for accessing the external resources?

7 Assigning Security Contexts to Agent Job Steps T-SQL job steps:  SQL Server Agent impersonates the owner of the Job  If the owner is a member of the sysadmin fixed server role, the step runs under the SQL Server Agent service account  Members of the sysadmin fixed server role can also specify a different user Other job step types:  Members of sysadmin fixed role can use SQL Server Agent account (default)  Proxy Accounts are used to define the credentials to use

8 SQL Server Agent Security Troubleshooting Check:  That the job is running  The security account that the job is executing under SQL Server Agent Service Account or Proxy SQL User for T-SQL Job Steps  The permissions for the account Check tasks the job is performing Review job step history

9 Demonstration 1A: Assigning a Security Context to Job Steps In this demonstration, you will see:  How to view the identity that a job step was executed under  How to change the security context for T-SQL job steps  How to troubleshoot a job step

10 Lesson 2: Configuring Credentials Overview of Credentials Configuring Credentials Managing Credentials Demonstration 2A: Configuring Credentials

11 Overview of Credentials Credentials are:  Required for access to external resources  Password encrypted using the service master key Credentials are used to:  Provide a Windows identity for SQL Server Logins that need to access external resources  Provide identities for Proxy Accounts that are used in SQL Server Agent Job Steps Credentials are SQL Server objects that store authentication information.

12 Configuring Credentials Created using T-SQL or SSMS Stored in master database with secret encrypted using the service master key Created using T-SQL or SSMS Stored in master database with secret encrypted using the service master key USE master; GO CREATE CREDENTIAL Agent_Export WITH IDENTITY = N'VIENNA\Agent_Export', SECRET = N'Pa$$w0rd'; GO USE master; GO CREATE CREDENTIAL Agent_Export WITH IDENTITY = N'VIENNA\Agent_Export', SECRET = N'Pa$$w0rd'; GO

13 Managing Credentials SELECT * FROM sys.credentials; GO ALTER CREDENTIAL Agent_Export WITH IDENTITY = N'VIENNA\Agent_Export', SECRET = N'NewPa$$w0rd'; GO DROP CREDENTIAL Agent_Export; GO SELECT * FROM sys.credentials; GO ALTER CREDENTIAL Agent_Export WITH IDENTITY = N'VIENNA\Agent_Export', SECRET = N'NewPa$$w0rd'; GO DROP CREDENTIAL Agent_Export; GO Credentials can be listed by querying the sys.credentials system view Credentials are modified using ALTER CREDENTIAL  Both the identity and the secret are always altered Credentials are removed via DROP CREDENTIAL

14 Demonstration 2A: Configuring Credentials In this demonstration you will see:  How to create a job that copies a file  How to create a credential using T-SQL

15 Lesson 3: Configuring Proxy Accounts Overview of Proxy Accounts Working with Built-in Proxy Accounts Managing Proxy Accounts Demonstration 3A: Configuring Proxy Accounts

16 Overview of Proxy Accounts Created using SSMS or dbo.sp_add_proxy procedure in msdb Can always be used by sysadmin fixed server role members Can be used with permission by:  SQL Login  msdb or server role JobProxyCredentialResource Proxy Accounts provide SQL Server Agent with access to Microsoft Windows security credentials

17 Working with Built-in Proxy Accounts Proxies are defined for specific SQL Server Subsystems Proxies can be used by one or more subsystems  Provides limited security for specific functions Each job step type is associated to specific subsystem, except T-SQL

18 Managing Proxy Accounts Proxies are defined in msdb Configuration information can be accessed through system tables in msdb  sysproxies, sysproxylogin, sysproxyloginsubsystem, syssubsystems USE msdb; GO SELECT p.name as ProxyName, c.name as CredentialName, p.description as ProxyDescription FROM dbo.sysproxies AS p INNER JOIN sys.credentials AS c ON p.credential_id = c.credential_id; USE msdb; GO SELECT p.name as ProxyName, c.name as CredentialName, p.description as ProxyDescription FROM dbo.sysproxies AS p INNER JOIN sys.credentials AS c ON p.credential_id = c.credential_id;

19 Demonstration 3A: Configuring Proxy Accounts In this demonstration, you will see:  How to define a Proxy Account  How to use a Proxy Account  How to view Proxy Accounts and their properties using T-SQL

20 Lab 14: Configuring Security for SQL Server Agent Exercise 1: Troubleshoot job execution failure Exercise 2: Resolve the security issue Challenge Exercise 3: Perform further troubleshooting (Only if time permits) Logon information Estimated time: 45 minutes

21 Lab Scenario You have deployed a job that extracts details of prospects that have not been contacted recently. You have also scheduled the job to run before each of the two marketing planning meetings that occur each week. The marketing team has deployed new functionality in Promote application to improve the planning processes. Rather than having the job scheduled, it is necessary for the Promote application to execute the job on demand. The Promote application connects as a SQL login called PromoteApp. One of the other DBAs Terry Adams has attempted to configure SQL Server so that the PromoteApp login can execute the job. However he is unable to resolve why the job still will not run. In this lab you need to troubleshoot and resolve the problem.

22 Lab Review What do you need to do when the password for a credential expires? Can credentials use external encryption providers?

23 Module Review and Takeaways Review Questions Best Practices

Download ppt "Module 14 Configuring Security for SQL Server Agent."

Similar presentations

Module 8 Importing and Exporting Data. Module Overview Transferring Data To/From SQL Server Importing & Exporting Table Data Inserting Data in Bulk.

Module 8 Importing and Exporting Data. Module Overview Transferring Data To/From SQL Server Importing & Exporting Table Data Inserting Data in Bulk.
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Module 17 Tracing Access to SQL Server 2008 R2. Module Overview Capturing Activity using SQL Server Profiler Improving Performance with the Database Engine.

Module 17 Tracing Access to SQL Server 2008 R2. Module Overview Capturing Activity using SQL Server Profiler Improving Performance with the Database Engine.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Module 5: Performing Administrative Tasks. Overview Configuration Tasks Routine SQL Server Administrative Tasks Automating Routine Maintenance Tasks Creating.

Module 5: Performing Administrative Tasks. Overview Configuration Tasks Routine SQL Server Administrative Tasks Automating Routine Maintenance Tasks Creating.
SQL Server Agent Keith Binford. SQL Server Agent SQL Server Agent is a Windows service that can execute and schedule tasks and jobs.

SQL Server Agent Keith Binford. SQL Server Agent SQL Server Agent is a Windows service that can execute and schedule tasks and jobs.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.

By Rashid Khan Lesson 8-Crowd Control: Controlling Access to Resources Using Groups.
1 Chapter Overview Transferring and Transforming Data Introducing Microsoft Data Transformation Services (DTS) Transferring and Transforming Data with.

1 Chapter Overview Transferring and Transforming Data Introducing Microsoft Data Transformation Services (DTS) Transferring and Transforming Data with.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Module 13 Automating SQL Server 2008 R2 Management.

Module 13 Automating SQL Server 2008 R2 Management.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Module 18 Monitoring SQL Server 2008 R2. Module Overview Monitoring Activity Capturing and Managing Performance Data Analyzing Collected Performance Data.

Module 18 Monitoring SQL Server 2008 R2. Module Overview Monitoring Activity Capturing and Managing Performance Data Analyzing Collected Performance Data.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Similar presentations

Ads by Google