Configuring Hardened SQL for MessageStats

Hardened SQL Explained

Hardening a SQL Server simply means limiting access to the SQL Server, its services and its hardware. This is done in several ways, ranging from logically revoking access from accounts to physically placing the server in a locked or vaulted room. The services that affect MessageStats under this type of lockdown are MSSQLServer (the regular SQL Server service) and SQLAGENTxx (SQL Server Agent). For more on SQL hardening, the following link covers the subject in more depth, including the various ways to lock down a server and prevent attacks: http://msdn2.microsoft.com/en-us/library/aa302434.aspx.

MessageStats was designed and tested against the most common out-of-the-box configuration of SQL Server. A hardened environment does not necessarily have a predictable set of configuration options to consider. The remainder of this document addresses some of the ways SQL security has been locked down and some ways to configure it so that MessageStats functions properly.

MessageStats Implications

MessageStats communicates with SQL Server for gathering and reporting, and with SQL Server Agent for database maintenance functions such as defragmentation, reindexing and data aging.

Gathering Functions: The standard installation gives the account designated for MessageStats administration the db_ddladmin and MessageStats_Admin database roles. The MessageStats_Admin role has SELECT, DELETE, INSERT and UPDATE on tables and views and EXECUTE on user-defined functions and stored procedures. This account is normally added to a Windows group located on the SQL Server called <SQLMACHINENAME>\MessageStats Admin, where <SQLMACHINENAME> is the name of the SQL Server housing the MessageStats database.

Reporting Functions: The reporting site provides read access to all of the MessageStats objects. The account(s) accessing the reporting site are assigned the MessageStats_Web database role. This role has SELECT access on all tables and views and EXECUTE access on all user-defined functions. This account is normally added to a Windows group located on the SQL Server called <SQLMACHINENAME>\MessageStats Web, where <SQLMACHINENAME> is the name of the SQL Server housing the MessageStats database.

Database Management Functions: The database management functions are executed under the account running the MessageStats MMC console, NOT the MessageStats service account. Anyone running the MessageStats console must have access to SQL Server Agent functions under their own credentials, not necessarily those of the MessageStats service account. One effect of insufficient rights to SQL Server Agent is a blank database pane when clicking on the Data Aging / Configuration or Database Maintenance / Defragment & Reindex nodes.

In a default installation without lockdown, SQL Server grants the console account read/write access to SQL Server Agent functions, so MessageStats can inquire about and deploy SQL Agent jobs. Under SQL lockdown scenarios, additional work needs to be done on the database server to ensure that the account used to manage MessageStats has sufficient privileges. The following options are available to DBAs:

1. Add the MessageStats administration account to the sysadmin fixed server role on SQL Server.
2. Give the MessageStats administration account the SQL Agent operator role (SQLAgentOperatorRole) in the msdb database.

Option 2 is the narrower grant: sysadmin confers full control of the instance, whereas SQLAgentOperatorRole lets the account view all Agent jobs and start, stop, enable or disable them without being able to edit jobs it does not own. Prefer option 2 wherever the hardening policy allows it.

In both cases, the domain account used to run the MessageStats console must be either in a Windows group on the SQL Server or added manually to the SQL Server logins. The next section describes three step-by-step procedures for providing SQL access to the MessageStats administration account in SQL Server 2005 (similar steps apply to SQL Server 2000).

SQL Server Procedures

Giving the MessageStats administration account direct access to SQL Server (bypassing the standard MessageStats Admin Windows group):

1. Start SQL Server Management Studio.
2. Locate the SQL Server housing the MessageStats database.
3. Right-click the Security / Logins node and choose New Login.
4. On the General page, type the MessageStats administration account, including the domain, on the right side of the dialog.
5. Click User Mapping on the left side, check the MessageStats database (top right of the dialog) and check the db_ddladmin and MessageStats_Admin database roles (bottom right of the dialog).
6. Click OK until all dialogs are closed.

Adding the MessageStats administration account to the sysadmin server role:

1. Start SQL Server Management Studio.
2. Locate the SQL Server housing the MessageStats database.
3. Right-click the Security / Logins / <SQLMACHINE>\MessageStats Admin node, where <SQLMACHINE> is the name of the SQL Server, and choose Properties.
4. On the Server Roles page, check the sysadmin server role on the right side of the dialog.
5. Click OK until all dialogs are closed.

Giving the MessageStats administration account the SQL Agent operator role in the msdb database:

1. Start SQL Server Management Studio.
2. Locate the SQL Server housing the MessageStats database.
3. Right-click the Security / Logins / <SQLMACHINE>\MessageStats Admin node, where <SQLMACHINE> is the name of the SQL Server, and choose Properties.
4. On the User Mapping page, check the msdb database.
5. Also check the SQLAgentOperatorRole database role at the bottom of the same dialog.
6. Click OK until all dialogs are closed.
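The same three procedures expressed as T-SQL, added here as an example; this is not part of the original document or of MessageStats itself. It assumes a hypothetical domain account CORP\msstats-admin and the default database name MessageStats; the same statements apply to the group login <SQLMACHINENAME>\MessageStats Admin by substituting that name. It uses the SQL Server 2005-era procedures sp_addrolemember and sp_addsrvrolemember rather than the newer ALTER ROLE ... ADD MEMBER syntax, and applies the msdb role (procedure 3) by default, leaving the sysadmin grant (procedure 2) commented out.

```sql
-- Added example (not from the MessageStats document): T-SQL equivalent of the
-- three SSMS procedures. Hypothetical names: login CORP\msstats-admin, database
-- MessageStats. Substitute <SQLMACHINENAME>\MessageStats Admin to act on the
-- group login instead of the account itself.

USE [master];
GO
-- Procedure 1, steps 3-4: a server login for the account
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\msstats-admin')
    CREATE LOGIN [CORP\msstats-admin] FROM WINDOWS;
GO

-- Procedure 1, step 5: map the login into the MessageStats database and grant
-- the two roles the standard installation uses
USE [MessageStats];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\msstats-admin')
    CREATE USER [CORP\msstats-admin] FOR LOGIN [CORP\msstats-admin];
EXEC sp_addrolemember @rolename = N'db_ddladmin',        @membername = N'CORP\msstats-admin';
EXEC sp_addrolemember @rolename = N'MessageStats_Admin', @membername = N'CORP\msstats-admin';
GO

-- Procedure 3 (least privilege): Agent operator role in msdb, so the console
-- can enumerate and deploy Agent jobs without being sysadmin
USE [msdb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\msstats-admin')
    CREATE USER [CORP\msstats-admin] FOR LOGIN [CORP\msstats-admin];
EXEC sp_addrolemember @rolename = N'SQLAgentOperatorRole', @membername = N'CORP\msstats-admin';
GO

-- Procedure 2 (broad): full control of the instance. Use only where the
-- hardening policy rules out the msdb role; it makes procedures 1 and 3
-- redundant, since sysadmin bypasses all database-level permission checks.
-- EXEC sp_addsrvrolemember @loginame = N'CORP\msstats-admin', @rolename = N'sysadmin';
-- GO
```

Run the script from a login that is itself sysadmin (or holds ALTER ANY LOGIN plus db_owner in the two databases). The IF NOT EXISTS guards make it safe to re-run on a server where the SSMS steps were already partly applied.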
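After either procedure, the practical check is what the console account can actually do, not what the dialogs show. The following verification script is an added example, not from the original document; it assumes the same hypothetical login CORP\msstats-admin and database name MessageStats. EXECUTE AS LOGIN evaluates the built-in functions as that login, so membership obtained through a Windows group such as <SQLMACHINENAME>\MessageStats Admin is counted (a join on sys.database_role_members would miss it). Because IS_MEMBER is scoped to the current database, the checks in msdb and MessageStats are run by calling each database's own copy of sp_executesql.

```sql
-- Added example (not from the MessageStats document): verify effective rights
-- of the console account from a sysadmin session. Hypothetical names:
-- login CORP\msstats-admin, database MessageStats.
EXECUTE AS LOGIN = N'CORP\msstats-admin';

-- Server level: option 1 from the text
SELECT SUSER_SNAME()                AS running_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- msdb: option 2 from the text. Calling msdb's sp_executesql switches the
-- database context for that call, so IS_MEMBER answers for msdb.
EXEC msdb.sys.sp_executesql
    N'SELECT IS_MEMBER(''SQLAgentOperatorRole'') AS agent_operator,
             IS_MEMBER(''SQLAgentReaderRole'')   AS agent_reader,
             IS_MEMBER(''SQLAgentUserRole'')     AS agent_user;';

-- What the Database Maintenance pane needs: job enumeration. No rows (or a
-- permission error) here matches the blank pane described in the text.
EXEC msdb.sys.sp_executesql
    N'SELECT name, enabled, date_created FROM dbo.sysjobs ORDER BY name;';

-- MessageStats database: the roles from the Gathering and Reporting sections
EXEC MessageStats.sys.sp_executesql
    N'SELECT IS_MEMBER(''db_ddladmin'')        AS ddladmin,
             IS_MEMBER(''MessageStats_Admin'') AS ms_admin,
             IS_MEMBER(''MessageStats_Web'')   AS ms_web;';

REVERT;

-- Audit what the two application roles actually grant, so a hardened build
-- can be compared against the documented SELECT/INSERT/UPDATE/DELETE/EXECUTE
-- set. Permissions granted at schema or database scope show a NULL securable
-- with the scope visible in the class column.
USE [MessageStats];
GO
SELECT pr.name                AS role_name,
       pe.state_desc          AS state,
       pe.permission_name     AS permission,
       pe.class_desc          AS class,
       s.name + N'.' + o.name AS securable,
       o.type_desc            AS securable_type
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects o ON pe.class = 1 AND o.object_id = pe.major_id
LEFT JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE pr.name IN (N'MessageStats_Admin', N'MessageStats_Web')
ORDER BY pr.name, securable, pe.permission_name;
GO
```

If the impersonated login has no user in msdb, the msdb calls run as guest; that is itself the finding, since the console will fail the same way. Any DENY rows in the audit output (state D) on MessageStats_Admin or MessageStats_Web indicate a lockdown that overrides the roles' grants and will break gathering or reporting.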