Tài liệu Module 7: Securing docx

To secure access to SQL Server, the administrator can create user logins, configure login permissions, and assign roles to the user logins!. Using SQL Server identity for authentication

Contents

Overview 1

Lesson: SQL Server Connections and

Security 2

Lesson: SQL Server Role-Based Security 15

Lesson: Securing SQL Server

Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property

 2002 Microsoft Corporation All rights reserved

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries

The names of actual companies and products mentioned herein may be the trademarks of their respective owners

Instructor Notes

This module provides students with an explanation of how to use Microsoft® SQL Server™ security features to protect Web application data After completing this module, students will be able to connect securely to a SQL Server database, and use the SQL Server security model to protect a Web

application against SQL injection attacks

After completing this module, students will be able to:

! Use Microsoft Windows® Authentication or SQL Server Authentication to authenticate SQL Server connections

! Create different types of SQL Server roles and assign members to those roles

! Secure SQL Server communication channels by using connection application programming interfaces (APIs)

! Secure SQL Server against SQL injection attacks

To teach this module, you need the following materials:

! Microsoft PowerPoint® file 2300A_07.ppt

! Hypertext Markup Language (HTML) code sample file 2300A_07_code.htm

To prepare for this module:

! Read all of the materials for this module

! Complete the practices and lab

! Read Chapter 6, “SQL Server Security Overview,” in Designing Secure

Web-Based Applications for Microsoft Windows 2000 by Michael Howard

(Redmond, Microsoft Press®), 2000

! Read Module 1, “SQL Server Overview,” in Course 2072, Administering a

Microsoft SQL Server 2000 Database

! Visit the Microsoft Security page at http://www.microsoft.com/security/ security_bulletins/ms02020_sql.asp

How to Teach This Module

This section contains information that will help you to teach this module

Lesson: SQL Server Connections and Security

This section describes the instructional methods for teaching each topic in this lesson

Explain the two types of identities that can be used to connect to SQL Server Inform the class that this topic provides the overview of the two identities, Windows user and SQL Server user Do not cover the identities in detail with this topic The rest of module explains the two identities in detail and provides the advantages and disadvantage of both of the identities

Explain the two authentication methods that are used to authenticate the client based on its identity For the Windows user identity, Windows Authentication

is used, and for the SQL User Identity, SQL Server Authentication is used Compare the two authentication choices and emphasize that Windows Authentication is generally preferred because it offers more security services Also, explain the situations in which using SQL Server Authentication is more useful

Explain the two security modes that are available in SQL Server: Windows only and SQL Server and Windows Inform students that the Windows only and SQL Server and Windows security modes are also known as integrated security mode and mixed security mode, respectively

When explaining the security modes, use Enterprise Manager on the London computer to show the security mode setting that is on the Glasgow computer Explain how SQL Server security configuration affects database connection pooling Also, explain how students can improve the database connection pooling by limiting the user identities that are presented to SQL Server

Show the Microsoft MSDN® documentation for the SqlConnection class to

show all of the possible connection string values

Explain the connection string values that specify the type of authentication that will be used to authenticate clients

Explain the two logins that exist in SQL Server by default: sa and the Local administrators group Emphasize to the class that these two logins have access

to all of the databases in the SQL Server instance Therefore, these logins are not good choices for Web application logins

Use Enterprise Manager to show the default logins to the students

Explain the two categories of SQL Server permissions: object and statement Also, inform students about the permissions that can be granted, denied, or revoked under each category

Lesson: SQL Server Role-Based Security

Use Enterprise Manager and expand to the logins and then to server roles Show the students the list of server roles

Inform students about the three types of database roles that exist on each database in SQL Server The following three topics provide details of the three types of database roles; therefore, do not go into details with this topic

Explain all of the roles that are part of the fixed database role

Show the class how to add the user database role into a database

Show the class how to add the application database role into a database

Introduce the demonstration by explaining the Internet Information Services (IIS) authentication modes for the TailspinToys and TailspinToysAdmin Web applications Ask the students how each Web application should connect to SQL Server Use these answers to further ask what configuration changes the students would make to SQL Server to accomplish configuration

This topic describes the best practices for connecting to SQL Server Emphasize

to the class that these best practices must be followed when developing Web applications that connect to SQL Server

The focus of this practice is connection strings Ask students why a particular connection string succeeded or failed

Lesson: Securing SQL Server Communication

The focus for this topic is the communication channel between the Web server and SQL Server

