SQL Server Security Basics | The Principle of Least Privilege

We need to walk a fine line when granting privileges to a user to perform certain task. Principle of Least Privilege says that a user be granted only those privileges, which are required to perform their task – nothing more, nothing less. This principle is also known as the principle of minimal privilege or the principle of least authority.

We should always follow the principle of least privilege when granting permissions to database users. A database user, whose task is to extract reports, should be granted read permissions to the schema. Image if the same user has write permissions to the database, potentially database can be compromised; sales data can be fudged to make it look great before the management if a user has extra privileges.

There is no direct way or a charter, which lists set of permissions vis-à-vis functional task. It varies from organization to organization. In order to come up with a security model, start by assigning least level of privileges (that may seem appropriate to you) to perform the intended task and then test. As a quick tip try to remove one privilege at a time and check the impact on the task under consideration. This way you will be able to formulate a security model.

I came across an incident recently where a team received a database backup (was in Oracle though not SQL Server) from a customer to fix an issue and a user account that was used to restore the backup actually overwrite password profiles that were set-up internally. It was discovered very late when some of the application users reported passwords being expired after one week of creation.

Security is very important for an organization to sustain for long, and there is no alternative but to conscientiously follow principle of least privilege.

 

References:

• Principle of Least Privilege (Wikipedia)
• Brian Kelley’s post (I consider him a gem in Security field)
• Excerpts from Microsoft documents

Advertisement

SQL Server Security Basics | What is Authorization?

Think of this:

• Whether a stranger is authorized to enter your house without your permission?
• Whether you authorize your friend to take your car whenever he wants to go on a drive?
• Whether a co-employee is authorized to access your confidential information stored with Human Resource department?

You might be getting a hang of it… Authorization is all about “What can a person (or identity in digital world) do?”; have they so called “access rights/privileges” to the desired “resources”.

That being said, Authorization takes a form of access policies that an organization sets forth for the resources being used. These access policies are created and/or controlled by an authority (usually a senior employee or department head).  These policies are formulated based on “principle of least privilege” – which says that a user/identity should only have minimum set of privileges to get their work done.

In SQL Server, Authorization is enforced with Permissions, and we have a freedom to club common permissions into Roles. These permissions are hierarchical in nature and exist both at database and server level.

I will talk more about Authorizations, Permission Hierarchy, and principle of least privilege in upcoming blogs. So stay tuned!

SQL Server Security Basics | What is Authentication?

By definition Authentication means the process of verifying the identity of a user or process. If a user wants to talk to the database, SQL Server asks “Who you are?”, and authenticates you. There are three types of authentication modes available:

• Windows Authentication
• SQL Server Authentication
• Azure Active Directory

Windows Authentication

• This is the default authentication mode and the more secure as compared to SQL Server Authentication.
• Microsoft BOL recommends to use Windows Authentication over SQL Server Authentication.
• This mode is available both on SQL Server running on-premises and Azure Virtual Machine.
• It uses Kerberos security protocol.
• Connection made under this mode is also called “Trusted Connection” as SQL Server trusts Windows credentials.
• Has additional password policy, such as strong password validation, support for account lock and password expiration.

SQL Server Authentication

• Logins here are validated which are created and managed by SQL Server.
• Unlike Windows Authentication, user should provide credentials every time while connecting to SQL Server.
• There are few (optional) password policies also available.
• This mode can be used where there is a requirement to support mixed operating system for applications and users cannot be validated using Windows domain.
• Can be useful with web-applications where users have the provision to create their own identities.
• It does not use Kerberos security protocol, and there is also a risk for applications that connect automatically with the SQL Server may save the password in file in clear text.

Azure Active Directory

• This authentication mechanism validates an identity based on Azure Active Directory (Azure AD).
• It supports token-based authentication, ADFS (domain federation) and/or built-in vanilla authentication without domain synchronization.
• It can also support mechanism of password rotation in a single place.
• Allows management of identities centrally (Central ID), which helps in simplifying user and permission management.

I am going to write a series of blogs on security basics, this one is first one in the row. Stay tuned.

References:

Choosing Authentication Mode

Azure AD Authentication

SQL Server (vNext) on Linux – CTP 1.0

Last month November 16^th, 2016, Microsoft announced its first Community Technology Preview of next release of SQL Server, called SQL Server vNext. This release will run not only on Windows but also no Linux, Docker, or macOS (via Docker).

