Chapter 10 Outline

advertisement
Chapter 10, Managing Access to SQL Server 2000
|1|
Chapter Overview
A.
B.
C.
Understanding the Authentication Process
Understanding the Authorization Process
Creating and Managing Logins
Chapter 10, Lesson 1
Understanding the Authentication Process
|2|
1.
Authentication Process
A.
B.
|3|
2.
Windows authentication
1.
The user presents either a Kerberos ticket or an access token.
2.
SQL Server verifies the authenticity of the Kerberos ticket or access
token.
3.
SQL Server checks the user’s name against the list of Microsoft
Windows users and groups permitted access and then grants or denies
access.
4.
This type of connection is called a trusted connection.
SQL Server authentication
1.
The user submits a login name and password.
2.
The name and password are submitted in clear text unless SSL
encryption is used for the entire session.
3.
SQL Server checks the user’s name against the list of SQL Server
security accounts permitted access and then grants or denies access.
4.
You must use SQL Server authentication to connect to SQL Server
running on Microsoft Windows Me or Windows 98.
Authentication Method Security Issues
A.
B.
C.
D.
Authentication
1.
In Windows authentication, the Windows operating system authenticates
the user by using an encrypted name and password.
2.
In SQL Server authentication, the user is never authenticated by the
Windows operating system.
Authentication credentials
1.
In Windows authentication, a Kerberos ticket or access token is
presented to SQL Server.
2.
In SQL Server authentication, the user name and password are submitted
in clear text unless SSL encryption is used for the entire session.
Password policies
1.
The Windows operating system supports password policies.
2.
No password policies are supported in SQL Server.
Account lockout policies
1.
The Windows operating system supports account lockout policies.
2.
No account lockout policies are supported in SQL Server.
|4|
3.
Net-Library Issues
A.
B.
C.
D.
E.
|5|
4.
SQL Server Authentication Modes
A.
B.
|6|
5.
Windows Authentication Mode
1.
Default mode
2.
Only permits connections using Windows authentication
3.
More secure than Mixed Mode
Mixed Mode
1.
You must enable Mixed Mode, either during setup or in the properties of
SQL Server in SQL Server Enterprise Manager.
2.
Switching authentication modes requires a restart of the SQL Server
service.
3.
Permits connections using either Windows authentication or SQL Server
authentication
4.
Required for users, such as NetWare or UNIX clients, connecting to
SQL Server without authentication by the Windows operating system
Security Account Delegation
A.
B.
C.
D.
E.
F.
2
The client and Microsoft SQL Server must support a matching set of
Net-Libraries.
Default client Net-Libraries are TCP/IP Sockets and Named Pipes, and
connections are attempted in that order.
Use the Client Network Utility to modify the configured client NetLibraries, to modify their connection order, or to enable SSL encryption.
The Named Pipes and Multiprotocol Net-Libraries require an
authenticated connection to the Windows domain. This is achieved
either by using a login to the domain or by connecting to a share within
the Microsoft Windows domain.
TCP/IP Sockets and the remaining Net-Libraries do not require any
authentication to attempt to connect to SQL Server.
SQL Server can impersonate an authenticated user to access
resources outside of SQL Server, such as in the file system on a
remote system or on another instance of SQL Server.
All participating servers must be running Windows 2000 with Active
Directory directory services installed.
Security account delegation must be enabled in Active Directory on
each participating server.
The SQL Server service domain user account must be trusted for
delegation.
The user requesting delegation must be trusted for delegation.
The SQL Server instance must have a Service Principal Name (SPN).
Outline, Chapter 10
Microsoft SQL Server 2000 System Administration
Chapter 10, Lesson 2
Understanding the Authorization Process
|7|
1.
Server Roles Grant Server-Wide Permissions
A.
B.
C.
D.
E.
F.
G.
H.
|8|
2.
The sysadmin role has permission to perform any activity within SQL
Server.
The serveradmin role has permission to configure server-wide settings
and shut down SQL Server.
The setupadmin role has permission to install and configure linked
servers, remote servers, and replication. Mark stored procedure for
execution at startup.
The securityadmin role has permission to manage server logins,
CREATE DATABASE statement permissions, read error logs, and
change passwords.
The processadmin role has permission to manage or kill SQL Server
processes.
The dbcreator role has permission to create, alter, and delete
databases.
The diskadmin role has permission to manage disk files and backup
devices.
The bulkadmin role has permission to execute the BULK INSERT
statement.
Database-Specific Permissions
A.
B.
C.
D.
E.
F.
G.
H.
I.
J.
Database owner—A specified user who can perform any activity within
the database.
DBO role—Members of the serveradmins server role map to the DBO
role in each database and can perform any activity within the database.
User—A login that is permitted database access.
Guest user—A special account that permits authenticated logins to
have limited database access.
Public role—All permitted users in a database belong to the public role
in that database.
Fixed database role—Roles in each database with predefined
permissions.
User-defined database role—Custom roles in each database with
definable permissions.
Statement permissions—Permissions to execute specified statements,
such as CREATE PROCEDURE.
Object permissions—Permissions to access specified database objects,
such as tables or views.
Application role—Custom roles in each database granted to an
application for all users accessing SQL Server through that application.
Outline, Chapter 10
Microsoft SQL Server 2000 System Administration
3
|9|
3.
Fixed Database Roles
A.
B.
C.
D.
E.
F.
G.
H.
I.
The db_owner role has permission to perform any task within a
database.
