Administration of Users
Dr. Gabriel
Documentation of User Administration
• Part of the administration process
• Reasons to document:
– Provide a paper trail
– Ensure administration consistency
• What to document:
– Administration policies
– Security procedures
– Procedure implementation scripts or programs
– Predefined roles description
– Administration staff and management
Documentation of User Administration
• Failure reasons:
– Lack of time
– Assumption that it’s already been done
– Unwillingness to complicate the process
Documentation of User Administration:
Account Access Procedures
[figure not reproduced in the transcript]
Database Account Access Application
Form Sample
[figure not reproduced in the transcript]
Operating System Authentication
• Many databases (including Microsoft SQL
Server 2005) can delegate authentication of
users to the OS (Windows Authentication)
• Why it matters:
– Centralizes administration of users: one
account, one password policy, one place to
disable an account
– Caveat: once an intruder is inside the OS, it is
easier to reach the database, so OS accounts
must be managed as carefully as database
accounts
• Users must still be admitted at each level: an
OS account needs a server login and a database
user before it can touch any data
Operating System Authentication
(continued)
[figure not reproduced in the transcript]
Creating Users
• Must be a standardized, well-documented, and
securely managed process
Creating a SQL Server User
• Create a login ID first; controls access to SQL
Server system
• Associate login ID with a database user
• Creator needs the ALTER ANY LOGIN permission;
members of the fixed server roles sysadmin and
securityadmin have it
• Two types of login IDs:
– Windows Integrated (trusted) login
– SQL Server login
Creating Windows Integrated Logins
• Command line:
– SP_GRANTLOGIN system stored procedure
• Deprecated; will be removed in a future version
• Use CREATE LOGIN
– CREATE LOGIN [domain\user] FROM WINDOWS
[ WITH <windows_options> [ ,... ] ];
• Options:
– DEFAULT_DATABASE = database
(default: master; a login that cannot open its
default database fails to connect)
– DEFAULT_LANGUAGE = language
(default: the server's default language)
– The principal can be a local user, a domain
user, or a Windows group; a group login admits
every member of the group
• Management Studio:
– Use the Security container
– Logins -> New Login
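The Windows-login steps above carried through end to end, as an added example that is not part of the original slides. The group CORP\DBReaders, the database Sales and the role choice are assumptions. It also performs the user mapping that the later slides cover, because a login whose default database holds no matching user cannot connect at all.

```sql
-- Added example, not from the original slides. CORP\DBReaders and Sales are
-- assumed names.
USE master;
GO
-- One login for a Windows group rather than one per person: membership is
-- managed in Active Directory and the login stores no password of its own.
CREATE LOGIN [CORP\DBReaders] FROM WINDOWS
    WITH DEFAULT_DATABASE = Sales;      -- master if omitted
GO
-- DEFAULT_DATABASE alone grants nothing: without a user in Sales the group
-- members fail at connect time (error 4064), so map the login before use.
USE Sales;
GO
CREATE USER [CORP\DBReaders] FOR LOGIN [CORP\DBReaders];
-- Least privilege: read-only through a fixed database role, no db_owner.
-- (On SQL Server 2005-2008 use EXEC sp_addrolemember 'db_datareader', ...)
ALTER ROLE db_datareader ADD MEMBER [CORP\DBReaders];
GO
-- Verify: type 'G' marks a Windows group; is_disabled should be 0.
SELECT name, type, type_desc, is_disabled, default_database_name
FROM sys.server_principals
WHERE name = N'CORP\DBReaders';
```

The verification query reads sys.server_principals rather than the older sys.syslogins compatibility view; the same query with `type = 'S'` lists SQL Server logins.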
Creating SQL Server Logins
• Command line:
– SP_ADDLOGIN system stored procedure
• Deprecated; will be removed in a future version
• Use CREATE LOGIN
Creating SQL Server Logins
• CREATE LOGIN login_name { WITH <option_list1> | FROM <sources> }
– <sources> ::=
• WINDOWS [ WITH <windows_options> [ ,... ] ]
• CERTIFICATE certname
• ASYMMETRIC KEY asym_key_name
– <option_list1> ::=
• PASSWORD = 'password' [ HASHED ] [ MUST_CHANGE ] [ , <option_list2> [ ,... ] ]
– <option_list2> ::=
• SID = sid
• DEFAULT_DATABASE = database
• DEFAULT_LANGUAGE = language
• CHECK_EXPIRATION = { ON | OFF }
• CHECK_POLICY = { ON | OFF }
• CREDENTIAL = credential_name
– Defaults: CHECK_POLICY = ON, CHECK_EXPIRATION = OFF
– MUST_CHANGE requires CHECK_EXPIRATION = ON, which
in turn requires CHECK_POLICY = ON
Creating SQL Server Logins
• Credentials
– Credentials provide a way to allow SQL Server Authentication
users to have an identity outside of SQL Server.
– Credentials can also be used when a SQL Server
Authentication user needs access to a domain resource, such
as a file location to store a backup.
– A credential can be mapped to several SQL Server logins at
the same time.
– A SQL Server login can only be mapped to one credential at a
time.
• Asymmetric key
– An asymmetric key is a securable entity at the database level.
• Certificate
– A certificate is a database-level securable that follows the
X.509 standard and supports X.509 V1 fields.
– Logins created FROM CERTIFICATE or FROM ASYMMETRIC KEY cannot
be used to connect; they exist to sign modules and to carry
server-level permissions for signed code.
Creating SQL Server Logins
• Examples
– Password login that must be changed at first use
(MUST_CHANGE requires CHECK_EXPIRATION = ON):
CREATE LOGIN loginname WITH PASSWORD = 'A725skjdm,kwjd)5' MUST_CHANGE,
CHECK_EXPIRATION = ON;
– Password login mapped to an existing credential:
CREATE LOGIN loginname WITH PASSWORD = 'A725skjdm,kwjd)5', CREDENTIAL = credname;
– Login from a certificate (needs a database master key in master;
such a login is for code signing and cannot connect):
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
GO
CREATE CERTIFICATE certname WITH SUBJECT = 'certname in master db',
EXPIRY_DATE = '12/31/2009';
GO
CREATE LOGIN loginname FROM CERTIFICATE certname;
GO
Creating SQL Server Logins
• Management Studio:
– Security container
– Logins -> New Login
– SQL Server Authentication option
• System views
– sys.server_principals (all logins) and sys.sql_logins (SQL
Server logins, with is_policy_checked and is_expiration_checked)
– sys.syslogins is a compatibility view kept for older scripts
Creating SQL Server Users
• CREATE USER user_name
[ { { FOR | FROM }
{ LOGIN login_name |
CERTIFICATE cert_name |
ASYMMETRIC KEY asym_key_name } |
WITHOUT LOGIN ]
[ WITH DEFAULT_SCHEMA = schema_name ]
Creating SQL Server Users
• Schemas
– A schema is a collection of database entities
that form a single namespace.
– A namespace is a set in which every element
has a unique name.
– For example, to avoid name collisions, no two
tables in the same schema can have the same
name.
• Two tables can have the same name only if they
are in separate schemas.
– Default: dbo
Creating SQL Server Users
• CREATE SCHEMA <schema_name_clause> [ <schema_element> [ , ...n ] ]
<schema_name_clause> ::=
{
schema_name |
AUTHORIZATION owner_name |
schema_name AUTHORIZATION owner_name
}
<schema_element> ::= { table_definition |
view_definition | grant_statement |
revoke_statement | deny_statement }
Creating SQL Server Users
• Schema Example
– CREATE SCHEMA Sprockets AUTHORIZATION Annik
CREATE TABLE NineProngs (source int, cost int, partnumber int)
GRANT SELECT TO Mandar
DENY SELECT TO Prasanna;
GO
(Annik becomes the owner of the Sprockets schema; the
whole statement is one batch)
• System view
– sys.schemas
Creating SQL Server Users
• Create USER Examples
– CREATE USER username
FOR LOGIN loginname;
– CREATE USER username
FOR LOGIN loginname WITH
DEFAULT_SCHEMA = schemaname;
• System view
– sys.database_principals (sys.sysusers is a
compatibility view kept for older scripts)
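A complete application-account build that ties the CREATE LOGIN, CREATE SCHEMA and CREATE USER slides together, as an added example that is not from the original slides. The login AppSvc, the database Sales, the schema app and the password are assumed names and values.

```sql
-- Added example, not from the original slides. AppSvc, Sales, app and the
-- password are assumptions.
USE master;
GO
-- SQL Server login for a service account. CHECK_POLICY = ON enforces the
-- Windows password policy; MUST_CHANGE is left out because a service cannot
-- answer an interactive password-change prompt, and expiration is handled by
-- the rotation procedure instead of by the engine.
CREATE LOGIN AppSvc WITH PASSWORD = 'x9#Lq2v!Tr7pWz4m',
    CHECK_POLICY = ON, CHECK_EXPIRATION = OFF, DEFAULT_DATABASE = Sales;
GO
USE Sales;
GO
-- A schema of its own, owned by dbo: application objects are namespaced away
-- from dbo and permissions can be granted once on the schema rather than on
-- every table and procedure.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
-- The user resolves unqualified names in app first (DEFAULT_SCHEMA).
CREATE USER AppSvc FOR LOGIN AppSvc WITH DEFAULT_SCHEMA = app;
-- Least privilege: read and execute inside the app schema only; no rights on
-- dbo objects and no db_owner or db_datawriter membership.
GRANT SELECT, EXECUTE ON SCHEMA::app TO AppSvc;
GO
-- Verify the login/user pairing by SID. A database user whose SID has no
-- matching server login would show NULL here: an orphaned user.
SELECT dp.name AS db_user, dp.default_schema_name, sp.name AS server_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.name = N'AppSvc';
```

Writes, if the application needs them, are granted the same way (GRANT INSERT, UPDATE ON SCHEMA::app) rather than through db_datawriter, which would cover every schema in the database.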
Removing/Modifying Users
• Simple process
• Make a backup first
• Obtain a written request (for auditing purposes)
SQL Server: Removing Windows
Integrated Logins
• Command line: SP_DENYLOGIN system
stored procedure
– Deprecated; will be removed in a future version
– Use ALTER LOGIN ... DISABLE to block access while
keeping the login (reversible), or DROP LOGIN to
remove it
• ALTER LOGIN [domain\user] DISABLE
SQL Server: Modifying Windows
Integrated Login Attributes
• Command line:
– SP_DEFAULTDB system stored procedure
• Deprecated
• Use ALTER LOGIN ... WITH DEFAULT_DATABASE instead
– SP_DEFAULTLANGUAGE stored procedure
• Deprecated
• Use ALTER LOGIN ... WITH DEFAULT_LANGUAGE instead
• Management Studio:
– Expand the security container
– Select desired login
– Properties (on the Action Menu)
SQL Server: Removing/Modifying SQL
Server Logins
• ALTER LOGIN login_name {
<status_option> | WITH <set_option> [ ,... ] }
<status_option> ::= ENABLE | DISABLE
<set_option> ::=
PASSWORD = 'password' [ OLD_PASSWORD =
'oldpassword' | <secadmin_pwd_opt> [
<secadmin_pwd_opt> ] ] |
DEFAULT_DATABASE = database |
DEFAULT_LANGUAGE = language |
NAME = login_name |
CHECK_POLICY = { ON | OFF } |
CHECK_EXPIRATION = { ON | OFF } |
CREDENTIAL = credential_name |
NO CREDENTIAL
<secadmin_pwd_opt> ::= MUST_CHANGE | UNLOCK
SQL Server: Removing/Modifying SQL
Server Logins
• Examples
– Enabling a disabled login
• ALTER LOGIN loginname ENABLE;
– Changing the password of a login
• ALTER LOGIN loginname WITH PASSWORD =
'3948wJ698FFF7';
– Changing the name of a login
• ALTER LOGIN loginname WITH NAME =
newname;
SQL Server: Removing/Modifying SQL
Server Logins
• DROP LOGIN
– DROP LOGIN loginname
• Management Studio:
– Highlight the desired login
– Right click and Choose Delete
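Deprovisioning a login in the order the DISABLE, ALTER LOGIN and DROP LOGIN slides imply, as an added example that is not part of the original slides. loginname is the placeholder used on the slides; the script assumes the written request has been obtained and the backup taken, as the "Removing/Modifying Users" slide requires.

```sql
-- Added example, not from the original slides. loginname is a placeholder.
USE master;
GO
-- 1. Disable first: access stops at once and the step is reversible with
--    ALTER LOGIN loginname ENABLE if the request turns out to be wrong.
ALTER LOGIN loginname DISABLE;
GO
-- 2. DROP LOGIN is refused while the login has open sessions; list them,
--    then KILL <session_id> for each one after notifying the owner.
SELECT session_id, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'loginname';
GO
-- 3. DROP LOGIN does not touch the database users mapped to the login. They
--    would stay behind as orphans (a SID with no matching login) whose
--    permissions persist and can be reclaimed by a later CREATE LOGIN ...
--    WITH SID. Drop the mapped user in every online database first. A user
--    that owns a schema cannot be dropped until ownership is moved with
--    ALTER AUTHORIZATION ON SCHEMA::name TO dbo.
DECLARE @sid varbinary(85) =
    (SELECT sid FROM sys.server_principals WHERE name = N'loginname');
DECLARE @sql nvarchar(max) = N'DECLARE @u sysname, @stmt nvarchar(300);';

-- Build one batch that visits each database and drops the user if present.
SELECT @sql = @sql + N'
USE ' + QUOTENAME(name) + N';
SET @u = NULL;
SELECT @u = name FROM sys.database_principals WHERE sid = @sid;
IF @u IS NOT NULL
BEGIN
    SET @stmt = N''DROP USER '' + QUOTENAME(@u) + N'';'';
    EXEC (@stmt);
END;'
FROM sys.databases
WHERE state_desc = N'ONLINE' AND is_read_only = 0 AND name <> N'tempdb';

EXEC sp_executesql @sql, N'@sid varbinary(85)', @sid = @sid;
GO
-- 4. Only now remove the login itself.
DROP LOGIN loginname;
GO
-- 5. Confirm nothing is left at server level (expect no rows).
SELECT name FROM sys.server_principals WHERE name = N'loginname';
```

Step 3 is the part most often skipped; the same SID-based check, run without the DROP, is a useful periodic audit for orphaned users left by earlier removals.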
Modifying Users
• ALTER USER
– Renames a database user or changes its default
schema
– Examples:
• ALTER USER username WITH NAME =
newname
• ALTER USER username WITH
DEFAULT_SCHEMA = newschema
Database Links (Oracle)
• Connection from one Oracle database to another:
queries and DML (not DDL) can reference remote
objects
• Types: PUBLIC and PRIVATE
• Authentication Methods:
– CURRENT USER
– FIXED USER (remote username and password are
stored in the link definition)
– CONNECTED USER
Linked Servers
• Linked servers are used to handle distributed
queries
• Allow you to connect to any data source that has an
OLE DB provider, including:
– Object Linking and Embedding Database
(OLE DB) sources
– Open Database Connectivity (ODBC) sources,
through the OLE DB provider for ODBC
Linked Servers
– You can use stored procedures and catalog views to
manage linked server definitions:
• Create a linked server definition by running
sp_addlinkedserver.
• View information about the linked servers defined in a
specific instance of SQL Server by running a query against
the sys.servers system catalog views.
• Delete a linked server definition by running sp_dropserver.
You can also use this stored procedure to remove a remote
server.
– You can also define linked servers by using SQL Server
Management Studio.
• In the Object Explorer, right-click Server Objects, select
New, and select Linked Server.
• You can delete a linked server definition by right-clicking the
linked server name and selecting Delete.
Linked Servers
• sp_addlinkedserver [ @server= ] 'server'
[ , [ @srvproduct= ] 'product_name' ]
[ , [ @provider= ] 'provider_name' ]
[ , [ @datasrc= ] 'data_source' ]
[ , [ @location= ] 'location' ]
[ , [ @provstr= ] 'provider_string' ]
[ , [ @catalog= ] 'catalog' ]
Linked Servers
• Examples:
– Linking to other SQL servers
• USE master;
GO
EXEC sp_addlinkedserver 'SEATTLESales', N'SQL Server';
GO
• EXEC sp_addlinkedserver
@server = 'S1_instance1', @srvproduct = '',
@provider = 'SQLNCLI', @datasrc = 'S1\instance1';
Linked Servers
• Examples:
– Linking to Access DB
• EXEC sp_addlinkedserver
@server = 'SEATTLE Mktg',
@provider = 'Microsoft.Jet.OLEDB.4.0',
@srvproduct = 'OLE DB Provider for Jet',
@datasrc =
'C:\MSOffice\Access\Samples\Northwind.mdb'
Linked Servers
• Examples:
– Linking to Oracle
• EXEC sp_addlinkedserver
@server = 'LONDON Mktg',
@srvproduct = 'Oracle',
@provider = 'MSDAORA',
@datasrc = 'MyServer'
GO
Linked Servers
• SP_DROPSERVER
– Removes a server from the list of known remote
and linked servers on the local instance of SQL
Server.
– sp_dropserver [ @server = ] 'server'
[ , [ @droplogins = ] { 'droplogins' | NULL } ]
• Fails if remote or linked server logins still exist
for the server; specify 'droplogins' to remove them
in the same call
– Example:
• sp_dropserver 'ACCOUNTS', 'droplogins';
Linked Servers
• When you execute a distributed query against a linked
server, include a fully qualified, four-part table name for
each data source to query. This four-part name should
be in the form
linked_server_name.catalog.schema.object_name
• OPENQUERY function
– Executes the specified pass-through query on the
specified linked server; the query string is sent
to the remote server verbatim, so never build it
by concatenating user input
– Ex:
• SELECT * FROM OPENQUERY(LinkedServerName,
'SELECT name, id FROM joe.titles')
Linked Servers
• SP_ADDLINKEDSRVLOGIN
– Creates or updates a mapping between logins
on the local instance of SQL Server and remote
logins on the linked server.
– sp_addlinkedsrvlogin [ @rmtsrvname = ] 'rmtsrvname'
[ , [ @useself = ] 'useself' ]
[ , [ @locallogin = ] 'locallogin' ]
[ , [ @rmtuser = ] 'rmtuser' ]
[ , [ @rmtpassword = ] 'rmtpassword' ]
– Example:
• EXEC sp_addlinkedsrvlogin 'Accounts', 'false',
'Domain\Mary', 'MaryP', 'd89q3w4u'
(the local login Domain\Mary connects to Accounts
as the SQL login MaryP; the password is stored on
the local server, so the remote account should hold
only the permissions the link needs)
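Hardening the login mapping of a linked server, as an added example that is not taken from the original slides. The linked server Accounts, the host ACCT01\FINANCE, the logins CORP\Mary and ReportSvc, the remote account acct_reader and its password are all assumptions.

```sql
-- Added example, not from the original slides. Accounts, ACCT01\FINANCE,
-- CORP\Mary, ReportSvc, acct_reader and the password are assumed values.
USE master;
GO
EXEC sp_addlinkedserver @server = N'Accounts', @srvproduct = N'',
     @provider = N'SQLNCLI', @datasrc = N'ACCT01\FINANCE';
GO
-- sp_addlinkedserver installs a default mapping: every local login is
-- forwarded to the remote server under its own credentials. Remove it so
-- that only explicitly mapped logins can use the link at all.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'Accounts', @locallogin = NULL;
GO
-- A Windows login keeps its own identity (@useself = 'true'); no password is
-- stored locally. When the client sits on a third machine this needs
-- Kerberos delegation between the two servers.
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'Accounts', @useself = N'true',
     @locallogin = N'CORP\Mary';
-- A SQL login must be mapped to a stored remote password. Map it to a
-- dedicated low-privilege remote account, never to sa, and scope the
-- mapping to one local login rather than to all (@locallogin = NULL).
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'Accounts', @useself = N'false',
     @locallogin = N'ReportSvc', @rmtuser = N'acct_reader',
     @rmtpassword = N'Q7v!pR2#kLm9xZe4';
GO
-- Limit what the link can do: no remote procedure calls in either direction
-- unless a documented need exists (four-part names and OPENQUERY still work).
EXEC sp_serveroption N'Accounts', N'rpc out', N'false';
EXEC sp_serveroption N'Accounts', N'rpc', N'false';
GO
-- Verify: which local logins may use the link, and as whom. A row with
-- local_login NULL would mean the default mapping is still in place.
SELECT s.name AS linked_server, sp.name AS local_login,
       ll.uses_self_credential, ll.remote_name
FROM sys.linked_logins AS ll
JOIN sys.servers AS s ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.name = N'Accounts';
```

The verification query belongs in the periodic review: a linked server whose default mapping points at a privileged fixed remote account lets every local login, including application accounts, act with that account's rights on the remote server.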
Practices for DB Administrators and
Managers
• Manage:
– Accounts
– Data files
– Memory
• Administrative tasks:
– Backup
– Recovery
– Performance tuning
Best Practices
• Follow company's policies and procedures
• Always document and create logs
• Educate users
• Keep abreast of database and security
technology
• Review and modify procedures
Best Practices (continued)
• For SQL server:
– Create a local Windows group called DBA
– Grant login access for this group to the SQL
Server instance
– Make the trusted login a member of sysadmin
– Use local Windows or domain Windows accounts
• What about DB logins for Internet applications?
– Block direct access to database tables
– Limit and restrict access to the server
– Use strong passwords
– Patches, patches, patches