You can optionally run the lab after this topic and then return to the final lesson after the lab

Lesson: Preventing SQL Injection Attacks

Explain the SQL injection attack and provide examples of SQL injection attacks

The focus of this instructor-led practice is to show how an SQL injection attack

Fixed Server Roles

Database Roles

Fixed Database Roles

User Database Role

Use the Code Example link that is given at the bottom of the slide to show an example of using SQL parameters in Microsoft ADO.NET–based Web applications

This demonstration shows how to secure a Web page against an SQL injection attack The Web page will be secured by using a parameterized SQL query instead of an SQL query that is built using string concatenation

Reiterate that using parameters prevents the form field values from being executable SQL

Lab 7: Securing Microsoft SQL Server Data

The Web pages in both the TailspinToys and TailspinToysAdmin Web applications must read data from the TailspinToys SQL Server database In this lab, students will create connection strings to connect to SQL Server and then call utility functions to read data from the SQL Server database

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware

Lab Setup

To complete this lab, you can continue working in the Tailspin Toys Microsoft Visual Studio® NET projects that you have already created, or you can start with new files

If you want to start with new files, you must copy the appropriate starter projects to the lab virtual root directories There are separate starter projects for the Active Server Pages (ASP) and the Microsoft ASP.NET exercises

! Create the Web applications for the ASP exercises

1 Copy all of the contents of the ASP starter folder install_folder\Labfiles\

Lab07\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys

2 Copy all of the contents of the ASP starter folder install_folder\Labfiles\

Lab07\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin

! Create the Web applications for the ASP.NET exercises

1 Copy all of the contents of the ASP.NET starter folder install_folder\

Labfiles\Lab07\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\

TailspinToys.NET

2 Copy all of the contents of the ASP.NET starter folder install_folder\

Labfiles\Lab07\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToysAdmin.NET

3 Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and change the <allow roles="London\TailspinAdmins"/> tag to be <allow

roles="computerName\TailspinAdmins"/>, where computerName is the

name of your computer

! Configure IIS authentication

1 Run the IIS administrative tool

2 Expand the computer node and the Default Web Site node in the tree

3 Right-click the TailspinToysAdmin virtual directory, and click Properties

4 Click Directory Security

5 In the Anonymous access and authentication control group, click Edit

6 Clear the Anonymous access check box

7 Click OK twice to save your changes

8 Right-click the TailspinToysAdmin.NET virtual directory, and click Properties

9 Click Directory Security

10 In the Anonymous access and authentication control group, click Edit

11 Clear the Anonymous access check box

12 Click OK twice to save your changes

! Configure SQL Server (instructors only)

• You must perform the “Adding Roles and Logins to SQL Server”

demonstration in Module 7, “Securing Microsoft SQL Server,” in Course

2300, Developing Secure Web Applications for this lab to function properly

Lab Results

Performing the lab in this module introduces the following configuration change:

The <appSettings> element of the Web.config file for TailspinToys.NET and

TailspinToysAdmin.NET will be modified to use Integrated Windows authentication

Overview

! SQL Server Connections and Security

! SQL Server Role-Based Security

! Securing SQL Server Communication

! Preventing SQL Injection Attacks

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In Web applications, a database is an important component that must be secured against attack Understanding the security features of Microsoft® SQL Server and how to use them effectively is critical for developing secure Web applications In this module, you will learn how to use SQL Server security features to protect Web application data

The code samples in this module are provided in both Microsoft Visual Basic® NET and C#

After completing this module, you will be able to:

! Use Microsoft Windows® Authentication or SQL Server Authentication to authenticate SQL Server connections

! Create different types of SQL Server roles and assign members to those roles

! Secure SQL Server communication channels by using connection application programming interfaces (APIs)

! Secure SQL Server against SQL injection attacks

Introduction

Note

Objectives

Lesson: SQL Server Connections and Security

! SQL Client Identity

! Overview of Authentication in SQL Server

! Configuring the SQL Server Security Mode

! Security Configuration and Connection Pooling

! Connecting to SQL Server

! SQL Server Logins

! SQL Server Permissions

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

SQL Server provides several security features that can be used to secure Web application data SQL Server also integrates with Windows operating systems and makes use of the secure Windows authentication services

To secure access to SQL Server, the administrator can create user logins, configure login permissions, and assign roles to the user logins The permissions and roles determine which actions users can perform, in addition to what kind of data the users can access The primary goal in managing

