SQL Server Security- The Crib Sheet
For things you need to know rather than the things you want to know
- Authentication-The Login system
- Authorisation:-The Permissions System
- Assigning permissions
- Ownership chains
- User Context
Before leaping into a Security Workbench, showing how to manage security via TSQL, I thought it would be best to write a cribsheet to give a brief overview of SQL Server Security first, so that the workbench session did not have great slabs of green comments explaining all the terms....
In a production database, any access to data and processes must be restricted to just those people who require it. Generally, the DBA will also want to know who did what within the system, at any point in time.
Each production database will have its own security policy set out, agreed, and documented. This follows on logically from the analysis of the value, sensitivity and nature of the data and processes within the application. It should be updated and available for inspection as part of any audit.
SQL Server's security model is designed to give the flexibility to implement a number of different types of security policy, and allow for all the different application architectures currently in use.
Firstly, SQL Server must only have those features enabled that are absolutely necessary. This is easier to do with SQL Server 2005, but possible with all previous releases. One can cause havoc with such features as Web assistant, Ad-hoc remote queries, OLE Automation, xp_CmdShell, and xp_sendmail. It is always best to start with as many features turned off as possible, and configure the database for their use as, or when, you need them.
Individuals, or applications, require one or more logins, or memberships of a group login, with which to connect to a database. A simple public-facing website may get its data from a database via one Login, whereas an application with a variety of sensitive, financial, or personal data will have a rich hierarchy of connection types. Ideally, each person who uses an application will have an associated Login. This is not always possible or practical.
Someone with a Login, which gives access to a Server, will need a username, or alias, in each database within that server that he needs to reach. He will, in effect, need to be registered as a user of a database. Furthermore, that user needs permission to access the various objects within the database, such as tables, procedures, views and so on, or to execute code that makes structural changes to the database. Typically, this is done by assigning him to a 'Role', which then has the permissions assigned to it. As people come and go, their membership to the Role is assigned and revoked without having to fiddle with permissions.
A typical application will be used by a number of different Roles of users, the members of each Role having similar requirements; something like HR, Management-reporting, Dispatch, for example. Each Role will require different types of access to the database depending on their function in the organization.
Each Database Server can therefore manage its security at the server and database level. The 'owner' of a particular database has the power of controlling access to his database via the 'Permission system'. Only the System Administrator can override this.
SQL Server Security has grown and developed in response to the changing architecture of applications, the demands of application developers, and the requirement for simplicity for network administration. SQL Server has tried to keep backward compatibility when it has made these changes, so the result can be slightly confusing on first inspection.
Originally SQL Server had its own simple login and password system, which was completely independent of Windows security, and was logically consistent. All groupings of users was done at database level, and there was just one privileged login to administer the system. This made the adding and removal of users from the network more complex as it required this to be done with the Logins on every server as well as at the NT Domain level. Integrated security was then introduced, with its concepts of domain users and domain groups, thereby solving some of the problems. There were now, however, groups defined at network level and others, now renamed 'roles', at database level. The Server-based administration rights were then assigned, as special roles, to Logins. And the database 'Owner' rights were reworked as 'fixed database roles' that could be reassigned to other database users. However, the old 'SA' login and 'DBO' user were kept for backward-compatibility. SQL Server 2005 has introduced more complexity, such as password policies and execution contexts, in order to tighten security.
Authentication-The Login system
Types of authentication
SQL Server authentication allows the DBA to maintain security and auditing control for the database servers independently of the system manager of the underlying operating system.
The downside of SQL Server's own security is that users have to remember their password for accessing the database and use this each time they connect. They have already supplied a password to log into their PCs. These two different passwords and logins may have different lifetimes and generation rules. Also, this type of security, when used for ODBC/ADO etc, always ends up with passwords being stored in unprotected places. Worse, the passwords are transmitted unencrypted over TCP/IP.
Only SQL Server logins can be used over simple TCP/IP. A connection must have a user name and password, which can be checked against entries in the syslogins table, (sys.Server_principals in 2005) otherwise it is terminated.
'Integrated security' can only be used if SQL Server is participating in the Windows Network. The advantages are password-encryption, password-aging, domain-wide accounts and windows administration. It is based on an "access token" which contains the user's unique security ID or sid, which is then used by the client to gain access to network resources such as SQL Server without having to supply login credentials again. If a user has an access token, then it means that he has previously passed authentication checks.
SQL Server can use Windows Security, or use both Windows Security and manage its own user logins. The chances are that, unless all access to the server is from within an intranet, both will be required.
SQL Server will create some Logins automatically on installation (such as. SA), but most are subsequently created by the System administrator. A login ID is necessary for access to a database but not sufficient. It has to be granted access to the various resources on the server (Server instance in SQL Server 2005). It holds information that is relevant across databases, such as the user's default language.
