24 hop edición español -diferentes técnicas de administración de logins y usuarios en sql server...
TRANSCRIPT
Diferentes Técnicas de Administración de
Logins y Usuarios en SQL-Server
Expositor: Carlos Rojas Vargas
MVP, MCSA, MCITPro, MCTS, MCT, MCSE
Moderador: Adrian MIranda
Gracias a nuestros auspiciadores
Database Security as Easy as A-B-C
http://www.greensql.com
Hardcore Developer and IT Training
http://www.pluralsight.com
SQL Server PerformanceTry PlanExplorer today!
http://www.sqlsentry.com
Próximos SQL Saturday
24 de Enero de 2015 https://www.sqlsaturday.com/346/register.aspx
18 de Abril de 2015 https://www.sqlsaturday.com/368/register.aspx
9 de Mayo de 2015 https://www.sqlsaturday.com/373/register.aspx
6 de Diciembre de 2014 https://www.sqlsaturday.com/351/register.aspx
4
Capítulo Global PASS en Español
4
Reuniones semanales todos los miércoles a
las 12PM UTC-5 (Hora de Colombia)
https://www.facebook.com/SpanishPASSVC
5
Asistencia Técnica
Si requiere asistenciadurante la sesión debe usar la sección de preguntas que esta en el menú de la derecha.
Use el botón de Zoom para ajustar su pantalla al tamaño deseado
Escriba sus preguntas en la sección de preguntas que esta en el menú de la derecha
6
Carlos Rojas
Carlos Rojas Vargas es Microsoft MVP en SQL-Server desde el año 2001 con 13 años consecutivos de obtener este reconocimiento y trabaja con SQL-Server desde el año 1995. A partir de 1999 se certifica como MCT y comienza a impartir Capacitación certificada Microsoft, actualmente trabaja como Trainer para Corporación CTE, un CPLS de Microsoft. También trabaja como Consultor en SQL-Server, Windows Server, Virtualización con Hyper-V, Alta Disponibilidad y Soluciones de Colaboración con Sharepoint en Grupo CMA, un Partner de Microsoft. En este momento cuenta con las certificaciones MCSA(SQL-Server 2012), MCSA(SQL-Server 2008), MCITPro (Database Administrator SQL-Server 2008), MCTS(Sharepoint 2010), MCTS(SQL-Server 2008), MCTS(Windows Server 2008 Applications Infrastructure, Configuration), MCTS(Windows Server Virtualization, Configuration), MCTS(SQL Server 2008, Business Intelligence Development and Maintenance), MCTS(Visual Studio 2008), MCITPro (SQL-Server 2005), MCTS(SQL-Server 2005), MCTS(Visual Studio 2005), MCTS(Sharepoint Server 2007), MCTS(Sharepoint Services 3.0), MTA(Windows Server AdministrationFundamentals), MTA(Windows® Operating System Fundamentals), MTA(Database AdministrationFundamentals), MCDBA, MCSD.NET, MCAD, MCSE, MCSA, MCDST, MCT, A+, N+, IC3 y CIW-CI. Es el Fundador y Administrador del Grupo de Usuarios de SQL-Server de Costa Rica(http://www.sqlugcr.net). Generalmente participa como Expositor en los Lanzamientos de Productos, TechDays, eXpert Zone, .NET Future Developers y Developer Days que Microsoft organiza en diferentes países, además participó como Expositor en el Primer, Tercer y Sétimo Simposio Latinoamericano de Sharepoint y como Expositor en los SQL-Saturday y en las 24 Horas PASS patrocinados por PASS. Fuera de Costa Rica ha impartido capacitación de SQL-Server y Visual Studio en Honduras, Nicaragua, Panamá y México.
6
7
Security Overview
Security Best Practices
Make security a part of your standard process
Use the principle of least privilege
Implement defense-in-depth (layered security)
Enable only required services and features
Regularly review security settings
Educate users about the importance of security
Define security roles based on business rules
Managing Logins Historically
Windows Logins Authentication/Policy managed by Windows
SQL Server Logins Managed by SQL Server Based on Windows policies
Password Policy Options: HASHED (pw is already hashed)
MUST_CHANGE
CHECK_EXPIRATION
CHECK_POLICY
Database Users and Roles Historically
Database Users Logins map to database users
Database Roles Users can belong to multiple roles
Guest (does not require a user account)
dbo (Server sysadmin users)
Application Roles Used to support application code
Built-In Server / Database Roles
Server Roles
• SysAdmin
• ServerAdmin
• SetupAdmin
• SecurityAdmin
• ProcessAdmin
• DiskAdmin
• DBCreator
• BulkAdmin
Database Roles
• db_accessadmin
• db_BackupOperation
• db_DataReader
• db_DataWriter
• db_DDLAdmin
• db_DenyDataReader
• db_DenyDataWriter
• db_Owner
• db_SecurityAdmin
• public
Configuring Permissions
Scopes of Securables
Server
Database
Schema
Objects
Permission Settings:
GRANT
REVOKE
DENY
Options
WITH GRANT OPTION
AS (Sets permissions using another user or role)
13
Configuration OptionsAuthentication mode Use Integrated Security More secure protocols (Kerberos and NTLM) Kerberos allows for delegation Allows for password policy enforcements Typically does not require application to store passwords
If using Mixed mode (Standard SQL Authentication) Use SSL to encrypt network traffic Use strong passwords Never use blank passwords
Login auditing Audit failed login attempts at the very least
Choose static ports for named instances Avoid opening UDP1434 at firewall
Use Microsoft Baseline Security Analyzer
What is a Contained Databases ?
