About the Authors

Mike Young is the co-founder of Softouch Inc. Mike has spent the last several years teaching, consulting, and developing training materials about Microsoft products. Mike has spent the majority of his time over the years supporting and consulting about Microsoft SQL Server. He has a background in database administration and is concerned that his clients meet their expectations for the product. Mike’s primary areas of expertise are Data Transformation Services (DTS), Analysis Server, and all areas related to security.

Curtis W. Young is the other co-founder of Softouch Inc. Curtis has a deep love for training and education. Curtis’ background is on the programming side. He has taught and consulted regarding Visual Basic, Visual InterDev, Visual C++, and Java. Curtis has spent a significant amount of time designing and developing applications that use SQL Server as the back-end database. He receives the most satisfaction from providing systems solutions to business obstacles.
Mike Young
Curtis W. Young
Mastering SQL
Gearhead Press
Publisher: Robert Ipsen
Editor: Ben Ryan
Consulting Editor: Donis Marshall
Managing Editor: Angela Smith
New Media Editor: Brian Snapp
Text Design & Composition: Wiley Composition Services
Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or all capital letters. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration.

This book is printed on acid-free paper. ∞

Copyright © 2002 by Mike Young, Curtis Young. All rights reserved.

Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-mail: permcoordinator@wiley.com.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in professional services. If professional advice or other expert assistance is required, the services of a competent professional person should be sought.

The Gearhead Press trademark is the exclusive property of Gearhead Group Corporation.

Library of Congress Cataloging-in-Publication Data:

ISBN: 0-471-21970-3

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic versions. For more information about Wiley products, visit our web site at www.wiley.com.
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
A Note from Gearhead Press

Gearhead Press is dedicated to publishing technical books for experienced Information Technology professionals—network engineers, developers, system administrators, and others—who need to update their skills, learn how to use technology more effectively, or simply want a quality reference to the latest technology. Gearhead Press emerged from my experience with professional trainers of engineers and developers: people who truly understand first-hand the needs of working professionals. Gearhead Press authors are the crème de la crème of industry trainers, working at the companies that define the technology revolution. For this reason, Gearhead Press authors are regularly in the trenches with the developers and engineers that have changed the world through innovative products. Drawing from this experience in IT training, our books deliver superior technical content with a unique perspective that is based on real-world experience. Now, as an imprint of Wiley Publishing, Inc., Gearhead Press will continue to bring you, the reader, the level of quality that Wiley has delivered consistently for nearly 200 years.

Thank you.

Donis Marshall
Founder, Gearhead Press
Consulting Editor, Wiley Publishing, Inc.
Gearhead Press Books in Print
(For complete information about current and upcoming titles, go to www.wiley.com/compbooks)

Books in the Gearhead Press Point to Point Series
Migrating to Microsoft Exchange 2000 by Stan Reimer

Books in the Gearhead Press In the Trenches Series
Windows 2000 Automated Deployment by Ted Malone and Rolly Perraux
Designing .NET Web Services Using ADO.NET and XML by Richard Hundhausen and Steven Borg
Contents

Acknowledgments xix
Application Programming Interfaces 14
Client Net-Libraries and Authentication 16
Application Design with Security in Mind 16
Views 16
Packages 21
Data Transformation Services Security Concerns 22
Replication 24
Scripts 39
Security 44
Operations 45
Overview of Microsoft Clustering Services 55
Clustering Defined 55
Installing SQL Server for Clustering 61
Documentation 62
Requirements for Domain User Account 70
Locating Files and Folders and Rebuilding Registry Keys 74
Shared Files for All Instances of SQL Server 2000 74
Program and Data Files for the Default Instance of SQL Server 2000 75
Windows NT LAN Manager Authentication 87
The Authentication Process of a Windows Login 88
SQL Authentication 88
Comparing Windows Authentication with SQL Authentication 89
The Advantages of Windows Authentication 89
Justification of SQL Authentication 90
Encryption 93
Impersonation and Delegation 94
Impersonation 94
Delegation 94
Managing Windows Authentication Logins 100
Chapter 6 Designing Application Security 133
Performance 136
Programming Framework 136
Security 137
Views 137
Chapter 7 Implementing Front-End Application Security 155
Client Net-Libraries and Network Protocols 156
Net-Libraries 157
Chapter 8 Implementing Microsoft’s Enterprise Development Strategy 175
Two-Tier Client/Server Architecture 178
Three-Tier Client/Server Architecture 180
Security in Three-Tier Applications 182
Chapter 9 Introducing the SQL Server Agent Service 201
Multiple Job Steps and Job Responses 213
Configuring a Messaging (Mail) Profile 217
SQL Server Agent Service Configuration 222
Chapter 10 Managing Distributed Data Security 231
Reference Objects on Linked Servers 234
Linked Server Security Requirements 235
Changing Log Shipping Roles 245
SQL Profiler 332
SQL Trace 333
New Record Tracking 342
The User Who Made the Most Recent Modification 344
The User Who Made the Most Recent Modification Is Stored with the Creator of the Record 345
Overview of Internet Integration Features of SQL Server 2000 352
Connections through Firewalls and Proxy Servers 360
Using a Firewall System with SQL Server 360
Connections to SQL Server through a Proxy Server 361
Reverse-Publishing with a Proxy Server 362
Connecting to SQL Server through a Web Server 363
Using Active Data Objects with Active Server Pages 364
Using Java Database Connectivity to Access SQL Server 366
Configuring SQL Server Support in
More Information 394
Chapter 2: Designing a Successful Security Model 397
Chapter 3: Exploring Initial Security Parameters 398
Chapter 7: Implementing Front-End
Chapter 8: Understanding Microsoft’s
Chapter 9: Introducing the SQL Server
Chapter 10: Managing Distributed Data Security 406
Chapter 11: Managing Data Transformation Services 408
Chapter 12: Exploring Analysis Services Security 408
Acknowledgments