SQL Server security is to restrict database permissions so that users are less likely to execute harmful commands and procedures

After completing this lesson, you will be able to:

! Explain the SQL Server authentication modes and identify when to use each mode

! Configure SQL Server for authentication modes

! Select the appropriate connection method for accessing SQL Server

! Define the SQL Server permission types and identify when to use each type

of permission

! Create logins to allow users to connect to SQL Server

! Assign permission to the users

Introduction

Lesson objectives

Internet Information Services

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

The context of the client application defines the user identity that is presented to

a SQL Server for authentication In Web applications, the identity of the Internet Information Services (IIS) request determines the identity that is presented to SQL Server for authentication

Client applications can connect to SQL Server using one of two types of identities:

! Windows user identity SQL Server identifies and authenticates users based on their Windows user identities With the Windows user identity, the resources within SQL Server are secured for Windows users and groups Using Windows user identity for authentication is most often used for an intranet Web application where users are already members of a Windows domain

! SQL Server user identity SQL Server maintains its own user database, which is then used to identify the valid user When the client application connects to SQL Server by using the SQL Server user identity, SQL Server validates that user identity by using the information that is stored within SQL Server itself With the SQL Server user identity, the resources within SQL Server are secured by using SQL Server users and roles Using SQL Server identity for

authentication is not as secure as Windows user identity, but it may be required for some Internet Web applications

Introduction

Types of identities

Overview of Authentication in SQL Server

! Windows Authentication

" Windows users and groups

" Rich and secure service

" Proxy servers pose problems

! SQL Server Authentication

" Users’ login information is stored in SQL Server

" Fewer security features

" Useful in Internet scenarios

! Windows Authentication is the preferred choice because it is more secure than SQL Server Authentication

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

When client applications connect to SQL Server, the user identity of the client application must be authenticated SQL Server supports two different

authentication systems:

! Windows Authentication

! SQL Server Authentication SQL Server can authenticate users by calling the Windows security services Windows Authentication requires trusted connections between the client application and SQL Server These trusted connections use the impersonation features of Windows security services to present the user identity of the client application to the SQL Server service for authentication

With Windows Authentication, SQL Server uses the user and group accounts that are available in a Windows domain for authentication Windows users do not require a separate SQL Server login and password

The benefit of using Windows Authentication is that it allows SQL Server to use the abundant and secure sets of services that are provided by Windows operating systems for authentication With Windows Authentication, there is support for aging passwords, enforcing strong password schemes, and enforcing account lockout after repeated failed login attempts

SQL Server can also authenticate users by using its own built-in security services With SQL Server Authentication, the users and roles reside within the master SQL Server database, and SQL Server authenticates the calling user SQL Server Authentication has the advantage of not being limited by proxy servers over the Internet; however, it has fewer security features than Windows security

Introduction

Windows Authentication

SQL Server

Authentication

Windows Authentication is the preferred authentication choice because it is more secure than SQL Server Authentication However, it is not always possible to use Windows Authentication in Internet Web applications

Proxy servers can prevent identity flow when your database needs to authenticate the user through Windows Authentication over the Internet A proxy server executes Hypertext Transfer Protocol (HTTP) requests on behalf

of client browser users Proxy servers may execute these requests without the security context of the client browser, so the identity of the user will not flow to the Web application (and subsequently, the identity of the user will not flow to SQL Server) Rather, the identity of the proxy server will flow to SQL Server, and in the case of Windows Authentication, this is most often not a Windows user identity Some proxy servers can be configured to flow Windows identities, but this is not supported by all proxy servers In such cases, SQL Server Authentication is useful, and is recommended

Authentication choices

Configuring the SQL Server Security Mode

! Windows only

users and groups

! SQL Server and Windows

Authentication

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

SQL Server can be configured to support one of two security modes:

! Windows only

! SQL Server and Windows These security mode settings are set for a SQL Server instance and therefore affect all of the databases in a SQL Server instance When in doubt, select the SQL Server and Windows security mode for the broadest configuration option The Windows only security mode in SQL Server exclusively uses Windows Authentication for client connections All SQL Server users must be Windows users The users can also be members of Windows groups The Windows only security mode is also called the integrated security mode

The SQL Server and Windows security mode uses either Windows Authentication or SQL Server Authentication In the SQL Server and Windows security mode, the client application specifies the authentication mode to use when the user is first connected to SQL Server The SQL Server and Windows security mode is also called the mixed security mode

