Session SAD336
Dealing with SQL Security from ADO.NET
Fernando G. Guerrero
SQL Server MVP
.NET Technical Lead
QA plc

October 2002
Quick info about Fernando (2 milliseconds)

• MCSD, MCSE+Internet (W2K), MCDBA, MCT, SQL Server MVP
• This is where I work: QA, the best learning environment in Europe
• Writing for SQL Server Magazine and SQL Server Professional
• This is my main web site: www.callsql.com
• This is my book (so far):
   – Microsoft SQL Server 2000 Programming by Example (ISBN: 0789724499, co-authored with Carlos Eduardo Rojas)
• Currently writing on ADO.NET and SQL Server 2000

SQL Server Magazine LIVE!
Agenda

• SQL Server Authentication modes
• Access to SQL Server Databases
• Application security using SQL Server
  2000 and ADO.NET

• Note: as this is a SQL Server session, I’ll show you as
  much Transact-SQL code as possible, but some
  examples on ADO.NET, VB.NET and SQL-DMO won’t
  hurt you

SQL Server Authentication modes

• SQL Server Authentication
   – SQL Server specific logins
   – Not recommended for Windows users
   – Specify UID/PWD in the ConnectionString
• Windows integrated
   – Create logins for Windows groups, not users
   – Deny access to SQL Server by creating Windows
     logins in SQL Server
   – Specify Trusted_Connection=true in the
     ConnectionString
SQL Server Authentication

•   Easy to understand
•   Independent of the Windows Domain structure
•   Not too flexible
•   Easier to break
•   Connection pooling unfriendly




SQL Server Authentication (2)

• Most applications still connect as sa and no
  password (or password as password)
• Could provide an extra layer of authentication
• IIS+NT friendly
• If you write your UID/PWD in the connection
  string, someone could read it
• Connection pooling friendly



How to create SQL Server logins programmatically from Visual Basic .NET (demo)

Windows Authentication
• Easier to administer in the long run
• Complex security combinations
   – NT Groups to reflect actual business structure
   – Combinations of groups give actual
     permissions
• Comprehensive security control based on
  Windows NT / 2000 / .NET security:
   – Password policies
   – Location and time control
   – Automatic account blocking
Windows Authentication (2)
• Grant access to lots of users in a single
  shot
• Deny access to lots of users in a single shot
  too
• Make code easier to deploy and maintain
• You don’t write your UID/PWD in the
  connection string, so it is more difficult to
  hack


Connection Strings and Windows authentication in ADO.NET (demo)

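The demo slide above carries no code, so here is an added example (mine, not the session's) that checks an ADO.NET connection string for the problems the previous slides list: a UID/PWD readable by anyone who can read the config, sa with an empty or trivial password, and credentials left in a Trusted_Connection string. It assumes the SqlConnection keyword synonyms (User ID/UID, Password/PWD, Integrated Security/Trusted_Connection) and uses a simplified parser, not ADO.NET's own.

```python
"""Audit ADO.NET SqlConnection connection strings for the weaknesses the
slides warn about: a UID/PWD embedded in the string (anyone who can read the
config can log in) and the classic 'sa' login with an empty or trivial
password.  Added example: a simplified parser, not ADO.NET's own."""

# Keyword synonyms SqlConnection accepts (assumption: taken from the
# SqlConnection.ConnectionString documentation; compared case-insensitively)
_USER_KEYS = ("user id", "uid", "user")
_PASSWORD_KEYS = ("password", "pwd")
_TRUSTED_KEYS = ("integrated security", "trusted_connection")
_TRUSTED_VALUES = ("true", "yes", "sspi")


def parse_connection_string(conn_str):
    """Split 'key=value;key=value' into a dict keyed by lower-cased keyword.
    A value wrapped in single or double quotes may contain ';' or '='.
    Simplification: doubled quotes inside a quoted value are not unescaped."""
    result = {}
    pos, end = 0, len(conn_str)
    while pos < end:
        while pos < end and conn_str[pos] in " ;":   # skip blanks, empty items
            pos += 1
        if pos >= end:
            break
        eq = conn_str.find("=", pos)
        if eq < 0:
            raise ValueError("keyword without '=' at offset %d" % pos)
        key = conn_str[pos:eq].strip().lower()
        pos = eq + 1
        while pos < end and conn_str[pos] == " ":
            pos += 1
        if pos < end and conn_str[pos] in "'\"":
            quote = conn_str[pos]
            close = conn_str.find(quote, pos + 1)
            if close < 0:
                raise ValueError("unterminated quoted value for %r" % key)
            value, pos = conn_str[pos + 1:close], close + 1
        else:
            close = conn_str.find(";", pos)
            if close < 0:
                close = end
            value, pos = conn_str[pos:close].strip(), close
        result[key] = value
    return result


def _first(kv, keys):
    """Value of the first synonym present in the parsed string, else None."""
    for k in keys:
        if k in kv:
            return kv[k]
    return None


def audit_connection_string(conn_str):
    """Return a list of findings; an empty list means nothing to flag."""
    kv = parse_connection_string(conn_str)
    findings = []
    trusted = (_first(kv, _TRUSTED_KEYS) or "").strip().lower() in _TRUSTED_VALUES
    user = _first(kv, _USER_KEYS)
    password = _first(kv, _PASSWORD_KEYS)
    if trusted:
        # Windows authentication: SQL Server ignores UID/PWD, so they are
        # just a secret lying around in the config for no reason
        if user is not None or password is not None:
            findings.append("UID/PWD present but ignored under Windows authentication; remove them")
        return findings
    if user is None:
        findings.append("neither Windows authentication nor a User ID: the connection cannot log in")
        return findings
    findings.append("SQL Server login %r with its password in the connection string" % user)
    if user.lower() == "sa":
        findings.append("application connects as sa: a compromised application owns the server")
    if not password:
        findings.append("empty password")
    elif password.lower() in (user.lower(), "password"):
        findings.append("trivial password (equals the login name or 'password')")
    return findings


# Constructed sample strings, one per pattern discussed in the slides
SAMPLES = {
    "legacy": "Server=(local);Database=Northwind;UID=sa;PWD=",
    "weak": "Data Source=(local);Initial Catalog=Northwind;User ID=appuser;Password=appuser",
    "quoted": "Server=(local);Database=Northwind;User ID=svc;Password=\"p;w=d\";",
    "windows": "Data Source=(local);Initial Catalog=Northwind;Trusted_Connection=true",
    "mixed": "Server=(local);Integrated Security=SSPI;User ID=svc;Password=x",
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit_connection_string(conn) or ["ok"])
```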
How to create Windows logins programmatically in SQL Server 2000 from Visual Basic .NET (demo)

Using SQL-DMO from VB.NET to manage the authentication mode and SQL Server security
• In this demonstration you will see how to:
   – Change the SQL Server Authentication Mode
   – Manage SQL Server logins
• And we will do it by using VB.NET with:
   – SQL-DMO
   – SqlCommand objects

The nasty error 18452

• SQL Server is configured for Windows Authentication only:
   – Not even sa can log in
• Before changing to Mixed authentication mode, give a strong password to the sa login!
What if you dropped the BUILTIN\Administrators login?
• Unless you have a valid login to access SQL Server, you are in trouble
• You can start a new session using the Windows service account and create the appropriate logins
• Or edit the registry and change the value of the following key to 2:
   – Default instance:
       • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\LoginMode
   – Named instances:
       • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstanceName\MSSQLServer\LoginMode

Fixed Server Roles
• Administrative groups that make server-wide permissions easier to manage
   – sysadmin: members can do anything; SQL Server permissions don't affect them
• Other roles are subsets of sysadmin, for finer permission granularity:
   – setupadmin
   – securityadmin
   – processadmin
   – dbcreator
   – diskadmin
   – bulkadmin
How to use Server Roles from ADO.NET
• Simply put: you don't
• The connection automatically gets server role membership according to the login used to connect to SQL Server
• To get the permission path used to connect to SQL Server, execute:
   – xp_logininfo [DomainName\UserName]

Getting role membership information
• Use the IS_SRVROLEMEMBER function
• Execute the sp_helpsrvrolemember stored procedure
• Use the ListMembers method from SQL-DMO
• Execute this query for the actual logins defined in SQL Server:
      SELECT 'ServerRole' = spv.name
      FROM master.dbo.spt_values spv
      JOIN master.dbo.sysxlogins lgn
        ON spv.low = 0
       AND spv.type = 'SRV'
       AND lgn.srvid IS NULL
       AND spv.number & lgn.xstatus = spv.number
      WHERE lgn.sid = SUSER_SID('LoginName')

Trying (unsuccessfully) to apply permissions to sysadmin members (demo)

Agenda


• SQL Server Authentication modes
• Access to SQL Server Databases
• Application security using SQL Server
  2000 and ADO.NET



Access to SQL Server Databases
• A login gives you access to SQL Server
• To access a database, you need a user on that database
• Retrieve the current login using the SYSTEM_USER function
• Retrieve the current user using the CURRENT_USER function
• It doesn't matter how many Windows groups you belong to: SQL Server knows you.
• The dbo user
• The guest user

Fixed Database Roles

• A very important one: Public
   – Everybody belongs to Public
   – Useful to set default permissions
• Other roles simplify permissions:
   – db_owner
   – db_accessadmin / db_securityadmin
   – db_ddladmin
   – db_backupoperator
   – db_datareader / db_denydatareader
   – db_datawriter / db_denydatawriter
Do db_owner members have all the permissions they think they have? (demo)

Agenda


• SQL Server Authentication modes
• Access to SQL Server Databases
• Application security using SQL
  Server 2000 and ADO.NET


Application security using SQL Server 2000 and ADO.NET
• You can deny every user all access to the tables
• Grant permissions to use views
• Grant permissions to execute stored procedures
• As long as all of them have the same owner, users will need permissions only on the views / stored procedures
• SQL Server won't check permissions on the underlying objects / statements
• It doesn't work with dynamic execution
Testing application security with views and stored procedures from ADO.NET (demo)

Granting and denying permissions on SQL statements
• GRANT Permission TO User/Role:
   – CREATE DATABASE
   – CREATE DEFAULT
   – CREATE FUNCTION
   – CREATE PROCEDURE
   – CREATE RULE
   – CREATE TABLE
   – CREATE VIEW
   – BACKUP DATABASE
   – BACKUP LOG
Granted – Denied – Revoked
• No permissions (neither granted nor denied) means I'M SORRY
• Granted means PERHAPS
   – You might or might not have the final permission
   – Depends on membership of other roles/groups
• Denied means NO WAY
   – You can't perform that action, no matter what
• Revoked means I FORGOT ABOUT IT
   – Your security record has been removed (it could have been granted or denied in the past)
   – Effective permissions depend on role/group membership
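An added example (not from the session) that models both the ownership-chaining rule from the "Application security using SQL Server 2000 and ADO.NET" slide and the GRANT/DENY/REVOKE rules on this slide, in Python rather than Transact-SQL so it runs without a server. Fixed roles such as db_owner and sysadmin are not modelled, and the sample objects, users and permissions are constructed.

```python
"""Toy model of the SQL Server 2000 permission rules in the two slides above:
GRANT / DENY / REVOKE records combined with role membership (a DENY reached
through any role wins, REVOKE just deletes the record), and ownership chaining
through views and stored procedures (objects with the same owner as the calling
object are not checked; dynamic SQL breaks the chain).  Added example, not code
from the session; fixed roles such as db_owner and sysadmin are not modelled."""
from dataclasses import dataclass, field


@dataclass
class DbObject:
    name: str
    kind: str            # "TABLE", "VIEW" or "PROC"
    owner: str
    # objects this view/procedure touches: (name, reached via dynamic SQL?)
    references: list = field(default_factory=list)


@dataclass
class PermissionRecord:
    grantee: str         # user or role name
    action: str          # "SELECT", "EXECUTE", ...
    obj: str
    state: str           # "GRANT" or "DENY"


class Database:
    def __init__(self):
        self.objects = {}
        self.records = []
        self.memberships = {}   # user -> set of role names

    def add_object(self, obj):
        self.objects[obj.name] = obj

    def add_member(self, user, role):
        self.memberships.setdefault(user, set()).add(role)

    def grant(self, grantee, action, obj):
        self._record(grantee, action, obj, "GRANT")

    def deny(self, grantee, action, obj):
        self._record(grantee, action, obj, "DENY")

    def revoke(self, grantee, action, obj):
        """REVOKE removes the record, whether it was a GRANT or a DENY."""
        self.records = [r for r in self.records
                        if (r.grantee, r.action, r.obj) != (grantee, action, obj)]

    def _record(self, grantee, action, obj, state):
        self.revoke(grantee, action, obj)      # a new GRANT/DENY replaces the old record
        self.records.append(PermissionRecord(grantee, action, obj, state))

    def effective(self, user, action, obj):
        """'DENY' if the user or any of its roles is denied, else 'GRANT' if
        any is granted, else 'NONE' (the slide's "I'm sorry")."""
        principals = {user, "public"} | self.memberships.get(user, set())
        states = {r.state for r in self.records
                  if r.grantee in principals and r.action == action and r.obj == obj}
        if "DENY" in states:
            return "DENY"
        if "GRANT" in states:
            return "GRANT"
        return "NONE"

    def check_access(self, user, obj_name, prev_owner=None, checked=None):
        """Return (allowed, names of objects whose permissions were checked).
        prev_owner is the owner of the view/procedure that referenced obj_name."""
        checked = [] if checked is None else checked
        obj = self.objects[obj_name]
        if prev_owner != obj.owner:           # first object, or the owner changed
            checked.append(obj.name)
            action = "EXECUTE" if obj.kind == "PROC" else "SELECT"
            if self.effective(user, action, obj.name) != "GRANT":
                return False, checked
        for ref_name, is_dynamic in obj.references:
            # dynamic SQL runs as the caller, so the referenced object is
            # always checked; a static reference continues the chain
            ok, _ = self.check_access(user, ref_name,
                                      None if is_dynamic else obj.owner, checked)
            if not ok:
                return False, checked
        return True, checked


def build_sample_database():
    """Constructed sample: a dbo table every user is denied direct access to,
    with clerks allowed in only through a same-owner procedure."""
    db = Database()
    db.add_object(DbObject("Salaries", "TABLE", "dbo"))
    db.add_object(DbObject("GetMySalary", "PROC", "dbo", [("Salaries", False)]))
    db.add_object(DbObject("AdHocReport", "PROC", "dbo", [("Salaries", True)]))
    db.add_object(DbObject("PayrollView", "VIEW", "hr", [("Salaries", False)]))
    db.add_member("alice", "clerks")
    db.deny("public", "SELECT", "Salaries")
    db.grant("clerks", "EXECUTE", "GetMySalary")
    db.grant("clerks", "EXECUTE", "AdHocReport")
    db.grant("clerks", "SELECT", "PayrollView")
    return db
```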
Granting and denying permissions on specific database objects
• GRANT Permission ON Object TO User/Role

Permissions Errors
• A permission error doesn’t break
  connections
• A permission error doesn’t break
  execution
• A permission error doesn’t roll
  transactions back
• So, it is up to you to check for errors on
  permissions and take the right action
SQL Server application roles

•   Defined at Database level
•   Password required
•   Don’t have any members
•   Always belong to Public role
•   May belong to other database roles
•   Need to be activated before use
•   Cannot be de-activated
•   Connection-pooling unfriendly
SQL Server application roles (Creation)
• EXEC sp_addapprole 'RoleName', 'RolePassword'
• It is treated as a special user in the database, not as a group
• Grant permissions to the role by using:
   – GRANT Permissions ON Object TO AppRole
• Deny permissions to the role by using:
   – DENY Permissions ON Object TO AppRole
SQL Server application roles (Activation)
• EXEC sp_setapprole 'RoleName', {Encrypt N 'Password'}, 'ODBC'
• How to protect the password?
   – Store it in an encrypted file
   – Scramble it through the code and protect it against debug mode
   – Store it in Active Directory
   – Encapsulate this call in a Component
Using application roles from ADO.NET (demo)

Passport-like authentication
• Your application can authenticate
  users from login/password data
• Store open login, encrypted password
• Compare encrypted passwords
• Create the entire thing as system
  objects

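An added example (not from the session) of the login-table design above: the login is stored in clear, the password only as a salted one-way hash, and authentication compares hashes. PBKDF2-HMAC-SHA256 stands in for the slide's "encrypted" password, since a compare-only design never needs to decrypt anything; the in-memory table is a constructed stand-in for the system objects the slide would create.

```python
"""The 'Passport-like' scheme from the slide: the application keeps its own
login table, stores the login in clear and never the password itself, and
authenticates by comparing what is stored with what is derived from the
password the user typed.  Added example, not code from the session; PBKDF2
is my choice of one-way function, the slide only says "encrypted"."""
import hashlib
import hmac
import os

ITERATIONS = 200_000
_DUMMY_SALT = os.urandom(16)   # unknown logins cost the same time as known ones


def derive(password, salt, iterations=ITERATIONS):
    """Salted one-way derivation of the value that gets stored and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class LoginTable:
    """In-memory stand-in for the table the slide would create as a system object."""

    def __init__(self):
        self._rows = {}   # login (lower-cased) -> (salt, iterations, hash)

    def add_login(self, login, password):
        salt = os.urandom(16)                       # per-login salt
        self._rows[login.lower()] = (salt, ITERATIONS, derive(password, salt))

    def authenticate(self, login, password):
        """True only if the login exists and the derived hash matches.
        A missing login still does one derivation and one compare, so the
        response time does not reveal which logins exist."""
        salt, iterations, stored = self._rows.get(
            login.lower(), (_DUMMY_SALT, ITERATIONS, b""))
        candidate = derive(password, salt, iterations)
        # constant-time compare; compare_digest returns False on length mismatch
        return hmac.compare_digest(candidate, stored) and login.lower() in self._rows

    def stored_hash(self, login):
        return self._rows[login.lower()][2]


if __name__ == "__main__":
    table = LoginTable()
    table.add_login("alice", "correct horse")      # constructed sample login
    print(table.authenticate("alice", "correct horse"), table.authenticate("alice", "wrong"))
```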
Do you want to know more?
• “Inside SQL Server 2000” (Kalen Delaney, MSPress)
• “Advanced Transact-SQL for SQL Server 2000” (Itzik Ben-
  Gan & Tom Moreau, APress)
• “SQL Server 2000 Programming” (Robert Vieira, WROX)
• “Microsoft SQL Server 2000 Programming by Example”
  (Fernando G. Guerrero & Carlos Eduardo Rojas, QUE)
• “System.Data: A Clockwork Link between VB.NET and
  SQL Server ” (Fernando G. Guerrero, Apress)
• SQL Server 2000 Resource Kit (MSPress & TechNet)
• Visit the Microsoft public newsgroups:
   – msnews.microsoft.com/microsoft.public.sqlserver.*


Thank you!
                      Questions?
• Download the source code of this
  session from:
   – http://www.callsql.com/en/articles
• You can contact me at:
   – fernan@guerrerog.org




Thank you!
                            • Please drop off your
                              session evaluations in
                              the basket at the back
                              of the room!
                            • Your comments are
                              greatly appreciated!





EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Dealing with SQL Security from ADO.NET

1. Session SAD336: Dealing with SQL Security from ADO.NET
   Fernando G. Guerrero, SQL Server MVP, .NET Technical Lead, QA plc
   October 2002

2. Quick info about Fernando (2 milliseconds)
   • MCSD, MCSE+Internet (W2K), MCDBA, MCT, SQL Server MVP
   • This is where I work: QA, the best learning environment in Europe
   • Writing for SQL Server Magazine and SQL Server Professional
   • This is my main web site: www.callsql.com
   • This is my book (so far):
     – Microsoft SQL Server 2000 Programming by Example (ISBN: 0789724499, co-authored with Carlos Eduardo Rojas)
   • Currently writing on ADO.NET and SQL Server 2000
   SQL Server Magazine LIVE!

3. Agenda
   • SQL Server Authentication modes
   • Access to SQL Server Databases
   • Application security using SQL Server 2000 and ADO.NET
   • Note: as this is a SQL Server session, I'll show you as much Transact-SQL code as possible, but some examples on ADO.NET, VB.NET and SQL-DMO won't hurt you

4. SQL Server Authentication modes
   • SQL Server Authentication
     – SQL Server specific logins
     – Not recommended for Windows users
     – Specify UID/PWD in the ConnectionString
   • Windows integrated
     – Create logins for Windows groups, not users
     – Deny access to SQL Server by creating Windows logins in SQL Server
     – Specify Trusted_Connection=true in the ConnectionString

5. SQL Server Authentication
   • Easy to understand
   • Independent of the Windows Domain structure
   • Not too flexible
   • Easier to break
   • Connection pooling unfriendly

6. SQL Server Authentication (2)
   • Most applications still connect as sa with no password (or with "password" as the password)
   • Could provide an extra layer of authentication
   • IIS+NT friendly
   • If you write your UID/PWD in the connection string, someone could read it
   • Connection pooling friendly

7. How to create SQL Server logins programmatically from Visual Basic .NET (demo)

8. Windows Authentication
   • Easier to administer in the long run
   • Complex security combinations
     – NT Groups to reflect actual business structure
     – Combinations of groups give actual permissions
   • Comprehensive security control based on Windows NT / 2000 / .NET security:
     – Password policies
     – Location and time control
     – Automatic account blocking
9. Windows Authentication (2)
   • Grant access to lots of users in a single shot
   • Deny access to lots of users in a single shot too
   • Makes code easier to deploy and maintain
   • You don't write your UID/PWD in the connection string, so it is more difficult to hack

10. Connection Strings and Windows authentication in ADO.NET (demo)

11. How to create Windows logins programmatically in SQL Server 2000 from Visual Basic .NET (demo)

12. Using SQL-DMO from VB.NET to manage the authentication mode and SQL Server security
   • In this demonstration you will see how to:
     – Change the SQL Server Authentication Mode
     – Manage SQL Server logins
   • And we will do it by using VB.NET with:
     – SQL-DMO
     – SQLCommand objects

13. The nasty error 18452
   • SQL Server is configured for Windows Authentication only:
     – Not even sa can log in
   • Before changing to Mixed authentication mode, give a strong password to the sa login!

14. What if you dropped the Builtin\Administrators login?
   • Unless you have a valid login to access SQL Server, you are in trouble
   • You can start a new session using the Windows service account and create the appropriate logins
   • Or edit the registry and change the value of the following key to 2:
     – Default instance:
       • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\LoginMode
     – Named instances:
       • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\InstanceName\MSSQLServer\LoginMode

15. Fixed Server Roles
   • Administrative groups that simplify server-wide permissions
     – sysadmin: members can do anything; SQL Server permissions don't affect them
   • Other roles are subsets of sysadmin, for better permission granularity:
     – setupadmin
     – securityadmin
     – processadmin
     – dbcreator
     – diskadmin
     – bulkadmin

16. How to use Server Roles from ADO.NET
   • Simply put: you don't
   • The connection automatically gets server role membership according to the login used to connect to SQL Server
   • To get the permission path used to connect to SQL Server, execute:
     – xp_logininfo [DomainName\UserName]

17. Getting role membership information
   • Use the IS_SRVROLEMEMBER function
   • Execute the sp_helpsrvrolemember stored procedure
   • Use the ListMembers method from SQL-DMO
   • Execute this query for the actual logins defined in SQL Server:

     SELECT 'ServerRole' = spv.name
     FROM master.dbo.spt_values spv
     JOIN master.dbo.sysxlogins lgn
       ON spv.low = 0
      AND spv.type = 'SRV'
      AND lgn.srvid IS NULL
      AND spv.number & lgn.xstatus = spv.number
     WHERE lgn.sid = SUSER_SID('LoginName')
18. Trying (unsuccessfully) to apply permissions to sysadmin members (demo)

19. Agenda
   • SQL Server Authentication modes
   • Access to SQL Server Databases
   • Application security using SQL Server 2000 and ADO.NET

20. Access to SQL Server Databases
   • A login gives you access to SQL Server
   • To access a database, you need a user on that database
   • Retrieve the current login using the SYSTEM_USER function
   • Retrieve the current user using the CURRENT_USER function
   • It doesn't matter how many Windows groups you belong to: SQL Server knows you
   • The dbo user
   • The guest user

21. Fixed Database Roles
   • A very important one: public
     – Everybody belongs to public
     – Useful to set default permissions
   • Other roles simplify permissions:
     • db_owner
     • db_accessadmin / db_securityadmin
     • db_ddladmin
     • db_backupoperator
     • db_datareader / db_denydatareader
     • db_datawriter / db_denydatawriter

22. Do db_owner members have all the permissions they think they have? (demo)

23. Agenda
   • SQL Server Authentication modes
   • Access to SQL Server Databases
   • Application security using SQL Server 2000 and ADO.NET

24. Application security using SQL Server 2000 and ADO.NET
   • You can deny every user all permissions on the tables
   • Grant permissions to use views
   • Grant permissions to execute stored procedures
   • As long as all of them have the same owner, users need permissions only on the views / stored procedures
   • SQL Server won't check permissions on the underlying objects / statements
   • It doesn't work with dynamic execution
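The ownership chain described on this slide, as an added Transact-SQL example that is not part of the session's own code. It assumes SQL Server 2000 syntax (sp_addlogin, sp_grantdbaccess, SETUSER), a sysadmin session on a scratch database, and placeholder login, user, role and object names; the last batch shows both the chained view and procedure working while the dynamically executed procedure fails.

```sql
-- Added example (not code from the session). Assumes SQL Server 2000 syntax,
-- a sysadmin session on a scratch database, and placeholder names/passwords.
USE tempdb
GO
EXEC sp_addlogin 'AppLogin', 'Pl@ceholder-Pwd1'     -- placeholder login
EXEC sp_grantdbaccess 'AppLogin', 'AppUser'
EXEC sp_addrole 'AppRole'
EXEC sp_addrolemember 'AppRole', 'AppUser'
GO
-- Table, view and procedures are all owned by dbo: one unbroken ownership chain.
CREATE TABLE dbo.Customers (CustomerID int PRIMARY KEY,
                            Name nvarchar(50), CreditLimit money)
GO
CREATE VIEW dbo.vCustomers AS
  SELECT CustomerID, Name FROM dbo.Customers       -- CreditLimit is never exposed
GO
CREATE PROCEDURE dbo.GetCustomer @ID int AS
  SELECT CustomerID, Name FROM dbo.Customers WHERE CustomerID = @ID
GO
-- Dynamic SQL is compiled and permission-checked as the caller,
-- so the ownership chain does not cover this procedure.
CREATE PROCEDURE dbo.GetCustomersDynamic AS
  EXEC ('SELECT CustomerID, Name FROM dbo.Customers')
GO
-- Lock the table down and open only the view and the procedures.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO AppRole
GRANT SELECT ON dbo.vCustomers TO AppRole
GRANT EXECUTE ON dbo.GetCustomer TO AppRole
GRANT EXECUTE ON dbo.GetCustomersDynamic TO AppRole
INSERT dbo.Customers VALUES (1, 'Constructed sample', 1000)   -- constructed row
GO
-- SETUSER lets a sysadmin run the rest of the batch as AppUser.
SETUSER 'AppUser'
SELECT * FROM dbo.vCustomers        -- works: chain intact, the table DENY is not checked
EXEC dbo.GetCustomer 1              -- works: chain intact
SELECT * FROM dbo.Customers         -- fails: error 229, permission denied
EXEC dbo.GetCustomersDynamic        -- fails: error 229 raised inside the dynamic batch
SETUSER                             -- back to the original security context
GO
```

Note that the DENY on the table does not block the view or the procedure: with an intact chain SQL Server skips the check on the underlying table altogether, which is exactly why the chain must be broken deliberately (different owner or dynamic SQL) wherever you do want the table permissions enforced.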
25. Testing application security with views and stored procedures from ADO.NET (demo)

26. Granting and denying permissions on SQL statements
   • GRANT Permission TO User/Role:
     – CREATE DATABASE
     – CREATE DEFAULT
     – CREATE FUNCTION
     – CREATE PROCEDURE
     – CREATE RULE
     – CREATE TABLE
     – CREATE VIEW
     – BACKUP DATABASE
     – BACKUP LOG

27. Granted – Denied – Revoked
   • No permissions (neither granted nor denied) means I'M SORRY
   • Granted means PERHAPS
     – You might or might not have the final permission
     – Depends on membership of other roles/groups
   • Denied means NO WAY
     – You can't perform that action, no matter what
   • Revoked means I FORGOT ABOUT IT
     – Your security record has been removed (it could have been granted or denied in the past)
     – Effective permissions depend on role/group membership

28. Granting and denying permissions on specific database objects
   • GRANT Permission ON Object TO User/Role

29. Permissions Errors
   • A permission error doesn't break connections
   • A permission error doesn't break execution
   • A permission error doesn't roll transactions back
   • So, it is up to you to check for errors on permissions and take the right action
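The four permission states of slide 27 and the error-handling point of slide 29, walked through in one added Transact-SQL example that is not part of the session's own code. It assumes SQL Server 2000 syntax (sp_addlogin, sp_grantdbaccess, SETUSER, @@ERROR), a sysadmin session on a scratch database, and placeholder names; the last batch shows that the denied INSERT neither stops the batch nor rolls the open transaction back, so the code has to do it.

```sql
-- Added example (not code from the session). Assumes SQL Server 2000 syntax,
-- a sysadmin session on a scratch database, and placeholder names/passwords.
USE tempdb
GO
CREATE TABLE dbo.Orders (OrderID int PRIMARY KEY, Amount money)
CREATE TABLE dbo.AuditLog (LogID int IDENTITY PRIMARY KEY, Note varchar(100))
GO
EXEC sp_addlogin 'ClerkLogin', 'Pl@ceholder-Pwd2'   -- placeholder login
EXEC sp_grantdbaccess 'ClerkLogin', 'ClerkUser'
EXEC sp_addrole 'Clerks'
EXEC sp_addrolemember 'Clerks', 'ClerkUser'
GO
-- Step 1: nothing granted or denied = "I'M SORRY".
SETUSER 'ClerkUser'
SELECT * FROM dbo.Orders                 -- error 229: no permission record at all
SETUSER
-- Step 2: GRANT to the role = "PERHAPS"; it works here only through membership.
GRANT SELECT, INSERT ON dbo.Orders TO Clerks
GRANT INSERT ON dbo.AuditLog TO Clerks
SETUSER 'ClerkUser'
SELECT * FROM dbo.Orders                 -- works, via the Clerks role
SETUSER
-- Step 3: DENY to the user = "NO WAY"; it beats the GRANT inherited from Clerks.
DENY INSERT ON dbo.Orders TO ClerkUser
-- Step 4 (to try afterwards): REVOKE = "I FORGOT ABOUT IT". It removes the user's
-- own record, so the role's GRANT applies again and the INSERT below would work.
-- REVOKE INSERT ON dbo.Orders FROM ClerkUser
GO
-- A permission error neither ends the batch nor rolls the transaction back,
-- so the application must test @@ERROR after each statement and decide.
SETUSER 'ClerkUser'
BEGIN TRAN
INSERT dbo.AuditLog (Note) VALUES ('constructed: order 1 requested')
INSERT dbo.Orders (OrderID, Amount) VALUES (1, 10)   -- error 229, batch continues
IF @@ERROR <> 0
BEGIN
  ROLLBACK TRAN                        -- undo the audit row ourselves
  PRINT 'Permission error: application rolled the transaction back'
END
ELSE
  COMMIT TRAN
SETUSER
GO
```

Without the @@ERROR test the COMMIT would run after the failed INSERT and the orphaned audit row would be committed, which is the silent failure slide 29 warns about; from ADO.NET the same error surfaces as a SqlException, and the transaction is likewise still open until your code rolls it back.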
30. SQL Server application roles
   • Defined at database level
   • Password required
   • Don't have any members
   • Always belong to the public role
   • May belong to other database roles
   • Need to be activated before use
   • Cannot be de-activated
   • Connection-pooling unfriendly

31. SQL Server application roles (Creation)
   • EXEC sp_addapprole 'RoleName', 'RolePassword'
   • It is considered a special user in the database, not a group
   • Grant permissions to the role by using:
     • GRANT Permissions ON Object TO AppRole
   • Deny permissions to the role by using:
     • DENY Permissions ON Object TO AppRole

32. SQL Server application roles (Activation)
   • EXEC sp_setapprole 'RoleName', {Encrypt N 'Password'}, 'ODBC'
   • How to protect the password?
     – Store it in an encrypted file
     – Scramble it through the code and protect it against debug mode
     – Store it in Active Directory
     – Encapsulate this call in a component
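Creation and activation of an application role as slides 31 and 32 describe them, in one added Transact-SQL example that is not part of the session's own code. It assumes SQL Server 2000 syntax, a sysadmin session for the setup, placeholder names and passwords, and a client that understands the {Encrypt N '...'} ODBC escape on the sp_setapprole line, as the slide shows; the batch shows the security context changing from the login's own user to the role.

```sql
-- Added example (not code from the session). Assumes SQL Server 2000 syntax,
-- a sysadmin session for the setup, and placeholder names/passwords.
USE tempdb
GO
CREATE TABLE dbo.Invoices (InvoiceID int PRIMARY KEY, Total money)
INSERT dbo.Invoices VALUES (1, 250)            -- constructed row
GO
-- Creation: the application role is a password-protected special user, not a group,
-- so permissions are granted and denied to it directly.
EXEC sp_addapprole 'InvoiceApp', 'Pl@ceholder-AppRole-Pwd'   -- placeholder password
GRANT SELECT ON dbo.Invoices TO InvoiceApp
DENY DELETE ON dbo.Invoices TO InvoiceApp
GO
-- Before activation the connection carries the login's own user and permissions.
SELECT SYSTEM_USER AS LoginName, CURRENT_USER AS UserName
-- Activation. The {Encrypt N '...'} escape has the ODBC layer obfuscate the password
-- on the wire instead of sending it in clear text; 'odbc' tells SQL Server which
-- encryption to undo. Whatever stores the password (see slide 32) runs this line.
EXEC sp_setapprole 'InvoiceApp', {Encrypt N 'Pl@ceholder-AppRole-Pwd'}, 'odbc'
-- After activation CURRENT_USER reports the role and only its permissions apply,
-- while SYSTEM_USER still shows the login that opened the connection.
SELECT SYSTEM_USER AS LoginName, CURRENT_USER AS UserName
SELECT * FROM dbo.Invoices                       -- works: SELECT granted to InvoiceApp
DELETE dbo.Invoices WHERE InvoiceID = 1          -- fails: error 229, DELETE denied
-- The role cannot be de-activated in SQL Server 2000: the only way back to the
-- login's own context is to close the connection, which is why the slides call
-- application roles connection-pooling unfriendly.
GO
```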
33. Using application roles from ADO.NET (demo)

34. Passport-like authentication
   • Your application can authenticate users from login/password data
   • Store the login in the open, the password encrypted
   • Compare encrypted passwords
   • Create the entire thing as system objects

35. Do you want to know more?
   • "Inside SQL Server 2000" (Kalen Delaney, MSPress)
   • "Advanced Transact-SQL for SQL Server 2000" (Itzik Ben-Gan & Tom Moreau, APress)
   • "SQL Server 2000 Programming" (Robert Vieira, WROX)
   • "Microsoft SQL Server 2000 Programming by Example" (Fernando G. Guerrero & Carlos Eduardo Rojas, QUE)
   • "System.Data: A Clockwork Link between VB.NET and SQL Server" (Fernando G. Guerrero, Apress)
   • SQL Server 2000 Resource Kit (MSPress & TechNet)
   • Visit the Microsoft public newsgroups:
     – msnews.microsoft.com/microsoft.public.sqlserver.*

36. Thank you! Questions?
   • Download the source code of this session from:
     – http://www.callsql.com/en/articles
   • You can contact me at:
     – fernan@guerrerog.org

37. Thank you!
   • Please drop off your session evaluations in the basket at the back of the room!
   • Your comments are greatly appreciated!