30/1/2019 Librería

Lab Answer Key: Module 1: SQL Server Security

Lab:EsteAuthenticating
d
Users
oc
um
en
to
pe
rte
No ne lui
Exercise
es 1:sgCreate
tá uil
l
ce Logins
a
np erm Lu
erm oc is
orr Gu
itid ea ille
as @ rm
las gm oC
rre co ail o
Task 1: Prepare the Lab
pia Environment
s
.co
m aL
sin op
au era
tor .
iza
ció
n .
1. Ensure that the 20764C-MIA-DC and 20764C-MIA-SQL virtual machines are
both running, and then log on to 20764C-MIA-SQL as
ADVENTUREWORKS\Student with the password Pa55w.rd.
Es
te
do
c
2. In theumD:\Labfiles\Lab01\Starter
en folder, right-click Setup.cmd, and then click
to
ert p
Run
N aslu administrator.
en
e
oe isg ce
stá uil aL
np ler uis
erm mo
3. In the User GControl
itid Account dialog box, click Yes, and wait for the script to
co uil
rre le as a@ rm
las gm oC
finish. co
pia
ail
.co
orr
ea
ss m Lo
in pe
au ra.
tor
iza
ció
n .

Task 2: Verify the Authentication Mode

Es
te
d
1. StartocuSQL
me Server Management Studio, and connect to the MIA-SQL database
nto
pe Windows authentication.
engine usingrte
No lui ne
es sg ce
tán u ille aL
pe Explorer, is rm u
2. In Object
rm
i
oc
or right-click
Gu
i
the MIA-SQL instance, and click then Properties.
tid rea lle
as @ rm
las gm oC
op rre
il.c - MIA-SQL c a o
3. In the Server Properties
ias om aL dialog box, on the Security page, verify
sin op
ra. au e
that SQL Server and Windows
tor
i
Authentication mode is selected, and then
za
ció
click OK. n .

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 1/10
30/1/2019 Librería

Task 3: Create Logins Based on Windows Authentication

1. In Object Explorer, under MIA-SQL, expand Security, and expand Logins to

view the existing logins in the instance.
Es
2. Right-click
te
do Logins, and click New Login.
cu
me
nto
pe
3. In
N
the Login
l
rte- New dialog box, on the General page, in the Login name box,
n
oe uis ec
uil g e
typestáADVENTUREWORKS\WebApplicationSvc.
np ler
m
aL
ui
erm oc sG
itid uilorr
as ler ea
l @ mo
4. Ensure Windows as
co authentication
gm
ail Co
rre
is selected.
pia .co a
ss m Lo
in pe
au ra.
5. In the Default databasetorlist, iza click AdventureWorks, and then click OK.
ció
n.
6. In Object Explorer, right-click Logins, and then click New Login.

7. In the Login - New dialog box, on the General page, click Search.
Es
te
do
8. In thecumSelect
e User or Group dialog box, click Object Types.
nto
pe
rte
No lui ne
9. In ethe
stá Object
sgu
i
Types
ce
a L dialog box, select Groups, and then click OK.
np l ler uis
erm m oc
orr Gu
itid e ille
10. In the Select as User @
las
a orgm
Group rm
o C dialog box, click Locations.
co ail orr
pia .co ea
ss m Lo
11. In the Locations dialog i n a box, expand pe Entire Directory, click
uto ra.
riz
ac
adventurework.msft, and then ión
.
click OK.

12. In the Select User, Service Account, or Group dialog box, in the Enter the
object name to select box, type IT_Support, click Check Names, and then
Es
click
te OK.
do
cu
me
nto
pe
13. In
N
the Login
l
rte- New dialog box, ensure that Windows authentication is
n
oe uis ec
stá gu ea
selected.
np ille
rm Lu
is
erm oc Gu
itid orr ille
as ea rm
l @ o
14. In the Default sdatabase
a
co
g m ail list,Coclickrre
AdventureWorks, and then click OK.
pia .co a
ss m Lo
in pe
au ra.
tor
iza
ció
n.

Task 4: Create Logins Based on SQL Server Authentication

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 2/10
30/1/2019 Librería

1. Right-click Logins, and click New Login.

2. In the Login - New dialog box, on the General page, in the Login name box,
type SalesSupport.

3. Click SQL Server authentication, and in the Password and Confirm

Es
te
do
Password boxes, type Pa55w.rd.
cu
m en
to
pe
rt
4. Confirm
N oe l uisthat eEnforcene
ce password policy is selected. Clear the Enforce
stá g uil aL
np ler uis check box. The User must change password at
password erm expiration mo
co Gu next
itid rre ille
login check box a a rm
s las will gautomatically
@
ma oC be cleared.
co i l orr
pia .co ea
ss m Lo
in pe
5. In the Default database au list, click AdventureWorks,
tor
ra. and then click OK.
iza
ció
n.
6. Leave SQL Server Management Studio open for the next exercise.

