20764C-ENU-Handbook-Module 01
20764C-ENU-Handbook-Module 01
OF F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
Contents Part 1 / 15
Module 1: SQL Server Security
Module Overview 1-1
Lesson 1: Authenticating Connections to SQL Server 1-2
Lesson 2: Authorizing Logins to Connect to Databases 1-7
Lesson 3: Authorization Across Servers 1-10
Lesson 4: Partially Contained Databases 1-15
ModuleOverview
Protection of data within your Microsoft® SQL Server® databases is essential and
requires a working knowledge of the issues and SQL Server security features.
This module describes SQL Server security models, logins, users, partially contained
databases, and cross- server authorization.
Objectives
After completing this module, you will understand, and have a working knowledge of:
SQL Server basic concepts.
SQL Server connection authentication.
User login authorization to databases.
Partially contained databases.
Authorization across servers.
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |2 / 18
Security Hierarchies
inherited permissions can be explicitly overridden at different hierarchy levels, to fine-tune access.
This hierarchical arrangement simplifies permission management in a number of ways:
Fewer individual permissions need to be granted, reducing the risk of misconfiguration. You can set
the general permissions that are required at the highest level in the hierarchy, and only apply explicit
overriding permissions further down the hierarchy, to handle exceptional cases.
After the permissions have been set, they can be controlled through group membership. This makes it
easier to manage permissions in environments where new users arrive and existing users leave or
change roles.
Best Practice: When planning a security solution, consider the following best practices:
Provide each principal with only the permissions they actually need.
Use securable inheritance to minimize the number of implicit permissions that must be set to enable
the required level of access.
Use principal containers, such as groups or roles, to create a layer of abstraction between principals
and permissions to access securables. You can then use membership of these groups to control access
to resources via the permissions you have defined. Changes in personnel should not require changes
to permissions.
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |3 / 18
Windows Authentication
SQL Server checks the provided user name and password against the Windows user details. SQL Server
does not require a password. This is the default authentication mode. Windows user security controls
access to SQL Server. Access is granted based on an access token issued when the user logged in to the
Windows session. Because groups of users can be created in Windows, domain access administration is
simplified. Best Practice: If possible, Windows authentication should be used.
For more information on how to configure Azure firewall settings, see the Manage firewall rules using the
Azure portal section Azure SQL Database server-level and database-level firewall rules
http://aka.ms/iddzy1
For more information about ports beyond 1433 for ADO.NET 4.5, see Ports beyond 1433 for ADO.NET 4.5
in the Microsoft Azure documentation:
Note: SSMS. To create a new database user in SSMS, expand the relevant database, expand the
Security node, right-click the Users node, and then click New User. Complete the details in the
Database User - New dialog box to configure the user you require.
You can also create database users by using the CREATE USER statement.
Schemas are namespaces that are used to organize objects in the database. If no default schema is
specified when a user is created, then dbo is used.
You can remove users from a database by using the DROP USER statement or SSMS. However, you cannot
drop a database user who owns any securable object (for example, tables or views).
To resolve the different SID issue, you need to update the database user to link it to the new login on the
server by using the ALTER USER statement with the WITH LOGIN clause.
This solves the issue but, if you later restore the database on the same or a different server, the problem
will reoccur. A better way of avoiding the problem is by using the WITH SID clause when you create the
login.
Note: Managing mismatched SIDs, orphaned users (those whose logins are disconnected
when a database is moved to another SQL Server instance), impersonation and delegation are
discussed in a later lesson, Authorization Across Servers.
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |8 / 18
dbo User
The dbo user is a special user who has permissions to
perform all activities in the database. Any member of the sysadmin fixed server role (including the sa user
when using mixed mode authentication) who uses a database is mapped to the special
database user called dbo. You cannot delete the dbo database user and it is always present in every
database.
Database Ownership
Like other securable objects in SQL Server, databases also have owners—these are mapped to the dbo
user.
Changing the Database Owner
ALTER AUTHORIZATION ON DATABASE::salesdb
TO [ADVENTUREWORKS\Database_Managers];
Any schema created by a login mapped to the dbo user will automatically have dbo as its owner. By
default, objects within a schema have their owner set to NULL and inherit the owner of the schema in
which they are defined. Owners of objects have full access to the objects and do not require explicit
permissions before they can perform operations on those objects.
guest User
The guest user account enables logins that are not mapped to a database user in a particular database to
gain access to that database. Login accounts assume the identity of the guest user when the following
conditions are met:
The login has access to SQL Server, but not the database, through its own database user mapping.
The guest account has been enabled.
You can enable the guest account in a database to give anyone with a valid SQL Server login access to it.
The guest username is automatically a member of the public role. (Roles will be discussed in a later
module.)
