
Managing Security

This document provides an overview of managing security in SQL Server: 1) Principals, securables, permissions, and authentication modes, and how to manage logins and server roles. 2) Protecting the database scope by managing users and database roles, including special users, application roles, and database and schema permissions. 3) Keys, certificates, and SQL Server's cryptography architecture, including when to use keys and certificates and how to work with certificates. 4) Exercises for a lab on managing security in SQL Server.

Uploaded by Lucho L.

Module 4: Managing Security
Overview

Overview of SQL Server Security
Protecting the Server Scope
Protecting the Database Scope
Managing Keys and Certificates in SQL Server
Lesson 1: Overview of SQL Server Security

What Are Principals?
What Are Securables?
SQL Server 2005 Permissions
What Are Principals?

(Diagram: Securables, Permissions, Principals)

Principals by level:
Windows: Windows Group, Domain User Account, Local User Account
SQL Server: SQL Server Login, Server Role
Database: User, Database Role, Application Role
What Are Securables?

(Diagram: Securables, Permissions, Principals)

Principals by level:
Windows: Windows Group, Domain User Account, Local User Account
SQL Server: SQL Server Login, Server Role
Database: User, Database Role, Application Role

Securables:
Windows: Files, Registry Keys
SQL Server: Server, Database, Schema
SQL Server 2005 Permissions

(Diagram: Securables, Permissions, Principals)

Principals by level:
Windows: Windows Group, Domain User Account, Local User Account
SQL Server: SQL Server Login, Server Role
Database: User, Database Role, Application Role

Securables:
Windows: Files, Registry Keys
SQL Server: Server, Database, Schema

Permissions:
Windows: ACL
SQL Server: GRANT/REVOKE/DENY of CREATE, ALTER, DROP, CONTROL, CONNECT, SELECT, EXECUTE, UPDATE, DELETE, INSERT, TAKE OWNERSHIP, VIEW DEFINITION, BACKUP
Lesson 2: Protecting the Server Scope

What Are SQL Server Authentication Modes?
How Password Policies Work
How to Manage SQL Server Logins
What Are Fixed Server Roles?
Requirements for Delegation
What Are Credentials?
Server-Scope Permissions
Practice: Managing Logins
What Are SQL Server Authentication Modes?

Windows Authentication mode
- Users are authenticated by Windows
- Users access SQL Server through a login mapped to their Windows account

SQL Server and Windows Authentication mode
- Users connecting over a trusted connection access SQL Server by using Windows authentication
- Users connecting over a nontrusted connection are validated by SQL Server
How Password Policies Work

(Diagram labels: Pa$$w0rd; Group Policy Object (GPO))

Group Policy defines Windows password requirements
SQL Server applies password policy to SQL logins
- Requires Windows Server 2003
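The policy enforcement described on this slide is set per login and can be audited from the catalog. The T-SQL below is an added example, not part of the original slides; the login name ReportingApp and its password are constructed samples.

```sql
-- Added example (not from the original slides).
-- ReportingApp and the password are constructed sample values.
USE master;
GO
-- SQL login that is subject to the Windows password policy
-- (complexity, lockout) and to password expiration.
CREATE LOGIN ReportingApp
    WITH PASSWORD = 'Constructed-Sample-1!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;   -- CHECK_EXPIRATION requires CHECK_POLICY = ON
GO
-- Audit: SQL logins that are exempt from the policy or expiration checks,
-- with their current lockout and expiry state.
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
        LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
        LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
   OR   is_expiration_checked = 0
ORDER BY name;
```

Logins returned by the audit query are the ones the Group Policy settings do not reach; ALTER LOGIN ... WITH CHECK_POLICY = ON brings them under it.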
How to Manage SQL Server Logins

CREATE LOGIN login_name
    { WITH SQL_login_options
    | FROM WINDOWS [ WITH windows_login_options ] }

CREATE LOGIN [SERVERX\SalesDBUsers]
FROM WINDOWS
WITH DEFAULT_DATABASE = AdventureWorks

CREATE LOGIN Alice
WITH Password = 'Pa$$w0rd'
What Are Fixed Server Roles?

Role            Description
sysadmin        Perform any activity
dbcreator       Create and alter databases
diskadmin       Manage disk files
serveradmin     Configure server-wide settings
securityadmin   Manage and audit server logins
processadmin    Manage SQL Server processes
bulkadmin       Run the BULK INSERT statement
setupadmin      Configure replication and linked servers
Requirements for Delegation

Active Directory requirements
- User trusted for delegation
- Computer trusted for delegation
SQL Server requirements
- Service Principal Name (SPN)
- TCP/IP
What Are Credentials?

Alternative representations of logins
Enable users connecting to SQL Server to connect to resources outside SQL Server
Usually consist of a Windows user name and password
Server-Scope Permissions

Server permissions

USE master
GRANT ALTER ANY DATABASE
TO [ADVENTUREWORKS\Holly]

Server scope securable permissions

USE master
GRANT ALTER
ON LOGIN :: AWWebApp
TO [ADVENTUREWORKS\Holly]
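Fixed server role membership and grants like the two above can be reviewed from the server catalog views. The queries below are an added example, not part of the original slides; they only read metadata and use views available from SQL Server 2005 onward.

```sql
-- Added example (not from the original slides): read-only catalog queries.
-- 1) Who holds each fixed server role (sysadmin, securityadmin, ...).
SELECT  r.name      AS server_role,
        m.name      AS member,
        m.type_desc AS member_type
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 2) Explicit server-scope grants and denies, including permissions on
--    individual logins such as GRANT ALTER ON LOGIN :: AWWebApp.
SELECT  grantee.name      AS grantee,
        p.state_desc      AS permission_state,  -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
        p.permission_name,
        p.class_desc      AS securable_class,   -- SERVER, SERVER_PRINCIPAL, ENDPOINT
        target.name       AS target_login,      -- filled only for SERVER_PRINCIPAL
        grantor.name      AS grantor
FROM    sys.server_permissions AS p
JOIN    sys.server_principals  AS grantee
        ON grantee.principal_id = p.grantee_principal_id
JOIN    sys.server_principals  AS grantor
        ON grantor.principal_id = p.grantor_principal_id
LEFT JOIN sys.server_principals AS target
        ON p.class = 101                        -- 101 = server principal
       AND target.principal_id = p.major_id
WHERE   p.permission_name <> 'CONNECT SQL'      -- granted to each login at creation
ORDER BY grantee.name, p.permission_name;
```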
Practice: Managing Logins

In this practice, you will:

Verify the current SQL Server authentication mode
Create a SQL Server login based on a Windows account
Assign server-scope permissions to a SQL Server login
Lesson 3: Protecting the Database Scope

How to Manage Users
Special Users
What Are Database Roles?
What Are Application Roles?
Database-Scope Permissions
Schema-Scope Permissions
Practice: Managing Users
How to Manage Users

Provide access to individual databases
Can map to an individual user login or a Windows group login
Created using SQL Server Management Studio or CREATE USER statement
Special Users

dbo user
- Exists in all databases by default
- Members of sysadmin role and the sa login account are mapped to dbo
- Any object a member of sysadmin creates automatically belongs to dbo
- Cannot be deleted
guest user
- Exists in all databases by default
- Disabled by default
- Allows logins with no user account to access the database
What Are Database Roles?

Fixed database roles
- Granted permissions for common database tasks
User-defined database roles
- Group users with similar permission requirements
Public role
- Contains all users in the database
What Are Application Roles?

Application is associated with an application role
Alternative security context for a user only exists while the application is active
Create using SQL Server Management Studio or the CREATE APPLICATION ROLE statement
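The activation and revert cycle of an application role, shown as an added example that is not part of the original slides. The role name SalesOrderApp and its password are constructed samples; the AdventureWorks database and Sales schema are the ones used in the slides' own GRANT examples.

```sql
-- Added example (not from the original slides).
-- SalesOrderApp and the password are constructed sample values.
USE AdventureWorks;
GO
-- The role has no members; it is activated with its password.
CREATE APPLICATION ROLE SalesOrderApp
    WITH PASSWORD = 'Constructed-Sample-2!',
         DEFAULT_SCHEMA = Sales;
GRANT SELECT ON SCHEMA :: Sales TO SalesOrderApp;
GO
-- What the application runs on its connection after the user has logged in.
DECLARE @cookie varbinary(8000);

SELECT USER_NAME() AS before_activation;     -- the connecting user

EXEC sp_setapprole
     @rolename      = 'SalesOrderApp',
     @password      = 'Constructed-Sample-2!',
     @fCreateCookie = true,                  -- keep a cookie so the context can be reverted
     @cookie        = @cookie OUTPUT;

-- The session now has only the role's permissions in this database;
-- the user's own permissions are suspended, and other databases are
-- reachable only through their guest user.
SELECT USER_NAME() AS during_activation;     -- SalesOrderApp

EXEC sp_unsetapprole @cookie;                -- restore the original context

SELECT USER_NAME() AS after_revert;          -- the connecting user again
```

The password travels with every activation, so the application must protect it like any other embedded secret, and the connection itself should be encrypted.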
Database-Scope Permissions

Database permissions

USE AdventureWorks
GRANT ALTER ANY USER
TO HRManager

Database-scope securable permissions

USE AdventureWorks
GRANT SELECT
ON SCHEMA :: Sales
TO SalesUser
Schema-Scope Permissions

User-defined type permissions

USE AdventureWorks
GRANT EXECUTE
ON TYPE :: Person.addressType
TO SalesUser

All other schema-scope permissions

USE AdventureWorks
GRANT SELECT
ON Sales.[Order]
TO SalesUser
Practice: Managing Users

In this practice, you will:

Create a new database user
Assign database-scope permissions to a user
Assign schema-scope permissions to a user
Lesson 4: Managing Keys and Certificates in SQL Server

What Are Keys?
What Are Certificates?
SQL Server Cryptography Architecture
When to Use Keys and Certificates
Demonstration: Using Certificates
What Are Keys?

(Diagram labels: Encrypt, Decrypt)

Symmetric
- Same key used to encrypt and decrypt
Asymmetric
- Pair of values: public key and private key
- One encrypts, the other decrypts
What Are Certificates?

Associates a public key with the entity that holds that key
Contents:
- Identifier information of the subject
- Validity period
- Issuer identifier information and digital signature
SQL Server Cryptography Architecture

(Diagram: key hierarchy, top to bottom)

Service master key
Database master key
Asymmetric key / Certificate
Symmetric key
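The hierarchy above built layer by layer, with each key protected by the one above it, then used to encrypt a column value. This is an added example, not part of the original slides; the database CryptoDemo, the object names, the password, and the card number are constructed samples.

```sql
-- Added example (not from the original slides). All names and values are constructed.
CREATE DATABASE CryptoDemo;
GO
USE CryptoDemo;
GO
-- Database master key: protected by the password and, automatically,
-- by the instance's service master key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Constructed-Sample-3!';
-- Certificate: no password given, so its private key is protected
-- by the database master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
-- Symmetric key: protected by the certificate.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.CardDemo (
    CardId        int IDENTITY PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
-- Opening the symmetric key walks the chain: service master key,
-- database master key, certificate private key, symmetric key.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

INSERT dbo.CardDemo (CardNumberEnc)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'0000-1111-2222-3333'));

SELECT  CardId,
        CardNumberEnc,                                            -- ciphertext
        CONVERT(nvarchar(40), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM    dbo.CardDemo;

CLOSE SYMMETRIC KEY CardKey;
GO
-- Inspect how each key is protected.
SELECT name, pvt_key_encryption_type_desc
FROM   sys.certificates WHERE name = 'CardCert';                  -- ENCRYPTED_BY_MASTER_KEY
SELECT sk.name, ke.crypt_type_desc
FROM   sys.symmetric_keys  AS sk
JOIN   sys.key_encryptions AS ke ON ke.key_id = sk.symmetric_key_id;
```

Without the key open, DecryptByKey returns NULL, so the same SELECT run by a session that cannot open CardKey yields no plaintext.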
When to Use Keys and Certificates

Data encryption
Code module signing
Impersonation context
Inter-server authentication
Demonstration: Using Certificates

In this demonstration, you will see how to:

Create a new Windows user and databases for testing certificates
Create a master database key and certificate, export the public key of the certificate from one database, and import the public key into another database
Use the certificate as an authenticator for a database user
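One way the certificate steps of this demonstration can look in T-SQL, as an added example that is not the demonstration's own script. The database names, certificate name, user name, password, and file path are constructed, and reading "authenticator" as a certificate-mapped user holding the AUTHENTICATE permission is an assumption.

```sql
-- Added example (not from the original slides). All names, the password,
-- and the file path are constructed; the SQL Server service account must
-- be able to write to the export folder.
CREATE DATABASE CertSource;
CREATE DATABASE CertTarget;
GO
USE CertSource;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Constructed-Sample-4!';
CREATE CERTIFICATE AuthCert WITH SUBJECT = 'Authenticator for CertSource';
-- No WITH PRIVATE KEY clause: only the public part of the certificate
-- is written to the file, so the private key never leaves CertSource.
BACKUP CERTIFICATE AuthCert TO FILE = 'C:\Temp\AuthCert.cer';
GO
USE CertTarget;
GO
-- Import the public key only. No master key is needed here because
-- there is no private key to protect.
CREATE CERTIFICATE AuthCert FROM FILE = 'C:\Temp\AuthCert.cer';
-- A user mapped to the certificate cannot log in; it exists to carry
-- permissions for whatever the certificate vouches for.
CREATE USER AuthCertUser FOR CERTIFICATE AuthCert;
-- Assumption: "authenticator" means this database trusts security
-- contexts vouched for by the certificate.
GRANT AUTHENTICATE TO AuthCertUser;
GO
-- Verify what was created in the target database.
SELECT name, pvt_key_encryption_type_desc, thumbprint
FROM   sys.certificates
WHERE  name = 'AuthCert';                       -- NO_PRIVATE_KEY

SELECT dp.name, dp.type_desc, perm.permission_name, perm.state_desc
FROM   sys.database_principals  AS dp
JOIN   sys.database_permissions AS perm
       ON perm.grantee_principal_id = dp.principal_id
WHERE  dp.name = 'AuthCertUser';                -- CERTIFICATE_MAPPED_USER
```

Matching thumbprints in sys.certificates on both databases confirm that the same certificate was imported.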
Lab: Managing Security

Exercise 1: Creating Logins and Assigning Server-Scope Permissions
Exercise 2: Creating and Managing Users
Exercise 3: Using a Certificate to Protect Data