Es
te
Result:doAfter
cu
me this exercise, you should have verified the authentication modes
supported byntothe
pe MIA-SQL instance, and created three logins.
rte
No lui ne
es sg ce
tán u ille aL
pe rm uis
rm oc Gu
itid orr ille
as rm ea
Exercise 2: Create
las
c
Database
@
gm
a
o C Users
o op il.c rre
ias om aL
sin op
au era
tor .
iza
ció
Task 1: Use Automatic User Creation
n. and Mapping

1. In SQL Server Management Studio, in Object Explorer, under MIA-SQL, under

Es
Security,
te
d under Logins, right-click
oc
me u
ADVENTUREWORKS\WebApplicationSvc,
nto and then click Properties.
pe
rte
No lui ne
ea sg c
2. In ethe
stá Login
n
u
ille Properties
rm Lu - ADVENTUREWORKS\WebApplicationSvc dialog
pe oc is
rm
orr uil G
box, on the
itid User
as eMapping
a@ ler page, in the Users mapped to this login section, in
mlas gm oC
co
the AdventureWorks orr row, select the Map check box, and then click
adatabase
il.c
pia o ea
ss m Lo
in pe
OK. au
tor
ra.
iza
ció
n.
3. In Object Explorer, under MIA-SQL expand Databases, expand
AdventureWorks, expand Security, and then expand Users. Notice that a

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 3/10
30/1/2019 Librería

user called ADVENTUREWORKS\WebApplicationSvc has been created in

the database.

Task E2:
ste Create a User and Map It to a Login
d oc
um
en
to
pe
rte
No luiec n
1. In ethe sg
stá AdventureWorks
uil
l
ea database, under Security, right-click Users, and then
np erm Lu
erm oc is
click NewitiUser.
orr Gu
d e ille
as a@ rm
las gm oC
co ail orr
.co
2. In the Database pUser
ias
s - Newm
ea
dialog
Lo box, on the General page, verify that SQL
p in era
uto a .
user with login is selected.
riz
a ció
n.
3. In the User name box, type ServiceUser.

4. In the Login name box, type SalesSupport, and then click OK.
Es
te
do
cu
5. Under mMIA-SQL,
en under Security, under Logins, right-click SalesSupport, and
to
ert p
then
N click
lu Properties.
en
e
oe isg ce
stá uil aL
np ler uis
erm mo
6. In the Login Gu - SalesSupport dialog box, on the User Mapping
itid Properties
co
rre ille
as a@ rm
oC las
page, verify thatcothe glogin
ma
il is mapped
orr to the ServiceUser user in
.co ea pia
ss m Lo
AdventureWorks, and
i n a the default
uto
peschema
ra. is dbo, and then click OK.
riz
ac
ión
.

Task 3: Create a User Using Transact-SQL

Es
te
do
cu
me
nto
1. In SQL Server
pe
rte Management Studio, on the toolbar, click New Query.
No lui ne
es sg ce
tán u ille aL
uis rm
2. In the pquery
erm window,
oc
o type
Gu the following Transact-SQL statement:
itid rre ille
as a@ rm
las gm oC
co ail orr
pia .co ea
ss m Lo
in pe
USE AdventureWorks;
au
t
ra.
ori
za
GO ció
n .
CREATE USER [ITSupport] FOR LOGIN [ADVENTUREWORKS\IT_Support]

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 4/10
30/1/2019 Librería

WITH DEFAULT_SCHEMA=[dbo]
GO

3. Click Execute.
Es
te
do
4. In Object
cu
m
Explorer, in the AdventureWorks database, under Security, right-
en
to
click Users pethen click Refresh, verify that the ITSupport user appears.
rt
No lui en
sg ec
es u ea
tán ille Lu
pe rm is
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
rre co ail o
Result: At the end ofpithis
as exercise,
.co
m ayou
Lo
will have created three database users
sin pe
and mapped them to the logins au
to you created ra. in the previous exercise.
riz
ac
ión
.

Exercise 3: Correct Application Login Issues

Es
te
do
um c
Task 1: Carryen Out an Initial Test
t op
ert
No lui en
sg ec
es u ea
tán ille Lu
pe sG rm i
1. On the Start oc
iti page,
orr typeuil cmd, and then press Enter to start an instance of the
rm
da l ea erm
las oC s @
Windows Command
co
gPrompt.
ma
i or
pia l.c rea
ss om Lo
in pe
au a. r
2. At the Command Prompt,
tor type
iza the following command, and then press Enter:
ció
n.

