SQL Server Security Basics

•Download as PPT, PDF•

0 likes•1,970 views

Understand potential data threats and how SQL Server’s design protects against them, Learn about SQL Server and Windows integrated authentication, and see how SQL Server provides an authorization system to control access to data and objects.

Technology

SQL Server Security Basics –
Part 1
http://www.LearnNowOnline.com

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Objectives
• Understand potential data threats and how
SQL Server’s design protects against them
• Learn about SQL Server and Windows
integrated authentication
• See how SQL Server provides an authorization
system to control access to data and objects

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Agenda
• Security Overview
• Authentication
• Authorization

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Security Overview
• Relational data is a tempting target for
attackers
• SQL Server 2008 provides plenty of features to
secure your data and server
• Need to understand the threats
• Match countermeasures to the threats

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

The Threats
• Identifying threats is a critical first step
• Type of data will probably influence security measures
• Sometimes the best way to protect data is to never
put it in a database
• Typical threats
• Theft of data
• Data vandalism
• Protecting data integrity
• Illegal storage
• Understand threats to protect against them
Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Security Design Philosophy
• Trustworthy Computing memo, 2002
• Four pillars of security design
• Secure by design
• Secure by default
• Secure in deployment
• Secure through communications
• “It’s just secure”
• Implications throughout the product
• SQL Server is reasonably secure out of the box
• Your job is to keep it secure

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

The Two Stages of Security
• Similar to Windows security
• Authentication: who are you?
• Authorization: now that we know who you are,
what can you do?

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Key SQL Server Security Terms
• Authentication • Permission
• Authorization • Principal
• Group • Privilege
• Impersonation • Role
• Login • User

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Authentication
• Process of verifying that a principal is who or what it
claims to be
• SQL Server has to uniquely identify principals in order to
authorize
• Two paths to authentication
• Windows authentication
• SQL Server authentication
• Authentication modes
• Mixed Mode Authentication
• Windows Only Authentication Mode

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Windows Integrated Authentication
• SQL Server assumes a trust relationship with Windows
Server
• Windows does the heavy lifting for authentication
• The SQL Server checks permissions on the principal
• Advantages
• Single user login
• Auditing features
• Simplified login management
• Password policies
• Changes only take effect when user connects
Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Configuring SQL Server Security
Settings
• Select either when install or later
• Settings apply to all databases and server
objects in an instance of SQL Server
• Changing modes after installation may or may
not cause problems
• Windows to Mixed
• Mixed to Windows

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

SQL Server Authentication
• Client applications must provide login
credentials as part of connection string
• Logins stored in SQL Server
• Windows authentication stronger
• But must use SQL Server authentication with old
versions of Windows, non-Windows systems

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Windows and SQL Server Logins
• SQL Server logins are not stored in Windows
• Disabled if you select Windows authentication
• Mixed mode is much more flexible
• But less secure

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Beware of the sa Login
• System administrator login
• Mapped to sysadmin fixed server role
• Conveys full system administrator privileges
• Cannot modify or delete
• Must use a strong password!
• Use only as access of last resort
• NEVER use sa for database access through
client applications
Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

End of Part 1

http://www.LearnNowOnline.com

Learn More @ http://www.learnnowonline.com
Copyright © by Application Developers Training Company

Recently uploaded

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Real Time Object Detection Using Open CV

Khem

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...

Strategies for Landing an Oracle DBA Job as a Fresher

GenCyber Cyber Security Day Presentation

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Powerful Google developer tools for immediate impact! (2023-24 C)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Real Time Object Detection Using Open CV

How to Troubleshoot Apps for the Modern Connected Worker

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Tech Trends Report 2024 Future Today Institute.pdf

[2024]Digital Global Overview Report 2024 Meltwater.pdf

Axa Assurance Maroc - Insurer Innovation Award 2024

Boost Fertility New Invention Ups Success Rates.pdf

Scaling API-first – The story of a global engineering organization

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Artificial Intelligence: Facts and Myths

presentation ICT roal in 21st century education

SQL Server Security Basics

2. Objectives • Understand potential data threats and how SQL Server’s design protects against them • Learn about SQL Server and Windows integrated authentication • See how SQL Server provides an authorization system to control access to data and objects Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

4. Security Overview • Relational data is a tempting target for attackers • SQL Server 2008 provides plenty of features to secure your data and server • Need to understand the threats • Match countermeasures to the threats Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

5. The Threats • Identifying threats is a critical first step • Type of data will probably influence security measures • Sometimes the best way to protect data is to never put it in a database • Typical threats • Theft of data • Data vandalism • Protecting data integrity • Illegal storage • Understand threats to protect against them Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

6. Security Design Philosophy • Trustworthy Computing memo, 2002 • Four pillars of security design • Secure by design • Secure by default • Secure in deployment • Secure through communications • “It’s just secure” • Implications throughout the product • SQL Server is reasonably secure out of the box • Your job is to keep it secure Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

7. The Two Stages of Security • Similar to Windows security • Authentication: who are you? • Authorization: now that we know who you are, what can you do? Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

8. Key SQL Server Security Terms • Authentication • Permission • Authorization • Principal • Group • Privilege • Impersonation • Role • Login • User Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

10. Authentication • Process of verifying that a principal is who or what it claims to be • SQL Server has to uniquely identify principals in order to authorize • Two paths to authentication • Windows authentication • SQL Server authentication • Authentication modes • Mixed Mode Authentication • Windows Only Authentication Mode Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

11. Windows Integrated Authentication • SQL Server assumes a trust relationship with Windows Server • Windows does the heavy lifting for authentication • The SQL Server checks permissions on the principal • Advantages • Single user login • Auditing features • Simplified login management • Password policies • Changes only take effect when user connects Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

12. Configuring SQL Server Security Settings • Select either when install or later • Settings apply to all databases and server objects in an instance of SQL Server • Changing modes after installation may or may not cause problems • Windows to Mixed • Mixed to Windows Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

13. SQL Server Authentication • Client applications must provide login credentials as part of connection string • Logins stored in SQL Server • Windows authentication stronger • But must use SQL Server authentication with old versions of Windows, non-Windows systems Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

14. Windows and SQL Server Logins • SQL Server logins are not stored in Windows • Disabled if you select Windows authentication • Mixed mode is much more flexible • But less secure Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

15. Beware of the sa Login • System administrator login • Mapped to sysadmin fixed server role • Conveys full system administrator privileges • Cannot modify or delete • Must use a strong password! • Use only as access of last resort • NEVER use sa for database access through client applications Learn More @ http://www.learnnowonline.com Copyright © by Application Developers Training Company

Editor's Notes

DEMO – Adding a Windows Login, Window Logins via Transact-SQL
DEMO – rest of section and SQL Server Logins via Transact-SQL

SQL Server Security Basics

Recommended

Recommended

More Related Content

More from LearnNowOnline

More from LearnNowOnline (20)

Recently uploaded

Recently uploaded (20)

SQL Server Security Basics

Editor's Notes