User tokens are created to authorize user credentials. The following code returns a row for each server
principal that is part of the user token:
Viewing User Tokens
SELECT * FROM sys.user_token;
For more information about: sys.login_token, see sys.login_token (Transact-SQL) in sys.login_token (Transact-SQL)
http://aka.ms/Qmwvd2
For more information about sys.user_token, see sys.user_token (Transact-SQL) in Microsoft Docs:
sys.user_token (Transact-SQL) http://aka.ms/Lx2e6w
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |10 / 18
Delete. To delete a linked server, you right-click the server and click Delete.
Stored procedures and catalog views can also be used to manage linked server connections:
sp_addlinkedserver. Creates a linked server definition.
sys.servers. You can query the system catalog views to return linked server details.
sp_dropserver. Deletes a linked server definition and can be used to remove references to remote
servers. Note that you can also drop remote logins using this stored procedure, as shown in the
following example.
sp_addlinkedsrvlogin and sp_droplinkedsrvlogin. These stored procedures allow you to map and
remove logins between your SQL Server instance and other server security accounts. See below for
further details.
The following code example shows how the sp_addlinkedserver and sp_dropserver can be used to
create and drop a linked server for RemoteServer:
Create and Drop a Linked Server Connection
-- Create linked server ---Drop linked server and
remove the default login
USE master
mapping
GO
USE master
EXEC sp_addlinkedserver
GO
@server='RemoteServer',
EXEC sp_dropserver
@srvproduct='', 'RemoteServer', ‘droplogins’;
@provider='SQLOLEDB', GO
@datasrc='r:\datasource\RemoteServer';
GO
Note: Fully Qualified Naming. The four-part name format is required in a distributed query
when referring to a linked server: linked_server_name.catalog.schema.object_name.
Linked Server Security
For linked server connections to operate, a login mapping must be created. You can use the system stored
procedure sp_addlinkedsrvlogin to map logins. You can drop a connection using
sp_droplinkedsrvlogin. Note that you can also use sp_dropserver to remove mapped logins as
described above.
When you run a stored procedure that queries a remote server or a distributed query linked server, there
must be a mapping between the requesting instance and the data sources.
Note: Windows Authentication Mode should be used if possible. However, some data
sources might not allow Windows Authentication Mode—for these, you can set up a Windows
authenticated login locally and map this to a specific login on the data source.
Create and Drop a Mapped Login to a Remote Server
-- Add a remote login mapping
USE master
GO
EXEC sp_addlinkedsrvlogin 'RemoteServer', 'false', 'LocalDomain\LocalUserName',
'RemoteUserName', 'Pa55w.rd';
GO
You can test linked server connections in SQL Server Management Studio by right-clicking on the linked
server and clicking Test Connection in the Properties dialog box.
For more information about linked servers, see: Linked Servers (Database Engine) http://aka.ms/jmfec7
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |12 / 18
Delegation Requirements
Client. The following list summarizes the client (USER1) requirements:
o Access Permissions. USER1 must have Windows Authenticated logins for SQL1 and SQL2.
o Client Device. Must use TCP/IP or named pipes.
o Active Directory. The Active Directory Account is sensitive and cannot be delegated property
must not be checked for USER1.
Middle Tier. The following list summarizes the SQL1 requirements:
o Domain Admin. SQL1 requires a registered Service Principal Number (SPN).
o Delegation. The active SQL Server account must be trusted for delegation. See below for more
details.
o Server Device. Must use TCP/IP or named pipes.
o Linked Server. SQL2 must be configured as a linked server on SQL1.
Database Tier. The following list summarizes the SQL2 requirements:
o Server Device. Must use TCP/IP or named pipes.
o Domain Admin. SQL2 requires a registered SPN.
For more information about double-hop, see Configuring Linked Servers for Delegation in Microsoft
TechNet:
Delegation
You have already seen how delegation works in the
previous topic Typical “Double-Hop” Problem. In this case, a SQL Server request used a forward identity to
execute on a remote server.
Impersonation
Impersonation is carried out on the remote server in a similar way to if it were executed on the local
server.
There are three methods used for impersonation:
Windows Authentication. This uses a Windows identity token using Kerberos or the Security
Support Provider Interface. The supplied identity token can then be cached on the service for use in
impersonation.
Service-For-User (S4U). Impersonation is carried out using a Windows identity token obtained from
Kerberos extensions. S4U is used when clients use non-Windows authentication.
Note: The process account must have the Act as part of the operating system access right.
LogonUser API. An identity token can be requested and obtained from the LogonUser API. You can
use this Windows API to access remote services but delegation trust is not used.
EXECUTE AS Example
SELECT SUSER_SNAME(), USER_NAME();
For more information about using EXECUTE AS, see EXECUTE AS (Transact-SQL) in Microsoft Docs:
Orphaned Users
USE <MyMovedDatabase>;
GO;
SELECT dp.type_desc, dp.SID, dp.name AS user_name
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
ON dp.SID = sp.SID
WHERE sp.SID IS NULL
AND authentication_type_desc = 'INSTANCE';
2. Resolve Orphaned Users. If any orphaned users are returned, you need to create logins for them
with Transact-SQL as in the following code example:
To resolve orphaned users, you use the CREATE LOGIN statement with the SID for the orphaned user:
3. Database Owner (dbo). You can use Transact-SQL to relink an orphaned dbo:
To change dbo to MyUser in the destination database, you use the ALTER AUTHORIZATION statement.