Introduction

Windows only

SQL Server and

Windows

The SQL Server security mode can be configured by using Enterprise Manager

To set the SQL Server security mode:

1 Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager

This opens the SQL Server Enterprise Manager

2 Expand the tree to locate the instance of SQL Server The instance of SQL Server is often named (local)

3 Right-click the instance of SQL Server, and then click Properties

4 In the SQL Server Properties dialog box, click the Security tab, as shown

in the following illustration

5 Under Authentication, click the appropriate option

Click the Windows only option for implementing Windows Authentication Otherwise, click the SQL Server and Windows option to allow logins from

both types of authentication: Windows Authentication and SQL Server Authentication

6 Click OK to save your changes

Setting the security

mode

Security Configuration and Connection Pooling

! Connection pooling requires all the connections to have the same identity

! If the Web application uses Windows only authentication and impersonates the identity of the client browser:

! Limiting user identities requires Web applications to not impersonate the client browser identity

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Connection pooling is useful for scaling up the concurrent database connections

of a Web application Database connection pooling enables a Web application

to use any unused connection from a pool of connections that do not need to be reestablished for each use

The main benefit of connection pooling is improved performance, which is not achieved when you use authenticated connections that have multiple user identities that are associated with them Connection pooling requires that all connections in the pool to have the same identity associated with them

The SQL Server security configuration can have an impact on connection pooling Connections are pooled per user If your Web application is using Windows only security and is impersonating the identity of the client browser

to authenticate a connection to SQL Server, there may be many user identities connecting to the SQL Server server Each of these user identities will have its own connection pool; and will not be in the same connection pool

To limit the user identities that are presented to SQL Server, thereby improving connection pooling, you can have a single identity communicate with

SQL Server To have a single identity, the Web application should not impersonate the client browser identity You can ensure that the Web application does not impersonate the client browser identity by using either of the security modes: Windows only security or SQL Server and Windows security In Windows only security, the identity of the Web application process

is presented to SQL Server In SQL Server and Windows security, a single SQL Server user can be presented to SQL Server as part of the connection string

" Connection string contains uid=username;pwd=password

! Requested mode must match SQL Server configuration

! Store connection strings in a configuration file

" inc for ASP Web applications and Web.config for ASP.NET Web applications

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

When a client application connects to SQL Server, the connection string specifies which type of authentication the client application needs to use The value of the connection string is the same for ActiveX® Data Objects (ADO) and Microsoft ADO.NET

For Windows Authentication, include Trusted_Connection=yes in the

connection string to specify that the identity of the client application should be used to authenticate the connection with SQL Server:

server=computerName;Trusted_Connection=yes;!

database=databaseName

For SQL Server Authentication, include uid=username;pwd=password in the

connection string and specify the required SQL Server login and password The SQL Server login that is contained in the connection string is used to

authenticate the connection with SQL Server:

server=computerName;uid=userName;pwd=password;!

database=databaseName

If you specify uid and pwd in clear text in the connection string, you

might want to encrypt the connection string To learn about encryption, see Module 9, “Encrypting, Hashing, and Signing Data,” in Course 2300,

Developing Secure Web Applications

Introduction

Connection string

values

Note

Connection strings should be stored in a separate file from the Web page content to better secure the connection string content For Active Server Pages (ASP) Web applications, connection strings can be stored in inc files For Microsoft ASP.NET Web applications, connection strings can be stored in a Web.config file

The authentication type that is specified in the connection string must match the configured security settings for the SQL Server instance If the client specifies SQL Server Authentication in the connection, but the SQL Server instance is configured for Windows only security, the connection will be refused

Client and server must

match

SQL Server Logins

! Add logins to permit user connections to SQL Server

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Logins must be added to SQL Server to permit particular users to connect to SQL Server Logins must be added to SQL Server for both integrated and mixed mode security For Windows only security, Windows users and groups may be added to the SQL Server logins For SQL Server and Windows security, SQL Server users are added to the list of logins

These logins are added to an instance of SQL Server and not to individual databases However, you can restrict the list of databases that a login can access You can also restrict the role membership for a login, both within a database and at the server level

By default, there are two logins for an instance of SQL Server:

! sa

The sa login is a SQL Server user that can be used for the SQL Server and

Windows security connections

! Local administrators group (BUILTIN\Administrators) The BUILTIN\Administrators login is a Windows 2000 group and can be used for Windows only security connections

