Transcript login
Chapter Overview • Understanding the Authentication Process • Understanding the Authorization Process • Creating and Managing Logins 1 Authentication Process 2 Authentication Method Security Issues • Unencrypted user names and passwords on the wire • Password policies • Lockout policies 3 Net-Library Issues • The client and Microsoft SQL Server must support a matching set of Net-Libraries. • Default client Net-Libraries are TCP/IP Sockets and Named Pipes, and connections are attempted in that order. • Use the Client Network Utility to modify client NetLibraries. • Only Named Pipes and Multiprotocol Net-Libraries require an existing authenticated connection. 4 SQL Server Authentication Modes 5 Security Account Delegation • SQL Server can impersonate an authenticated user to access resources outside of SQL Server. • All participating servers must be running Windows 2000 and have security account delegation enabled. • The SQL Server service account must be trusted for delegation. • The user requesting delegation must be trusted for delegation. • The SQL Server instance must have a Service Principal Name (SPN). 6 Server Roles Grant ServerWide Permissions sysadmin serveradmin setupadmin securityadmin processadmin dbcreator diskadmin bulkadmin 7 Database-Specific Permissions Database owner DBO role User Guest user Public role Fixed database role User-defined database role Statement permissions Object permissions Application role 8 Fixed Database Roles db_owner db_accessadmin db_securityadmin db_ddladmin db_backupoperator db_datareader db_datawriter db_denydatawriter db_denydatareader 9 Login Accounts Using Create Login Wizard • Specify the authentication type for the login. • You can grant or deny SQL Server access to a Windows user or group. • Define a server role, if any. • Specify the databases to which the login will be a permitted user. 10 Login Accounts Using Enterprise Manager Directly 11 User-Defined Database Roles • Create the user-defined database role within a specific database. • Add users within the database to that role. • A user-defined database role has no permissions assigned to it automatically. 12 Windows Login Accounts Using Transact-SQL • sp_grantlogin 'login' • sp_revokelogin 'login' • sp_denylogin 'login' • sp_defaultdb 'login', 'database' • sp_defaultlanguage 'login', 'language' 13 SQL Server Login Accounts Using Transact-SQL • sp_addlogin 'login', ['password', 'database', 'language', 'sid', 'encryption_option'] • sp_droplogin 'login' • sp_password 'old_password', 'new_password', 'login' • sp_defaultdb 'login', 'database' • sp_defaultlanguage 'login', 'language' 14 Server Roles and Database Access Using Transact-SQL • sp_addsrvrolemember 'login', 'role' • sp_dropsrvrolemember 'login', 'role' • sp_grantdbaccess 'login', 'name_in_db' • sp_revokedbaccess 'name' 15 Database Roles Using Transact-SQL • sp_changedbowner 'login', 'remap_alias_flag' • sp_addrolemember 'role', 'security_account' • sp_droprolemember 'role', 'security_account' • sp_addrole 'role', 'owner' • sp_droprole 'role' 16 Viewing Access Information Using Enterprise Manager • View on a user-by-user basis in the Logins container within the Security container. • View server role membership in the Server Roles container within the Security container. • View database access on a per-user basis in the Users container in each database. • View database role membership in the Roles container in each database. 17 Viewing Access Information Using Transact-SQL • sp_helplogins ['login'] • sp_helpsrvrolemember ['role'] • sp_helpuser ['security_account'] • sp_helprolemember ['role'] • sp_helpntgroup ['name'] 18 Chapter Summary • Authentication is required for access, and authorization is required to perform specific actions. • SQL Server supports Windows and SQL Server authentication. • SQL Server can run in Windows Authentication Mode or Mixed Mode. • Server roles grant server-wide administration rights, and database roles grant database-specific rights. • View access information on a user basis or a role basis. 19