|
The Slammer worm, SQL Injection attacks, Denial of Service attacks, and Brute Force attacks. News headlines scream the latest theft of 300,000 credit card numbers from an e-commerce web site by a group of hackers. A disgruntled employee trashes years of proprietary corporate data after learning that he is being laid off. These attacks and many others are examples of the security threats that pervade our interconnected society. System and network administrators are at the forefront of the defense against these attacks. But, with the explosion of e-commerce, database administrators must ensure the security and integrity of their database servers.
This article examines best practices that can be employed to secure Microsoft SQL Server 2000 databases. It provides an overview of the security model in SQL Server 2000 and then discusses several best practices that can be employed to secure your SQL Server 2000 database server.
What Are Best Practices and Why Should We Use Them?
Best practices are techniques, tips, and tricks that have evolved over time through research, planning, and deployment in organizations. The process of yielding best practices typically involves a series of trial-and-error stages implementing a technique or methodology and then evaluating its effectiveness. If the result is positive, the technique is kept, refined, and distributed to other members of the organization. If the result is negative, the practice is thrown out and another technique is tested. This substitution repeats until a positive result is reached. In the end, the organization is left with a group of techniques and methodologies that when employed will increase the productivity and effectiveness of the organization as a whole.
Best practices are by no means restricted to the IT world. You will often find best practices in just about every field imaginable, from healthcare to accounting to forestry.
The primary reason to use best practices in your organization is to increase your level of understanding with your products. Furthermore, using best practices saves you from spending your valuable time figuring out what everyone else already knows. In other words, do not reinvent the wheel.
To begin understanding the role of Microsoft SQL Server 2000 security best practices, it is important that you have a thorough understanding of how the security model is implemented in SQL Server. Security in SQL Server can be divided into two categories: Server and Database. Server-level security involves access and authentication to the server along with security mechanisms related to server-based administration. Database-level security is related to the databases on the server and who or what can access the objects stored in those databases.
Server Authentication
In order to use SQL Server, you must first log into the server. In order to successfully log into the server you must first be authenticated by the server. In SQL Server 2000, there are two types of authentication that can be employed. These types are Windows authentication and SQL Server authentication, or more commonly referred to as Mixed-Mode authentication.
Windows Authentication
Windows authentication is the default authentication employed by SQL Server during installation. This type of authentication requires all connections to the server to be valid Windows user accounts or groups. This level of authentication provides an extra benefit by leveraging the security model of the Windows network to authorize access to the server. Furthermore, with Windows authentication, auditing can track the user's name and what actions he or she is performing on the server. This type of authentication is highly recommended and should be employed on all SQL Server database servers.
Logins associated with Windows authentication are stored in the sysxlogins table in the master database. Don't worry though, as no password information is stored in this table along with the user or group name. During authentication, user credentials are passed to the underlying operating system for validation and authentication. If the credentials are valid, the user can access the server. If the credentials fail, then the user is denied access to the server.
Administrators or those with sufficient privileges can grant, revoke, or deny access to the SQL Server database server to individual users or groups. Users and groups are granted access to the server as opposed to having accounts created on the server.
|
