This document discusses partially contained databases in SQL Server. It begins with an introduction to partially contained databases and their benefits for improved dependency management and transition between environments. It then covers features that are contained within or outside the application model, how to enable partial containment on a database, authentication of contained users, and the consistent collation model. It demonstrates how to identify containment and threats against partially contained databases. Resources for further information are provided, with an invitation for questions.
2. ABOUT ME
• Sr. SQL Server Consultant at KOHERA
• Webmaster & board member at SQLUG.BE
• Co-organiser at SQLServerDays.be
• Microsoft Extended Expert Team member
• MCP, MCTS, MCITP, MCT
• steve@sqlug.be
• Blog.steveverschaeve.be
• @sql_lazywriter
3. AGENDA
• What is a (partially) contained database
• Features within/outside Application Model
• Authentication
• Collation
• Identifying database containment
• Threats against partially contained databases
• Demos
• Resources
• Q&A
4. WHAT IS A (PARTIALLY) CONTAINED DATABASE
• Scenario: Deploy to production; HA & DR
[Diagram: a database is moved from Instance A to Instance B by backup/copy/restore; the question mark asks what happens to the instance-level objects it depends on: logins, linked servers, Agent jobs, …]
5. WHAT IS A (PARTIALLY) CONTAINED DATABASE
• Improved dependency management
• Include all settings + metadata
• No login authentication at database engine level
• Isolated from the database engine
• Improved transition between environments
• Not yet fully contained
• Moving to SQL Azure
• Fully contained
• Uncontained features disabled by default
• All SQL Server editions
6. FEATURES WITHIN/OUTSIDE APPLICATION MODEL
Within the Application Model [1] (Contained)
• System Views: sys.indexes, sys.types, …
• Data Types: all data types excluding CLR data types
• Dynamic Management Views: sys.dm_db_uncontained_entities
• T-SQL: Having, Rollback Transaction, …
• Built-in Functions: @@rowcount, Getdate, IsNull, …
• System Stored Procedures: sp_helptext, sp_columns, sp_addrole, …
• DBCC Statements: CHECKDB, SHOW_STATISTICS, …
Outside the Application Model [2] (Non-Contained)
• Catalog Views: sys.servers, sys.server_role_members, …
• T-SQL: Backup, Restore, Set Ansi_Nulls, …
• Built-in Functions: @@servername, loginproperty, …
• System Functions: sys.fn_get_sql, sys.fn_cdc_get_min_lsn, …
• Other: Linked servers, Full-Text Search, Synonyms, Replication, Change data capture, Change tracking, …
7. ENABLE PARTIALLY CONTAINED DATABASES
• Instance level
EXEC sys.sp_configure N'contained database authentication', N'1';
GO
• Database level
CREATE DATABASE [PartialCDB] CONTAINMENT = PARTIAL; -- or CONTAINMENT = NONE (the default)
GO
• New syntax
ALTER DATABASE CURRENT ...
9. AUTHENTICATION
• Contained users connect without server-level authentication
• Contained SQL User with password syntax
CREATE USER Giselle WITH PASSWORD = 'xyz';
GO
• Multiple users with the same name for different databases
• Normal users tied to a login coexist with contained users in the same database [1]
11. COLLATION
• Two types of collation: DATABASE_DEFAULT & CATALOG_DEFAULT
• New catalog collation Latin1_General_100_CI_AS_WS_KS
• Syntax
CREATE TABLE T1 (Name nvarchar(max) COLLATE CATALOG_DEFAULT);
GO
• Same collation for all contained databases and instances
• Cannot be changed
16. THREATS AGAINST PART. CONTAINED DATABASES
• Who can change containment settings
• Users in a converted DB can create new users with password
• Prevent a DB from being contained
• Prevent connections from users with passwords
• No rechecked passwords
• Users with password cannot use Kerberos authentication
• Offline dictionary attack
• Auto_Close database property
http://specialops.sqlpass.org
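The following T-SQL script is an added example, not part of the original slides: it enables partial containment as described on the earlier slides, then runs the checks a DBA would use to identify containment and to review the threats listed above (who can change containment, users with passwords, AUTO_CLOSE). The database name, user name and password are constructed; it assumes a SQL Server 2012 or later instance.

```sql
-- Added example (not from the original slides). Assumes SQL Server 2012+;
-- database, user and password values are constructed placeholders.

-- 1. Instance level: allow contained database authentication.
EXEC sys.sp_configure N'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. Database level: create a partially contained database and a contained
--    user whose password is stored in the database, not in master.
CREATE DATABASE [PartialCDB] CONTAINMENT = PARTIAL;
GO
USE [PartialCDB];
CREATE USER [Giselle] WITH PASSWORD = N'<constructed-strong-password>';
GO

-- 3. Identify which databases are contained and whether AUTO_CLOSE is on
--    (repeated connection attempts to a contained AUTO_CLOSE database force
--    it to open and close each time, which is why the slide lists it as a threat).
SELECT name, containment_desc, is_auto_close_on
FROM sys.databases
WHERE containment <> 0;

-- 4. Users that authenticate at database level (password lives in the DB)
--    versus users still tied to a server login; skip the built-in principals.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('S', 'U', 'G')       -- SQL users, Windows users, Windows groups
  AND principal_id > 4;             -- dbo, guest, INFORMATION_SCHEMA, sys

-- 5. Objects that still depend on uncontained features (linked servers,
--    @@servername, three-part names, …); OBJECT_NAME is NULL for non-object rows.
SELECT class_desc, feature_name, feature_type_name,
       OBJECT_NAME(major_id) AS object_name, statement_line_number
FROM sys.dm_db_uncontained_entities;

-- 6. Who can change containment settings: server principals granted
--    CONTROL SERVER or ALTER ANY DATABASE (sysadmin members have these implicitly).
SELECT sp.name, sperm.permission_name
FROM sys.server_permissions AS sperm
JOIN sys.server_principals AS sp
  ON sp.principal_id = sperm.grantee_principal_id
WHERE sperm.permission_name IN (N'CONTROL SERVER', N'ALTER ANY DATABASE')
  AND sperm.state = 'G';

-- 7. Confirm the instance-level setting that makes contained users possible.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'contained database authentication';
GO
```

Running steps 3 to 7 alone (without steps 1 and 2) is a read-only audit suitable for a scheduled check.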
17. RESOURCES
• SQL Server v.Next(Denali): Contained Databases (Aaron Bertrand)
• SQL Server 2012: Sometimes Partial Is Preferable (Denny Cherry)
• Partially Contained Databases (TechNet)
• SQL Server 2012 Partially Contained Databases (Steve Verschaeve)
• Contained Database Authentication in depth (Lyudmila Fokina)