SQL Server security made easy on the server level

September 13, 2023

Today, we’re going to look at the options we have for server level security. In SQL Server we can add security on many different levels. We are not going to discus anything outside of the SQL Server like the VM or server itself or firewall etc, this will bring us too far from the subject.

In SQL Server we have the following levels of security:

Instance
Contained databases
Databases
Schemas
Objects (Like tables, views,…)
Columns
Rows

We will discuss the first two levels of security – instance and contained databases – in detail in this blog post. The other levels will be discussed in one of the following blogs. So, stay tuned for those!

To log into our SQL Server you need to have a login defined on your instance. This can either be a Windows User, Windows Group or a SQL login.

Windows Users and Groups are defined in the Active Directory of our environment. These are mainly managed by the system administrators of the environment and can be used for many different things.

SQL logins are defined in SQL Server itself. These logins can’t be used outside of SQL Server, as these are unknown to the rest of the environment.

This is also where the difference between them comes in. The SQL logins are fully managed by SQL Server itself. Windows Users and Groups are managed in Active Directory.

Picture 1: Overview SQL Instance security

What’s the best option?

It depends! But in general, we prefer the use of Windows Groups for SQL security. This allows us to give the same permissions to groups of people and easily manage this. When we use Windows Users or SQL logins, we would have to give every user their permissions separately. For small environments this might be doable, but once your environment grows it will become a nightmare to manage. So, even if your environment is currently still small, try to use AD groups as much as possible.

Keep in mind that it’s certainly not bad to sometimes add a SQL login or AD User to give permissions. If you need to give specific permissions to a user or a service account and you’re certain that nobody else will ever need the same permissions as this person, it’s perfectly fine to give specific permissions to their login.

Server roles

We now have our logins defined and people are able to login on the server, but they can’t do anything yet. How to give permissions on databases to our logins will be discussed in a future blog. We do have a couple of permissions we can give on a server level. Some of these permissions are contained in server roles that we can give to our logins. I’ll highlight a few of the most used ones, but you can find a detailed explanation for all of them under this link.

Sysadmin

Arguably the most important role we have on the server. This role means you can do everything. This role is only for your dba or dba-like people in your environment. Nobody else should need this role.

Securityadmin

Technically this role is the same as Sysadmin or should be treated the same. Logins with this role can only change permissions, so at first glance you’d think it’s not the same as Sysadmin. But being able to change permissions, also means that they can promote themselves to sysadmin. So certainly be careful handing this permission out.

Public

This role is given to every single login by default. It only has a few basic permissions by default, however, you could change these. We do not recommend granting or denying permissions through public, rather create a separate role for this.

Since SQL 2022 we have a more extensive list of roles we can give. You can also find these in the link above with an explanation.

Server Permissions

Besides roles we also have separate permissions in SQL server. We can either create our own role with permissions or give permissions directly to logins. When creating a role you can see a list of all the possible permissions we’re able to give. As an example you can see permissions we can add on server level to our role below. A complete list of all permissions can also be found on the Microsoft Docs.

Contained databases

Contained databases work a little different. Instead of letting the SQL Server handle the security, all security is handled within the database itself.

A big advantage of contained databases is that everything is contained within the database itself. If you restore a normal database on another server, you also have to move logins etc related to the database. When moving a contained database, all logins are transferred with the database itself.

Database users

We now have our login and we can give some permission on server level, but we still can’t access our database. This is where database users come in. In picture 1 you can see that we have to map our server login to a database user. We can then grant this database user certain permissions on the database itself. As a general rule, keep the name of the database user the same as the name of the login.

Most important rule you should take away from this blog, is try to work with AD groups as much as possible. In our next blog, we will dive deeper into database security and everything related to that topic. Stay tuned for that!

Author

Michael Bergs, Data Wizard at Kohera.

Kohera, Power BI

Updating your Azure SQL server OAuth2 credentials in Power BI via PowerShell for automation purposes

7 February 2024

The better way to update OAuth2 credentials in Power BI is by automating the process of updating Azure SQL Server...

Kohera

Under (memory) pressure

28 January 2024

A few weeks ago, a client asked me if they were experiencing memory pressure and how they could monitor it...

Fabric

Managing files from other devices in a Fabric Lakehouse using the Python Azure SDK

11 January 2024

In this blogpost, you’ll see how to manage files in OneLake programmatically using the Python Azure SDK. Very little coding...

SQL Server

Database specific security in SQL Server

12 October 2023

There are many different ways to secure your database. In this blog post we will give most of them a...

SQL Server

SQL Server security made easy on the server level

13 September 2023

In this blog, we’re going to look at the options we have for server level security. In SQL Server we...

Kohera, SQL Server

Microsoft SQL Server history

5 July 2023

Since its inception in 1989, Microsoft SQL Server is a critical component of many organizations' data infrastructure. As data has...

Cookie	Duration	Description
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.
pll_language	1 year	Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
ai_session	30 minutes	This is a unique anonymous session identifier cookie set by Microsoft Application Insights software to gather statistical usage and telemetry data for apps built on the Azure cloud platform.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
ai_user	1 year	Microsoft Azure sets this cookie as a unique user identifier cookie, enabling counting of the number of users accessing the application over time.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

SQL Server security made easy on the server level

What’s the best option?

Server roles

Sysadmin

Securityadmin

Public

Server Permissions

Contained databases

Database users

Author

Updating your Azure SQL server OAuth2 credentials in Power BI via PowerShell for automation purposes

Under (memory) pressure

Managing files from other devices in a Fabric Lakehouse using the Python Azure SDK

Database specific security in SQL Server

SQL Server security made easy on the server level

Microsoft SQL Server history

We are using cookies