Blog Post

Understanding the Three A’s of Security for SQL Server

,

Do you know what the “Three A’s of Security” are and how they apply to Microsoft SQL Server? Let’s look at them as they are important for managing security properly on a given Microsoft SQL Server.

Authentication

Authentication is determining who a person/process is.

When a connection is made, it’s important to know what account is making that connection. Authentication is the process of validating who that connection is. There are two types of authentication with respect to users connecting to SQL Server:

  • SQL Server’s build-in logins
  • Windows logins

In the first case, SQL Server has stored logins with passwords and if SQL Server is set to mixed mode authentication, these logins can be used to make a connection to a given SQL Server. More on mixed mode authentication in another post. In the second case, a Windows user can connect to SQL Server. This access can either be granted by to the Windows user directly or via a Windows security group.

Obviously, there are times when SQL Server is able to authenticate a connection but that connection isn’t allowed access to any resources, to include simply logging in to the SQL Server itself. That leads us to the next A.

Authorization

Authorization is determining what a person/process is allowed to do.

Once SQL Server knows who the connection is, the next question is what should that connection have access to? This is authorization. The initial check is to see if the account in question should even be able to log in to the SQL Server. If it does have that permission (you’ll see it as CONNECT SQL if you look at the permissions), the next question is what other permissions should it have. This can be at the server level and it can be within the individual databases.

Auditing

Auditing is keeping track of what happens for a person/process.

Auditing is the record keeping involved with tracking various security events. For instance, SQL Server can track both successful and failed logins. Typically, it’s recommended that at least failed logins be tracked. SQL Server can, depending on the edition, audit just about anything you want to track. We’ll cover auditing in more detail in later posts.

 

Rate

You rated this post out of 5. Change rating

Share

Tags

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads