SQL Server - Lesson
Securing Databases & T-SQL for Data Control
Vu Tuyet Trinh
trinhvt-fit@mail.hut.edu.vn
Hanoi University of Technology

Outline
- Understanding SQL Server Security Model
- Managing logins, users and roles
- Managing Permissions
- Data Control Language (DCL) and Security Issues
- Implementing Security through Database Objects
- Other Security Options
  - Column Level Encryption
  - Proxy Accounts
  - Credentials

SQL Server Security Model

SQL Server Security Overview
Layered Security Model:
- Windows Level
- SQL Server Level
- Database
- Schemas (for database objects)
Terminology:
- Principals
- Securables
- Permissions
- Scopes and Inheritance

Principals / Securable / Permissions

Principals, Securable and Permissions
Principal
- Individuals, groups, and processes that can request SQL Server resources.
- Logins, Users, Roles, etc.
Securable
- A Securable is a resource that can be secured
- Tables, Views, Endpoints, etc.
Permission
- Permissions grant principals access to securables
- Grant a user Execute rights to a Stored Procedure, etc.
- SQL 2005 introduces new permissions like Control, Alter Any and Impersonate
- Permissions work in hierarchies

Security Architecture in SQL Server 2000
Authentication
- First stage of security
- Identifies users based on login information they provide
- Only verifies that users can connect to a SQL Server 2000 instance
- Does not provide access to databases and their objects
Authorization
- Second stage of security
- Occurs when database permissions are checked to determine which actions a particular user can perform within a database

Outline
- √ Understanding the security architecture of SQL Server
- Managing logins, users and roles
- Managing permissions
- Controlling access with database objects and ownership chains
- Auditing SQL Server

SQL Server Service Accounts
Local Service Account
- Permissions of "Users" group (limited)
- No network authentication
Network Service Account
- Permissions of Users group
- Network authentication with Computer account
Domain User Accounts
- Adds network access for cross-server functionality

Creating Logins
- Transact-SQL CREATE LOGIN statement
- Replaces sp_AddLogin and sp_GrantLogin
- SQL Server Logins
- Windows Logins
- SQL Server Management Studio
- Setting server authentication options
- Login Auditing

Managing Logins [...]

... of the role
- SQL Server Management Studio

Working with Users and Roles
- Built-In Server / Database Roles

Configuring Permissions
Scopes of Securables
- Server
- Database
- Schema
- Objects
Permission Settings:
- GRANT
- REVOKE
- DENY
Options
- WITH GRANT OPTION
- AS (Sets permissions using another user or role)

Managing Execution Permissions
- Transact-SQL Code can...

... Figure 8-12: Ownership chain

Other Security Options
- Database Encryption
- SQL Server Agent
- Encrypting Object Definitions
- Data encryption
- Proxies based on subsystems allow lock-down by job step types
- Preventing SQL Injection attacks
- Use application design best practices

Password Policies
- You can now use Windows password policies for SQL accounts (note that SQL accounts... rules
- Windows Server 2003 or higher
- Enforcement can be decided on a per-login basis
- This feature is not enforced by default
- Logins upgraded from SQL 2000 will not have this turned on

Credentials Overview
- A credential is a record that contains the authentication information required to connect to a resource outside of SQL Server
- Generally it maps to a Windows login
- SQL Server logins...

Credentials Benefits
- Giving SQL Server accounts access to OS resources
- Creating SQL Agent proxies
- Giving applications access to other SQL services (SSAS, SSRS, SSIS)

Agent Proxy Accounts
- Defines the security context for a job step
- SQL 2000 – only one proxy account available for all jobs
- Generally this account had very high levels of privileges
- SQL 2005 – Many proxy accounts that...

... procedures and user-defined functions
- Stored procedures and user-defined functions allow sets of TSQL statements to be stored and executed as a single unit
- They are typically used to enforce business rules or perform logic

Implementing Security through Database Objects
Controlling access with triggers
- Triggers are similar to stored procedures in that they contain saved groups of T-SQL statements...

... Authentication/Policy managed by Windows
SQL Server Logins
- Managed by SQL Server
- Based on Windows policies
Password Policy Options:
- HASHED (pw is already hashed)
- MUST_CHANGE
- CHECK_EXPIRATION
- CHECK_POLICY

Database Users and Roles
Database Users
- Logins map to database users
Database Roles
- Users can belong to multiple roles
- Guest (does not require a user account)
- dbo (Server sysadmin users)... explicitly used

Agent Proxy Accounts
[Diagram labels: SQLAgentUser Role, SQL Login, Grant Logon as Batch, Credential, Windows Login, Give Access, Proxy, Principal]

Agent Proxy Accounts
Subsystems
- ActiveX Script
- Operating System
- Replication Distributor
- Replication Merge
- Replication Queue Reader
- Replication Snapshot
- Replication Transaction-Log Reader
- Analysis Services Command
- Analysis ...