Before someone with a Login ID (Except for the SA) can access a database he requires a username or role within the database, and that username/role must be granted statement permissions and Object permissions. This, traditionally, could only be granted or revoked by the SA or DBO (Database owner). In later versions of SQL Server, this can be done by anyone with the appropriate 'fixed server role', thereby allowing SA rights to be given to domain, or local, Groups of users.
Fixed Server Roles
Logins can, where necessary, be assigned to a number of fixed server roles so that the SA can delegate some, or all, of the administration task. These roles are:
- can perform any activity, and has complete control over all database functions.
- can change server configuration parameters and shut down the server.
- can add or remove linked servers, manage replication, create, alter or delete extended stored procedures, and execute some system stored procedures, such as sp_serveroption.
- can create and manage server logins and auditing, and read the error logs.
- can manage the processes running in SQL Server.
- can create, alter, and resize databases.
- can manage disk files.
One can therefore create logins using either domain or local users, and one can also create logins with Domain or local groups. You can also create logins with UserID/Password combinations for users who are not part of the Windows network. Any of these can be assigned all or some of the administration rights. On installation there will be :
- A local administrators Group
- A Local Administrator account
- An SA Login
- A Guest Login
The first three will have the SysAdmin role by default. The Guest login inherits the permissions of the ' Public' database role, and is used only where a login exists but has no access explicitly granted to the database. If you removed 'guest' from the master database, only the sa user could then log in to SQL Server! When users log in to SQL Server, they have access to the master database as the guest user.
Usernames are database objects, not server objects. Logins are given access to a database user by associating a username with a login ID. The Username then refers to the login's identity in a particular database. Additionally, all usernames other than SA, can be associated with one or more Roles. When a database is created, a DBO (Database Owner) Role is automatically created, which has full privileges inside the database. However, one can create any number of 'user' roles. A special GUEST Role can be enabled if you want anyone who can log in via a login ID to access a particular database. They will then do it via that 'guest' Role
A Database Role is a collection of database users. Instead of assigning access permissions to users, one can assign them to Roles, a collection of users who have a common set of requirements for accessing the database: This saves a great deal of work and reduces the cance of error.
If you are just using Integrated security, you can sometimes do without roles. This is because Logins can represent Domain Groups. If the Domain Group fits the grouping of users you require in your database, then you can create a username for this group of users and manage the permissions for this user as if it was a role.
Upon creating a database, you should ensure that a server login id exists for everyone who will use the database. If necessary, set their default database, in their login, to be your new database. Then you should, if necessary, create a number of Database Roles depending on the different classes of database access you will have. For each Login, (which can represent a group of users) you will need to create a Username. Then you can assign each username to a Database Role. You can subsequently assign permissions to your Roles or Users according to your security plan.
As well as this user-defined Database role (or Group as it used to be called) there are fixed Database Roles, and the Public Database Role.
Fixed Database Roles
There are several fixed, pre-defined database roles that allow various aspects of the database administration to be assigned to users. Members of fixed database roles are given specific permissions within each database, specific to that database. Being a member of a fixed database role in one database has no effect on permissions in any other database. These roles are…
- allows the user to perform any activity in the database.
- allows the user to add or remove Windows NT groups, users or SQL Server users in the database.
- allows the user to view any data from all user tables in the database.
- allows the user to add, change, or delete data from all user tables in the database.
- allows the user to make any data definition language commands in the database.
- allows the user to manage statement and object permissions in the database.
- allows the user to back up (but not restore) the database.
- will deny permission to select data in the database.
- will deny permission to change data in the database.
To allow a user to add users to the database and manage roles and permissions, the user should be a member of both the db_accessadmin role and the db_securityadmin role.
Some of these roles are of a rather specialist nature. Of these database roles, possibly the most useful are the db_denydatareader and db_denydatawriter role If the application interface consists entirely of views and stored procedures, while maintaining ownership chains and completely avoiding dynamic SQL, then it is possible to assign the db_denydatareader and db_denydatawriter role for regular users to prevent their access to the base tables.
Public Database Role
This is created when a database is created. Every database user belongs to the Public Role. The public role contains the default access permissions for any user who can access the database. This database role cannot be dropped
Application roles are the SQL Server roles created to support the security needs of an application. They allow a user to relinquish his user permissions and take on an application role. However, they are not easy to use alongside connection pooling.
Authorisation:-The Permissions System
The database user has no inherent rights or permissions other than those given to the public role. All rights must be explicitly granted or assigned to the user, the user's roles, or the public role. The permission system determines which Roles or users can access or alter data or database objects. It determines what every Role or user can do within the database. The SA bypasses the permission system, and so has unrestricted access.
Most commonly, permissions are given to use a database object such as a table, or procedure. Such object permissions allow a user, role, or Windows NT user or group to perform actions against a particular object in a database. These permissions apply only to the specific object named when granting the permission and not to all the other objects contained in the database. Object permissions enable users to give individual user accounts the rights to run specific Transact-SQL statements on an object.
