Today, we’re going to look at the options we have for server level security. In SQL Server we can add security on many different levels. We are not going to discus anything outside of the SQL Server like the VM or server itself or firewall etc, this will bring us too far from the subject.
In SQL Server we have the following levels of security:
We will discuss the first two levels of security – instance and contained databases – in detail in this blog post. The other levels will be discussed in one of the following blogs. So, stay tuned for those!
To log into our SQL Server you need to have a login defined on your instance. This can either be a Windows User, Windows Group or a SQL login.
Windows Users and Groups are defined in the Active Directory of our environment. These are mainly managed by the system administrators of the environment and can be used for many different things.
SQL logins are defined in SQL Server itself. These logins can’t be used outside of SQL Server, as these are unknown to the rest of the environment.
This is also where the difference between them comes in. The SQL logins are fully managed by SQL Server itself. Windows Users and Groups are managed in Active Directory.
Picture 1: Overview SQL Instance security
It depends! But in general, we prefer the use of Windows Groups for SQL security. This allows us to give the same permissions to groups of people and easily manage this. When we use Windows Users or SQL logins, we would have to give every user their permissions separately. For small environments this might be doable, but once your environment grows it will become a nightmare to manage. So, even if your environment is currently still small, try to use AD groups as much as possible.
Keep in mind that it’s certainly not bad to sometimes add a SQL login or AD User to give permissions. If you need to give specific permissions to a user or a service account and you’re certain that nobody else will ever need the same permissions as this person, it’s perfectly fine to give specific permissions to their login.
We now have our logins defined and people are able to login on the server, but they can’t do anything yet. How to give permissions on databases to our logins will be discussed in a future blog. We do have a couple of permissions we can give on a server level. Some of these permissions are contained in server roles that we can give to our logins. I’ll highlight a few of the most used ones, but you can find a detailed explanation for all of them under this link.
Arguably the most important role we have on the server. This role means you can do everything. This role is only for your dba or dba-like people in your environment. Nobody else should need this role.
Technically this role is the same as Sysadmin or should be treated the same. Logins with this role can only change permissions, so at first glance you’d think it’s not the same as Sysadmin. But being able to change permissions, also means that they can promote themselves to sysadmin. So certainly be careful handing this permission out.
This role is given to every single login by default. It only has a few basic permissions by default, however, you could change these. We do not recommend granting or denying permissions through public, rather create a separate role for this.
Since SQL 2022 we have a more extensive list of roles we can give. You can also find these in the link above with an explanation.
Besides roles we also have separate permissions in SQL server. We can either create our own role with permissions or give permissions directly to logins. When creating a role you can see a list of all the possible permissions we’re able to give. As an example you can see permissions we can add on server level to our role below. A complete list of all permissions can also be found on the Microsoft Docs.
Contained databases work a little different. Instead of letting the SQL Server handle the security, all security is handled within the database itself.
A big advantage of contained databases is that everything is contained within the database itself. If you restore a normal database on another server, you also have to move logins etc related to the database. When moving a contained database, all logins are transferred with the database itself.
We now have our login and we can give some permission on server level, but we still can’t access our database. This is where database users come in. In picture 1 you can see that we have to map our server login to a database user. We can then grant this database user certain permissions on the database itself. As a general rule, keep the name of the database user the same as the name of the login.
Most important rule you should take away from this blog, is try to work with AD groups as much as possible. In our next blog, we will dive deeper into database security and everything related to that topic. Stay tuned for that!
Michael Bergs, Data Wizard at Kohera.
Cookie | Duration | Description |
---|---|---|
ARRAffinity | session | ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user. |
ARRAffinitySameSite | session | This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category. |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | Cloudflare set the cookie to support Cloudflare Bot Management. |
pll_language | 1 year | Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way. |
Cookie | Duration | Description |
---|---|---|
_ga | 1 year 1 month 4 days | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. |
_ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
_gat_gtag_UA_* | 1 minute | Google Analytics sets this cookie to store a unique user ID. |
_gid | 1 day | Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. |
ai_session | 30 minutes | This is a unique anonymous session identifier cookie set by Microsoft Application Insights software to gather statistical usage and telemetry data for apps built on the Azure cloud platform. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
vuid | 1 year 1 month 4 days | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website. |
Cookie | Duration | Description |
---|---|---|
ai_user | 1 year | Microsoft Azure sets this cookie as a unique user identifier cookie, enabling counting of the number of users accessing the application over time. |
VISITOR_INFO1_LIVE | 5 months 27 days | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. |
YSC | session | Youtube sets this cookie to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt-remote-device-id | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt.innertube::nextId | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
WFESessionId | session | No description available. |