Change dbo
ALTER AUTHORIZATION ON DATABASES::MyDatabase TO MyUser;
GO
A contained database is one that is hosted on an instance of SQL Server, but which has no dependencies
on the server instance. Because there are no dependencies, you can move the database between servers,
or use it in availability group scenarios, without having to consider external factors, such as logins.
Containment Levels
Noncontained databases rely on their SQL Server instance for many features such as metadata,
authentication, collations, and resources. Most SQL Server databases are noncontained. Partially contained
databases have fewer dependencies on the hosting SQL Server instance. Partially contained databases are
mostly managed separately from the database engine instance. Partially contained databases allow the
use of some uncontained resources that are managed by the SQL Server instance and are outside of the
particular database boundary.
Note: There is one further level of database containment: full containment. Fully contained
databases hold all the metadata, data objects, data, database object logins, user accounts, and
other resources they need to operate—this is usually held in the SQL Server Instance. These
databases are fully stand-alone. Full containment is not supported in SQL Server 2017.
The following table provides a summary of terms and their definitions:
Term Description
Database Boundary The boundary between a partially contained database and other databases, and the
SQL Server instance.
Contained Attribute Refers to an element that is held within the database boundary.
Uncontained An element that is not held within the database boundary.
Contained User This type of user is authenticated by the partially contained database.
Windows Principals The partially contained database will use Windows to authenticate these users—
they are trusted and do not require logins to be set up in the master database.
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |16 / 18
You can also change the containment level of an existing database; you can use the CONTAINMENT
parameter of the ALTER DATABASE Transact-SQL statement to enable or disable containment.
The following code shows how to enable or disable containment in an existing table:
Alter Containment
-- Convert a database to partial containment
ALTER DATABASE MyDatabase SET CONTAINMENT = PARTIAL;
Contained Users
After creating a contained database, you can create contained users for that database. These users can be
one of two types:
Users with associated password. These users are authenticated by the database; the user’s password is
stored in the database metadata.
Users that are mapped to Windows user accounts. These users exist only in the database, with no
associated server-level login, and do not require the user to maintain a separate password. Instead of
performing its own authentication, the database trusts Windows authentication.
You create contained users by using the CREATE USER statement in the context of a contained database.
For more information about contained databases, see Contained Databases in Microsoft Docs:
Administration
To manage database settings for a non contained database, an administrator will need sysadmin
privilege to change instance level settings. In a partially contained database, the administrator will have
more control over their own database. Administrators might still require access to non contained
elements.
Database Development
Development of new databases will take place away from the live environment. By using partially
contained databases, the developer can evaluate the effect that instance level elements might have on the
database.
MOC 20764C | Administering a SQL Database Infrastructure | Module 1 – SQL Server Security |18 / 18
The following considerations need to be made when designing, developing, or using partially contained
databases:
1. Cross Database Queries. Users with the same name and password on different partially contained
databases are not the same user.
2. ALTER DATABASE. Use the current option, ALTER DATABASE CURRENT.
3. Change Data Capture (CDC). CDC is not supported in partially contained databases.
4. Change Tracking (CT). CT is not supported in partially contained databases.
5. Password Policy. CREATE USER does not support bypassing the password policy. If the partially
contained database does not have a password policy, this can cause problems after migration.
6. Synonyms. Some external dependencies might be omitted and cause issues when a partially
contained database is moved.
7. Connection Strings. You must specify the database name in application connection strings.
8. Numbered Procedures. Not supported in partially contained databases.
9. Temporary Procedures. Not supported in partially contained databases.
10. Replication. Not operational in partially contained databases.
11. Collation. Partially contained databases do not rely on tempdb to hold collation details in the SQL
Server instance. Therefore, code that uses explicit collation might need to be altered to use
CATALOG_DEFAULT and not DATABASE_DEFAULT. Schema-bound objects are dependent on
collation changed built-in functions.
12. IntelliSense. An SSMS connection to a partially contained database with a contained user login does
not wholly support this feature.
13. SQL Server Data Tools (SSDT). SSDT is not aware of containment and will not inform you if
containment is not adhered to.
For further information about contained databases, see Contained Database Users – Making Your
Database Portable, Contained Database Collations, and Migrate to a Partially Contained Database in
Microsoft Docs:
Contained Database Users - Making Your Database Portable http://aka.ms/aaew1r
Contained Database Collations http://aka.ms/Cw48th
Migrate to a Partially Contained Database http://aka.ms/Udr653