Configuring Hardened SQL for MessageStats
Hardened SQL Explained
Hardening a SQL Server simply means limiting access to the SQL Server, its services
and hardware. This is done in several ways ranging from logically revoking access to
any accounts to physically placing the server in a locked/vaulted room. The services that
affect MessageStats under this type of lockdown include: MSSQLServer (regular SQL
Server services) and SQLAGENTxx (SQL Agent). For more information on SQL
hardening, the following link discusses it in more depth, along with the various ways to
lock down the server and prevent attacks: http://msdn2.microsoft.com/en-us/library/aa302434.aspx.
MessageStats was designed and tested against the most common out of the box
configuration of SQL server. The hardened environment does not necessarily have a
predictable set of configuration options to consider. The remainder of this document
addresses some of the ways SQL security has been locked down and some ways to
configure it so that MessageStats functions properly.
MessageStats Implications
MessageStats communicates with SQL Server for gathering and reporting, and with SQL
Server Agent for database maintenance functions such as defragmentation, reindexing and
data aging.
Gathering Functions:
The standard installation gives the account designated for MessageStats Administration
the db_ddladmin and MessageStats_Admin database roles. The MessageStats_Admin role
has SELECT, DELETE, INSERT, UPDATE on tables and views and EXECUTE on user
defined functions and stored procedures. This account is normally added to a Windows
Group located on the SQL Server called <SQLMACHINENAME>\MessageStats Admin
where <SQLMACHINENAME> is the name of the SQL Server housing the
MessageStats database.
Reporting Functions:
The reporting site provides read access to all of the MessageStats objects. The account(s)
accessing the reporting site are assigned the MessageStats_Web database role. This role
has SELECT access on all tables and views and EXECUTE access to all user defined
functions. This account is normally added to a Windows Group located on the SQL
Server called <SQLMACHINENAME>\MessageStats Web where
<SQLMACHINENAME> is the name of the SQL Server housing the MessageStats
database.
Database Management Functions:
The database management functions are executed via the account running the
MessageStats MMC client and NOT the MessageStats service account. Anyone running
the MessageStats console must have access to SQL Agent functions under their own
credentials and not necessarily the credentials of the MessageStats service account.
Some effects of not having sufficient access rights to SQL Server Agent include a blank
database pane when clicking on the Data Aging / Configuration or Database Maintenance
/ Defragment & Reindex nodes.
Without lockdown, SQL Server provides access to SQL Server Agent read/write functions.
This means that MessageStats can query and deploy SQL Agent jobs. Under SQL lockdown
scenarios, additional work needs to be done on the database server to ensure that the
account used to manage MessageStats has sufficient privileges. The following options
are available to DBAs:
1. Add the MessageStats Administration account to the sysadmins group on SQL
Server
2. Give the MessageStats Administration account SQL Agent Operator role on the
msdb database.
In both of the above cases, the domain account used to run the MessageStats console
must be either in a Windows group on the SQL Server, or manually added to the SQL
Server logins.
The next section describes three step-by-step procedures for providing SQL access to
the MessageStats Administration account in SQL 2005 (similar steps are available for
SQL 2000).
SQL Server Procedures
Giving the MessageStats Administration account direct access to SQL Server (bypassing
the standard MessageStats Admin Windows Group):
1. Start SQL Server Management Studio
2. Locate the SQL Server housing the MessageStats database.
3. Right click and choose New Login on the security / Logins node
4. Click on the General node and type the MessageStats administration account
information including the domain and account on the right side of the dialogue.
5. Click on the User Mapping node on the left side, and then be sure to place a check
beside the MessageStats database (top right of the dialogue), and checks beside
db_ddladmin and MessageStats_Admin database roles (on the bottom right of the
dialogue)
6. Click OK until all dialogues are complete.
Adding the MessageStats Administration account to the sysadmins group:
1. Start SQL Server Management Studio
2. Locate the SQL Server housing the MessageStats database.
3. Right click and choose properties on the security / Logins /
<SQLMACHINE>\MessageStats Admin node where <SQLMACHINE> is the
name of the SQL Server.
4. Click on the server roles node and place a check beside the sysadmin server role
located on the right side of the display.
5. Click OK until all dialogues are complete.
Giving the MessageStats Administration account SQL Agent Operator role on the msdb
database:
1. Start SQL Server Management Studio
2. Locate the SQL Server housing the MessageStats database.
3. Right click and choose properties on the security / Logins /
<SQLMACHINE>\MessageStats Admin node where <SQLMACHINE> is the
name of the SQL Server.
4. Click on the user mapping node and place a check beside the msdb database.
5. Also place a check beside the SQL Agent Operator Role located on the bottom of
the same dialogue.
6. Click OK until all dialogues have closed.
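The three SSMS procedures above can also be scripted and then checked. The T-SQL below is an added example, not part of the original document or the product's own tooling; the account EXAMPLE\msadmin and the database name MessageStats are placeholders, and SQLAgentOperatorRole is the msdb role that the User Mapping dialogue lists as the SQL Agent Operator role.

```sql
-- Added example; SQL Server 2005 syntax, run in SSMS or sqlcmd.
-- Placeholders (assumptions, replace before use):
--   [EXAMPLE\msadmin]                hypothetical MessageStats Administration account
--   [SQLMACHINE\MessageStats Admin]  Windows group login named on this page
--   [MessageStats]                   assumed name of the MessageStats database

-- Procedure 1: direct login mapped to the two MessageStats database roles.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'EXAMPLE\msadmin')
    CREATE LOGIN [EXAMPLE\msadmin] FROM WINDOWS;
GO
USE [MessageStats];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'EXAMPLE\msadmin')
    CREATE USER [EXAMPLE\msadmin] FOR LOGIN [EXAMPLE\msadmin];
EXEC sp_addrolemember N'db_ddladmin', N'EXAMPLE\msadmin';
EXEC sp_addrolemember N'MessageStats_Admin', N'EXAMPLE\msadmin';
GO

-- Procedure 3: SQL Agent access scoped to msdb.
USE [msdb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'SQLMACHINE\MessageStats Admin')
    CREATE USER [SQLMACHINE\MessageStats Admin]
        FOR LOGIN [SQLMACHINE\MessageStats Admin];
EXEC sp_addrolemember N'SQLAgentOperatorRole', N'SQLMACHINE\MessageStats Admin';
GO

-- Procedure 2 (alternative to procedure 3): sysadmin has full control of the
-- whole instance, so it is left commented out here.
-- EXEC sp_addsrvrolemember N'SQLMACHINE\MessageStats Admin', N'sysadmin';

-- Check: who holds the msdb Agent role, and who is sysadmin on the instance.
SELECT r.name AS role_name, m.name AS member_name
FROM msdb.sys.database_role_members AS drm
JOIN msdb.sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN msdb.sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'SQLAgentOperatorRole';

SELECT m.name AS sysadmin_member
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE r.name = N'sysadmin';
```

The two closing queries can be rerun after any change to confirm that only the intended accounts hold Agent or sysadmin rights.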