Chapter 19 - SQL Server Security![]()
![]() Just about everyone is concerned with the security of their data. If you're not, then you may not have considered how easy it is to get access to sensitive data on your server. One thing to remember, however, is that sometimes too much security can get in the way of productivity. Make sure that you achieve a balance between your need to manage access to data and monitor users, and the users' needs to use the data. No document can categorically define every possible security option, however, this chapter's purpose is to illustrate the features that SQL Server offers and to offer suggestions on what you can do to secure your environment from unauthorized access.
Understanding the Types of SecuritySecuring your data from internal and external attacks is an important job for you as a database administrator. It is important that you can control who and how data is accessed on your server. Security in SQL Server will help you manage the access that you give to your users.Securing your data from internal attacks is probably your primary concern for most corporate environments. This security will involve the monitoring of and management of corporate databases at the direction of the managers of your company. Security is often designed to limit the sorts of data that your employees can see and when they can see it. Securing your data from external attacks (such as over the Internet) is much more complicated, and is generally only applicable to those companies who are beginning to have an Internet presence with their SQL Server databases. This chapter will focus more on internal security. This security will act in a layered approach, starting with logins and user permissions that secure the basic access to the server. The second layer adds views and stored procedures that limit data access. Finally, the third layer is an external security through things like physical LAN access, fire-walls, and so on. Microsoft's SQL Server security system can be implemented in three ways on any server: standard, integrated, and mixed. These security methods control how SQL Server manages user accounts on the server and how it interacts with Windows NT's own security system. To configure a database server's security type for standard, integrated, or mixed security, follow these steps:
Using Standard SecurityIn Standard Security mode, SQL Server is wholly responsible for managing and maintaining accounts on the server. In this case, SQL Server is responsible for authenticating a user and for enforcing password/login restrictions. This is the most common way of configuring SQL Server because it behaves identically to Sybase on any hardware platform and to SQL Server 4.2 on OS/2. The majority of the rest of this chapter will discuss the features of standard security. For more information on Windows NT's integrated security system, refer to Que's Special Edition Using Windows NT Server.
Using Integrated SecurityBecause SQL Server runs only on Windows NT, Microsoft could take advantage of, and integrate into, Windows NT's excellent security system. When operating in integrated security mode, Windows NT is responsible for managing user connections through its Access Control List (ACL). The advantage of integrated security include single-password access to all resources on a Windows NT domain and password aging and encryption across the network.A login to the Windows NT server is either granted or denied connection to the SQL Server based on attributes of the user's login account to the NT server. This granting of permission or authentication between client and server creates a trusted login to the server. At this point, NT only validates that the login name is valid for accessing any particular resource available on the network or server.
When a user establishes a trusted connection to the SQL Server, the user is either:
All other database-based permissions, such as permissions on tables, views and other objects, are managed by SQL Server in the same way as a server running in standard security mode. These security permissions are discussed next.
Using Mixed SecurityMixed security, as its name implies, is a combination of both standard and integrated security and means that users can login to the server in either way. When a user connects to a SQL Server in mixed security mode, the server validates the login by first checking whether the login name has already established a trusted connection to the NT server. If no connection is found, SQL Server then performs its own validation of the login name and password supplied. If the requested login is not a known SQL Server login, access is denied.
Creating and Managing User AccountsSQL Server has two levels of a user that are important to understand. The first level of a user is a login. A login is the ability to attach to the SQL Server itself. SQL Server manages logins on a server-wide basis. All logins are stored in the SYSLOGINS table of the master database. The second level of a user is a user. Users are SQL Server's way of managing who has permissions to interact with resources (such as tables and stored procedures) in a given database. A user can be in one or many databases. All users are stored in the SYSUSERS table of each database for which they have permission to access.SQL Server uses these distinctions to allow a single user to have different levels of access based on the database that they are connecting to, and yet retain the same password. To support this, a user has a login or connection permission to the server. This login is what SQL Server associates a password to. Without a valid login to the server, a user will not have access to any of the server's databases with the possible exception of remote systems using remote stored procedures. Once a login is created, it is then necessary to create a user of a database on that server. This process is very similar to creating a SQL Server system login and is described in the following sections.