Sqlcmd -S MIA-SQL -U LegacySalesLogin -P t0ps3cr3t

Es
te
do
cu
m
3. Notice that
en
to the error message presented to the sqlcmd is generic, reporting
pe
ten r
that
No login
e
lui failed
sg ecbut giving no further details.
e
stá uil aL
np ler uis
erm mo
uil co G
4. itid
In SQL Serveras Management m Studio, in Object Explorer, expand Management¸
rre ler
a@
las gm oC
co
expand SQL Server ail orr then double-click the log file whose name
pia Logs,.co and ea
ss m Lo
in pe
begins Current. au
tor
ra.
iza
ció
n .
5. In the Log File Viewer - MIA SQL dialog box, in the right-hand pane, look for
the topmost log entry that begins Login failed for user ‘LegacySalesLogin’.

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 5/10
30/1/2019 Librería

The error message states that there was a problem evaluating the login’s
password.

6. Notice that the next line in the log file contains the following error number:

Es
te
Error:
do
c
18456, Severity: 14, State: 7.
um
en
to
pe
rte
No lui ne
es sg ce
tán u ille a
The documentation
pe rm
o
Lu for error 18456 indicates that a State value of 7 is caused
is
rm co Gu
itid rre ille
when: as
las
a@
gm
rm
oC
co ail orr
pia .co ea
ss m Lo
in pe
au ra.
tor
Login is disabled, iza the
and password is incorrect.
ció
n.

7. In the Log File Viewer - MIA SQL dialog box, click Close.
Es
te
d
Theologin
cu
m cannot connect because the account is disabled, and the wrong
en
to
password is
pe being used.
rte
No lui ne
es sg ce
tán u ille aL
pe rm uis
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
co ail orr
pia .co ea
ss m Lo
Task 2: Enable the Loginin
au
pe
ra.
tor
iza
ció
n.

1. In Object Explorer, under MIA-SQL, under Security, under Logins, right-click

LegacySalesLogin, and then click Properties.
Es
t
2. Inethe
do Login Properties - LegacySalesLogin dialog box, on the Status page,
cu
me
nto
click Enabled,
pe and then click OK.
rte
No lui ne
es sg
ce
tán u aL
ille
3. In Command
pe
rm
r mPrompt,
oc
uis type the following command,
Gu
and then press Enter:
itid o rre ille
as a@ rm
las gm oC
co ail orr
pia .co ea
ss m Lo
Sqlcmd -S MIA-SQL in -U LegacySalesLogin pe -P t0ps3cr3t
au ra.
tor
iza
ció
n.

4. Notice that the error message presented to the sqlcmd is generic, reporting

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 6/10
30/1/2019 Librería

that the login failed but giving no further details.

5. In SQL Server Management Studio, in Object Explorer, under Management¸

under SQL Server Logs, double-click the log file whose name begins Current.

6. In the Log File Viewer - MIA SQL dialog box, in the right-hand pane, look for
Es
te
thedtopmost
oc
u log entry that begins Login failed for user ‘LegacySalesLogin’.
me
n
Read thetorest
pe of the entry to determine the cause of the login failure. Notice that
r
N lu ten
oe
the isgfailedebecause
ce
slogin
tá uil
l a the password was not correct.
np erm Lu
erm oc is
orr Gu
itid ea ille
7. In the Log a
File rm
s las Viewer @
gm - MIA o C SQL dialog box, click Close.
co ail orr
pia .co ea
ss m Lo
in pe
au ra.
tor
iza
ció
n.

Task 3: Change the Login Password

Es
1. InteObject
do
c
Explorer, under MIA-SQL, under Security, under Logins, right-click
um
en
LegacySalesLogin,
to
p
and then click Properties.
ert
No lui en
sg ec
es aL u e
2. In the ille Properties
tán Login - LegacySalesLogin dialog box, on the General page,
p rm uis
erm oc Gu
itid rre ille o
in the Password
as and
a@ Confirm
rm
o
password boxes, type t0ps3cr3t, and then click
las gm Co
co ail rre
OK. pia
ss
.co
m aL
in op
au era
tor .
3. In Command Prompt, typeizathe
ció following command, and then press Enter:
n .

Sqlcmd -S MIA-SQL -U LegacySalesLogin -P t0ps3cr3t

Es
te
do
cu
me
op nt
4. Notice that ethe
rte error message indicates that the default database cannot be
No lui ne
es sg ce
opened.
tán uil
le aL
pe rm uis
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
co ail orr
pia .co ea
ss m Lo
in pe
au ra.
tor
Task 4: Change the Default iza
Database
ció
n.

1. In Object Explorer, under MIA-SQL, under Security, under Logins, right-click

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 7/10
30/1/2019 Librería

LegacySalesLogin, then click Properties.

2. In the Login Properties - LegacySalesLogin dialog box, on the General page,

in the Default database list, click AdventureWorks.

