11.3 Establish a Windows NT/2000 Authentication Mode SQL Server is a much more complex database engine than desktop systems such as Jet.. This mode means that SQL Server explicitly trus
Trang 111.3 Establish a Windows NT/2000 Authentication Mode
SQL Server is a much more complex database engine than desktop systems such as Jet SQL Server is a true server engine; it provides access to multiple databases or even
hundreds of users simultaneously Furthermore, unlike Jet, which is tightly bound into Microsoft Access, SQL Server exists as a separate entity on a computer, which most often is located across a network from the user's desktop computer
A building that contains multiple offices is a good analogy for the way that SQL Server is built The building is secured, and each office within the building is locked Carrying the analogy further, each office contains locked desk drawers and filing cabinets A person who wants to use information in one of those file cabinets must enter the building, gain entrance to a locked office, and have a key or other permission to open a locked file cabinet
SQL Server requires each user to be authenticated before it permits the user to open a database Authentication is somewhat like having to show an employee ID card to a guard at the front door of a building Without proper credentials, you don't get into the building Similarly, you don't get "into" SQL Server unless you have been properly
authenticated
SQL Server supports two different authentication modes:
• Windows NT/2000 authentication This mode means that SQL Server explicitly
trusts Windows to authenticate the user Anyone who has a valid Windows user ID and password is allowed to access SQL Server This is known as a trusted
connection because SQL Server trusts Windows to allow only qualified people into the computer system and onto SQL Server Windows NT/2000 Authentication works only with Windows NT or Windows 2000, and it has the distinct advantage
of being quite simple to administer Furthermore, the Windows NT/2000 security provides for expiration and other controls over password usage In fact, SQL Server even recognizes the user's membership in Windows security groups
• SQL Server and Windows NT/2000 authentication Using this mode means that
both SQL Server and Windows are involved in authenticating the user The user is not able to access SQL Server unless both Windows and SQL Server are able to verify the user's identity and password SQL Server and Windows NT/2000
Authentication mode is often referred to as mixed-mode authentication
The selected authentication mode simply directs SQL Server where to look for the user's credentials In other words, authentication is performed by SQL Server, and describes how SQL Server verifies the user's identity
Trang 2You've decided that mixed-mode authentication is too much work, and users are likely to forget either their Windows password or their SQL Server password In fact, some users have resorted to writing down their passwords on sticky notes attached to their computer monitors Obviously, this creates a security risk You'd like to make it as easy as possible for users to get into SQL Server so that they can use the databases you've created for them
Technique
Enterprise Manager includes all the dialog boxes that are required to set SQL Server's authentication mode Changing the authentication mode takes only a few moments, and it affects all databases that SQL Server manages
Steps
SQL Server takes a layered approach to securing the data in its tables These layers
include authentication-whereby a user is identified by username and password-and
permissions on the objects (such as tables and views) stored in the database
As a developer or SQL Server administrator, you must choose which authentication mode your users use to access SQL Server
In Windows NT/2000 authentication mode, any user who is able to log in to Windows is able to access SQL Server.Windows NT/2000 Authentication mode is the easiest possible way for users to access SQL Server As long as a user is an authorized user of Windows
NT or Windows 2000, he'll be able to get into SQL Server No extra password or user identity is required for admittance to SQL Server, which reduces the risk that a user will store a password in an insecure place
1 Choose Start, Programs, Microsoft SQL Server, Enterprise Manager to open
Enterprise Manager
2 Open the SQL Server group and right-click on the server you want to configure
3 Select Properties from the context menu that appears (The Properties command should be highlighted in the context menu.)
4 Select the Security tab
5 Select Windows Only from the authentication options near the top of the Security tab, as shown in Figure 11.8
Figure 11.8 Select Windows Only from the Authentication options in the
Properties dialog box
Trang 36 Click the OK button to complete the process and close the Properties dialog box
Comments
Windows NT/2000 authentication simply means that SQL Server trusts Windows to authenticate users Windows determines the user's identity and group member as the user logs into his computer From that point on, the user has full access to SQL Server
installations that are configured to accept Windows NT/2000 authentication
The main problem with Windows NT/2000 authentication mode is that it doesn't work with Windows 95, Windows 98, or non-Windows computers Anyone who is connected
to your network from a Unix or Apple Macintosh computer will not be able to use
Windows NT/2000 authentication You'll have to set up mixed-mode authentication for these users
Another problem with Windows NT/2000 authentication is that in many environments, more than one person shares the same computer For instance, consider a point-of-sale terminal in a retail environment or an industrial computer located on a factory floor
Trang 4Multiple users typically access these computers, and because SQL Server admits anyone logged into the computer, SQL Server can't distinguish between individual users This can be a problem in environments where some users must be prevented from viewing certain tables or accessing certain data within a database
Note
Although this discussion makes it sound as though SQL Server is passive when working under Windows NT/2000 authentication mode, there is more to the story than discussed here SQL Sever actually calls Windows
NT or 2000 to retrieve the user's Windows login identity and group membership If the user's group membership changes while he is logged into Windows, SQL Server sees the changes as soon as the user tries to access SQL Server