Both of these logins are in the System Administrators and db_owner roles

These logins have access to all of the databases in the SQL Server instance These logins are intended to be used to administer the SQL Server instance and SQL Server databases These logins are not good choices for Web application logins because they have so much control over the SQL Server databases

Introduction

Default logins in SQL

Server

To add a Windows 2000 user or group to SQL Server:

1 Open SQL Server Enterprise Manager

2 Expand the tree to locate the instance of SQL Server The instance is often named (local)

3 Expand the instance of SQL Server

4 Expand the Security folder

5 Right-click Logins, and then click New Login

6 In the SQL Server Login Properties dialog box, do the following:

a Select Windows Authentication

b Under Authentication, in the Domain box, click the appropriate domain

or computer name

c In the Name text box, type the Windows 2000 user or group name

d On the Server Roles tab, check the appropriate server roles for the new

login

e On the Database Access tab, check the databases that the new login will

have access to

f Click OK to save the new login

Adding a new login

SQL Server Permissions

! Permissions can be:

! Two types of permissions:

certain database objects

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Resources within SQL Server are secured by permissions Permissions can be granted, denied, or revoked A grant permission allows a user to perform a particular action or set of actions on a resource A deny permission prevents a user from performing a particular action or set of actions on a resource A revoke permission revokes a previously granted or denied permission

There are two types of permissions that can be granted, denied, or revoked The two types of permissions are statement and object permissions

A statement permission controls the rights to run particular SQL statements These SQL statements are used to create and modify databases The following

is a list of statement permissions that can be granted, denied, or revoked:

An object permission controls the rights to perform certain operations against certain SQL Server database objects These operations encompass working with data and executing stored procedures The following is a list of object

permissions that can be granted, denied, or revoked:

! SELECT, INSERT, UPDATE, and DELETE for a table or view

! SELECT and UPDATE for individual columns of a table or view

! SELECT for user-defined functions

! INSERT and DELETE for a table or view

! EXECUTE for stored procedures

Object permissions

Lesson: SQL Server Role-Based Security

! Fixed Server Roles

! Database Roles

! Fixed Database Roles

! User Database Role

! Application Database Role

! Demonstration: Adding Roles and Logins to SQL Server

! Best Practices for Connecting to SQL Server

! Instructor-Led Practice: Connecting to SQL Server

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

SQL Server roles are similar to groups in a Windows operating system Similar

to Windows groups, SQL Server roles can be used to assign permissions to a group of users SQL Servers roles can have built-in permissions that are associated with them SQL Server roles contain database logins and have permissions granted to particular sets of database operations There are two types of roles in SQL Server:

! Fixed server roles

! Database roles After completing this lesson, you will be able to:

! Explain the SQL Server role types and identify when to use each type of role

! Create the three kinds database roles—fixed, user, and application—in SQL Server and assign members to those roles

! Configure a Web application to connect to SQL Server with the least privileges

Introduction

Lesson objectives

Fixed Server Roles

Can perform any activity in the SQL Server installationsysadmin

Can manage extended stored proceduressetupadmin

Can configure the server-wide settingsserveradmin

Can manage the logins for the serversecurityadmin

Can manage the processes running in SQL Serverprocessadmin

Can manage the SQL Server disk files diskadmin

Can create and alter databases dbcreator

Can perform the bulk insert operationbulkadmin

Permission Role

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Fixed server roles are predefined sets of rights that can be assigned to a SQL Server login These roles are defined for a SQL Server instance, rather than for a particular SQL Server database These roles permit logins, which are contained as a member in the roles, to perform administrative tasks on an instance of SQL Server

Fixed server roles are listed in the Security Roles item in the Security folder for

a SQL Server instance in Enterprise Manager When logins are created or edited, they can be added to or removed from fixed server roles by using the

Server Roles tab of the Properties dialog box

The list of fixed server roles is a fixed list, as the name implies, which means that you cannot add or delete fixed server roles You can add logins only as members of the fixed server roles The following table lists the fixed server roles and their permissions

