Intro to SQL Server Security by Robert Biddle


Page 1: INTRO TO SQL SERVER SECURITY By Robert Biddle

INTRO TO SQL SERVER SECURITY

By Robert Biddle

http://xkcd.com/327/

Page 2: About Me

Data Architect with Hilton Grand Vacations

Working with SQL Server for 8 years
Certified: MCITP Database Administrator, MCITP Database Developer

Blog: http://robbiddle.wordpress.com  Twitter: @robert_biddle  Email: [email protected]

Page 3: Agenda

Intended for Software Developers
Cover the basics: Logins, Users, Roles, Schemas, Permissions
SQL Injection: What is it? How to prevent it?

Page 4: Authentication

SQL Authentication: requires Username and Password; info stored on the Database Server
Windows Authentication: requires Username or Group; info stored in Active Directory; generates a Token for access (Integrated Security / Trusted Connection)

Page 5: Logins

SA (sysadmin): used for Server-level access
Fixed Server Roles: sysadmin, serveradmin, securityadmin, processadmin, setupadmin, bulkadmin, diskadmin, dbcreator, public

Page 6: Users

dbo, guest, INFORMATION_SCHEMA, sys: used for database-level access
Fixed Database Roles: db_owner, db_accessadmin, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, db_backupoperator, db_denydatareader, db_denydatawriter

Page 7: Tying Logins to Users

Every User (database-level) must tie to a Login (server-level)

Page 8: Database Owner

Go to Properties >> Files.

Maps the user to dbo, which has db_owner rights.

Use SA or a Service Account.

Page 9: Schemas

One level under database-level; essentially a Namespace or Organizational Unit
Prefixed before the Table name: Sales.SalesOrderDetail, dbo.ErrorLog, Person.Contact, [MyDomain\MyUsername].MycreatedTable

Page 10: Permissions Hierarchy

Page 11: Permissions

Permissions are applied to Securables; granular control; can be Granted, Denied, or Revoked
Examples: ALTER, CONTROL, DELETE, EXECUTE, INSERT, SELECT, UPDATE, VIEW DEFINITION

Page 12: Dynamic SQL

Dynamic SQL: dynamically building a string and executing that string.
Why is it good? Gives more flexibility than using Stored Procedures. Generally good performance.
Why is it bad? Vulnerable to attacks.
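The following T-SQL is an added example, not from the slides, that walks the login-to-user-to-role chain from pages 5 to 11 and then shows dynamic SQL built by concatenation beside the same query written with sp_executesql. All names (AppDb, AppLogin, AppUser, app_reader, Sales.SalesOrderHeader and its columns) are assumed for illustration; ALTER ROLE ... ADD MEMBER and THROW need SQL Server 2012 or later.

```sql
-- Added example (not from the slides). Assumed names: database AppDb, schema Sales,
-- table Sales.SalesOrderHeader(OrderID, CustomerName, OrderDate, TotalDue),
-- login AppLogin, user AppUser, database role app_reader.

-- 1. Login (server-level) -> User (database-level) -> Role -> schema-scoped permission.
CREATE LOGIN AppLogin WITH PASSWORD = 'REPLACE_WITH_A_STRONG_PASSWORD', CHECK_POLICY = ON;
GO
USE AppDb;
GO
CREATE USER AppUser FOR LOGIN AppLogin;
CREATE ROLE app_reader;
ALTER ROLE app_reader ADD MEMBER AppUser;       -- SQL Server 2012+; older: sp_addrolemember
GRANT EXECUTE ON SCHEMA::Sales TO app_reader;   -- the app runs procedures, no direct table rights
GO

-- 2. Dynamic SQL by concatenation: the whole string is compiled as code,
--    so the caller's input becomes part of the statement text.
CREATE PROCEDURE Sales.usp_FindOrders_Unsafe @CustomerName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID, OrderDate, TotalDue FROM Sales.SalesOrderHeader'
      + N' WHERE CustomerName = ''' + @CustomerName + N''';';
    EXEC (@sql);   -- whatever @CustomerName contains is executed as T-SQL
END
GO

-- 3. Same query with the value bound as a parameter and the identifier allow-listed.
CREATE PROCEDURE Sales.usp_FindOrders
    @CustomerName nvarchar(100),
    @SortColumn   sysname = N'OrderDate'
AS
BEGIN
    -- Identifiers cannot be parameters, so accept only known column names and quote them.
    IF @SortColumn NOT IN (N'OrderDate', N'TotalDue')
        THROW 50000, N'Invalid sort column.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID, OrderDate, TotalDue FROM Sales.SalesOrderHeader'
      + N' WHERE CustomerName = @name ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- @name is passed as data; the statement text does not change with user input,
    -- which also lets the plan be reused.
    EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @CustomerName;
END
GO
```

Because app_reader holds only EXECUTE on the Sales schema, a member can run these procedures but cannot query the tables directly, which limits what any one bug in the application can reach.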

Page 13: Resources

SQL Server Security Cribsheet by Robyn Page, www.simple-talk.com (under SQL Database Administration)
The Curse and Blessings of Dynamic SQL by Erland Sommarskog, www.sommarskog.se/dynamic_sql.html

Contact Info: Blog: http://robbiddle.wordpress.com  Twitter: @robert_biddle  Email: [email protected]