This book was only made possible by the dedication and patience of several individuals. First has been the work of J.W. Olsen as editor. Jerry has been very patient and informative as we struggled to learn the nuances of writing and publishing this book. He has also made up for our lack of writing skills to help us create a book worthy of publishing. We would also like to acknowledge and thank the entire staff at Gearhead Press and Wiley Publishing, Inc., particularly Donis Marshall, for giving us the support necessary to get this book off the ground.

Finally and most importantly, we want to acknowledge the employees of Softouch, who have had to put up with our constant discussions pertaining to this publication. Without their support and ability to fill in where necessary, this book would never have become a reality.
Introduction

Over the past several years I have developed an interest in security and the protection of data. Several tools and books are available that introduce security, but there is no comprehensive SQL Server security manual. This book is written out of a desire to see that type of a reference available to all administrators and developers of SQL Server.

As a reader of this book, your feedback is highly useful. If you have any suggestions or have had personal experiences that are not addressed by this book, I would appreciate your comments to help ensure that I can include them in an updated version. Any comments or suggestions can be sent to Mike@softouchtraining.com.

Throughout this book you will be introduced to the security concerns related to SQL Server. In working with the product over the years, I have come to realize that managing security is as much about what you can’t do as it is about what you can do. You need to know the features and the limitations of the product. Through an understanding of the limitations, you can account for these items in some other manner. SQL Server security, if designed and implemented correctly, is easy to manage and troubleshoot.

Overview of This Book and Technology

Microsoft SQL Server 2000 is continuing to grow in market share. Microsoft has positioned it as a robust, fast, easy-to-use relational database management system. Because SQL Server is easy to install and configure, several third-party software development companies have chosen it as their back-end database. Because of this growth in market share, many organizations have the need to support SQL Server. Security is a constant area of concern.

Many organizations have made the decision to use SQL Server as their primary database management system. Organizations that have made this choice need to design a security strategy that can be applied somewhat consistently throughout their organization. It is also imperative that all SQL Server administrators and developers be on the same page pertaining to security implementation. Increased communication can help decrease troubleshooting time and frustration related to SQL Server security. A solid security design coupled with effective communication will result in less overhead of administration of SQL Server. This book has been written to lay out the design issues involved with SQL Server. You can take the suggestions and combine them with your internal political structure to create a solution that works for you.

Many other organizations have to support SQL Server even though it is not the primary database management system. This occurs when you purchase or develop an application that requires SQL Server as the database. Often, the security in this described environment is more complicated. This is because the application you purchased has already made most of the security decisions for you. It is your responsibility to support the application and troubleshoot the security concerns as they arise. This book provides information for individuals who have to occasionally support SQL Server.

As the market for SQL Server continues to grow, so do the requirements for educated individuals. As organizations move more data to SQL Server, the security concerns become increasingly important. In past versions many organizations have hesitated to store mission-critical data in SQL Server. Because Microsoft has overcome most of the scalability and robustness concerns, many organizations are overcoming their hesitations. As more mission-critical data is ported to SQL Server, an added emphasis should be placed on understanding SQL Server security. Then the understanding needs to be applied and supported.

As a consultant I have spent many hours with organizations trying to outline a consistent security design for SQL Server. I have yet to find a complete resource on the security considerations and configuration for SQL Server. I have written this book to provide that reference.
How This Book Is Organized

This book is organized in a modular format. It does not necessarily need to be read in the order in which it is presented. The book is divided into parts to categorize the main subjects. The book is written in five parts, which consist of the following items:

Part I: System Security Design. This part provides an overview of the book as well as an introduction into the security design of SQL Server. SQL Server security can be easy to implement and support, but it depends on a solid design. Many organizations fail to create a security design and the applications that are implemented do not follow a consistent security strategy. Inconsistent security approaches increase the overhead related to administering SQL Server security. This part outlines the necessary requirements for a solid security design and approach to SQL Server.

Part II: Security Management Fundamentals. This part introduces the basics of SQL Server security. The main topics covered include initial installation security issues, creating and managing logins, and managing object permissions. For experienced SQL Server users, this section is a review. This section introduces SQL Server security to those who are not proficient with the basic security parameters.

Part III: Application Development Security Concerns. This section is primarily for application developers. It outlines the application security design issues. Many applications are designed and created before security is considered. This part outlines the application security design issues and then moves to security considerations for the application developer. This includes a description of how to implement various security options from the front-end application. This part also introduces the security concerns related to multitier development.

Part IV: Data Management Security. After the design and initial configuration are out of the way, many of the day-to-day security issues are tackled in this part. This part of the book is beneficial to administrators who support SQL Server on a daily basis. This part focuses on the SQL Server Agent service and its security considerations. This part also addresses replication, data transformation services (DTS),