Scribd
Upload
40 views

SQL Server 2000 Security

This document discusses security basics for SQL Server 2000, including authentication, authorization, and specific security measures. It defines authentication as validating a user's identity and authorization as checking permissions. It then covers setting one account per user, password expiration and complexity policies, limiting login attempts, and encrypting stored user IDs and passwords. Built-in authentication methods for SQL Server 2000 are also summarized, including Windows Authentication, SQL Server Authentication, and Mixed Authentication.

Uploaded by

Birhanu Atnafu
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
40 views

SQL Server 2000 Security

This document discusses security basics for SQL Server 2000, including authentication, authorization, and specific security measures. It defines authentication as validating a user's identity and authorization as checking permissions. It then covers setting one account per user, password expiration and complexity policies, limiting login attempts, and encrypting stored user IDs and passwords. Built-in authentication methods for SQL Server 2000 are also summarized, including Windows Authentication, SQL Server Authentication, and Mixed Authentication.

Uploaded by

Birhanu Atnafu
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

SQL Server 2000 Security Basics

Within a security system there are two major aspects

Authentication

Authorization

There are times when people confuse the two

Authentication should be centralized

Authorization is resource-respective

Authentication
Validates username and password and assures (to some degree) that the person is who
they say they are

Authorization

Check whether or not a user has permissions to perform a given task


There are many aspects of security in SQL Server. We will look at:
One account for each user
Password Expirations
Password Length and Content
Number of Login Attempts
Storing the User ID and Password

One Account Per User


Each individual user of the application should have their own login account. This
allows

Individual Access Permissions


Non-repudiation
(Assuming they dont give their password out)
Which should be a direct security offense

One Account Per User


Do not create global user accounts
If you have a need for security, spend the extra time and precision
By separating user accounts (one per user) you allow the ability to audit suspicious
accounts (individually)

Password Expirations

Automatic password expiration allows you to make the user change their password every
so often

If their password has been compromised it will no longer be so


This is not possible in (Native) SQL Server 2000

We can build this into the application or use Windows Authentication (more later)

DELL
1

Password Expiration
At first glance it appears that there is no down-side to using password expiration
There are two major down-sides:

Tech support calls go WAY up (users forget passwords when they change very often)
Users will start using incredibly predictable passwords (opening a security hole)

Password Length
This can only be handled by making your (front-end) application the single entry point of
the database
You can set the minimum password length for all passwords within the system
For each additional alphanumeric character the password is increased exponentially by a
factor of 36
Minimum lengths greater than 5 or 6 characters will make users very unhappy

Password Content

If you have a password that is at least four characters long there are over 1,000,000
possibilities
To make things harder for an attacker (to avoid dictionary attacks) you can require that
users enter at least one character and one number

(Also not available but could be implemented through an application)

Number of Login Attempts

To avoid dictionary attacks you should provide a maximum number of login attempts
For example three unsuccessful attempts will cause the account to be disabled (requiring
an administrator to enable it)
Using Windows Authentication there is a policy for this

Storing User ID and Password

Usernames and passwords should never be hard-coded into the application


If you choose to store the information on a physical disk (most common)ENCRYPT it
There will be a day that your system is compromised (usually by internal staff)

Storing User ID and Password

There are some options available for encryption


You can use a Hash function (MD5)
You can use a symmetrical algorithm (AES)
You can use smart cards or an asymmetrical algorithm (RSA)
As for storing this information always choose the most secure way possible

Storing User ID and Password

Security is expensive if you have a small budget you can use the free hash and symmetric
algorithms available to you
If you have the budget, always go with the more secure asymmetric - smart card
combination. There are other ways as well

DELL
2

Security Options

SQL Server provides some built-in security options.

Built-in authentication methods in SQL Server 2000 include:

Windows Authentication
SQL Server 2000 Authentication
Mixed Authentication

Windows Authentication

The user logs into a windows machine (or domain)


A trusted connection is established using NTLM (NT Lan Manager)
The user is not required to log in to SQL Server at all (single sign-on)
You can assign (grant) rights to users of a Domain or Computer

The type of things you can define include:

The right to login


The right to access a particular database
The right to perform tasks on the objects of the particular database

DELL
3

You might also like