Role Permission

bulkadmin Can perform the bulk insert operation

dbcreator Can create and alter databases

diskadmin Can manage the SQL Server disk files

processadmin Can manage the processes running in SQL Server

securityadmin Can manage the logins for the server

serveradmin Can configure the server-wide settings

setupadmin Can manage extended stored procedures

sysadmin Can perform any activity in the SQL Server installation

The default logins (sa and BUILTIN\Administrators) are members of the sysadmin role, which grants the logins complete access to the SQL Server instance These logins should not be used as Web application logins to SQL Server because they could permit a compromised Web application to have complete control over a SQL Server instance

Introduction

List of fixed server roles

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Each database in SQL Server contains roles Database roles are applied to individual databases, and they match database users to database permissions There are three kinds of database roles:

! Fixed

! User

! Application

All three kinds of database roles can be found within the Roles item within a

database's folder in SQL Server Enterprise Manager

Introduction

Fixed Database Roles

Cannot write data to any table in the databasedb_denydatawriter

Cannot read data from any table in the databasedb_denydatareader

Can write data to all tables in the databasedb_datawriter

Can read data from all tables in the databasedb_datareader

Can issue data definition language statementsdb_ddladmin

Can back up a database and a transaction log db_backupoperator

Can assign permissions to users and roles within the database

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

Fixed database roles, similar to fixed server roles, are predefined roles that cannot be modified or deleted You can change only the role membership Fixed database roles are predefined for each database, and they grant permissions only for that database

The following table lists the fixed database roles and their permissions

Fixed database role Permissions

db_owner Has full control over the database

db_accessadmin Can grant and revoke access to the database

db_securityadmin Can assign permissions to users and roles within the

database

db_backupoperator Can back up a database and a transaction log

db_ddladmin Can issue data definition language (DDL) statements db_datareader Can read (SELECT) data from all of the tables in the

database

db_datawriter Can write (UPDATE, INSERT, DELETE) data to all of the

tables in the database

db_denydatareader Cannot read (SELECT) data from any table that is in the

database

db_denydatawriter Cannot write (UPDATE, INSERT, DELETE) data to any

table that is in the database

There is one more role, Public, which appears in the list of database roles Public is a form of a fixed database role Public appears within each SQL Server database and is analogous to the Everyone group in Windows 2000 security You cannot set the members of the Public role because all database users are automatically members of the Public role All of the permissions that the Public role contains are assigned to all of the database users For example, if you deny read permissions to the Public role on a table, no database user can read that table

Introduction

Fixed database roles

User Database Role

Within the database folder, right-click Roles, and then click New Database Role

Within the database folder, right-click Roles, and then click New Database Role

Specify the name for the role and select the Standard role option

Specify the name for the role and select the Standard role option

Click Add and specify the member users

Click Permissions and assign the appropriate permissions to that new role

Click Permissions and assign the appropriate permissions to that new role

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In addition to the fixed database roles that are predefined for a database, you can create your own roles, which are called user roles User roles have user members and permissions, similar to other roles You can create, modify, and delete user roles within a SQL Server database

To add a new user database role to an existing SQL Server database:

1 Open SQL Server Enterprise Manager

2 Expand the tree to locate your instance of SQL Server

3 Expand your instance of SQL Server

4 Expand the Databases folder

5 Expand the database in which you want to add a new user role

6 Right-click the Roles item, and then click New Database Role

The Database Role Properties dialog box is displayed

7 In the Database Role Properties dialog box, in the Name text box, specify

a name for the new role

8 Verify that the Standard role option is selected

9 Click Add to add users to the new role

The Add Roles Members dialog box is displayed

10 Select the users, and then click OK to add users to the new role

11 Click OK to add the role You must add the role before you can set its

permissions

Introduction

Adding a user database

role

12 Double-click the new role to open the Database Role Properties dialog box The following illustration shows the Database Role Properties dialog

box

13 Click Permissions to view the permissions associated with the role

14 By default, roles are created with no permissions Grant the appropriate set

of permissions to objects in the database for the new role

15 Click OK to save the permissions changes

16 Click OK to save the role changes

Application Database Role

Within the database folder, right-click Roles, and then click New Database Role

Within the database folder, right-click Roles, and then click New Database Role

Specify the name of the role and select the Application role option

Specify the name of the role and select the Application role option

Enter the password for the role

Click Permissions and assign the appropriate permissions to that new role

Click Permissions and assign the appropriate permissions to that new role

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

An application role is a special type of role that has no user members This role contains the associated permissions and is secured by a password