Permissions can be given or revoked for users and Roles. Permissions given directly to users take precedence over permissions assigned to Roles to which the user belongs. When creating a permission system, it is often best to set up the more general permissions first. Start with the 'public' Role first and then set up the other Roles, finally doing the overrides for individual users where necessary.
The permission system has a hierarchy of users for which permissions are automatically given.
The SA account is actually a Login rather than a database user. The System Administrator is able to perform server-wide tasks. The System Administrator bypasses the entire permission system and can therefore repair any damage done to the permission system. It can also perform tasks that are not specific to a particular database
Only the System Administrator can create a device, Mirror a device, stop a process, shut down SQL Server, Reconfigure SQL Server, perform all DBCC operations or maintain extended stored procedures. Normally, only the SA creates or alters databases, though this permission can be delegated
A DBO has full permission to do anything inside a database that he owns. By default, the SA becomes the owner of a database that he creates, but ownership can be assigned. There can be only one DBO for each database. Other than the SA, only a DBO can restore a database and transaction log, delete a database, use DBCC commands, impersonate a database user, issue a checkpoint, grant or revoke statement permissions or alter a database. The DBO user has all the rights that members of the db_owner role have. The dbo is the only database user who can add a user to the db_owner fixed database role. In addition, if a user is the dbo, when he or she creates an object, the owner of the object will be dbo of that object, as one might expect. This is not true for members of the db_owner fixed database role. Unless they qualify their object names with the dbo owner name, the owner's name will be his or her username.
Normally, a db_owner role member could restore a database, but the information on who belongs to the db_owner role is stored within the database itself. If the database is damaged to the point where this information is lost, only the DBO can restore the database.
If a user is a member of the db_owner role but not the dbo, he can still be prevented from accessing parts of the database if DENY permissions have been set. This does not apply to the the dbo, because the dbo bypasses all permissions checks within the database.
Other DBO roles can be assigned to other users, such as creating objects and Backing up a database or transaction log
By default, a user who creates an object is the owner of the object. Whoever creates a database object, the DBOO. Or Database Object Owner, is granted all permissions on that object.. Every other user is denied access until they are granted permissions. A user who creates a database object is the DBOO of that object. Members of the db_owner and db_ddladmin fixed database roles can create objects as themselves, with their usernames being given as owner, or can qualify the object name as being owned by the dbo.
If the database designer has been able to define an interface based on Stored Procedures, or views, then the permission system will be simple, requiring fewer permissions to be set. The Database administrator will have set up users and Roles and will be able to assign 'Execute' permission to just those procedures that are appropriate for that Role or user. As long as the tables accessed, updated or inserted-into by the stored procedure have the same ownership as the stored procedure, (unbroken ownership chain) then permission need not be assigned to the tables. A stored procedure can even update a system table as long as the creator of the stored procedure has the requisite permission when the procedure was created, and the database is configured to allow such a thing. Security can be further enhanced by denying all access by application users to the base tables with db_denydatareader and db_denydatawriter .
If the Database administrator is unfortunate enough to be associated with a database which requires direct access to tables or views, then permissions for 'Select', 'Insert;, ;Update' and 'delete' access will need to be assigned directly to the tables that hold your data. They will also entail using column-level permissions, which can overly complicate the security administration model.
If you ever need to grant permission on individual columns of a table, it is usually quicker to create a view, and grant permission on the view. This is carried forward to the individual columns of the tables that make up the view.
It is so unusual for 'Statement permissions' to be assigned that it need not be considered here. However, large development projects may involve the assignment and revoking of permissions to create database objects such as tables, views, procedures, functions, rules and defaults.
Object-level permissions can be to:
- -Select data from a table view or column
- -Insert new data into a table or view
- -Update existing data in a table view or column
- -Delete rows from a table
- -Execute a stored procedure, or a function
- -allows references to tables that are not owned by the user to be set up directly without select permission
- View Definition
- - (SQL Server 2005 only) Allows the viewing of the metadata.
SQL Server 2005 also provides 'Send', 'Receive', 'Take Ownership' and 'View Definition' object-level permissions
Sometimes, a developer will come up against the problem of 'ownership chains'. When a view or stored procedure is used, permissions are only checked for the contributing objects if there is a change of ownership somewhere along the chain. The most common time this happens is when 'Dynamic SQL' is executed by an Execute() or sp_executeSQL. And the user executing the procedure has no permission to access the objects involved. This is known as a Broken Ownership chain, because more than one user owns objects in a dependency chain.
When SQL Server is running, it needs a 'user context' in which to run. This is the user account that SQL Server uses to access resources on the machine and network. When SQL Server is installed, it is set up with the LocalSystem account, which cannot access the domain. This can be changed for a Domain account if required for backing up to a network disk, or for setting up replication. It is a good idea to use an account where the password is set to 'Password never expires'.. SQL Executive will need a domain account in order to publish data for replication.
Having briefly described a 'helicopter view' of SQL Server security, we will follow this account with a practical Workbench session to check on practical ways of enforcing security