SQL Server 2000 Security
Authentication
Authorization
Authorization is resource-specific: it decides what an already-authenticated user may do with a particular object
Authentication
Validates username and password and assures (to some degree) that the person is who
they say they are
Authorization
Password Expirations
Automatic password expiration forces the user to change their password at a fixed interval
SQL Server 2000 has no expiration for SQL Server logins, so we either build it into the application or use Windows Authentication, where the Windows password policy applies (more later)
DELL
Password Expiration
At first glance it appears that there is no down-side to using password expiration
There are two major down-sides:
Tech support calls go WAY up (users forget passwords when they change very often)
Users respond with predictable passwords (a variation of the old one each time), which opens a security hole
Password Length
SQL Server 2000 does not enforce a minimum length on SQL Server logins, so this can only be handled by making your (front-end) application the single entry point to the database (no direct connections with other tools)
The application can then set a minimum password length for all passwords within the system
Each additional character multiplies the number of possible passwords by the alphabet size: 36 for case-insensitive letters plus digits, so the search space grows exponentially with length
Minimum lengths greater than 5 or 6 characters will make users very unhappy
Password Content
A password of at least four case-insensitive alphanumeric characters has 36^4 = 1,679,616 possibilities (just over 1,000,000)
That is small against an attacker who can guess offline, so the count only helps when guessing is rate-limited by the lockout below
To make things harder for an attacker (to avoid simple dictionary attacks) you can require that users enter at least one letter and one digit
To limit online guessing you should also provide a maximum number of login attempts
For example, three unsuccessful attempts will cause the account to be disabled (requiring an administrator to enable it)
Caveat: lockout lets anyone who knows a username deny that user service, so log the events and pick the threshold and re-enable procedure with that in mind
With Windows Authentication the Windows account lockout policy does this for you
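The slides leave the enforcement of expiration, length, content and lockout to the front-end application. The following is an added example (not code from the original deck) of what that application-side layer looks like: a policy object that rejects weak passwords, a salted hash from the standard library as the "free hash" option, and a login guard that applies expiry and the three-strike lockout before any credential reaches SQL Server. Every class and function name is an assumption, and the user records in `demo()` are constructed for the example.

```python
"""Front-end password policy for SQL Server 2000 logins (added example).

SQL Server 2000 does not enforce minimum length, content rules, expiration
or lockout on SQL Server logins, so the application fronting the database
must. Names below are assumptions; the accounts in demo() are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Case-insensitive letters (26) plus digits (10): the alphabet the slides assume.
ALPHANUMERIC = 36


def keyspace(length: int, alphabet: int = ALPHANUMERIC) -> int:
    """Distinct passwords of a given length; each extra character multiplies
    the search space by the alphabet size (36**4 = 1,679,616)."""
    return alphabet ** length


@dataclass
class PasswordPolicy:
    min_length: int = 6
    max_age: timedelta = timedelta(days=90)  # expiration interval
    max_attempts: int = 3                    # failures before the account is disabled

    def violations(self, password: str) -> list:
        """Return the rules a candidate password breaks (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if not any(c.isalpha() for c in password):
            problems.append("no letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 from the standard library: the free hash option."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: datetime      # when the password was last set
    failed_attempts: int = 0
    disabled: bool = False


class LoginGuard:
    """Applies content rules, expiration and lockout in front of SQL Server."""

    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts = {}

    def add_user(self, username: str, password: str, changed_at: datetime) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), changed_at)

    def login(self, username: str, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'disabled' or 'denied'. Unknown users and wrong
        passwords both give 'denied' so the reply does not reveal valid usernames."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.disabled:
            return "disabled"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.policy.max_attempts:
                acct.disabled = True  # an administrator must re-enable it
                return "disabled"
            return "denied"
        acct.failed_attempts = 0
        if now - acct.changed_at > self.policy.max_age:
            return "expired"          # caller must force a password change
        return "ok"


def demo() -> dict:
    """Constructed scenario: a fresh account, a stale one, and three bad guesses."""
    t0 = datetime(2001, 6, 1)
    guard = LoginGuard(PasswordPolicy())
    guard.add_user("alice", "s3cure1", t0)
    guard.add_user("bob", "b0bpass", t0 - timedelta(days=120))
    return {
        "bob_expired": guard.login("bob", "b0bpass", t0),
        "nobody": guard.login("carol", "whatever", t0),
        "alice_ok": guard.login("alice", "s3cure1", t0),
        "guesses": [guard.login("alice", "guess%d" % i, t0) for i in range(3)],
        "alice_after_lockout": guard.login("alice", "s3cure1", t0),
    }


if __name__ == "__main__":
    print(keyspace(4), PasswordPolicy().violations("abc"))
    print(demo())
```

The third wrong guess flips the account to disabled, and the correct password no longer works until an administrator clears the flag; the expired result is returned only after the password has been verified, so an attacker cannot use the expiry response to confirm a guess.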
Security is expensive. On a small budget you can use the free hash and symmetric-key algorithms available to you (for example, storing password hashes rather than plaintext)
If you have the budget, go with the stronger asymmetric (public-key) smart-card combination. There are other ways as well
Security Options
Windows Authentication: the user's Windows account is validated by Windows and trusted by SQL Server
SQL Server 2000 Authentication: a SQL Server login with a password stored and checked by SQL Server itself
Mixed Authentication: the server accepts both kinds of login (SQL Server 2000 runs either in Windows Authentication Mode or in Mixed Mode; there is no SQL-only mode)
Windows Authentication