1. Open up the SQL Server Configuration Manager.
2. Click on SQL Server Services as in Figure 4.14.
3. Right-click on SQL Server Agent and click Properties.
4. In the Properties window, on the Log-on tab, click on the drop-down menu for Built-in account: and take a look at the available accounts.
5. Now take a look on the Service tab and locate the Start Mode. Remember that at the time of install this service is disabled. This is where you would change the Start Mode in order to enable SQL Server Agent.
6. Select the Cancel button to exit Properties.
7. Exit the SQL Server Configuration Manager.
Domain Service Accounts versus Local Service Accounts
There are a few restrictions on which account types can be used by SQL Server services, and a couple of things to consider when selecting an account type to use with a SQL Server service.
If the service must access file shares or use linked server connections to other SQL servers, using a minimally privileged Domain user account is the best option.
The Local Service account is a built-in account with the same level of access to resources and objects as members of the Users group. The limited access of the Local Service account can help safeguard the system if individual services or processes are compromised.
You cannot use a Local Service account for SQL Server or SQL Server Agent.
Summary of Exam Objectives
The key to securing SQL Server is understanding the security hierarchy and the elements involved. How principals connect to SQL Server, and how the numerous features that require access to resources beyond SQL Server are secured, should be managed using the Principle of Least Privilege.
SQL Server security is managed through Logins, Database users, Server-level Roles, Database-level Roles, and the service accounts needed by the various SQL Server features. It is very important to carefully consider the level of permissions needed for each user and establish the most precise match in order to reduce security risk exposure. If a user has access to SQL Server resources that they will not use or do not need, the policy has been violated.
Doing your due diligence to understand what a specific permission or role has access to will help you best fit the user’s permissions to their specific needs and establish the best secured SQL Server possible.
Exam Objectives Fast Track
Principals
- Windows-level principals are a Windows Domain Login, Windows local login, and Windows group.
- SQL Server-level principals are a SQL Server login, SQL Server login mapped to a Windows login, SQL Server login mapped to a certificate, and SQL Server login mapped to an asymmetric key.
- Database-level principals are a Database User, Database user mapped to a SQL Server login, Database user mapped to a Windows login, Database user mapped to a certificate, Database user mapped to an asymmetric key, Database Role, Application Role, and Public Role.
Roles
- Like Windows groups, SQL Server provides two kinds of roles: fixed server-level roles and database-level roles.
- Fixed Server-level Roles have a serverwide scope.
- Database-level Roles have a database-level scope, and custom database-level roles can be created.
The “Principle of Least Privilege”
- Do not grant more permissions than necessary.
- Be familiar with what each specific permission enables a user to accomplish.
- Inadvertently elevated permissions can pose a significant security risk.
Users
- Users are database-level principals and are created to access resources within a database.
- User and Log-in names should match.
- Users can be added to any one or more of the available database roles.
Schemas
- Schemas are collections of database objects such as tables, views, and procedures.
- Permissions can be granted to individual schemas within a database, providing a powerful way to manage permissions.
- It is not necessary to grant access to each object within a schema when granting permission to the schema.
Permissions
- Designing a permissions strategy is important when properly securing database objects.
- Permissions can be granted on the database, on each schema within the database, or by granting permissions on each individual table or view within the database.
- Grantable permissions include SELECT, VIEW CHANGE TRACKING, UPDATE, REFERENCES, INSERT, DELETE, EXECUTE, RECEIVE, VIEW DEFINITION, ALTER, TAKE OWNERSHIP, and CONTROL.
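The Users, Schemas and Permissions points above, combined into one least-privilege setup and its verification. This is an added example, not taken from the book; the database SalesDemo, schema Sales, table Sales.CustomerCard, role SalesReaders and login ReportUser are hypothetical and the database objects are assumed to exist already.

```sql
-- Added example: all names are hypothetical; the password is a placeholder.
USE master;
GO
CREATE LOGIN ReportUser WITH PASSWORD = N'ChangeMe-Placeholder-1!';
GO
USE SalesDemo;
GO
-- Database user mapped to the login; user and login names match.
CREATE USER ReportUser FOR LOGIN ReportUser;
-- Custom database-level role that carries the permissions.
CREATE ROLE SalesReaders AUTHORIZATION dbo;
GO
-- One schema-scoped grant covers every table and view in Sales,
-- including objects added to the schema later.
GRANT SELECT ON SCHEMA::Sales TO SalesReaders;
-- Carve out a sensitive table: an object-level DENY takes precedence
-- over the schema-level GRANT.
DENY SELECT ON OBJECT::Sales.CustomerCard TO SalesReaders;
GO
-- Users receive permissions only through role membership.
EXEC sp_addrolemember N'SalesReaders', N'ReportUser';
GO
-- Review what the role has been granted or denied, and at which scope.
SELECT pr.name            AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       COALESCE(s.name,
                OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id))
                          AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
     ON pe.class = 3 AND s.schema_id = pe.major_id   -- class 3 = SCHEMA
WHERE pr.name = N'SalesReaders';
GO
-- Confirm the effective rights from the user's point of view.
EXECUTE AS USER = N'ReportUser';
SELECT permission_name FROM fn_my_permissions(N'Sales', N'SCHEMA');
SELECT permission_name FROM fn_my_permissions(N'Sales.CustomerCard', N'OBJECT');
REVERT;
```

The first fn_my_permissions call should list SELECT on the schema, and the second should not list SELECT on the denied table.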

- Automatic auditing is available in SQL Server 2008 Enterprise, and can be enabled using SQL Server Audit.
- Auditing can be enabled at the Server level and Database level.
- CDC and DDL triggers are methods of tracking data changes and structural changes to the database schema.
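Server-level and database-level auditing with SQL Server Audit, shown end to end. This is an added example, not taken from the book; the audit and specification names, the folder C:\SQLAudit\ (which must already exist and be writable by the SQL Server service account), and the SalesDemo database with its Sales schema are assumptions.

```sql
-- Added example: object names, file path and database are hypothetical.
USE master;
GO
-- The audit object defines where events are written.
CREATE SERVER AUDIT Audit_Example
    TO FILE (FILEPATH = N'C:\SQLAudit\',
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- An audit is created disabled; it must be switched on explicitly.
ALTER SERVER AUDIT Audit_Example WITH (STATE = ON);
GO
-- Server level: failed logins and changes to fixed server role membership.
CREATE SERVER AUDIT SPECIFICATION ServerSpec_Example
    FOR SERVER AUDIT Audit_Example
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE SalesDemo;
GO
-- Database level: data access on one schema by any principal,
-- plus every GRANT, DENY or REVOKE issued in the database.
CREATE DATABASE AUDIT SPECIFICATION DbSpec_Example
    FOR SERVER AUDIT Audit_Example
    ADD (SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Sales BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Read the collected events back for review.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```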
The SQL Server Configuration Manager
- Properties for SQL Server services can be managed in the Surface Area Configuration Facet.
- SQL Server features such as Database mail and CLR integration are not enabled by default.
- Disabling unnecessary features helps secure SQL Server.
Security and SQL Agent
- SQL Server Agent Proxies are set up and mapped to the appropriate credentials to perform the required tasks.
- Credentials can be associated with one or more SQL Server Agent subsystems.
- One or more Proxies can be associated with the available SQL Server Agent subsystems.
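A proxy mapped to a credential, limited to a single subsystem and a single login, followed by a query to review the result. This is an added example, not taken from the book; the Windows accounts CONTOSO\svc_filecopy and CONTOSO\JobOwner and the credential and proxy names are hypothetical, and both accounts are assumed to exist (the second as a SQL Server login).

```sql
-- Added example: accounts and object names are hypothetical;
-- the secret is a placeholder to be replaced.
USE master;
GO
-- The credential stores the minimally privileged Windows identity
-- that the job step will run as.
CREATE CREDENTIAL FileCopyCredential
    WITH IDENTITY = N'CONTOSO\svc_filecopy',
         SECRET   = N'<placeholder: password of CONTOSO\svc_filecopy>';
GO
USE msdb;
GO
-- Map a proxy to the credential.
EXEC dbo.sp_add_proxy
     @proxy_name      = N'FileCopyProxy',
     @credential_name = N'FileCopyCredential',
     @enabled         = 1;

-- Allow the proxy on one subsystem only, not on every subsystem.
EXEC dbo.sp_grant_proxy_to_subsystem
     @proxy_name     = N'FileCopyProxy',
     @subsystem_name = N'CmdExec';

-- Only this login may reference the proxy in its job steps.
EXEC dbo.sp_grant_login_to_proxy
     @login_name = N'CONTOSO\JobOwner',
     @proxy_name = N'FileCopyProxy';
GO
-- Review: which proxy runs as which identity on which subsystem.
SELECT p.name AS proxy_name,
       p.enabled,
       c.credential_identity,
       s.subsystem
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c
     ON c.credential_id = p.credential_id
LEFT JOIN dbo.sysproxysubsystem AS ps
     ON ps.proxy_id = p.proxy_id
LEFT JOIN dbo.syssubsystems AS s
     ON s.subsystem_id = ps.subsystem_id
ORDER BY p.name, s.subsystem;
```

Members of the sysadmin fixed server role can use every proxy without an explicit grant, so this restriction only constrains non-sysadmin job owners.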
Exam Objectives Frequently Asked Questions
Q: What is considered to be a Principal in SQL Server 2008?
A: Any entity that requests SQL Server Resources.
Q: What is the definition of “The Principle of Least Privilege”?
A: Only give permissions that are needed. Giving more access violates this principle.
Q: Can you modify Server-level Roles?
A: No, Server-level Roles are fixed and cannot be modified.
Q: Can you create your own Database-level Roles?
A: Yes, Database-level Roles can be created to better fit a user’s security requirements.
Q: What is the most secure Authentication Mode and why?
A: The Windows Authentication Mode is more secure because it is managed by the Windows operating system and subject to additional Windows password policies.
Q: What SQL Server tool is used to enable the DatabaseMail feature in SQL Server 2008?
A: The Surface Configuration Tool.
Q: When working with SQL Server services such as SQL Server Agent, which tool do you use?
A: SQL Server Configuration Manager.
Q: When setting up SQL Server services that need to perform tasks outside of the local server, which account type should you use?
A: Domain Service Accounts.