Using SQL Enterprise Manager to Create a LOGINThe SQL Enterprise Manager provides a simple way of creating a login to the database. Just perform the following steps:
If, at a later stage, it is necessary to add a user to a database, highlight the database in the SQL Enterprise Manager and then select Users from the Manage menu. The Manage Users dialog box will appear, as shown in figure 19.6. Fig. 19.6 - The Manage Users dialog box shows a new user (swarner) being created for the Login swarner. Select the user to be added to the database from the Login drop-down list box and enter the name by which it is to be identified. You should not change the name if you do not want to create an alias. Finally, click Add.
Dropping Logins and Users with SQL Enterprise ManagerSQL Enterprise Manager's Manage Logins and Manage Users dialog boxes both provide a Drop button. Use this button to drop any user or login that you no longer want to have access to the database or server.
Using sp_addlogin to Add Logins to a ServerThe sp_addlogin stored procedure is provided to add a login to the server using Transact-SQL statements. The syntax for sp_addlogin is as follows:
The following is an example of creating a login to the server with the default database of pubs and a password of Allen.
Using sp_adduser to Add New Users to Databasessp_adduser is similar in style to the sp_addlogin procedure. It takes an existing login and adds it to the currently active database. Note that you must issue a use database xxx and be in the required database to add a user to before running the sp_adduser stored procedure.
Below is an example of adding a user to the currently active database. Because no username is supplied, the login_id is assumed for the username.
Creating and Using GroupsSQL Server provides the ability to create groups of users so that security permissions granted to all members are the same. This provides far better simplicity and is a more practical approach to security than granting individual users specific permissions on any particular set of tables.
Using SQL Enterprise Manager to Add GroupsSQL Enterprise Manager provides an easy method for adding groups to the database. Just perform the following steps:
Dropping Groups with SQL Enterprise ManagerDropping security groups with SQL Enterprise Manager involves performing the same steps as creating them. You can use the Manage Groups dialog box (refer to fig. 19.8) to drop any unneeded groups from the server. Removing a group will not remove any users associated with those groups. Any permissions granted to users because they were members of the groups will be revoked.
Using Permissions and SQL ServerPermissions are the rights to access an object (such as a table) in the database). Permissions are granted to a user or group to allow that user or group to perform functions such as select data, add new rows (insert), and update data. Several permissions exist on objects in the database and descriptions follow.Permissions are implicitly granted to the owner or creator of an object. The owner can then decide to grant permissions to other users or groups as that user sees fit.
SQL Server provides the GRANT and REVOKE commands to give or take away permission from a user. SQL Enterprise Manager also provides an easy way to add and remove permissions.
Object PermissionsObject permissions are the permissions to act on tables and other objects (such as stored procedures and views) in the database.The following is a list of permissions available on tables and their descriptions:
Using SQL Enterprise Manager to Manage PermissionsSQL Enterprise Manager provides an easy way of managing permissions for users and groups in a database. Perform the following steps:
Using GRANT and REVOKESQL Server's Transact-SQL interface to permissions is through the GRANT and REVOKE statements.The GRANT Transact-SQL command is used to give a permission or permissions to a user or group in SQL Server. Granting a permission allows the user or group to perform the granted permission. The syntax for using GRANT is as follows:
The syntax for REVOKE is as follows:
object_name is a table, view, or stored procedure for which permissions are being granted or revoked. name_list is a list of usernames or groups for which permissions are being granted or revoked. Multiple names should be separated by commas. Specifying PUBLIC will include all users.
The following example grants SELECT and UPDATE permissions on the AUTHORS table:
Using Views to Enhance SecurityViews provide a great way to enhance security because they limit the data that is available to a user. For example, you can have a group of users in grp_junior_emp that are not allowed to view any of the authors that receive more than 50 percent royalties because these are to be available only to the senior managers or other employees within the company. In Listing 19.1, the Transact-SQL shows how this can be achieved.