For application database role to be effective, you must first enable it by calling

the sp_setapprole stored procedure The sp_setapprole stored procedure takes

an application role name and password, as parameters, as shown in the following example:

exec sp_setapprole 'MyAppRole', {Encrypt N 'P@ssword8'}

After this stored procedure is called for a connection, all of the other permissions for users are turned off within the database and only the permissions that are associated with the application role are enabled The only way to disable an enabled application role is to close the connection to SQL Server

Application roles allow the client application to take responsibility for security The client application uses the same permissions that are assigned for all users

to the application role Consequently, a client application ensures that users are permitted to perform only certain operations

To add a new application database role:

1 Open SQL Server Enterprise Manager

2 Expand the tree to locate your instance of SQL Server

3 Expand the instance of SQL Server

4 Expand the Databases folder

5 Expand the database in which you want to add an application role

6 Right-click Roles, and then click New Database Role

7 In the Database Role Properties dialog box, in the Name box, type the

new role's name

8 Select Application role

9 In the Password box, type a password for the new role

10 Click OK to add the new role You must add a role before setting its

13 By default, roles are created with no permissions Grant the appropriate set

of permissions for the new role

14 Click OK to save the permission changes

15 Click OK to save the role changes

Demonstration: Adding Roles and Logins to SQL Server

1 Configure SQL Server to use SQL Server and Windows authentication

2 Create SQL Server roles

3 Add a Windows 2000 group as a SQL Server login

4 Create a new SQL Server login

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

In this demonstration, you will see how to add logins to a SQL Server database and how to put those logins into role memberships This demonstration will add

a Windows 2000 group named TailspinAdmins as a login and create a new SQL Server login named WebUser

This demonstration must be successfully performed for Lab 7, “Securing SQL Server Data,” to work properly In this lab, all of the students will connect

to the instructor computer’s database These logins must exist in the instructor database prior to the start of the lab

! Configure the SQL Server Enterprise Manager for the Glasgow computer

1 Open the SQL Server Enterprise Manager

2 Expand the tree to the SQL Server Group node

3 Right-click SQL Server Group, and then click New SQL Server Registration

4 In the Register SQL Server Wizard, on the Welcome to the Register SQL Server Wizard page, click Next

5 On the Select a SQL Server page, in the Available servers list, click Glasgow, click Add, and then click Next

6 On the Select an Authentication Mode page, check SQL Server Authentication

7 On the Select Connection Option page, enter a Login name of sa and a Password of P@ssw0rd and click Next

8 On the Select SQL Server Group page, click Next to accept the default

settings

9 On the Completing the Register SQL Server Wizard page, click Finish Introduction

Note

! Configure the SQL Server security mode

1 Within SQL Server Enterprise Manager, expand the tree to the Glasgow

instance of SQL Server

2 Right-click Glasgow, and then click Properties

3 In the SQL Server Properties dialog box, on the Security tab, notice that

that the authentication is set to SQL Server and Windows

4 Click OK to close the dialog box

For this demonstration to work, the 2300Student and 2300Instructor Windows users and the TailspinAdmins Windows group must exist on both the London and Glasgow computers

! Add the InternetStoredProcs role

1 In SQL Server Enterprise Manager, expand the Glasgow node in the tree, expand the Databases folder, and then expand the TailspinToys database

2 Right-click Roles, and then click New Database Role

3 In the Database Role Properties dialog box, name the new role InternetStoredProcs, and then click OK

4 In SQL Server Enterprise Manger, double-click InternetStoredProcs in the

list of roles

5 In the Database Role Properties dialog box, click Permissions

6 Check the Exec column for the following stored procedures:

! Add the IntranetStoredProcs role

1 In SQL Server Enterprise Manager, right-click Roles, and then click New Database Role

2 In the Database Role Properties dialog box, name the new role IntranetStoredProcs, and then click OK

3 Double-click IntranetStoredProcs in the list of roles

4 In SQL Server Enterprise Manger, double-click IntranetStoredProcs in the

list of roles

5 In the Database Role Properties dialog box, click Permissions

6 Check the Exec column for the following stored procedures:

7 Click OK twice to save your permission changes

! Add the TailspinAdmins login

1 In SQL Server Enterprise Manager, browse back to the Glasgow node in the

tree

2 Expand the Security folder

3 Right-click Logins, and then click New Login

4 In the SQL Server Login Properties dialog box, make the name for the new role GLASGOW\TailspinAdmins

5 In the Database box, select TailspinToys

6 On the Database Access tab, locate TailspinToys in the list of databases and check the Permit column