Scribd
Upload
137 views15 pages

Configuring Security For SQL Server Agent

This document discusses configuring security for SQL Server Agent. It covers understanding SQL Server Agent security, configuring credentials, and configuring proxy accounts. It defines SQL Server Agent roles and how to assign security contexts to job steps. It also discusses troubleshooting security in SQL Server Agent. The document provides instructions for configuring credentials using Transact-SQL commands to encrypt passwords. It describes managing proxy accounts through SQL Server Management Studio or system stored procedures.

Uploaded by

Phil
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
137 views15 pages

Configuring Security For SQL Server Agent

This document discusses configuring security for SQL Server Agent. It covers understanding SQL Server Agent security, configuring credentials, and configuring proxy accounts. It defines SQL Server Agent roles and how to assign security contexts to job steps. It also discusses troubleshooting security in SQL Server Agent. The document provides instructions for configuring credentials using Transact-SQL commands to encrypt passwords. It describes managing proxy accounts through SQL Server Management Studio or system stored procedures.

Uploaded by

Phil
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 15

Module 9

Configuring Security for SQL Server


Agent
Module Overview

• Understanding SQL Server Agent Security


• Configuring Credentials
• Configuring Proxy Accounts
Lesson 1: Understanding SQL Server Agent
Security

• Overview of Security in SQL Server Agent


• SQL Server Agent Roles
• Assigning Security Contexts to SQL Server Agent
Job Steps
• Troubleshooting Security in SQL Server Agent
• Demonstration: Assigning a Security Context to
Job Steps
Overview of Security in SQL Server Agent

• SQL Server Agent is a Windows service, so a service


account is required
• Agent service account:
• A dedicated Windows domain account is recommended
• Local System and Network Service are supported, but are not
recommended
• By default, job steps that interact with the operating system
execute under the security context of the service account
SQL Server Agent Roles

• SQLAgentUserRole
• Manage own jobs

• SQLAgentReaderRole
• Manage own jobs
• View definitions for jobs owned by other users

• SQLAgentOperatorRole
• Manage own jobs
• View definitions for jobs owned by other users
• Enable and disable jobs owned by other users
Assigning Security Contexts to SQL Server Agent
Job Steps

• Transact-SQL job steps


• Typically executed in the security context of the job
owner
• Members of sysadmin impersonate the SQL Server
Agent service account, or can impersonate other
database users
• Other job step types
• Executed by sysadmin using the service account
• Other logins must use a proxy account

• Proxy accounts
• Enable a job step to impersonate a Windows identity
• Are associated with one or more job step subsystems
Troubleshooting Security in SQL Server Agent
Lesson 2: Configuring Credentials

• Overview of Credentials
• Configuring Credentials
• Managing Credentials
• Demonstration: Configuring Credentials
Overview of Credentials

• Authentication for a resource or system outside the


database engine instance
• Typically Windows user name and password
• Third-party cryptographic providers are also supported
• Example
• Saving a database backup to a UNC location may require you to
configure credentials that have access that UNC path
Configuring Credentials

• Configure credentials by using the CREATE CREDENTIAL


command or through SSMS
• Passwords are encrypted by using the master server
encryption key
• When the master server encryption key is changed,
stored password are automatically re-encrypted for the
new key
CREATE CREDENTIAL FileOperation
WITH IDENTITY = 'ADVENTUREWORKS\FileSystemServices',
SECRET = 'Pa$$w0rd';
GO
CREATE CREDENTIAL Azure_EKM
WITH IDENTITY = ‘KeyVaultID',
SECRET = ‘SomePassword';
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
GO
Managing Credentials

• SELECT * FROM sys.credentials


• Gives a list of the currently-configured credentials in the system
• ALTER CREDENTIAL
• Both the identity and the secret are always updated

ALTER CREDENTIAL FileOperation


WITH IDENTITY = 'ADVENTUREWORKS\FileOps',
SECRET = 'Pa$$w0rd1';
GO

• DROP CREDENTIAL
Lesson 3: Configuring Proxy Accounts

• Overview of Proxy Accounts


• Managing Proxy Accounts
• Demonstration: Configuring Proxy Accounts
Overview of Proxy Accounts

• Job step subsystems:


• Proxy accounts can be associated with one or more of
the SQL Server Agent job step subsystems
• A proxy account cannot be used to run a job step using
a subsystem it does not have an association with
• Proxy account permissions:
• Being referenced as a proxy account does not change
the permissions of the credential
• Only members of sysadmin can create and use proxy
accounts by default
• Permission to use proxy accounts can be granted to
members of the SQL Server Agent fixed roles
Managing Proxy Accounts

• Proxy account configuration stored in msdb


• Proxy account catalog views:
• dbo.sysproxies
• dbo.sysproxylogin
• dbo.sysproxyloginsubsystem
• dbo.syssubsystems

• Manage proxy accounts through SSMS


• Or by using system stored procedures in msdb
• Example:
• EXEC dbo.sp_add_proxy
• (there are other ones too!)
Lab: Configuring Security for SQL Server Agent

• Exercise 1: Analyzing Security Problems in SQL


Server Agent
• Exercise 2: Configuring a Credential
• Exercise 3: Configuring a Proxy Account
• Exercise 4: Configuring and Testing the Security
Context of the Job
Logon Information
Virtual machine: 20764C-MIA-SQL
User name: ADVENTUREWORKS\Student
Password: Pa55w.rd

Estimated Time: 60 minutes

You might also like