Listing 19.1 19_01.SQLUsing Groups and Views to Create a Well-Secured Environment
Using Stored Procedures to Conceal Underlying Data Objects and Business RulesStored procedures can be used in a very similar fashion to views to provide a level of security on the data that completely conceals the data available to a user and/or the business processes involved in manipulating the data.In Listing 19.2, you can see the same data concealment as demonstrated in using the view in Listing 19.1 except that it is achieved through the use of a stored procedure. Listing 19.2 19_02.SQLUsing Groups and Stored Procedures to Conceal Data Structures on the Server
Listing 19.3 19_03.SQLStored Procedure That Allows Updating of the AUTHORS Table
Using Security Beyond SQL ServerThere are a number of steps that can be taken to provide a more secured environment in which SQL Server will operate. Some of the sections below may seem obvious, but are worth thinking about. I recommend that you designate a person to be responsible for system security at your workplace. This person will live, breath, and eat security and should be clearly empowered to implement any of the steps outlined below. System Security Officers (SSO) are becoming more and more common within organizations due to the highly accessible nature of public access networks, such as the Internet. Their roles are that of company custodians.
Physical SecurityOften overlooked when designing the security of a system is the physical security of the server itself. Granted, it is unlikely that the average hacker will spend all day sitting on the system console hacking into a server trying various passwords without being noticed. However, if the server can physically be removed from its location, many unscrupulous users will be prepared to spend more time in the comfort of their homes. This would also include its mass data storage devices, such as tapes and hard drives.Ensure that physical access to the server is limited. Provide locked doors, preferably with electronic locks, that secure the server, and optionally bolt the server to the structure on which it resides. Remember in these days of smaller and smaller hardware, the server can be a laptop or similarly small device. This makes it such that it is not so difficult to steal the box. Because Windows NT provides excellent remote administration capabilities, you can remove monitors and keyboards from servers that must be placed in high access areas. This will stop the idle person from walking by and examining the server. As an alternative, there are plenty of hardware manufacturers that provide secure casings for server boxes that can be used to provide better security for your server. It is assumed that the same level of physical security applied to the SQL Server will also be applied to the following:
Local Area Network (LAN) AccessA common mistake on LANs is to have unmonitored network nodes that allow access. Ensure that all nodes on the network that do not have computers actually attached to them have been disconnected from the hub so that no one can bring in a laptop and access the LAN at a physical level.For highly secure environments, provide all users with SecureID cards or similar devices. These devices generate passwords that are authenticated by the Network fileserver and change constantly. This will stop users without valid identification cards from having access to the LAN, even if they have physical access to a node. At a LAN software level, ensure that all the features of the LAN's software are being utilized. Most network operating systems provide at least government approved C2 level of security, but only if you turn it on. Unlike the B2 standard of security, C2 provides the features but does not enforce their use. Windows NT, Netware 4.1 and some versions of UNIX support C2 security. Make sure that you are doing all the basics of good user management on your local area network, as follows:
Remote or Wide Area Network AccessIt's much harder to control WAN or remote access to a network than the local access provided through the LAN. However, some of the steps that you can take are as follows:
Application SecurityThere are a number of steps that you can take to make your applications secure independently of the security applied at the SQL Server level. Some things that you might want to consider are as follows:
Remember, if the security of your database is important to you, you should always ensure that the database itself is secure with or without application programs. You must do this because sophisticated users on your network and on the Internet (if you are connected) will always be able to use a different application to work with your data if they wish. This would bypass any application-only security that was being enforced.
Encrypted Multi-Protocol NetLibraryIf security is a serious concern in the environment that SQL Server is being used, then it is possible to implement the SQL Server Multi-Protocol NetLibrary (MPNL). This feature is available in version 6.0 and higher. MPNL provides a Remote Procedure Call (RPC)-based interface from clients to the SQL Server. MPNL requires that the protocol be added as a listener service to the enginethough MPNL is not actually a listener because it is RPC-based.One key advantage of MPNL is that it can be encrypted. The encryption algorithm used can be enabled for individual clients; however, the server must be enabled for encrypted traffic. Support for clients varies. Check your SQL Server documentation for the client support available in your version. Server enumeration via the dbserverenum call in NetLibrary is not supported on servers that are MPNL-enabled. Clients must know the name of servers that are operating in this mode.
From Here...Having discovered the many facets of SQL Server security, it is most likely that you will spend the next few months trying to fill the holes that you now know exist. If you are lucky enough to be reading this book before you implement SQL Server in your environment, take advantage of what you have learned and apply as many security features as necessary to provide the appropriate control needed.Take a look at the following chapters for more information that may be useful in creating a secure environment:
|