Here is the download link for SQL Server vNext CTP 1.0

Sneak peak: New features and enhancements

Database Engine

• Addition of new compatibility level 140
• Improvement in incremental statistics update threshold (available through new database COMPATIBILITY_LEVEL 140)
• Addition of new DMVs:  sys.dm_exec_query_statistics_xml (return live query plan and execution statistics for the running batch), sys.dm_os_host_info (provide operating system information for both Windows and Linux)
• Many performance and language enhancements to In-Memory tables:
  • Support for more than 8 indexes
  • Support for sp_spaceused, sp_rename, CASE statement, TOP (N) WITH TIES
• Clustered Columnstore Indexes now support LOB columns (nvarchar(max), varchar(max), varbinary(max)).
• New function: STRING_AGG()
• Database roles are created with R Services for managing permissions associated with packages
• Addition for new Japanese Collation

R Services

• Microsoft R Server and SQL Server R Services provide a variety of new features to enhance integration of R with SQL Server and the Microsoft BI stack

Integration Services (SSIS)

• Support Scale Out of SSIS – easier to run SSIS package on multiple machines
• Support for Microsoft Dynamics Online Resources – connection to Microsoft Dynamics AX Online and Microsoft Dynamics CRM Online thru OData source and connection manager

Useful Links

• Microsoft’s Official Announcement
• vNext Release Notes
• What’s new in vNext Release
• SQL Server on Linux documentation to get you started with Linux installation.
• vNext CTP 1.0 direct ISO download

 

Extended Properties: An Introduction

What are Extended Properties?

It is a feature which helps in storing metadata of SQL Server objects in database. It allows you to add descriptive text, instructions, formatting rules to display a column value and input masks. Extended Properties are created as user-defined name/value pairs; managed and stored internally in the database which helps in reading and evaluating the object information the same way. You can have multiple extended properties for a single object.

How are they defined?

Extended property is defined as a user-defined name/value pair. Name property is of sysname type whereas Value property is of sql_variant type (contains up to 7500 bytes of data). The classification of the objects is done at three levels: level 0, level 1 and level 2

Level 0: Highest Level; objects that are contained at database scope.

Level 1: Objects in schema or user scope

Level 2: Objects at this level are contained by objects are level 1

For example, if we specify table column as “Schema.Table.Column”, Schema is Level 0 object, Table is Level 1 object and Column is Level 2 object. It’s important to note that while referring to child levels, we need to specify parent levels that contain the child objects. For instance, if we are adding metadata for column (at level 2), we need to specify table name (level 1) and schema name (level 0).

Which objects have extended property support?

Here is the list of objects, which have extended property support along with their correspoinding levels.

Extended properties cannot be defined for following objects:

• Objects outside database scope
• Objects not listed in above list (pretty obvious).
• Unnamed objects such as partition functions.
• System-defined objects.

This was an introductory blog for Extended Properties. In upcoming blogs, I will write about the usability aspect along with relevant examples. Stay tuned….!

If backups are taken in silence can a recovery still take place?

SQL Studies

My friend Andy Mallon (b/t) is hosting T-SQL Tuesday this month. In case you aren’t aware T-SQL Tuesday is a blog party started by Adam Machanic (b/t) almost 7 years ago. Each month someone selects a topic and hosts the “party”. Then whoever is interested posts a blog on that topic. It can be a great way to get a good grounding on a subject as seen by a bunch of different bloggers or start your own blog.

Regardless, Andy’s topic this month is We’re still dealing with the same problems. The idea is that we’ve been dealing with the same problems for 20 years or more. Of course this being T-SQL Tuesday he wants a database spin.

So let’s talk backups.

We take backups for multiple reasons. One of the big reasons is to help us fix day to day…

View original post 219 more words

SSMS’s Clipboard Manager

SQL Studies

The other day Richie Rump (b/t) mentioned something called a clipboard manager on twitter. I’ll admit I had to ask what exactly they meant, but once it was described to me I realized it was something I’d wanted off and on for years. Basically it’s a tool that stores multiple copies in an extended clipboard. So you can copy several pieces of text over time and then paste the one you want. Justin Dearing (b/t) and Richie mentioned a Clipboard Manager called Ditto Clipboard Manager. Kendal Van Dyke (b/t) however mentioned one built into SSMS! Now, it only covers what’s currently in the clipboard and what’s been copied in SSMS but since I spend most of my time in SSMS (I even frequently use it as a text editor) that’s just fine. Once you’ve copied several…

View original post 28 more words

Common mistake using try/catch constructs

As per BOL, A TRY…CATCH construct catches all execution errors that have a severity higher than 10 that do not close the database connection. This is a common thing which a developer ignores and get into a trap. Let’s try to understand with an example code.
Here is a sample code, where exception raised by select statement executed in try block will never be caught by catch block:

create table test_tbl
 (id int);
go

begin try
 select *
 from test_t; -- mistakenly typed wrong table name
end try

begin catch
 print 'In catch block - exception handled!';
end catch

-- #Output
-- Msg 208, Level 16, State 1, Line 2
-- Invalid object name 'test_t'.

Here is another example, showing the correct usage of try/catch construct – using divide-by-zero error.

begin try
    select 1/0; -- divide by zero error
end try

begin catch
    print 'In catch block - exception handled!';
end catch 

-- #Output
-- (0 row(s) affected)
-- In catch block - exception handled!

 

Please refer below link for more details:  Books On-Line

Happy Learning!

Oracle: Export (EXPDP) schema without data

Here is the quick tip to export schema without data. This is doable with option “CONTENT=METADATA_ONLY”.

Here is the sample example for the same.

EXPDP user_name/password DIRECTORY=backup_directory SCHEMAS=schema_name TABLESPACE=tablespace_name CONTENT=metadata_only

Go thru the following link for more details -> EXPDP (CONTENT)

Merry Christmas