• A contained database is a database which includes all the requiredsettings, metadata and operates in isolation from the SQL Server DatabaseEngine. In other words it has no functional dependency on SQL ServerInstance be it Login, collation setting or metadata info.
• The most popular feature being, user connecting to the database withouthaving a Login at SQL Server Instance level; means there is no loginregistered for this user in Master DB.
• It’s very easy to migrate\move these databases to another SQL Instance,since there is no dependency at the Instance level. This also makes it easyand practical for DB Owner to manage all the configuration settingsindependently without any intervention of SysAdmin.
Contained Databases Scenarios
• In SQL Server 2012/2014 Microsoft introduced a first step toward containeddatabases, introducing partially contained databases (also known as Partial-CDB). Partially Contained Databases provide some isolation from theinstance of SQL Server but do not yet provide full containment.
• There are some scenarios where it would be useful to completely isolate adatabase and its management from the server on which it resides. Forexample, a database that participates in an AlwaysOn availability group ismirrored on multiple server instances, and it is useful to be able to failoverto a secondary instance without having to synchronize server-level loginsrequired to access the database. SQL Server 2012 introduces containeddatabases to facilitate these scenarios.
16
Partially Contained Database
User information is stored in user
database and not in master database.
Users with passwords are
authenticated by the database
Contained Databases Users
There are two types of users for contained databases.
Contained database user with password: Contained database users with passwords are authenticated by the database.
Windows principals: Authorized Windows users and members of authorized Windows groups can connect directly to the database and do not need logins in the master database.
Users based on logins in the master database can be granted access to a contained database, but that would create a dependency on the SQL Server instance, so Microsoft doesn’t recommend doing this.
18
Benefits of Partially Contained Databases
They make easier to migrate databases from one server to another. Errors
related to orphan users are no longer an issue with contained databases, since a
contained database user can now be created without an associated login.
Authentication can now occur at the database level.
Contained database users can be Windows and SQL Server authentication
users.
A contained database user can access only contained database objects. They
cannot access system databases and cannot access server objects.
Metadata is stored on the contained database and not stored on system
databases. This makes contained databases more portable than the databases
we know.
19
Limitations of Partially Contained Databases
Partially contained databases do not allow the following features:
Numbered procedures
Schema-bound objects that depend on built-in functions with collation changes
Binding change resulting from collation changes, including references to objects,
columns, symbols, or types.
Replication
Change data capture
Change tracking
20
Creating a Contained Databases
sp_configure 'show advanced options', 1 ;
GO
RECONFIGURE ;
GO
sp_configure 'contained database authentication', 1;
GO
RECONFIGURE ;
GO
sp_configure 'show advanced options', 0 ;
GO
RECONFIGURE ;
GO
CREATE DATABASE [MyContainedDB]
CONTAINMENT = PARTIAL
GO
Creating Contained Databases and Users
• Enable contained databases at the sever instance level
• Create contained databases
• Create users in the contained databases
CREATE DATABASE [MyContainedDB]
CONTAINMENT = PARTIAL
GO
USE [MyContainedDB]
GO
CREATE USER [SalesAppUser] WITH PASSWORD = 'Pa$$w0rd'
GO
CREATE USER [ADVENTUREWORKS\SalesAppAccount]
GO
22
Creating a Contained Database User
USE [MyContainedDB]
GO
CREATE USER [SalesAppUser] WITH PASSWORD = ‘Pa$$w0rd’
GO
CREATE USER [ADVENTUREWORKS\SalesAppAccount]
GO
When connecting to the database, client applications must specify the database as part of the connection string to ensure that the contained user credentials are used instead of a server-level login.
Demo
Preguntas?
Database Unit Testing
Carlos Lone
A continuación …
Gracias por participar