The db_accessadmin role has permission to add or remove Windows
groups and users, and SQL Server security accounts as database
users.
The db_securityadmin role has permission to manage permissions,
roles, role memberships, and object ownership in a database.
The db_ddladmin role has permission to add, modify, or drop database
objects in a database.
The db_backupoperator has permission to run DBCC commands, issue
checkpoints, and back up the database.
The db_datareader role has permission to read data from any table or
view in the database.
The db_datawriter role has permission to modify or delete data from
any table or view in the database.
The db_denydatawriter role is denied permission to read data from any
table or view in the database.
The db_denydatareader is denied permission to modify or delete data
from any table or view in the database.
Chapter 10, Lesson 3
Creating and Managing Logins
|10|
1.
Login Accounts Using Create Login Wizard
A.
B.
C.
D.
E.
|11|
2.
Login Accounts Using SQL Server Enterprise Manager
Directly
A.
B.
C.
D.
E.
|12|
3.
Define the authentication type, server role(s), and database access.
Can also configure a default language and database for the login
Can also view existing logins that are currently members of a server
role or database role during the login creation process
Can also add login to fixed database role within any database
Can create only one account at a time
User-Defined Database Roles Using SQL Server Enterprise
Manager
A.
B.
4
Specify the authentication type for the login.
1.
Link an existing Windows group or user to the login.
2.
Create a security account within SQL Server.
Grant or deny SQL Server access to the login account.
Define a server role, if any.
Specify the databases to which the login will be a permitted user.
Can create only one account at a time
Create the user-defined database role within a specific database.
Add users within the database to that role.
Outline, Chapter 10
Microsoft SQL Server 2000 System Administration
C.
|13|
4.
Windows Login Accounts Using Transact-SQL
A.
B.
C.
D.
E.
|14|
5.
B.
C.
D.
E.
6.
B.
C.
D.
7.
sp_addlogin 'login', ['password’, 'database', 'language’, 'sid’,
'encryption_option']—Creates a new security account within SQL
Server, optionally specifying additional parameters.
sp_droplogin 'login'—Drops a SQL Server login.
sp_password 'old_password', 'new_password', 'login'—Adds or
changes a password for a SQL Server login.
sp_defaultdb 'login', 'database'—Changes the default database for
either type of login.
sp_defaultlanguage 'login', 'language'—Changes the default language
for either type of login.
Server Roles and Database Access Using Transact-SQL
A.
|16|
sp_grantlogin 'login'—Creates a login for a Windows group or user.
sp_revokelogin 'login'—Revokes a login for a Windows group or user.
sp_denylogin 'login'—Denies login access to a Windows group or user.
sp_defaultdb 'login', 'database'—Changes the default database for
either type of login.
sp_defaultlanguage 'login', 'language'—Changes the default language
for either type of login.
SQL Server Login Accounts Using Transact-SQL
A.
|15|
A user-defined database role has no permissions assigned to it
automatically; it is simply a collection of users within a database.
sp_addsrvrolemember 'login', 'role'—Adds a login as a member of a
server role.
sp_dropsrvrolemember 'login', 'role'—Drops a login from membership in
a server role.
sp_grantdbaccess 'login', 'name_in_db'—Grants a login database
access, generally using the same name as the login name.
sp_revokedbaccess 'name'—Removes a login from the list of permitted
users of a database.
Database Roles Using Transact-SQL
A.
B.
C.
D.
E.
sp_changedbowner 'login', 'remap_alias_flag'—Changes the owner of
the database.
sp_addrolemember 'role', 'security_account'—Adds a security account
to a database role.
sp_droprolemember 'role', 'security_account'—Drops a security account
from a database role.
sp_addrole 'role’, 'owner'—Adds a user-defined database role.
sp_droprole 'role'—Removes a user-defined database role.
Outline, Chapter 10
Microsoft SQL Server 2000 System Administration
5
|17|
8.
Viewing Access Information Using SQL Server Enterprise
Manager
A.
B.
C.
D.
|18|
9.
Viewing Access Information Using Transact-SQL
A.
B.
C.
D.
E.
|19|
sp_helplogins ['login']—All logins or a specific login, including database
access rights and role memberships.
sp_helpsrvrolemember ['role']—All server roles and their members, or a
specified server role and its membership.
sp_helpuser ['security_account']—All users in the current database, or a
specified user in the database, and their database role membership.
sp_helprolemember ['role']—All database roles and their members, or a
specified database role and its membership.
sp_helpntgroup ['name']—All Windows groups with SQL Server access
to a database, or the access rights of a specified Windows group.
Chapter Summary
A.
B.
C.
D.
E.
F.
G.
6
View on a user-by-user basis in the Logins container within the Security
container.
View server role membership in the Server Roles container within the
Security container.
View database access on a per-user basis in the Users container in
each database.
View database role membership in the Roles container in each
database.
Authentication is required for access to SQL Server, and authorization
is required to perform actions within SQL Server.
SQL Server supports Windows authentication and SQL Server
authentication.
SQL Server can run in Windows Authentication Mode or Mixed Mode.
Server roles are used to grant server-wide administration rights.
Database roles are used to grant database-specific rights.
Create login accounts one by one in SQL Server Enterprise Manager,
and create many at once using Transact-SQL.
View access information on a user basis or a role basis using SQL
Server Enterprise Manager or Transact-SQL.
Outline, Chapter 10
Microsoft SQL Server 2000 System Administration
Download