3. On the User Mapping page, in the Users mapped to this login section, on the
Es
te
rowdofor
cu the AdventureWorks database, select the Map check box, and then
me
n
click OK.to per
No lui ten
sg ec
es ea
u
tán ille
Lu
4. In Command
p erm
r mPrompt,
oc is type the following command,
Gu and then press Enter:
itid orr ille
as e a@ rm
las gm oC
co ail orr
pia .co ea
ss m Lo
Sqlcmd -S MIA-SQL in -U LegacySalesLogin pe -P t0ps3cr3t
au ra.
tor
iza
ció
n.

5. Notice that the login attempt is successful.

6. EClose
ste the command prompt window, but leave SQL Server Management Studio
do
opencufor me the next exercise.
nto
pe
rte
No lui ne
es sgu ce
tán ille aL
pe rm uis
rm o co Gu
itid rre ille
as a @ this rm
Result: After completing las gm lab,
o C you will be able to correct application login
co ail orr
issues. p ias . co ea
sin m Lo
pe
au ra.
tor
iza
ció
n.

Exercise 4: Configure Security for Restored Databases

ste E
Task 1: Verify
do Database Users
cu
me
nto
pe
rte
No lui ne
es eunder sg c
• In Object
tán Explorer,
ille
r
aL
u
MIA-SQL, under Databases, expand InternetSales,
u
pe mo is
mi co r G
uilUsers, and note that database users with the following
expand Security,
tid
a
expand
rre
a ler
sl @ mo
sc ma a g Co
names exist in the odatabase:
pi il.c rre
aL
as om
sin op
au era
tor .
o ADVENTUREWORKS\WebApplicationSvc
iza
c ión
.
o InternetSalesApplication

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 8/10
30/1/2019 Librería

Task 2: Run the Orphaned Users Report

1. On the toolbar, click New Query.

Es
te
ocd
2. In the query
um
e
pane, type the following commands:
nto
pe
rte
No lui ne
es sg
ce
tán uaL
ille
p r m uis
USE InternetSales
erm oc
orr Gu
itid ea ille
as @ rm
EXEC sp_change_users_login
las gm oC 'Report';
co ail orr
pia .co ea
GO ss m Lo
in pe
au ra.
tor
iza
ció
n.

3. Select the query you have typed, and click Execute.

4. The InternetSalesApplication user is reported as orphaned.

Es
te
do
cu
me
nto
pe
rte
No lui ne
es sg ce
tán u ille aL
pe m is r u
Task 3: Repair
rm theoOrphaned
i
co
r
Gu
i
User
tid rea lle
as @ rm
las gm oC
co ail orr
pia .co ea
ss m Lo
in pe
1. On the toolbar, click New
au Query.
to
ra.
riz
ac
ión
.
2. In the query pane, type the following commands:

EsUSE InternetSales
te
do
c
EXECumsp_change_users_login 'Auto_Fix',
en
to
pe
'InternetSalesApplication', NULL, NULL
rte
No lui ne
es sg ce
GO tán u ille aL
pe rm uis
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
orr co ail
ea pia .co
ss m Lo
3. Select the query youinhave
au typed, and
pe click Execute. In the output
ra. of the query
tor
iza
reports, notice that one orphaned ció user was fixed by updating it.
n.

4. On the toolbar, click New Query.

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 9/10
30/1/2019 Librería

5. In the query pane, type the following commands:

USE InternetSales
EXEC sp_change_users_login 'Report';
EsGO
te
do
cu
me
nto
pe
rte
No lui n
ec you have typed, and click Execute. Notice that no orphaned
6. Select
es
t
the
sg query
ui ea
án lle Lu
p rm is
erm reported.
users are oc Gu
iti orr ille
da ea rm
sl @ oC
as gm
rea co ail or
7. Close SQL Server .co
pia Management
ss m LStudio
o
without saving any changes.
in pe
au ra.
tor
iza
ció
n.

Result: At the end of this exercise, the

ADVENTUREWORKS\WebApplicationSvc and InternetSalesApplication logins
will Ehave
ste access to the InternetSales database.
do
cu
me
nto
pe
rte
No lui ne
es sg ce
tán u ille aL
pe rm uis
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
co ail orr
pia .co ea
ss m Lo
in pe
au ra.
tor
iza
ció
n.

Es
te
do
cu
me
nto
pe
rte
No lui ne
es sg ce
tán u ille aL
pe rm uis
rm oc Gu
itid orr ille
as ea rm
las @ oC
gm
co ail orr
pia .co ea
ss m Lo
in pe
au ra.
tor
iza
ció
n.

https://skillpipe.com/?lang=es-ES#/reader/book/24820548-a5cd-4cbe-80fd-0658d7f0f8c4 10/10