8/13/2019 Security Management in SQL Servier
http://slidepdf.com/reader/full/security-management-in-sql-servier 1/49
Security Management in SQL Server
Chapter-1: Introduction
Oracle today announced that it has been named the leading Relational Database
Management Systems (RDBMS) vendor in India and Asia Pacific excluding Japan (APEJ),
based on first half 2007 Asia Pacific software revenues by IDC. In IDC's "Asia/Pacific Semi-
Annual Software Tracker, September 2007" report, Oracle is the Asia Pacific market leader with
53 percent market share, growing 19 percent year-over-year to reach US$373 million in software
revenue in first half 2007. It has strengthened its market share lead by nearly four percent over its
second half 2006 figure of 50 percent. The company commands more than double the market
share of its nearest competitor in the RDBMS market who has 21 percent. In India, Oracle leads
the RDBMS market with 63 percent market share. This is nearly thrice that of its nearest
competitor who only has 23 percent share.
"Oracle has, through a sustained flow of innovation, continued to develop and strengthen
its undisputed relational database market share leadership in Asia Pacific," said SPS Grover, vice
president, Technology Sales, Oracle India. "With Oracle Database 11g, we expect to continue
revolutionizing the database world. Customers will benefit from unique features such as active
standbys, real application testing and compression of all data types which will have a dramatic
impact on the performance, reliability and economics of their IT systems."
Continued Leadership in Database Innovation with Launch of Oracle Database 11g
In Q1FY08, Oracle launched Oracle Database 11g, with new innovative features such as Oracle
Active Data Guard, Oracle Real Application Testing and Oracle Advanced Compression. With
more than 400 new features, 36,000 person-months of development, and 15 million test hours,
Oracle Database 11g is making the management of enterprise information easier than ever,
enabling customers to know more about their business and innovate more quickly.
Oracle also recently announced a new world record price/performance result with the
TPC-C benchmark running Oracle® Database 11g on Windows. Achieving 102,454 transactions
per minute with a price/performance of $.73/tpmC, Oracle Database 11g Standard Edition One
delivered 24 percent more performance at 13 percent less cost than its nearest competitor in the
price/performance category.
Oracle Database new wins for 1HFY08 in India include Commercial Taxes Department,
Government of Rajasthan, Tamil Nadu Electricity Board and Tata Tele Services Ltd; CAIRN
INDIA, Delhi International Airport Ltd., GENPACT INDIA, High Court Of Delhi, IFCI Ltd.,
Oriental Bank of Commerce, Oxigen India Prepaid Services Pvt Ltd. and some of the new wins
for Asia Pacific, excluding Japan, include: Alcatel (Australia), Australian Institute of Health and
Welfare (Australia), Bombardier Transportation Australia Pty Ltd. (Australia), Alibaba Group
(China), AU Optronics Corp (Taiwan), Bank of East Asia (Hong Kong), China Eastern Airlines
Co. Ltd. (China), Dah Sing Bank (Hong Kong), Department of Immigration and Emigration (Sri
Lanka), GreatWall Information Industry (China), Kodeco Energy (Indonesia), Korea Exchange
(Korea), PT Bank Central Asia (Indonesia), PT. Mobile-8 Telecom (Indonesia), SK Telecom
(Korea), Shell Autoserv (Thailand) Co., Shenzhen Airlines (China), Sun Hung Kai Securities
Limited (Hong Kong), Sunghwa College (Korea), Tata Steel (Thailand), Thai Nippon Steel
Engineering & Construction Corp Ltd. (Thailand), The Bank of East Asia Limited (Hong Kong),
Xiangya Hospital of Center-South University (China) and Yan Wal Yun (Thailand) to name a
few.
Despite challenging economic conditions, the enterprise software market in India is projected to
grow 13 per cent in 2012, as revenue reaches $3.22 billion USD in 2012, according to Gartner,
Inc. India's enterprise software market is forecast to maintain its strong performance, with an
estimated compound annual growth rate (CAGR) of 13.6 per cent from 2009 to 2016 – the third
highest growth rate in the world. The increasing globalization of the Indian economy is leading
to a growing need for modern software with the latest features and improved functionality.
"With Indian enterprises continuing to embrace IT to improve productivity and drive growth,
penetration of ICT infrastructure has been growing rapidly during the past decade. The primary
drivers of growth have been domestic demand, the growing maturity of users and incremental
enhancements in the technology," said Asheesh Raina, principal research analyst at Gartner.
"India also enjoys a rich presence of all international software and hardware vendors, backed by
a very strong ecosystem of system integrators, service providers and business partners. A
combination of high domestic demand, presence of global vendors and entry of new small
vendors with innovative products have made the overall ecosystem apt for robust growth."
In 2012, India will be the fourth largest enterprise software market in Asia/Pacific. The
country is forecast to account for 11 per cent of the region's total revenue of $29.33 billion USD
for Asia/Pacific this year, equivalent to 1.15 per cent of the total worldwide software market
of $280 billion USD. By 2016, India's share of the software market in
Asia/Pacific is expected to reach 12.1 per cent, representing $5.4 billion in revenue, or 1.5 per
cent of total worldwide software market revenue of $361 billion. In comparison to other
countries in the Asia/Pacific region, such as China (with 27 per cent share of regional spending
in 2011), the software market in India is still relatively small and evolving.
"End users in Asia/Pacific are expecting to increase their spending on application and
infrastructure software, with China and India being the most optimistic and leading the way for
budget increases, followed closely by Malaysia and South Korea," said Mr. Raina. "The high
intention to increase budgets in India is expected because of the rapidly growing economy,
globalization of operations, and ongoing investment in India as a customer service-related
outsourcing destination. Optimism regarding spending within Indian organizations reflects
confidence in India's regional economic performance, as well as the need to adopt better
technology to effectively compete in a tougher global environment." Priority areas of software
spending include operating systems, DBMS, AIM and Application Development. In the next
five years, the fastest-growing segments will be Web conferencing and team collaboration, enterprise
content management, CRM and ERP. According to Gartner, Indian enterprises are lagging
behind in terms of adoption of these tools, resulting in the fast growth of these markets.
Databases are organized collections of data that support storage, management, and retrieval of
information. Databases are qualitatively measured by accuracy, availability, usability, and
resilience. Computer software products known as database management systems (DBMS) support access to data stored in databases.
A DBMS allows database administrators (DBAs) and other software specialists in an
organization to develop databases for various applications.
Well known DBMS products include Oracle, Access, SQL Server, DB2, and MySQL. A DBMS
allows different user application programs to simultaneously access the same database. A DBMS
provides services for controlling data access, enforcing data integrity, managing concurrency
control, recovering the database after failures, as well as sustaining database security.
Relational databases are the choice for storing data such as financial and medical records,
personal information, and manufacturing data. A relational database is a collection of tables
relating to one another. Other objects are often considered part of the database because they help
to organize and structure the data.
Structured Query Language (SQL) is used to communicate with relational database management
systems. This language allows users to perform basic functions to interact with data. In addition
to basic SQL functions, the DBMS in use provides additional proprietary functions.
SQL commands are divided into two sublanguages: data definition language (DDL) and data
manipulation language (DML). Data definition language includes commands to create and
destroy databases and their objects. Once structured with DDL, administrators use data
manipulation language (DML) to insert, select, and update the data contained within the
structure.
Research Methodology
Need for the Study
The growing IT industry in India faces many challenges in maintaining a consistent
pace in dynamic and competitive business environments. To overcome such challenges,
managers need to have proper forecasts, analysis and database management systems. This requires
a well-established database and server management system. Security parameters take
precedence in database management systems, and hence the challenge is to identify a highly secured RDBMS or DBMS. This need therefore invites a study to understand the Security
Management Aspects of the most commonly used RDBMS, SQL Server.
Scope of the Study
The study "Security Management in SQL Server" focuses on security management
in SQL Server and on the other advantages of SQL Server compared to other RDBMSs. This study
also focuses on the satisfaction with, and the need for, such high-end security options for databases and
the prominence of SQL Server in this respect.
Objectives
To study the key decision areas in database management systems.
To analyze and evaluate the performance of the present database management platforms.
To understand the security management aspects of SQL Server.
Sampling
Sampling Method: The sampling method used was the convenience sampling technique.
Convenience sampling (sometimes known as grab or opportunity sampling) is a type of non-
probability sampling which involves the sample being drawn from that part of the population
which is close to hand. That is, a sample population is selected because it is readily available and
convenient. It may be through meeting the person or including a person in the sample when one
meets them, or by finding them through technological means such as the internet or
the phone.
Determination Of Sample Design: There are many IT companies in the twin cities which are
operating in domestic and international markets. Companies that majorly contribute to the high
end database management software are selected to constitute the sample. Data is collected from
the Database administrators in such companies and it is based on convenience sampling
technique.
Limitations of the Study
Geographical Limitation: The study is confined to the twin cities only, so its findings
may not be apt for forecasting results elsewhere.
Time: The project is undertaken over an 8-week duration, which is not sufficient to fulfill
the complete scope of the study.
Chapter-2: Conceptual Framework & Literature Review
SQL Server
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database, it is a software product whose primary function is to store and retrieve
data as requested by other software applications, be it those on the same computer or those
running on another computer across a network (including the Internet). There are at least a dozen
different editions of Microsoft SQL Server aimed at different audiences and for workloads
ranging from small single-machine applications to large Internet-facing applications with many
concurrent users. Its primary query languages are T-SQL and ANSI SQL.
Origin
Prior to version 7.0 the code base for MS SQL Server was sold by Sybase SQL Server to
Microsoft, and was Microsoft's entry to the enterprise-level database market, competing against
Oracle, IBM, and, later, Sybase. Microsoft, Sybase and Ashton-Tate originally worked together
to create and market the first version named SQL Server 1.0 for OS/2 (about 1989) which was
essentially the same as Sybase SQL Server 3.0 on Unix, VMS, etc. Microsoft SQL Server 4.2
was shipped around 1992 (available bundled with IBM OS/2 version 1.3). Later Microsoft SQL
Server 4.21 for Windows NT was released at the same time as Windows NT 3.1. Microsoft SQL
Server v6.0 was the first version designed for NT, and did not include any direction from Sybase.
About the time Windows NT was released in July 1993, Sybase and Microsoft parted ways and
each pursued its own design and marketing schemes. Microsoft negotiated exclusive rights to all
versions of SQL Server written for Microsoft operating systems. (In 1996 Sybase changed the
name of its product to Adaptive Server Enterprise to avoid confusion with Microsoft SQL
Server.) Until 1994, Microsoft's SQL Server carried three Sybase copyright notices as an
indication of its origin.
SQL Server 7.0 and SQL Server 2000 included modifications and extensions to the Sybase code
base, adding support for the IA-64 architecture. By SQL Server 2005 the legacy Sybase code had
been completely rewritten.
Since the release of SQL Server 2000, advances have been made in performance, the client IDE
tools, and several complementary systems that are packaged with SQL Server 2005. These
include:
an extract-transform-load (ETL) tool (SQL Server Integration Services or SSIS)
a Reporting Server
an OLAP and data mining server (Analysis Services)
several messaging technologies, specifically Service Broker and Notification Services.
SQL Server 2005:
SQL Server 2005 (formerly codenamed "Yukon") was released in October 2005. It included native
support for managing XML data, in addition to relational data. For this purpose, it defined an
xml data type that could be used either as a data type in database columns or as literals in
queries. XML columns can be associated with XSD schemas; XML data being stored is verified
against the schema. XML is converted to an internal binary data type before being stored in the
database. Specialized indexing methods were made available for XML data. XML data is
queried using XQuery; SQL Server 2005 added some extensions to the T-SQL language to allow
embedding XQuery queries in T-SQL. In addition, it also defines a new extension to XQuery, called XML DML, that allows query-based modifications to XML data. SQL Server 2005 also
allows a database server to be exposed over web services using Tabular Data Stream (TDS)
packets encapsulated within SOAP (protocol) requests. When the data is accessed over web
services, results are returned as XML.
Common Language Runtime (CLR) integration was introduced with this version, enabling one to
write SQL code as Managed Code by the CLR. For relational data, T-SQL has been augmented
with error handling features (try/catch) and support for recursive queries with CTEs (Common Table Expressions). SQL Server 2005 has also been enhanced with new indexing algorithms,
syntax and better error recovery systems. Data pages are checksummed for better error
resiliency, and optimistic concurrency support has been added for better performance.
Permissions and access control have been made more granular and the query processor handles
concurrent execution of queries in a more efficient way. Partitions on tables and indexes are
supported natively, so scaling out a database onto a cluster is easier. SQL CLR was introduced
with SQL Server 2005 to let it integrate with the .NET Framework.
SQL Server 2005 introduced "MARS" (Multiple Active Results Sets), a method of allowing
usage of database connections for multiple purposes.
SQL Server 2005 introduced DMVs (Dynamic Management Views), which are specialized
views and functions that return server state information that can be used to monitor the health of
a server instance, diagnose problems, and tune performance.
Service Pack 1 (SP1) of SQL Server 2005 introduced Database Mirroring, a high availability
option that provides redundancy and failover capabilities at the database level. Failover can be
performed manually or can be configured for automatic failover. Automatic failover requires a
witness partner and an operating mode of synchronous (also known as high-safety or full safety).
SQL Server 2008:
SQL Server 2008 (formerly codenamed "Katmai") was released on August 6, 2008 and aims to
make data management self-tuning, self organizing, and self maintaining with the development
of SQL Server Always On technologies, to provide near-zero downtime. SQL Server 2008 also
includes support for structured and semi-structured data, including digital media formats for
pictures, audio, video and other multimedia data. In current versions, such multimedia data can
be stored as BLOBs (binary large objects), but they are generic bitstreams. Intrinsic awareness of
multimedia data will allow specialized functions to be performed on them. According to Paul
Flessner, senior Vice President, Server Applications, Microsoft Corp., SQL Server 2008 can be a
data storage backend for different varieties of data: XML, email, time/calendar, file, document,
spatial, etc as well as perform search, query, analysis, sharing, and synchronization across all
data types.
Other new data types include specialized date and time types and a Spatial data type for location-
dependent data. Better support for unstructured and semi-structured data is provided using the
new FILESTREAM data type, which can be used to reference any file stored on the file system.
Structured data and metadata about the file is stored in SQL Server database, whereas the
unstructured component is stored in the file system. Such files can be accessed both via Win32
file handling APIs as well as via SQL Server using T-SQL; doing the latter accesses the file data
as a BLOB. Backing up and restoring the database backs up or restores the referenced files as
well. SQL Server 2008 also natively supports hierarchical data, and includes T-SQL constructs
to directly deal with them, without using recursive queries.
The Full-text search functionality has been integrated with the database engine. According to a
Microsoft technical article, this simplifies management and improves performance.
Spatial data will be stored in two types. A "Flat Earth" (GEOMETRY or planar) data type
represents geospatial data which has been projected from its native, spherical, coordinate system
into a plane. A "Round Earth" data type (GEOGRAPHY) uses an ellipsoidal model in which the
Earth is defined as a single continuous entity which does not suffer from the singularities such as
the international dateline, poles, or map projection zone "edges". Approximately 70 methods are
available to represent spatial operations for the Open Geospatial Consortium Simple Features for
SQL, Version 1.1.
SQL Server includes better compression features, which also helps in improving scalability. It
enhanced the indexing algorithms and introduced the notion of filtered indexes. It also includes
Resource Governor that allows reserving resources for certain users or workflows. It also
includes capabilities for transparent encryption of data (TDE) as well as compression of backups.
SQL Server 2008 supports the ADO.NET Entity Framework and the reporting tools, replication,
and data definition will be built around the Entity Data Model. SQL Server Reporting Services
will gain charting capabilities from the integration of the data visualization products from
Dundas Data Visualization, Inc., which was acquired by Microsoft. On the management side,
SQL Server 2008 includes the Declarative Management Framework which allows configuring
policies and constraints, on the entire database or certain tables, declaratively. The version of
SQL Server Management Studio included with SQL Server 2008 supports IntelliSense for SQL
queries against a SQL Server 2008 Database Engine. SQL Server 2008 also makes the databases available via Windows PowerShell providers and management functionality available as
Cmdlets, so that the server and all the running instances can be managed from Windows
PowerShell.
SQL Server 2008 R2:
SQL Server 2008 R2 (10.50.1600.1, formerly codenamed "Kilimanjaro") was announced at
TechEd 2009, and was released to manufacturing on April 21, 2010. SQL Server 2008 R2 adds
certain features to SQL Server 2008 including a master data management system branded as
Master Data Services, a central management of master data entities and hierarchies. Also Multi
Server Management, a centralized console to manage multiple SQL Server 2008 instances and
services including relational databases, Reporting Services, Analysis Services & Integration
Services.
SQL Server 2008 R2 includes a number of new services, including PowerPivot for Excel and
SharePoint, Master Data Services, StreamInsight, Report Builder 3.0, Reporting Services Add-in
for SharePoint, a Data-tier function in Visual Studio that enables packaging of tiered databases
as part of an application, and a SQL Server Utility named UC (Utility Control Point), part of
AMSM (Application and Multi-Server Management) that is used to manage multiple SQL
Servers.
The first SQL Server 2008 R2 service pack (10.50.2500, Service Pack 1) was released on July
11, 2011.
The second SQL Server 2008 R2 service pack (10.50.4000, Service Pack 2) was released on July
26, 2012.
SQL Server 2012:
At the 2011 Professional Association for SQL Server (PASS) summit on October 11, Microsoft
announced that the next major version of SQL Server (codenamed "Denali"), would be SQL
Server 2012. It was released to manufacturing on March 6, 2012. SQL Server 2012 Service Pack
1 was released to manufacturing on November 9, 2012.
It was announced to be the last version to natively support OLE DB and instead to prefer ODBC
for native connectivity.
SQL Server 2012's new features and enhancements include AlwaysOn SQL Server Failover
Cluster Instances and Availability Groups which provides a set of options to improve database
availability, Contained Databases which simplify the moving of databases between instances,
new and modified Dynamic Management Views and Functions, programmability enhancements
including new spatial features, metadata discovery, sequence objects and the THROW statement,
performance enhancements such as ColumnStore Indexes as well as improvements to OnLine
and partition level operations and security enhancements including provisioning during setup,
new permissions, improved role management, and default schema assignment for groups.
SQL Server 2014:
SQL Server 2014 is still in Community Technology Preview stage. As of November, 2013 there
have been two such revisions, CTP1 and CTP2. SQL Server 2014 will provide a new in-memory
capability for tables that can fit entirely in memory (also known as Hekaton). Whilst small tables
may be entirely resident in memory in all versions of SQL Server, they also may reside on disk,
so work is involved in reserving RAM, writing evicted pages to disk, loading new pages from
disk, locking the pages in RAM while they are being operated on, and many other tasks. By
treating a table as guaranteed to be entirely resident in memory much of the 'plumbing' of disk-
based databases can be avoided.
For disk-based SQL Server applications, it also provides SSD bufferpool extension, which can
improve application performance transparently by leveraging SSD as the intermediate memory
hierarchy between DRAM and spinning media.
SQL Server 2014 also enhances AlwaysOn (HADR) solution by increasing the readable
secondaries count and sustaining read operations upon secondary-primary disconnections, and it
provides new hybrid disaster recovery and backup solutions with Windows Azure, enabling
customers to use their existing skills with the on-premises product offerings to take advantage of
Microsoft‘s global datacenters. In addition, it takes advantage of new Windows Server 2012 and
Windows Server 2012 R2 capabilities for database application scalability in a physical or virtual
environment.
Editions of SQL Server:
Mainstream editions:
Datacenter
SQL Server 2008 R2 Datacenter is the full-featured edition of SQL Server and is designed for
datacenters that need the high levels of application support and scalability. It supports 256
logical processors and virtually unlimited memory. Comes with StreamInsight Premium edition.
The Datacenter edition has been retired in SQL Server 2012; all its features are available in SQL
Server 2012 Enterprise Edition.
Enterprise:
SQL Server Enterprise Edition includes both the core database engine and add-on services, with
a range of tools for creating and managing a SQL Server cluster. It can manage databases as
large as 524 petabytes and address 2 terabytes of memory and supports 8 physical processors.
SQL Server 2012 Enterprise Edition supports 160 physical processors.
Standard:
SQL Server Standard edition includes the core database engine, along with the stand-alone
services. It differs from Enterprise edition in that it supports fewer active instances (number of
nodes in a cluster) and does not include some high-availability functions such as hot-add
memory (allowing memory to be added while the server is still running), and parallel indexes.
SQL Server Web Edition is a low-TCO option for Web hosting.
Business Intelligence:
Introduced in SQL Server 2012 and focusing on Self Service and Corporate Business
Intelligence. It includes the Standard Edition capabilities and Business Intelligence tools:
PowerPivot, Power View, the BI Semantic Model, Master Data Services, Data Quality Services
and xVelocity in-memory analytics.
Work Group:
SQL Server Workgroup Edition includes the core database functionality but does not include the
additional services. Note that this edition has been retired in SQL Server 2012.
Express
SQL Server Express Edition is a scaled down, free edition of SQL Server, which includes the
core database engine. While there are no limitations on the number of databases or users
supported, it is limited to using one processor, 1 GB memory and 4 GB database files (10 GB
database files from SQL Server Express 2008 R2). It is intended as a replacement for MSDE.
Two additional editions provide a superset of features not in the original Express Edition. The
first is SQL Server Express with Tools, which includes SQL Server Management Studio Basic.
SQL Server Express with Advanced Services adds full-text search capability and reporting
services.
Architecture:
The protocol layer implements the external interface to SQL Server. All operations that can be
invoked on SQL Server are communicated to it via a Microsoft-defined format, called Tabular
Data Stream (TDS). TDS is an application layer protocol, used to transfer data between a
database server and a client. Initially designed and developed by Sybase Inc. for their Sybase
SQL Server relational database engine in 1984, and later by Microsoft in Microsoft SQL Server,
TDS packets can be encased in other physical transport dependent protocols, including TCP/IP,
Named pipes, and Shared memory. Consequently, access to SQL Server is available over these
protocols. In addition, the SQL Server API is also exposed over web services.
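As an added illustration of the TDS framing described above (example code written for this page, not Microsoft's or the project's own), the following Python parses the 8-byte TDS packet header, whose layout (Type, Status, Length, SPID, PacketID, Window, big-endian) is taken from the MS-TDS specification. The sample stream, the SPID value and the query text are constructed here, and the SQL batch payload is simplified to plain UTF-16LE text; the parser checks the Length field against the bytes actually present, which any defensive protocol decoder (for example on a network sensor) must do before trusting a packet.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_LEN = 8                 # every TDS packet starts with an 8-byte header
STATUS_EOM = 0x01              # Status bit: this packet ends the message
# Packet type codes from the MS-TDS specification (subset used here).
TDS_TYPES = {0x01: "SQL_BATCH", 0x03: "RPC", 0x04: "TABULAR_RESULT",
             0x10: "TDS7_LOGIN", 0x12: "PRELOGIN"}


@dataclass
class TdsPacket:
    ptype: str
    eom: bool
    spid: int
    packet_id: int
    payload: bytes


def build_packet(ptype: int, payload: bytes, eom: bool = True,
                 spid: int = 0, packet_id: int = 1) -> bytes:
    """Prepend a TDS header; Length counts the header plus the payload."""
    status = STATUS_EOM if eom else 0
    return struct.pack(">BBHHBB", ptype, status, HEADER_LEN + len(payload),
                       spid, packet_id, 0) + payload


def parse_tds_packets(stream: bytes) -> List[TdsPacket]:
    """Split a transport byte stream (TCP, named pipe, shared memory) into TDS
    packets, checking each header against the bytes that are really there so a
    truncated or oversized packet is rejected rather than read past the buffer."""
    packets: List[TdsPacket] = []
    offset = 0
    while offset < len(stream):
        remaining = len(stream) - offset
        if remaining < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        ptype, status, length, spid, packet_id, window = struct.unpack_from(
            ">BBHHBB", stream, offset)
        if length < HEADER_LEN:
            raise ValueError(f"Length {length} is smaller than the header")
        if length > remaining:
            raise ValueError(f"packet claims {length} bytes, only {remaining} present")
        if window != 0:
            raise ValueError("Window byte must be zero; not a TDS header")
        payload = stream[offset + HEADER_LEN:offset + length]
        packets.append(TdsPacket(TDS_TYPES.get(ptype, f"UNKNOWN_0x{ptype:02X}"),
                                 bool(status & STATUS_EOM), spid, packet_id, payload))
        offset += length
    return packets


def reassemble_messages(packets: List[TdsPacket]) -> List[Tuple[str, bytes]]:
    """Join consecutive packets of one type into a message; a message ends at EOM."""
    messages: List[Tuple[str, bytes]] = []
    kind, buf = None, b""
    for p in packets:
        if kind is None:
            kind = p.ptype
        elif p.ptype != kind:
            raise ValueError("packet type changed before EOM")
        buf += p.payload
        if p.eom:
            messages.append((kind, buf))
            kind, buf = None, b""
    if kind is not None:
        raise ValueError("stream ended without an EOM packet")
    return messages


# Constructed sample: one SQL batch split over two packets, then a PRELOGIN packet.
QUERY = "SELECT name FROM sys.databases".encode("utf-16-le")
HALF = len(QUERY) // 2
SAMPLE_STREAM = (build_packet(0x01, QUERY[:HALF], eom=False, spid=51, packet_id=1)
                 + build_packet(0x01, QUERY[HALF:], eom=True, spid=51, packet_id=2)
                 + build_packet(0x12, b"\xff", eom=True))


def decode_sample() -> List[Tuple[str, bytes]]:
    """Parse and reassemble the constructed stream."""
    return reassemble_messages(parse_tds_packets(SAMPLE_STREAM))


if __name__ == "__main__":
    for kind, body in decode_sample():
        text = body.decode("utf-16-le") if kind == "SQL_BATCH" else body.hex()
        print(kind, text)
```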
Data Storage:
Data storage is a database, which is a collection of tables with typed columns. SQL Server
supports different data types, including primary types such as Integer, Float, Decimal, Char
(including character strings), Varchar (variable length character strings), binary (for unstructured
blobs of data), Text (for textual data) among others. The rounding of floats to integers uses either
Symmetric Arithmetic Rounding or Symmetric Round Down (Fix) depending on arguments:
SELECT Round(2.5, 0) gives 3. Microsoft SQL Server also allows user-defined composite types
(UDTs) to be defined and used. It also makes server statistics available as virtual tables and
views (called Dynamic Management Views or DMVs). In addition to tables, a database can also
contain other objects including views, stored procedures, indexes and constraints, along with a
transaction log. A SQL Server database can contain a maximum of 2^31 objects, and can span
multiple OS-level files with a maximum file size of 2^60 bytes. The data in the database are
stored in primary data files with an extension .mdf. Secondary data files, identified with a .ndf
extension, are used to store optional metadata. Log files are identified with the .ldf extension.
Storage space allocated to a database is divided into sequentially numbered pages, each 8 KB in
size. A page is the basic unit of I/O for SQL Server operations. A page is marked with a 96-byte
header which stores metadata about the page including the page number, page type, free space on
the page and the ID of the object that owns it. Page type defines the data contained in the page -
data stored in the database, index, allocation map which holds information about how pages are
allocated to tables and indexes, change map which holds information about the changes made to
other pages since last backup or logging, or contain large data types such as image or text. While
page is the basic unit of an I/O operation, space is actually managed in terms of an extent which
consists of 8 pages. A database object can either span all 8 pages in an extent ("uniform extent")
or share an extent with up to 7 more objects ("mixed extent"). A row in a database table cannot
span more than one page, so is limited to 8 KB in size. However, if the data exceeds 8 KB and
the row contains Varchar or Varbinary data, the data in those columns are moved to a new page
(or possibly a sequence of pages, called an Allocation unit) and replaced with a pointer to the
data.
For physical storage of a table, its rows are divided into a series of partitions (numbered 1 to n).
The partition size is user defined; by default all rows are in a single partition. A table is split into
multiple partitions in order to spread a database over a cluster. Rows in each partition are stored
in either B-tree or heap structure. If the table has an associated index to allow fast retrieval of
rows, the rows are stored in-order according to their index values, with a B-tree providing the
index. The data is in the leaf nodes, with the other nodes storing the index values for the
leaf data reachable from the respective nodes. If the index is non-clustered, the rows are not
sorted according to the index keys. An indexed view has the same storage structure as an indexed
table. A table without an index is stored in an unordered heap structure. Both heaps and B-trees
can span multiple allocation units.
Buffer Management:
SQL Server buffers pages in RAM to minimize disc I/O. Any 8 KB page can be buffered in-
memory, and the set of all pages currently buffered is called the buffer cache. The amount of
memory available to SQL Server decides how many pages will be cached in memory. The buffer
cache is managed by the Buffer Manager. Either reading from or writing to any page copies it to
the buffer cache. Subsequent reads or writes are redirected to the in-memory copy, rather than
the on-disc version. The page is updated on the disc by the Buffer Manager only if the in-
memory cache has not been referenced for some time. While writing pages back to disc,
asynchronous I/O is used whereby the I/O operation is done in a background thread so that other
operations do not have to wait for the I/O operation to complete. Each page is written along with
its checksum. When the page is read back, its checksum is computed again
and matched with the stored version to ensure the page has not been damaged or tampered with
in the meantime (this page checksum is a corruption check, not a cryptographic integrity check).
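As an added illustration of the storage and buffer-management passages above (example code, not part of the original document), the script below builds a throwaway database and a table whose rows spill into row-overflow and LOB pages, then reads the allocation units, page counts and extent counts back from the catalog views, and finishes by checking and setting the page-verification option that produces the per-page checksum just described. The StorageDemo database and dbo.WideRow table are constructed for this example.

```sql
-- Added example, not from the original document: how a table's rows map onto
-- allocation units, 8 KB pages and 8-page extents, and how page checksums are
-- switched on. The StorageDemo database and dbo.WideRow table are constructed.
USE master;
GO
IF DB_ID(N'StorageDemo') IS NULL
    CREATE DATABASE StorageDemo;
GO
USE StorageDemo;
GO
-- Two 6000-byte values exceed the in-row limit, so one of them is pushed to a
-- ROW_OVERFLOW_DATA page; the 20000-byte VARCHAR(MAX) value goes to LOB_DATA pages.
CREATE TABLE dbo.WideRow (
    Id       INT IDENTITY PRIMARY KEY,   -- clustered index, so B-tree storage
    ColA     VARCHAR(8000) NOT NULL,
    ColB     VARCHAR(8000) NOT NULL,
    Document VARCHAR(MAX)  NULL
);
INSERT INTO dbo.WideRow (ColA, ColB, Document)
VALUES (REPLICATE('a', 6000),
        REPLICATE('b', 6000),
        REPLICATE(CONVERT(VARCHAR(MAX), 'd'), 20000));
GO
-- One row per (partition, allocation unit): which kind of pages hold the data,
-- how many 8 KB pages are reserved and used, and how many extents that is.
SELECT OBJECT_NAME(p.object_id)      AS table_name,
       p.partition_number,
       i.type_desc                   AS structure,        -- CLUSTERED or HEAP
       au.type_desc                  AS allocation_unit,  -- IN_ROW_DATA, ROW_OVERFLOW_DATA, LOB_DATA
       au.total_pages,
       au.used_pages,
       au.data_pages,
       CEILING(au.total_pages / 8.0) AS extents
FROM sys.partitions AS p
JOIN sys.indexes AS i
  ON i.object_id = p.object_id AND i.index_id = p.index_id
JOIN sys.allocation_units AS au
  ON (au.type IN (1, 3) AND au.container_id = p.hobt_id)      -- in-row / row-overflow
  OR (au.type = 2       AND au.container_id = p.partition_id) -- LOB
WHERE p.object_id = OBJECT_ID(N'dbo.WideRow')
ORDER BY p.partition_number, au.type;
GO
-- Page verification: with PAGE_VERIFY CHECKSUM every page is written with a
-- checksum that is recomputed on read. New databases default to CHECKSUM, but a
-- database restored from an older version may still be on TORN_PAGE_DETECTION or NONE.
SELECT name, page_verify_option_desc
FROM sys.databases
WHERE name = N'StorageDemo';
ALTER DATABASE StorageDemo SET PAGE_VERIFY CHECKSUM;
-- A mismatch on read is raised as error 824 and logged here for follow-up
-- (event_type 2 = bad checksum).
SELECT database_id, file_id, page_id, event_type, error_count, last_update_date
FROM msdb.dbo.suspect_pages;
```

The allocation-unit join is deliberately split by type: in-row and row-overflow units are keyed by hobt_id, LOB units by partition_id. Run the last SELECT on a schedule; msdb.dbo.suspect_pages is the first place a checksum failure becomes visible without waiting for a DBCC CHECKDB pass.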
Concurrency and Locking:
SQL Server allows multiple clients to use the same database concurrently. As such, it needs to
control concurrent access to shared data, to ensure data integrity — when multiple clients update
the same data, or clients attempt to read data that is in the process of being changed by another
client. SQL Server provides two modes of concurrency control: pessimistic concurrency and
optimistic concurrency. When pessimistic concurrency control is being used, SQL Server
controls concurrent access by using locks. Locks can be either shared or exclusive. Exclusive
lock grants the user exclusive access to the data — no other user can access the data as long as the
lock is held. Shared locks are used when some data is being read — multiple users can read from
data locked with a shared lock, but not acquire an exclusive lock. The latter would have to wait
for all shared locks to be released. Locks can be applied on different levels of granularity — on
entire tables, pages, or even on a per-row basis on tables. For indexes, it can either be on the
entire index or on index leaves. The level of granularity to be used is defined on a per-database
basis by the database administrator. While a fine grained locking system allows more users to
use the table or index simultaneously, it requires more resources, so it does not automatically
translate into a higher-performing solution. SQL Server also includes two more lightweight mutual
exclusion solutions — latches and spinlocks — which are less robust than locks but are less
resource intensive. SQL Server uses them for DMVs and other resources that are usually not
busy. SQL Server also monitors all worker threads that acquire locks to ensure that they do not
end up in deadlocks — in case they do, SQL Server takes remedial measures, which in many
cases is to kill one of the threads entangled in a deadlock and rollback the transaction it started.
To implement locking, SQL Server contains the Lock Manager. The Lock Manager maintains an
in-memory table that manages the database objects and locks, if any, on them along with other
metadata about the lock. Access to any shared object is mediated by the lock manager, which
either grants access to the resource or blocks it.
SQL Server also provides the optimistic concurrency control mechanism, which is similar to the
multiversion concurrency control used in other databases. The mechanism allows a new version
of a row to be created whenever the row is updated, as opposed to overwriting the row, i.e., a
row is additionally identified by the ID of the transaction that created the version of the row.
Both the old as well as the new versions of the row are stored and maintained, though the old
versions are moved out of the database into a system database identified as Tempdb. When a row
is in the process of being updated, any other requests are not blocked (unlike locking) but are
executed on the older version of the row. If the other request is an update statement, it will result
in two different versions of the rows — both of them will be stored by the database, identified by
their respective transaction IDs.
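The two concurrency modes described above, as an added example that is not part of the original document. The script is written for two query windows: session 1 holds an open update while another session observes its locks, then the database is switched to row versioning and the same update no longer blocks readers. The ConcurrencyDemo database and dbo.Account table are constructed for the example; the commented-out SELECTs are the ones to run from the second window.

```sql
-- Added example, not from the original document: pessimistic (locking) vs
-- optimistic (row-versioning) concurrency in T-SQL. Assumes a throwaway
-- database named ConcurrencyDemo and two query windows.

-- ===== Setup (any session) =====
USE master;
GO
IF DB_ID(N'ConcurrencyDemo') IS NULL
    CREATE DATABASE ConcurrencyDemo;
GO
USE ConcurrencyDemo;
GO
CREATE TABLE dbo.Account (
    AccountId INT   NOT NULL PRIMARY KEY,
    Balance   MONEY NOT NULL
);
INSERT INTO dbo.Account (AccountId, Balance) VALUES (1, 100), (2, 250);
GO

-- ===== Session 1: pessimistic concurrency (the default) =====
BEGIN TRANSACTION;
UPDATE dbo.Account SET Balance = Balance - 40 WHERE AccountId = 1;
-- Leave the transaction open: session 1 now holds an exclusive (X) key lock.

-- ===== Session 2, while session 1 is still open =====
-- Under READ COMMITTED with locking this SELECT waits for session 1 to commit.
-- SELECT Balance FROM dbo.Account WHERE AccountId = 1;

-- ===== Session 3: the locks the Lock Manager is holding for this database =====
SELECT l.request_session_id,
       l.resource_type,                       -- KEY, PAGE, OBJECT, ...
       l.request_mode,                        -- X = exclusive, S = shared, IX/IS = intent
       l.request_status,                      -- GRANT, or WAIT for a blocked request
       OBJECT_NAME(p.object_id) AS object_name
FROM sys.dm_tran_locks AS l
LEFT JOIN sys.partitions AS p
       ON l.resource_type IN ('KEY', 'PAGE')
      AND l.resource_associated_entity_id = p.hobt_id
WHERE l.resource_database_id = DB_ID(N'ConcurrencyDemo')
ORDER BY l.request_session_id, l.resource_type;
GO

-- ===== Session 1: release the lock =====
COMMIT TRANSACTION;   -- balance of account 1 is now 60
GO

-- ===== Switch the database to optimistic concurrency =====
-- Readers are now served the last committed row version from tempdb instead
-- of waiting. WITH ROLLBACK IMMEDIATE kicks out other open sessions.
ALTER DATABASE ConcurrencyDemo SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;
ALTER DATABASE ConcurrencyDemo SET ALLOW_SNAPSHOT_ISOLATION ON;
GO

-- Session 1 again: another update left uncommitted.
BEGIN TRANSACTION;
UPDATE dbo.Account SET Balance = Balance - 40 WHERE AccountId = 1;

-- Session 2: no longer blocks, and returns the committed value 60, not 20.
-- SELECT Balance FROM dbo.Account WHERE AccountId = 1;

-- Any session: the versioned rows that readers are being served from.
SELECT DB_NAME(database_id) AS database_name, COUNT(*) AS versioned_rows
FROM sys.dm_tran_version_store
GROUP BY database_id;

-- Session 1: commit, then confirm both database options took effect.
COMMIT TRANSACTION;
SELECT name, is_read_committed_snapshot_on, snapshot_isolation_state_desc
FROM sys.databases
WHERE name = N'ConcurrencyDemo';
GO
```

Two practical notes: row versioning only removes reader-versus-writer blocking, so a second UPDATE of the same row from session 2 still waits for session 1's exclusive lock; and the version store lives in tempdb, so a long-running transaction under these settings can make tempdb grow until it commits.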
Data Retrieval:
The main mode of retrieving data from an SQL Server database is querying for it. The query is
expressed using a variant of SQL called T-SQL, a dialect Microsoft SQL Server shares with
Sybase SQL Server due to its legacy. The query declaratively specifies what is to be retrieved. It
is processed by the query processor, which figures out the sequence of steps that will be
necessary to retrieve the requested data. The sequence of actions necessary to execute a query is
called a query plan. There might be multiple ways to process the same query. For example, for a
query that contains a join statement and a select statement, executing join on both the tables and
then executing select on the results would give the same result as selecting from each table and
then executing the join, but result in different execution plans. In such case, SQL Server chooses
the plan that is expected to yield the results in the shortest possible time. This is called query
optimization and is performed by the query processor itself.
SQL Server includes a cost-based query optimizer which tries to optimize on the cost, in terms of
the resources it will take to execute the query. Given a query, the query optimizer looks at
the database schema, the database statistics and the system load at that time. It then decides
in which order to access the tables referred to in the query, in which order to execute the
operations and which access method to use for each table. For example, if the table has
an associated index, it decides whether the index should be used or not: if the index is on a
column whose values are not unique for most of the rows (low "selectivity"), it might not be
worthwhile to use the index to access the data. Finally, it decides whether to execute the query
in parallel or not. While a parallel execution is more costly in terms of total processor time,
splitting the work across several processors may mean the query completes sooner. Once a query
plan is generated for a query, it is temporarily cached. For further invocations of the same query,
the cached plan is used. Unused plans are discarded after some time.
SQL Server also allows stored procedures to be defined. Stored procedures are parameterized T-
SQL queries, that are stored in the server itself (and not issued by the client application as is the
case with general queries). Stored procedures can accept values sent by the client as input
parameters, and send back results as output parameters. They can call defined functions and
other stored procedures, including the same stored procedure recursively (up to a set nesting
limit). Access to them can be granted selectively. Unlike other queries, stored procedures have an
associated name, which is used at runtime to resolve into the actual queries. Also, because the code need not
be sent from the client every time (as it can be accessed by name), it reduces network traffic and
somewhat improves performance. Execution plans for stored procedures are also cached as
necessary.
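The points above about plan caching and selectively granted access to stored procedures, as an added example that is not part of the original document. It places a procedure that splices its parameter into the query text next to a properly parameterized one (and a parameterized dynamic-SQL variant using sp_executesql), grants EXECUTE to a role rather than SELECT on the table, and then reads the plan cache to show the single reused plan. The dbo.Customer table, the AppReaders role and the sample rows are constructed for the example.

```sql
-- Added example, not from the original document: stored procedures, plan
-- reuse and selective access. dbo.Customer, AppReaders and the two rows are
-- constructed for this example.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    Region     NVARCHAR(32)  NOT NULL
);
INSERT INTO dbo.Customer (Email, Region)
VALUES (N'a@example.test', N'EMEA'), (N'b@example.test', N'APAC');
GO

-- Anti-pattern: the parameter is spliced into the query text. Every distinct
-- value yields a new ad hoc plan, and the value is interpreted as code.
CREATE PROCEDURE dbo.GetCustomersByRegion_Unsafe @Region NVARCHAR(32)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE Region = ''' + @Region + N'''';
    EXEC (@sql);
END;
GO

-- Parameterized procedure: the value travels as data; one plan, compiled once
-- and reused on every call.
CREATE PROCEDURE dbo.GetCustomersByRegion @Region NVARCHAR(32)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Email
    FROM dbo.Customer
    WHERE Region = @Region;
END;
GO

-- If dynamic SQL is unavoidable, keep it parameterized with sp_executesql.
CREATE PROCEDURE dbo.GetCustomersByRegion_Dynamic @Region NVARCHAR(32)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email FROM dbo.Customer WHERE Region = @r;';
    EXEC sys.sp_executesql @sql, N'@r NVARCHAR(32)', @r = @Region;
END;
GO

-- Selective access: callers get EXECUTE on the procedure, not SELECT on the
-- table. Ownership chaining (both objects owned by dbo) makes the read work.
CREATE ROLE AppReaders;
GRANT EXECUTE ON OBJECT::dbo.GetCustomersByRegion TO AppReaders;
GO

EXEC dbo.GetCustomersByRegion @Region = N'EMEA';
EXEC dbo.GetCustomersByRegion @Region = N'APAC';
GO

-- One cached plan for the procedure, used twice (needs VIEW SERVER STATE).
SELECT cp.objtype, cp.usecounts,
       OBJECT_NAME(st.objectid, st.dbid) AS object_name
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.objectid = OBJECT_ID(N'dbo.GetCustomersByRegion');
```

Running the two EXECs against the unsafe procedure instead and repeating the plan-cache query shows the difference directly: the ad hoc text carries the literal, so each distinct region value produces its own entry.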
SQL CLR:
Microsoft SQL Server 2005 includes a component named SQL CLR ("Common Language
Runtime") via which it integrates with .NET Framework. Unlike most other applications that use
.NET Framework, SQL Server itself hosts the .NET Framework runtime, i.e., memory, threading
and resource management requirements of .NET Framework are satisfied by SQLOS itself,
rather than the underlying Windows operating system. SQLOS provides deadlock detection and
resolution services for .NET code as well. With SQL CLR, stored procedures and triggers can be
written in any managed .NET language, including C# and VB.NET. Managed code can also be
used to define UDTs (user-defined types), which can persist in the database. Managed code is
compiled to CLI assemblies and after being verified for type safety, registered at the database.
After that, they can be invoked like any other procedure. However, only a subset of the Base
Class Library is available, when running code under SQL CLR. Most APIs relating to user
interface functionality are not available.
When writing code for SQL CLR, data stored in SQL Server databases can be accessed using the
ADO.NET APIs like any other managed application that accesses SQL Server data. However,
doing that creates a new database session, different from the one in which the code is executing.
To avoid this, SQL Server provides some enhancements to the ADO.NET provider that allows
the connection to be redirected to the same session which already hosts the running code. Such
connections are called context connections and are set by setting context connection parameter to
true in the connection string. SQL Server also provides several other enhancements to the
ADO.NET API, including classes to work with tabular data or a single row of data as well as
classes to work with internal metadata about the data stored in the database. It also provides
access to the XML features in SQL Server, including XQuery support. These enhancements are
also available in T-SQL Procedures in consequence of the introduction of the new XML Data
type (query, value, nodes functions).
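The registration step described above ("compiled to CLI assemblies and after being verified for type safety, registered at the database"), as an added example that is not part of the original document. It goes one step beyond the text by showing the permission set chosen at registration, which is what bounds what the managed code may touch from inside the SQLOS host. The assembly path, the RegionStats assembly and the Demo.RegionStats.CountByRegion method are placeholders.

```sql
-- Added example, not from the original document: enabling CLR, registering an
-- assembly with the most restrictive permission set, exposing one method as a
-- procedure, and auditing what is loaded. Path and names are placeholders.

-- 1. CLR execution is off by default and is an instance-wide setting.
EXEC sys.sp_configure N'clr enabled', 1;
RECONFIGURE;
GO

-- 2. Register the assembly. SAFE allows computation and data access through the
--    context connection only; no file, network or registry access. EXTERNAL_ACCESS
--    and UNSAFE widen that and require the database to be TRUSTWORTHY or the
--    assembly to be signed with a key that has the matching server permission.
CREATE ASSEMBLY RegionStats
FROM N'C:\path\to\RegionStats.dll'          -- placeholder path
WITH PERMISSION_SET = SAFE;
GO

-- 3. Surface one static method as a T-SQL procedure. From here on callers
--    EXEC it like any other procedure and can be granted EXECUTE selectively.
CREATE PROCEDURE dbo.clr_CountByRegion @Region NVARCHAR(32)
AS EXTERNAL NAME RegionStats.[Demo.RegionStats].CountByRegion;   -- placeholder names
GO

-- 4. Audit: user assemblies, their permission sets and when they were loaded.
SELECT a.name, a.permission_set_desc, a.is_visible, a.create_date, a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
ORDER BY a.permission_set_desc DESC, a.name;
```

Inside the managed code, the in-process session the text describes is reached with a connection string of "context connection=true"; anything else opens a second session with its own transaction and locks. On SQL Server 2017 and later the separate "clr strict security" option treats every assembly as UNSAFE unless it is signed, so step 2 needs a signing key there even for SAFE code.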
Services:
SQL Server also includes an assortment of add-on services. While these are not essential for the
operation of the database system, they provide value added services on top of the core database
management system. These services either run as part of some SQL Server component or
out-of-process as a Windows service, and present their own API to control and interact with them.
Service Broker:
Used inside an instance, Service Broker provides an asynchronous programming environment. For
cross-instance applications, Service Broker communicates over TCP/IP and allows the different
components to be synchronized
together, via exchange of messages. The Service Broker, which runs as a part of the database
engine, provides a reliable messaging and message queuing platform for SQL Server
applications.
Replication:
SQL Server Replication Services are used by SQL Server to replicate and synchronize database
objects, either in entirety or a subset of the objects present, across replication agents, which
might be other database servers across the network, or database caches on the client side.
Replication follows a publisher/subscriber model, i.e., the changes are sent out by one database
server ("publisher") and are received by others ("subscribers"). SQL Server supports three
different types of replication.
Transaction Replication:
Each transaction made to the publisher database (master database) is synced out to subscribers,
who update their databases with the transaction. Transactional replication synchronizes databases
in near real time.
Merge Replication:
Changes made at both the publisher and subscriber databases are tracked, and periodically the
changes are synchronized bi-directionally between the publisher and the subscribers. If the same
data has been modified differently in both the publisher and the subscriber databases,
synchronization will result in a conflict which has to be resolved - either manually or by using
pre-defined policies. rowguid needs to be configured on a column if merge replication is
configured.
Snapshot:
Snapshot replication publishes a copy of the entire database (the then-snapshot of the data) and
replicates out to the subscribers. Further changes to the snapshot are not tracked.
Analytical Services:
SQL Server Analysis Services adds OLAP and data mining capabilities for SQL Server
databases. The OLAP engine supports MOLAP, ROLAP and HOLAP storage modes for data.
Analysis Services supports the XML for Analysis standard as the underlying communication
protocol. The cube data can be accessed using MDX and LINQ queries. Data mining specific
functionality is exposed via the DMX query language. Analysis Services includes various
algorithms - Decision trees, clustering algorithm, Naive Bayes algorithm, time series analysis,
sequence clustering algorithm, linear and logistic regression analysis, and neural networks - for
use in data mining.
Reporting Services:
SQL Server Reporting Services is a report generation environment for data gathered from SQL
Server databases. It is administered via a web interface. Reporting services features a web
services interface to support the development of custom reporting applications. Reports are
created as RDL files.
Reports can be designed using recent versions of Microsoft Visual Studio (Visual Studio.NET
2003, 2005, and 2008) with Business Intelligence Development Studio, installed or with the
included Report Builder. Once created, RDL files can be rendered in a variety of formats
including Excel, PDF, CSV, XML, TIFF (and other image formats), and HTML Web Archive.
Notification:
Originally introduced as a post-release add-on for SQL Server 2000, Notification Services was
bundled as part of the Microsoft SQL Server platform for the first and only time with SQL
Server 2005. SQL Server Notification Services is a mechanism for generating data-driven
notifications, which are sent to Notification Services subscribers. A subscriber registers for a
specific event or transaction (which is registered on the database server as a trigger); when the
event occurs, Notification Services can use one of three methods to send a message to the
subscriber informing about the occurrence of the event. These methods include SMTP, SOAP, or
by writing to a file in the file system. Notification Services was discontinued by Microsoft with
the release of SQL Server 2008 in August 2008, and is no longer an officially supported
component of the SQL Server database platform.
Integration Services:
SQL Server Integration Services is used to integrate data from different data sources. It provides
the ETL capabilities of SQL Server for data warehousing needs. Integration Services
includes GUI tools to build data extraction workflows that integrate various functions such as
extracting data from various sources, querying data, transforming data (including aggregating,
duplicating and merging data), and then loading the transformed data into other sources, or
sending e-mails detailing the status of the operation as defined by the user.
Full Text Search Service:
SQL Server Full Text Search service is a specialized indexing and querying service for
unstructured text stored in SQL Server databases. The full text search index can be created on
any column with character based text data. It allows for words to be searched for in the text
columns. While this can be done with the SQL LIKE operator, using the SQL Server Full Text
Search service can be more efficient. Full Text Search allows for inexact matching of the source
string, indicated by a Rank value which can range from 0 to 1000 - a higher rank means a more accurate
match. It also allows linguistic matching ("inflectional search"), i.e., linguistic variants of a word
(such as a verb in a different tense) will also be a match for a given word (but with a lower rank
than an exact match). Proximity searches are also supported, i.e., if the words searched for do not
occur in the sequence they are specified in the query but are near each other, they are also
considered a match. T-SQL exposes special operators that can be used to access the FTS
capabilities.
The Full Text Search engine is divided into two processes - the Filter Daemon process
(msftefd.exe) and the Search process (msftesql.exe). These processes interact with the SQL
Server. The Search process includes the indexer (that creates the full text indexes) and the full
text query processor. The indexer scans through text columns in the database. It can also index
through binary columns, and use iFilters to extract meaningful text from the binary blob (for
example, when a Microsoft Word document is stored as an unstructured binary file in a
database). The iFilters are hosted by the Filter Daemon process. Once the text is extracted, the
Filter Daemon process breaks it up into a sequence of words and hands it over to the indexer.
The indexer filters out noise words, i.e., words like A, And etc., which occur frequently and are
not useful for search. With the remaining words, an inverted index is created, associating each
word with the columns they were found in. SQL Server itself includes a Gatherer component that
monitors changes to tables and invokes the indexer in case of updates.
When a full text query is received by the SQL Server query processor, it is handed over to the
FTS query processor in the Search process. The FTS query processor breaks up the query into
the constituent words, filters out the noise words, and uses an inbuilt thesaurus to find out the
linguistic variants for each word. The words are then queried against the inverted index and a
rank of their accurateness is computed. The results are returned to the client via the SQL Server
process.
SQL CMD:
SQLCMD is a command line application that comes with Microsoft SQL Server, and exposes
the management features of SQL Server. It allows SQL queries to be written and executed from
the command prompt. It can also act as a scripting language to create and run a set of SQL
statements as a script. Such scripts are stored as a .sql file, and are used either for management of
databases or to create the database schema during the deployment of a database. SQLCMD was
introduced with SQL Server 2005 and continues with SQL Server 2008. Its predecessors in
earlier versions were OSQL and ISQL, which are functionally equivalent as far as T-SQL
execution is concerned, and many of the command line parameters are identical, although SQLCMD
adds extra versatility.
Visual Studio:
Microsoft Visual Studio includes native support for data programming with
Microsoft SQL Server. It can be used to write and debug code to be executed by SQL CLR. It
also includes a data designer that can be used to graphically create, view or edit database
schemas. Queries can be created either visually or using code. SSMS 2008 onwards provides
IntelliSense for SQL queries as well.
SQL Server Management Studio:
SQL Server Management Studio is a GUI tool included with SQL Server 2005 and later for
configuring, managing, and administering all components within Microsoft SQL Server. The tool
includes both script editors and graphical tools that work with objects and features of the server.
SQL Server Management Studio replaces Enterprise Manager as the primary management
interface for Microsoft SQL Server since SQL Server 2005. A version of SQL Server
Management Studio is also available for SQL Server Express Edition, for which it is known as
SQL Server Management Studio Express (SSMSE).
A central feature of SQL Server Management Studio is the Object Explorer, which allows the
user to browse, select, and act upon any of the objects within the server. It can be used to visually
observe and analyze query plans and optimize the database performance, among others. SQL
Server Management Studio can also be used to create a new database, alter any existing database
schema by adding or modifying tables and indexes, or analyze performance. It includes the query
windows which provide a GUI based interface to write and execute queries.
Business Intelligence Development Studio:
Business Intelligence Development Studio (BIDS) is the IDE from Microsoft used for
developing data analysis and Business Intelligence solutions utilizing the Microsoft SQL Server
Analysis Services, Reporting Services and Integration Services. It is based on the Microsoft
Visual Studio development environment but is customized with the SQL Server services-specific
extensions and project types, including tools, controls and projects for reports (using Reporting
Services), Cubes and data mining structures (using Analysis Services).
T-SQL:
T-SQL (Transact-SQL) is the Secondary means of programming and managing SQL Server. It
exposes keywords for the operations that can be performed on SQL Server, including creating
and altering database schemas, entering and editing data in the database as well as monitoring
and managing the server itself. Client applications that consume data or manage the server will
leverage SQL Server functionality by sending T-SQL queries and statements which are then
processed by the server and results (or errors) returned to the client application. SQL Server
allows it to be managed using T-SQL. For this it exposes read-only tables from which server
statistics can be read. Management functionality is exposed via system-defined stored procedures
which can be invoked from T-SQL queries to perform the management operation. It is also
possible to create a linked server using T-SQL; a linked server allows a single query to operate
on multiple servers.
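The linked-server capability mentioned above, as an added example that is not part of the original document. It creates the link with the system stored procedures, replaces the catch-all login mapping with one explicit low-privilege mapping, runs a query that spans both servers, and finishes with an audit of how every linked server maps logins. The server name REMOTE1, the data source remotehost\inst and the login names are placeholders.

```sql
-- Added example, not from the original document: creating a linked server from
-- T-SQL and controlling how local logins are mapped to it. REMOTE1,
-- remotehost\inst and the login names are placeholders.
USE master;
GO
-- 1. Define the remote instance. SQLNCLI is the SQL Native Client OLE DB provider.
EXEC sys.sp_addlinkedserver
     @server     = N'REMOTE1',
     @srvproduct = N'',
     @provider   = N'SQLNCLI',
     @datasrc    = N'remotehost\inst';        -- placeholder

-- 2. sp_addlinkedserver installs a default mapping in which every local login
--    connects with its own credentials (works only with Kerberos delegation).
--    Replace it with one explicit mapping to a low-privilege remote login.
--    Mapping all logins to a single privileged remote account would hand
--    that account's rights to every local user.
EXEC sys.sp_addlinkedsrvlogin
     @rmtsrvname  = N'REMOTE1',
     @useself     = N'FALSE',
     @locallogin  = N'CORP\report.reader',    -- placeholder local login
     @rmtuser     = N'reportreader',          -- placeholder remote SQL login
     @rmtpassword = N'<remote-password>';
EXEC sys.sp_droplinkedsrvlogin @rmtsrvname = N'REMOTE1', @locallogin = NULL;
GO

-- 3. One query over two servers, using a four-part name for the remote object.
SELECT TOP (5) r.name, r.create_date
FROM REMOTE1.master.sys.databases AS r
JOIN sys.databases AS l ON l.name = r.name;  -- databases present on both sides
GO

-- 4. Audit: every linked server and how its logins are mapped. A row whose
--    local_login is the catch-all entry with uses_self_credential = 0 means all
--    local logins share the remote_name account.
SELECT s.name AS linked_server, s.provider, s.data_source, s.is_rpc_out_enabled,
       COALESCE(SUSER_NAME(ll.local_principal_id), N'<all other logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

The audit query is the part worth keeping in a baseline script: linked servers outlive the projects that created them, and a stale catch-all mapping to an administrative remote login is a common way for least privilege to erode across instances.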
SQL Native Client:
SQL Native Client is the native client side data access library for Microsoft SQL Server, version
2005 onwards. It natively implements support for the SQL Server features including the Tabular
Data Stream implementation, support for mirrored SQL Server databases, full support for all data
types supported by SQL Server, asynchronous operations, query notifications, encryption
support, as well as receiving multiple result sets in a single database session. SQL Native Client
is used under the hood by SQL Server plug-ins for other data access technologies, including
ADO or OLE DB. The SQL Native Client can also be directly used, bypassing the generic data
access layers.
Literature Review
10 Must-Do SQL Server Security Tasks – By David Maman, GreenSQL CTO
As we roll into 2013, here's our review of the top ways organizations need to be protecting their
databases. While Microsoft's documentation does a great job covering best practices for database
programmers, that is still not enough to protect against many of today's threats. In fact, as many
as 65% of database breaches are inside jobs, that is, they are performed by someone who is
authorized to access the database.
Fortunately, by taking appropriate precautions, most of these breaches can be prevented or
detected before they get out of hand.
1. Use a dedicated server for your database: Host your SQLS2012 database on a
dedicated server. Whether it is local or in the cloud, spend the extra cash on a dedicated
server to prevent security leaks and breaches.
2. Harden the Operating System: On your dedicated server, the first step is to
implement operating system hardening. Many hardening techniques exist. At a
minimum, you need to:
Change the default ports, as described below.
Hide SQL instances from showing in the network, as described below.
Allow only network protocols that are needed.
CONNECT permission should be granted only on endpoints to logins that need to use
them.
If there is a need to work with SQL Login, install an SSL certificate from a trusted
CA rather than SQL Server's self-signed certificates.
Avoid the exposure of SQL Server to the public internet/intranet.
Change the default ports:
1. From the Start menu, choose All Programs > Microsoft SQL Server 2012 >
Configuration Tools > SQL Server Configuration Manager.
2. Expand the SQL Server 2012 Network Configuration node and select Protocols
for the SQL Server instance to be configured.
3. In the right pane, right-click the protocol name TCP/IP and choose Properties.
4. In the TCP/IP Properties dialog box, select the IP Addresses tab.
Hide SQL Instances from showing in the network:
The SQL Server Browser service enumerates SQL Server information on the network.
Attackers can use SQL Server clients to browse the current infrastructure and retrieve a
list of running SQL Server instances.
To hide SQL instances:
1. From the Start menu, choose All Programs, Microsoft SQL Server 2012,
Configuration Tools, SQL Server Configuration Manager.
2. Expand the SQL Server 2012 Network Configuration node and select Protocols for
the SQL Server instance to be configured.
3. Right-click Protocols for [Server\Instance Name] and choose Properties.
4. In the Hide Instance box on the Protocols for [Server\Instance Name] Properties page,
select Yes.
5. Click OK.
6. Restart the services for the change to take effect.
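The port, instance-hiding and endpoint CONNECT advice above can be verified from T-SQL rather than only from the Configuration Manager dialogs; the following is an added example, not part of the article or of any GreenSQL material. It lists the addresses and ports the engine is actually listening on, the state of the SQL Server Browser service, and who holds CONNECT on each endpoint, then restricts one TCP endpoint to a named login. The queries need VIEW SERVER STATE; the login CORP\app.service is a placeholder.

```sql
-- Added example, not from the original document: verifying listener ports, the
-- Browser service and endpoint CONNECT grants from T-SQL. CORP\app.service is
-- a placeholder login.

-- 1. Addresses and ports the engine is listening on (SQL Server 2012 and later).
--    A changed port shows up here only after the service restart.
SELECT ip_address, port, type_desc, state_desc, start_time
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL'
ORDER BY ip_address, port;

-- 2. SQL Server Browser answers instance enumeration and named-instance port
--    lookups. Hiding the instance stops it from being advertised; stopping the
--    Browser removes enumeration for every instance on the host, at the cost of
--    clients having to specify the port for named instances.
SELECT servicename, startup_type_desc, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server Browser%';

-- 3. Which logins hold CONNECT on each endpoint. A grant to public means any
--    login may connect through that endpoint.
SELECT e.name AS endpoint, e.protocol_desc, e.state_desc,
       sp.name AS grantee, p.state_desc AS permission_state
FROM sys.endpoints AS e
LEFT JOIN sys.server_permissions AS p
       ON p.class_desc = N'ENDPOINT'
      AND p.major_id = e.endpoint_id
      AND p.permission_name = N'CONNECT'
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = p.grantee_principal_id
ORDER BY e.name, sp.name;

-- 4. Limit the default TCP endpoint to a named login instead of everyone.
--    Keep a second session open while testing: revoking public on the endpoint
--    your own session uses cuts off every login that is not sysadmin.
REVOKE CONNECT ON ENDPOINT::[TSQL Default TCP] FROM public;
GRANT  CONNECT ON ENDPOINT::[TSQL Default TCP] TO [CORP\app.service];   -- placeholder
```

Members of sysadmin are unaffected by the REVOKE in step 4, which is why step 3 should be re-run afterwards: the list of grantees on [TSQL Default TCP] is the complete set of non-administrative logins that can still reach the instance over TCP.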
3. Control Admin Access to the database
You should control not only the individuals who have access to the database, but also
how administrators access the database.
Administrator Privileges Control
Elevated permissions are allowed not only for sysadmin users, but also any login with the
built-in SA account, and also any login with CONTROL SERVER permission. For accountability
in the database, avoid relying on the Administrators group and add only specific database
administrators to the sysadmin role. For a full description of best practices, see the official
documentation by Microsoft entitled SQL Server 2012 Security Best Practice
Whitepaper.
Quick Tips for Admin Privileges
Administrator privileges should be used only when they are really needed.
Have as few admins as possible.
Do not use one login for more than one administrator. Each admin should have his or
her own account.
Provision admin principals explicitly.
Do not use the "BUILTIN\Administrators" Windows group.
Regularly audit to ensure only the appropriate authorized individuals have admin
access privileges.
Removing the Builtin/Administrators Group
Following is a Transact-SQL (T-SQL) syntax for removing the BUILTIN\Administrators
Windows Group from a SQL Server instance. You should use this if a group exists from
previous versions of SQL Server or using BETA code.
To remove the BUILTIN\Administrators group, run the following code on each SQL Server
instance installed in the organization:
USE master
IF EXISTS (SELECT * FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators')
DROP LOGIN [BUILTIN\Administrators]
GO
Control Admin Access Routes to the Database
Not only can you restrict the individuals who have admin access, but you can also restrict
the routes of admin control. Using a tool such as GreenSQL, you can ensure that access
to admin privileges can come only from certain IP addresses or specific computers. This
way, if someone leaves the company or if login information is compromised, it will be
impossible for anyone else to use that login data.
Managing Non-Administrative Users
It's important to manage users who are not admins but have access to the database for
other purposes. As with system administrators, it's important to not only give different
authentication to different types of users, but also to control the routes of access to the
database.
SQL Server instance can contain many databases which were created by users who are
database owners -DBO (by default) as shown in the following image: User workshop
created the workshop database and is a member of db_owner database role.
Best practices for non-administrator roles:
Minimize the number of accounts/users that have the db_owner role for each database.
Have distinct owners for databases; not all databases should be owned by SA or by
any other user in sysadmin server role.
Control the access methods and IP addresses for access of the database on a per-role
basis.
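The three controls the article asks for in this task, auditing who is effectively an administrator, auditing db_owner membership and database ownership per database, and restricting the route an admin login may take, as an added example that is not part of the article. The logon trigger in step 3 is a built-in alternative to the GreenSQL proxy the article mentions, not a description of that product. The login CORP\dba.alice and the host addresses are placeholders.

```sql
-- Added example, not from the original document: listing every principal with
-- administrative rights, db_owner membership per database, and restricting
-- where one admin login may connect from. Login name and hosts are placeholders.

-- 1. Server-level administrators: sysadmin members, CONTROL SERVER holders and sa.
WITH admins AS (
    SELECT p.name, p.type_desc, p.is_disabled, p.sid,
           CASE WHEN EXISTS (SELECT 1
                             FROM sys.server_role_members AS rm
                             JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
                             WHERE rm.member_principal_id = p.principal_id
                               AND r.name = N'sysadmin') THEN 1 ELSE 0 END AS in_sysadmin,
           CASE WHEN EXISTS (SELECT 1
                             FROM sys.server_permissions AS sp
                             WHERE sp.grantee_principal_id = p.principal_id
                               AND sp.permission_name = N'CONTROL SERVER'
                               AND sp.state IN ('G', 'W')) THEN 1 ELSE 0 END AS has_control_server
    FROM sys.server_principals AS p
    WHERE p.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
)
SELECT name, type_desc, is_disabled, in_sysadmin, has_control_server
FROM admins
WHERE in_sysadmin = 1 OR has_control_server = 1 OR sid = 0x01   -- sa always has sid 0x01
ORDER BY name;

-- 2. Database owner and db_owner members for every online database.
--    (dbo is always listed; anything else is an explicit grant to review.)
CREATE TABLE #DbOwners (database_name SYSNAME, database_owner SYSNAME NULL, db_owner_member SYSNAME);
DECLARE @db SYSNAME, @sql NVARCHAR(MAX);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #DbOwners (database_name, database_owner, db_owner_member)
        SELECT DB_NAME(),
               SUSER_SNAME((SELECT owner_sid FROM sys.databases WHERE database_id = DB_ID())),
               m.name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''db_owner'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;
SELECT * FROM #DbOwners ORDER BY database_name, db_owner_member;
DROP TABLE #DbOwners;
GO

-- 3. Allow one administrative login only from known workstations. ROLLBACK in a
--    logon trigger refuses the connection. Keep a second sysadmin session open
--    while testing: a faulty logon trigger blocks every login, and recovery is
--    then via the Dedicated Admin Connection (sqlcmd -A) followed by
--    DROP TRIGGER trg_AdminHostRestriction ON ALL SERVER;
CREATE TRIGGER trg_AdminHostRestriction
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'CORP\dba.alice'                                  -- placeholder
       AND EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'NVARCHAR(64)')
           NOT IN (N'<local machine>', N'10.0.5.21', N'10.0.5.22')           -- placeholders
        ROLLBACK;
END;
GO
```

ClientHost in the logon EVENTDATA is the address the engine saw, so a compromised credential used from an unexpected host is refused before it can run a statement; the refused attempt is also recorded in the error log as a failed login, which is the event a monitoring rule should watch for.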
4. Encrypt the Data Between App and SQL Server 2012
The MS SQL database comes with built-in encryption within the database. However, it is
also crucial to encrypt the data as it is passed between the app and the database.
Furthermore, it's important to limit access to this information.
Best practices for encryption:
Ensure that DBAs and other people using the database do not have access to
sensitive information.
When sending information to users who do not need to know the actual content,
mask the sensitive information.
Limit the amount of information that can be drawn from the database by those
who have access to the database.
Set up rules to identify authorized and unauthorized use of data, including the IP
addresses and routes for accessing data, not username-only authentication.
Set up encryption keys between applications and the database.
Implement cell-level encryption.
Implement Transparent Data Encryption.
Encrypt high-value and sensitive data.
Use symmetric keys to encrypt data, and asymmetric keys or certificates to
protect the symmetric keys.
Password-protect keys and remove master key encryption for the most secure
configuration.
Always back up the service master key, database master keys, and certificates by
using the key-specific DDL statements.
Always back up your database to back up your symmetric and asymmetric keys.
Perform SSL configuration
Cell Level Encryption
SQL Server 2012 has an encryption hierarchy, as shown below.
The top-level resource in the SQL Server encryption hierarchy is the Service
Master Key, which is encrypted by the Windows Data Protection API. Encrypt all
Service Master Keys.
Next is the Database Master Key. This key can be used to create certificates and
asymmetric keys.
Third are certificates and asymmetric keys. Both can be used to create symmetric
keys or encrypt data directly.
Finally, symmetric keys can also be used to encrypt data.
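The encryption hierarchy just listed, walked top to bottom in T-SQL, as an added example that is not part of the article. It backs up the Service Master Key, creates and backs up a Database Master Key and a certificate, wraps an AES symmetric key with that certificate, encrypts one column with an authenticator bound to the row, and ends with the "remove master key encryption" hardening the best-practice list mentions. The CustomerDb database, the dbo.PaymentCard table, the key and file names, the passwords and the card number are placeholders or constructed test data.

```sql
-- Added example, not from the original document: cell-level encryption through
-- the SMK -> DMK -> certificate -> symmetric key hierarchy. Database, paths,
-- passwords and the card number are placeholders / constructed test values.
USE master;
GO
-- 1. Top of the hierarchy: the Service Master Key is protected by Windows DPAPI.
--    Back it up before anything depends on it.
BACKUP SERVICE MASTER KEY TO FILE = N'D:\KeyBackups\smk.bak'             -- placeholder path
    ENCRYPTION BY PASSWORD = N'<smk-backup-password>';
GO
USE CustomerDb;                                                           -- placeholder database
GO
-- 2. The Database Master Key: encrypted by the SMK (so it auto-opens) and by a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<dmk-password>';
BACKUP MASTER KEY TO FILE = N'D:\KeyBackups\customerdb_dmk.bak'
    ENCRYPTION BY PASSWORD = N'<dmk-backup-password>';
GO
-- 3. A certificate whose private key will protect the symmetric key.
CREATE CERTIFICATE CardCert WITH SUBJECT = N'Protects CardKey';
BACKUP CERTIFICATE CardCert TO FILE = N'D:\KeyBackups\CardCert.cer'
    WITH PRIVATE KEY (FILE = N'D:\KeyBackups\CardCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<pvk-backup-password>');
GO
-- 4. The symmetric key does the bulk encryption; the certificate only wraps it.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
-- 5. Encrypt a column. The authenticator (a hash of the row key) ties the
--    ciphertext to its row, so a value cannot be copied into another row and
--    still decrypt.
CREATE TABLE dbo.PaymentCard (
    CustomerId    INT            NOT NULL PRIMARY KEY,
    CardNumberEnc VARBINARY(256) NOT NULL
);
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.PaymentCard (CustomerId, CardNumberEnc)
VALUES (42, EncryptByKey(Key_GUID(N'CardKey'), N'4111111111111111',  -- constructed test number
                         1, HashBytes('SHA2_256', CONVERT(VARBINARY, 42))));
-- 6. Read it back: only a session that can open CardKey gets plaintext;
--    a wrong authenticator yields NULL.
SELECT CustomerId,
       CONVERT(NVARCHAR(32),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA2_256', CONVERT(VARBINARY, CustomerId)))) AS CardNumber
FROM dbo.PaymentCard;
CLOSE SYMMETRIC KEY CardKey;
GO
-- 7. The hardening from the best-practice list: stop the SMK from auto-opening
--    the DMK. After this a sysadmin who does not hold the DMK password sees only
--    ciphertext, and each decrypting session must first run
--    OPEN MASTER KEY DECRYPTION BY PASSWORD = N'<dmk-password>';
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
GO
```

Step 7 is the trade-off the article's "most secure configuration" implies: with the SMK link removed, encrypted data is unreadable to anyone who lacks the DMK password, including the DBA, which is exactly the separation of duties the preceding list asks for, and it also means the application, not the server, has to supply that password.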
5. TDE – Transparent Data Encryption in SQL Server 2012 (Database Level
Encryption)
TDE provides real time encryption of data and log files. It is important to mention that
this is database level encryption. Data is encrypted before it is written to disk and
decrypted when it is read from disk. The "transparent" aspect of TDE is that the
encryption is performed by the database engine and SQL Server clients are completely
unaware of it. There is absolutely no code that needs to be written to perform the
encryption and decryption.
The database is prepared for TDE, and then the encryption is turned on at the database
level via an ALTER DATABASE command. With TDE, the backup files are also
encrypted when using just the standard BACKUP command.
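The preparation and ALTER DATABASE step described above, as an added example that is not part of the article. It creates the server-side certificate that protects the database encryption key, backs that certificate up, creates the key, turns encryption on and then watches the background encryption scan. The CustomerDb database, the TdeCert certificate, the file paths and the passwords are placeholders.

```sql
-- Added example, not from the original document: enabling Transparent Data
-- Encryption on one database. Database, certificate, paths and passwords are
-- placeholders.
USE master;
GO
-- 1. A DMK in master (if absent) and a server certificate to protect the DEK.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<master-dmk-password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE certificate for CustomerDb';
GO
-- 2. Back the certificate up now. Without it, backups of the database cannot be
--    restored and its files cannot be attached on any other instance.
BACKUP CERTIFICATE TdeCert TO FILE = N'D:\KeyBackups\TdeCert.cer'           -- placeholder path
    WITH PRIVATE KEY (FILE = N'D:\KeyBackups\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<tde-pvk-password>');
GO
-- 3. Prepare the database: a database encryption key wrapped by the certificate.
USE CustomerDb;                                                             -- placeholder database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 4. Turn encryption on. Existing pages are encrypted by a background scan;
--    new writes are encrypted immediately. Clients notice nothing.
ALTER DATABASE CustomerDb SET ENCRYPTION ON;
GO
-- 5. Watch the scan and confirm the final state (3 = encrypted).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,                     -- 2 = encryption in progress, 3 = encrypted
       percent_complete,
       key_algorithm, key_length,
       encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

Once any user database is encrypted this view also lists tempdb, which SQL Server encrypts automatically. For restore testing, the certificate from step 2 must be created on the target instance (CREATE CERTIFICATE ... FROM FILE ... WITH PRIVATE KEY) before the encrypted backup is restored.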
6. Reduce the potential attack surface
Attack Surface refers to the potential entrances for attack. It's advisable only to enable the
features that are essential for any given database.
SQL Server comes with several features that administrators can choose to install during
the installation process:
Database Engine
Reporting Services
Integration Services
Analysis Services Engine
Notification Services
Documentation and Samples
(Sample databases & codes)
Analyze your needs and install only the features you need.
Surface Area Reduction Practices
Use sp_configure (or, from SQL Server 2008 onwards, the Surface Area Configuration
facet of Policy-Based Management; the stand-alone Surface Area Configuration tool
shipped only with SQL Server 2005) to enable only the features that are needed.
Do not install sample databases and sample code on SQL servers in the
production environment.
Use only development and test environments for sample databases and sample
code on SQL servers.
When upgrading from SQL Server 2000 to 2005 and higher, review the
configuration settings and turn off features such as xp_cmdshell. The upgrade
process does not change these settings by default.
Turn off unnecessary services by setting them to disabled or manual startup.
Disable unneeded system stored procedures (xp_cmdshell, Ole Automation Procedures,
Ad Hoc Distributed Queries and the like) through sp_configure.
Enforce a standard policy for extended procedure usage and document each
exception to the standard policy.
Do not remove the system stored procedures by dropping them; SQL Server itself and
future upgrades depend on them.
Do not DENY all users/administrators access to the extended procedures.
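The sp_configure procedure the list refers to, as an added example rather than code from the original report: record the current state, switch off the options that an attacker with a SQL login most often reaches for, and verify. The set of options is a typical one and is an assumption about what a given instance can do without; an instance that deploys CLR assemblies keeps 'clr enabled' at 1.

```sql
-- Snapshot the switches that matter most before changing anything; value_in_use is
-- the running value. Keep this output as evidence of the pre-change state.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries',
               'clr enabled', 'remote access', 'Database Mail XPs',
               'remote admin connections', 'scan for startup procs')
ORDER BY name;

-- These options are "advanced", so sp_configure only exposes them after this.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Disable what the instance does not need. Each is off by default on a fresh install;
-- an upgrade from SQL Server 2000 carries the old value forward, hence the review.
EXEC sp_configure 'xp_cmdshell', 0;                -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;  -- sp_OACreate and friends
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; -- OPENROWSET/OPENDATASOURCE to arbitrary sources
EXEC sp_configure 'clr enabled', 0;                -- leave at 1 only if CLR assemblies are deployed
EXEC sp_configure 'scan for startup procs', 0;     -- nothing runs automatically at service start
RECONFIGURE;

-- Hide the advanced options again so routine sp_configure output stays short.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify: every listed option should now show value_in_use = 0, so the desired
-- result of this query is an empty set.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries',
               'clr enabled', 'scan for startup procs')
  AND value_in_use <> 0;
```

The verification query is worth scheduling: any sysadmin can re-enable xp_cmdshell with two statements, and a drift check that emails a non-empty result is the cheapest detection for that.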
7. Implement Strong Authentication
Use Windows Authentication mode, described below, when possible.
Use Mixed Mode Authentication, described below, only for legacy applications
and non-Windows users.
SQL Server authentication is described below, but it is NOT the recommended
mode. It should be used only as part of mixed mode, and then with complex
passwords and the SQL Server 2012 password and lockout policies enforced
(CHECK_POLICY and CHECK_EXPIRATION on each SQL login).
Maintain a strong password policy for the sa account and change the password
periodically.
Do not manage SQL Server using the sa login. Assign the sysadmin role
to a known user or, better, to a Windows group.
When using Mixed Mode Authentication be aware that potential attackers know
the sa login exists. Knowing a valid login name makes brute-forcing the instance
one step easier.
To reduce this exposure in mixed mode, rename the sa account and disable it. Before
renaming, make sure there is at least one additional login with sysadmin privileges,
so that access to the instance is not lost.
Mixed Mode: SQL Server & Windows Authentication
The SQL authentication mechanism is based on accounts that are managed inside the
SQL server, including the password policy.
Mixed authentication (SQL Server and Windows Authentication mode) is still required if
there is a need to support legacy applications, or if specific applications require mixed
mode, or clients are coming in from platforms other than Windows and a need for
separation of duties exists.
Configuring SQL Server Authentication Modes
To select or change the server authentication mode, follow these steps:
1. In SQL Server Management Studio, right-click on the SQL Server instance in Object Explorer and click Properties.
2. On the Security page, select the desired server authentication mode under Server
Authentication and click OK .
3. In the SQL Server Management Studio dialog box, click OK to acknowledge the need to
restart SQL Server.
4. In Object Explorer, right-click on a desired server and then click Restart.
5. If the SQL Server Agent is running, restart the agent.
Using Windows authentication is a more secure choice. However, if mixed mode
authentication is required, you must make sure to leverage complex passwords and the
SQL Server 2012 password and lockout policies to further bolster security.
Here is an example of a password policy for SQL accounts:
The password must contain uppercase and lowercase letters, digits, and
non-alphanumeric characters such as &, ^, %, *, $.
Do not use common, easily guessed passwords such as admin,
password, sa, administrator, sysadmin.
Passwords contain a minimum of 8 characters (longer is better; for SQL logins created
with CHECK_POLICY = ON the Windows policy of the host is what is actually enforced).
SQL Server 2005 and later do not allow a blank password for the sa account. If you
are using an earlier version of SQL Server, set a password for all SQL accounts, and
for the sa account in particular, according to the password policy.
Note: If Windows Authentication mode is selected during installation, the sa login is
disabled by default. If the authentication mode is switched to mixed mode after the
installation, the sa account remains disabled and must be manually
enabled. It is a best practice to reset the password when the mode is switched.
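The T-SQL side of the authentication recommendations above, added as an example and not taken from the original report: check the mode, put administration on a Windows group, neutralise sa, and create the one SQL login a legacy application genuinely needs with the policy checks on. CORP\SQLAdmins, the login names and the passwords are assumed placeholders.

```sql
USE master;
GO
-- Which mode is the instance in? 1 = Windows Authentication only, 0 = mixed mode.
-- The mode itself is changed through SSMS (or the registry) and needs a restart.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Administer through a Windows group, not through sa. CORP\SQLAdmins is an assumed group.
CREATE LOGIN [CORP\SQLAdmins] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\SQLAdmins];
GO

-- Confirm a second sysadmin exists before touching sa, so access is never lost.
SELECT p.name
FROM sys.server_principals AS p
JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
WHERE m.role_principal_id = SUSER_ID('sysadmin')
  AND p.name <> 'sa';

-- Reset, rename and disable sa. The login keeps principal_id 1 whatever it is called,
-- which is how to find it again later.
ALTER LOGIN sa WITH PASSWORD = 'Sa!Long-Random-Passw0rd-Kept-In-A-Vault';
ALTER LOGIN sa WITH NAME = [retired_builtin_admin];
ALTER LOGIN [retired_builtin_admin] DISABLE;
GO

-- A SQL login that a legacy application genuinely needs: tie it to the Windows
-- password policy (complexity, lockout) and expiry, and force a change at first use.
-- MUST_CHANGE is only accepted together with CHECK_EXPIRATION = ON.
CREATE LOGIN legacy_app
    WITH PASSWORD = 'Temp!Initial-Passw0rd-2012' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Review. Any SQL login with a policy check off, or the sa principal still enabled,
-- is a finding, so the desired result of this query is an empty set.
SELECT principal_id, name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE (principal_id = 1 AND is_disabled = 0)
   OR is_policy_checked = 0
   OR is_expiration_checked = 0;
```

CHECK_POLICY only helps if the Windows policy on the host (or its domain) is itself strict: the lockout threshold and complexity rules a SQL login inherits are whatever that policy says, and a stand-alone server with the default local policy has no lockout at all.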
8. Perform Regular and Reliable Auditing
Third-party tools such as GreenSQL can make auditing quicker to set up and review, but
SQL Server 2012 also ships with its own SQL Server Audit feature (server and database
audit specifications that write to a file or to the Windows event log), and that should
be the baseline. Many companies think of auditing as something that must be done to
comply with regulation. However, it's also an important internal security precaution
in and of itself, and should be performed regularly, so whichever tool is chosen
should be quick and simple to use.
Additional Instructions
Auditing is scenario-specific. Balance the need for auditing with the overhead of
generating additional data. Audit successful logins in addition to unsuccessful
logins if you store highly sensitive data.
Enable C2 auditing or Common Criteria compliance only if required, by selecting
the appropriate checkbox (those options should be selected only if there is a need
to comply with these security standards; C2 audit mode in particular generates a
large volume of data and shuts the instance down if the audit log can no longer be
written).
Auditing Mechanism in SQL Server
SQL Server login auditing writes login events to the SQL Server error log and the
Windows Application log, where they can be viewed through Event Viewer or SQL
Server Management Studio.
SQL Server offers the following four login auditing levels:
None — Disables auditing (no login events are logged)
Successful Logins Only — Audits all successful login attempts
Failed Logins Only — Audits all failed login attempts
Both Failed and Successful Logins — Audits all login attempts
The default mode is Failed Logins Only. It is recommended to set the auditing mode to
Both Failed and Successful Logins where sensitive data is stored.
Configuring SQL Server Security Logs for Auditing
To configure login auditing for both failed and successful logins:
1. In SQL Server Management Studio, right-click on the desired SQL Server instance and
then click Properties.
2. On the Security page under Login Auditing, select the desired auditing
option, such as Both Failed and Successful Logins, and click OK.
3. Restart the SQL Server Database Engine (and SQL Server Agent) to make the
auditing change effective.
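The login auditing setting above only changes what goes into the error log. SQL Server Audit, shown here as an added example (not code from the original report), gives a queryable trail instead. The audit and specification names and the C:\SQLAudit\ path are assumed; the client_ip column is assumed to be present in the audit record, as it is on recent builds, and can be dropped from the query on a build that lacks it.

```sql
USE master;
GO
-- Audit target: rolling files under an assumed directory that only the SQL Server
-- service account and the auditors can write/read. ON_FAILURE = CONTINUE keeps the
-- instance up if the disk fills; choose SHUTDOWN where regulation demands it.
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- What to record: both login outcomes (as the text recommends for sensitive data),
-- plus the changes an attacker makes after getting in.
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)          -- records anyone tampering with the audit itself
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO

-- Reading the trail. action_id LGIF = failed login, LGIS = successful login.
-- A burst of LGIF from one client_ip against several principals is the
-- password-guessing pattern that mixed mode with a known sa name invites.
SELECT client_ip,
       server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file('C:\SQLAudit\LoginAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time > DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY client_ip, server_principal_name
HAVING COUNT(*) >= 10
ORDER BY failures DESC;

-- Confirm the audit is running and where it is writing.
SELECT a.name, s.status_desc, s.audit_file_path
FROM sys.server_audits AS a
JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;
```

Including AUDIT_CHANGE_GROUP matters more than it looks: an attacker who has reached sysadmin can simply turn the audit off, and the one record that survives is the record of that action.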
9. Update Patches Regularly
Microsoft releases security updates and patches for SQL Server and the operating system
on an ongoing basis. Install them. They can be downloaded and installed manually, or
applied automatically through Microsoft Update. Untested updates can break production
systems, so many administrators keep automatic installation for test and development
instances and promote the same updates to production only after testing.
Best practices for Patch Updates
Always stay as current as possible: track the installed build with
SERVERPROPERTY('ProductVersion') and SERVERPROPERTY('ProductLevel') and compare it with
the current service pack and cumulative update for that release.
Enable automatic updates whenever feasible, but test them before applying them to
production systems.
10. Manage Contained Databases (SQL Server 2012 and later)
A contained database is a database that is isolated from other databases and from the
instance of SQL Server that hosts the database: its users authenticate at the database
with their own passwords and have no server login. This requires additional security
steps, because enabling partially contained databases delegates control over who can
connect to the instance to the owners of those databases (anyone holding ALTER ANY USER
in a contained database can create a user that is able to connect). Enable the feature
only where it is needed, review contained users regularly, and keep the guest account
disabled in other databases so that a contained user cannot cross into them.
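An added T-SQL example, not code from the original report, showing the instance switch, a partially contained database with one contained user, and the review queries that make the delegated access visible again. ContainedDemo, app_reader and the password are assumed placeholders.

```sql
-- Instance-level switch; nothing below works until it is on. Turning it on is the
-- point at which access control starts to depend on each contained database's owner.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

-- A partially contained database. Assumed name.
CREATE DATABASE ContainedDemo CONTAINMENT = PARTIAL;
GO
USE ContainedDemo;
GO

-- A contained user: it has a password but no server login, so it does not appear in
-- sys.server_principals and is invisible to a review that only looks at logins.
CREATE USER app_reader WITH PASSWORD = 'App!Reader-Passw0rd-2012', DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER app_reader;
GO

-- Review queries an administrator should run regularly.
-- 1. Which databases are contained at all.
SELECT name, containment_desc
FROM sys.databases
WHERE containment <> 0;

-- 2. Who can connect to the instance through this database without a login
--    (authentication_type 2 = password stored in the database,
--     3 = Windows principal mapped at the database without a login).
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE authentication_type IN (2, 3);

-- 3. Who can create more such users: db_owner members and holders of ALTER ANY USER.
SELECT p.name, 'db_owner member' AS how
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS p ON p.principal_id = rm.member_principal_id
WHERE rm.role_principal_id = DATABASE_PRINCIPAL_ID('db_owner')
UNION ALL
SELECT p.name, 'ALTER ANY USER grant'
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.permission_name = 'ALTER ANY USER' AND dp.state IN ('G', 'W');

-- 4. guest must stay disabled in every other database, or a contained user can reach
--    them. Run this in each non-system database; a row showing GRANT is the finding.
-- SELECT state_desc FROM sys.database_permissions
-- WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
--   AND permission_name = 'CONNECT';
```

Query 2 is the one to add to the existing login review: a contained user with a password is, for practical purposes, a SQL login that the server-level checks never see.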
Chapter -3: Company Profile
Data wise
DATAWISE specializes in providing high-end research, consulting and business analytics
solutions to customers all over the world. We appreciate that it is not always possible to plan,
anticipate and provide for all types of business needs. And that is why we are here. Our team has
a deep understanding of the business environment across a number of industries, and we help in
bridging companies' need gap through the application of research and analytical approaches.
DATAWISE is focused on providing you with that additional support that you may require from
time to time. Whether it is assistance in strategic planning, business execution, providing
decision support solutions, helping in creating new product solutions, helping in understanding
your business performance, supporting your manpower augmentation needs, or even acting as
your surrogate – we are there with you all the way!
Mr. Vinay Kumar is a graduate from the Indian Institute of Management, Ahmedabad and also
has a PhD in Marketing. He has more than 20 years of experience, in the field of consulting,
finance, coaching and mentoring. Among various companies in the past, he has worked with the
RPG group, Ernst & Young, Netjets, and Apollo Hospitals. His core strengths are in strategy,
business planning, market planning and process improvement.
Mr. Vijay Kumar is a graduate from Indian Institute of Management, Calcutta. He has more than
18 years of experience in the field of Strategic Research, Retail Banking, IT solution design and
implementation, and Marketing. He has worked in the BFSI sector with Citibank, Prudential
Insurance, Guy Carpenter, HDFC Bank and regional banks in Malaysia and South Africa. His
core strengths include Customer Lifecycle Management, Marketing program design and
execution. He represents DATAWISE in the New York market.
Mr. Raghu Patri is a graduate from Goa University. He has more than 20 years of experience in
the IT and ITeS domain. He has been associated with NIIT for over a decade in the education
field apart from providing solutions to corporate bodies like Nestle, Titan Industries and Cipla.
His core strengths are in IT strategy, planning and development, and process planning and
implementation.
Advisory Board
Mr. Sunder Rao is a graduate in Personnel Management, and Law from Andhra University. He
has also completed the #TP 2 tier course from IIM Ahmedabad. He is extremely versatile, and
has successfully managed the change in the background of newly started Companies, and
transformation of organization culture. People Management and related processes are the main
strengths.
Mr. Rohit Das is a management graduate and has a vast experience of 19 years with varied
industries ranging from FMCG, Durables to Fashion, Lifestyle and Pharma. He has worked with
leading organizations like TATA, Electrolux, Mondregon Corporation Cooperative of Spain,
Pepsi, Videocon Group, Apollo etc. He has held key positions across, with the last 12 years
working in the Top Management Positions. His core strengths are in strategy, market planning,
and sales management.
Mr. K. Srinivas Rao is a human capital strategist, with considerable background in Human
Capital Value Chain. He has 16 years of expertise in the areas of leading Core HR Functions
(Leadership development, Performance Management including C&B, Employee
Communication, HR Technology), Change Management (Organization design and development,
Aligning Org. Cultural to Strategy, Organizational Effectiveness Assessment) and M&A
Integration (Integration, Restructuring, Downsizing).
He is currently Partner at the global people advisory and research firm 'The Strategist'.
Previous to this he was heading Strategy - HR at Satyam Computer Services. He has held
management roles at all levels in CATS (Computer Associates-TCG), Baan Info Systems, Ernst
& Young, Videocon International.
Offerings of Data Wise
School Teacher Evaluation Program – STEP
STEPTM is a summative and formative evaluation program for School Teachers, conceptualized
and designed by DATAWISE Management Services. The program was conceived as a result of
DATAWISE‘s identification of high potential for application of decision support systems in the
area of secondary education in India. The STEPTM is based on extensive research and offers a
robust, unbiased and data driven teacher assessment program. DATAWISE has collaborated
with Teacher‘s Academy, which is known for its presence and expertise in the area of teacher
training to provide the formative structure to the STEPTM and hence to make it a comprehensive,
one-stop teacher evaluation system.
The STEPTM creates an objective, summative evaluation structure for teachers working in the
Indian secondary education level. The evaluation is based on identification of strengths and
weaknesses of the teachers on various researched dimensions. These dimensions are identified as
having highest impact on a teacher‘s performance. Further the dimensions have weights
associated with them based on the correlation they have with teacher performance.
OPTILOX
The growth of organized retail and the search for optimum retail space is giving retailers a tough
time. Moreover, selection of a poor location is likely to do more damage to the reputation and the
performance of the retail unit. In the retail industry which is increasingly cluttered with new
players and formats, the ability to assure and increase footfalls has gained much more
significance.
Minimizing cost, while being an immediate concern, is not as big a problem as maximizing
profit by getting targeted customers attracted to the retail outlet. OPTILOX is designed to help
retail outlets select the optimum site location for their retail stores in order to maximize customer
footfalls.
OPTILOX is a unique software-based behavioral analytics model which takes a behavioral approach
towards site selection and therefore assists in sales maximization, unlike most site selection
methods which primarily concentrate on using logistic or cost based approaches. OPTILOX is
based on a design initially conceptualized by Arthur D. Little. We are the first and only company
to provide this approach customized to the Indian retail needs.
OPTILOX relies on an in-house analytical tool which maps retail consumer behavior to the
requirements of retailers. The model is designed as a flexible tool which can be
customized to account for the parameterized needs of any retail business. OPTILOX is ideal
for premium showrooms, grocery outlets, franchisees, banks/ ATM‘s, pharmacy, petroleum
outlets, entertainment house, concept retail, multi-format retails, coffee shops, etc. For retailers
looking to expand, OPTILOX presents an ideal solution for mapping customer behavior to their
current retail stores whereas for new retail outlets, OPTILOX also helps in identifying the ideal
customer profile.
ServQual
ServQual is determined to serve its clients in improving their service delivery. It uses
sophisticated analytical tools to predict customer expectations and behavior through data driven
analysis. SERVQUAL helps in calculation of the score for expectation statement and perception
statement using the questionnaire method. This data will help in calculation of the gap score for
each parameter.
SERV-QUAL has designed various methods of analyzing your customer satisfaction.
• Feedback Form
• In-Depth Interview
• Mystery Shopping
• Focus Groups
CREST
CREST is a customer segmentation process that recognizes the cyclical nature of customer needs
and identifies customers with the greatest future revenue potential for appropriate strategies to be
evolved to best serve the needs of this segment. CREST also identifies the customers who
generate the most value for your business, and qualify for continued high-impact service
offerings. At the same time, the segmentation exercise highlights value destroyers, customers
who yield low margins, have limited future potential and demand disproportionately large
maintenance resources. The sizing of these segments can be fine-tuned to meet channel
capacities and serve up the best opportunities for customer outreach programs.
CREST segmentation divides your customer base into six actionable segments
– Prize: High-value, loyal customers with significant upside potential
– Protect: High-value, loyal customers
– Promote: Loyal customers with significant future potential
– Preserve: Stable-value customers
– Prevent: High- and Medium-value customers at risk of attrition
– Prune: Low-value, high maintenance customers with limited future potential
Chapter -4: Data Interpretation
1. Do you use SQL Server at your organization for database purposes? Yes/ No
S.No   SQL Server   No. of respondents
1      Yes          148
2      No           2
Interpretation:
Most of the respondents say that they use SQL Server at their organization for database
purposes. Very few do not use it in their organization.
1. Which software do you prefer for Marketing Decision Making?
a. Sybase b. SAP Modules
c. SQL Server d. Any specialized software
Interpretation:
Majority of the respondents prefer SAP Modules for their Marketing Decision Making. Nearly
equal members prefer Sybase for the same. The remaining respondents use SQL Server and other
tools.
[Chart: Preferred Software (pie): Sybase 34%, SAP Modules 39%, SQL Server 11%, Other 16%]
2. If you are using SQL Server please specify your level of satisfaction in making following
marketing decision using the applications in SQL Server?
Mark 5 if you are Highly Satisfied
Mark 4 if you are Satisfied
Mark 3 if you are neither satisfied nor dissatisfied
Mark 2 if you are Dissatisfied
Mark 1 if you are Highly Dissatisfied
i. Analytics in Database Management
Interpretation:
Most of the respondents (87) are dissatisfied in understanding and implementing Analytics in
Database management while using SQL Server. 35 of them are neither satisfied nor dissatisfied
and few of them (28) are satisfied with the Analytics.
ii. Security in database management
Interpretation: Most of the respondents (115) are satisfied with the Security aspects while
using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security
aspects. There are almost none who are dissatisfied with the same.
[Chart: Analytics in Database Management: Highly dissatisfied 43, Dissatisfied 45, Neutral 35, Satisfied 25, Highly satisfied 3]
[Chart: Security in database management: Highly dissatisfied 0, Dissatisfied 0, Neutral 35, Satisfied 32, Highly satisfied 83]
iii. Access Controls
Interpretation:
Most of the respondents (101) are satisfied with the Access controls using SQL Server. Few
respondents (35) are neither satisfied nor dissatisfied with the SQL Server regarding Access
controls aspects and the remaining respondents (14) are dissatisfied with the same.
iv. Hierarchy aspects in Data Management
Interpretation: Most of the respondents (119) are satisfied with the Hierarchy in data
management in SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with the
SQL Server regarding and very few respondents (7) are dissatisfied with the same.
[Chart: Access Controls: Highly dissatisfied 1, Dissatisfied 13, Neutral 35, Satisfied 60, Highly satisfied 41]
[Chart: Hierarchy: Highly dissatisfied 1, Dissatisfied 6, Neutral 24, Satisfied 56, Highly satisfied 63]
v. RDBMS Tools and Commands
Interpretation: Most of the respondents (107) are satisfied with the RDBMS Tools and
Commands and their applications in SQL Server. Few respondents (33) are neither satisfied nor
dissatisfied with the SQL Server regarding these aspects and very few respondents (10) are
dissatisfied with the same.
vi. Programming and Query Management
Interpretation:
Most of the respondents (123) are satisfied with the programming and query management
aspects in SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with the SQL
Server regarding these aspects and very few respondents (11) are dissatisfied with the same.
[Chart: Tools and Commands: Highly dissatisfied 2, Dissatisfied 8, Neutral 33, Satisfied 44, Highly satisfied 63]
[Chart: Programming and Queries: Highly dissatisfied 0, Dissatisfied 11, Neutral 16, Satisfied 118, Highly satisfied 5]
vii. Pricing and Licensing Aspects
Interpretation:
Many respondents (101) are not satisfied with the Pricing and licensing issues in SQL Server.
Few respondents (29) gave a neutral response and very few respondents (20) are satisfied with
the same.
viii. Overall Satisfaction
Interpretation:
Only some of the respondents (43) are not satisfied with the features in SQL Server.
Considerable number of respondents (55) gave a neutral response and 52 are satisfied with the
same.
[Chart: Pricing and Licensing: bar values 1, 19, 29, 76, 25. The chart's category labels were not recovered; read together with the interpretation above (101 not satisfied, 29 neutral, 20 satisfied) the bars are Highly satisfied 1, Satisfied 19, Neutral 29, Dissatisfied 76, Highly dissatisfied 25.]
[Chart: Overall Satisfaction: bar values 0, 52, 55, 38, 5. Category labels not recovered; read with the interpretation above (43 not satisfied, 55 neutral, 52 satisfied) the bars are Highly satisfied 0, Satisfied 52, Neutral 55, Dissatisfied 38, Highly dissatisfied 5.]
3. Do you maintain a regularly upgraded RDBMS/DBMS? Yes/ No
S.No   Regular upgradation   No. of respondents
1      Yes                   136
2      No                    14
Interpretation:
Majority of the respondents (136) claim that they maintain a regularly updated SQL Server as
and the remaining respondents do not.
4. Do you think standard RDBMS is required for proper database and server management?
a. Very essential b. Essential c. May or may not be used
d. Not essential e. Not at all required
Interpretation:
Most of the respondents (142) feel that SQL Server is really essential for effective Database
Management. The remaining respondents feel that RDBMS is not mandatory for effective
database management.
[Chart: Need for RDBMS/SQL Server: Not at all required 0, Not essential 0, May or may not be used 8, Essential 45, Very essential 97]
5. Please express your satisfaction levels in using SQL server in terms of security aspects.
a. Highly satisfied b. Satisfied c. Neutral
d. Dissatisified e. Highly dissatisfied
Interpretation:
Almost all the respondents are satisfied using SQL Server and its security aspects. A negligible
number of the respondents feel neither satisfied nor dissatisfied with SQL server.
ANALYSIS
Correlation Analysis
*. Correlation is significant at the 0.05 level (2-tailed).
**. Correlation is significant at the 0.01 level (2-tailed).
Correlation analysis performed over the attributes explaining the satisfaction levels of various
users of SQL Server suggests that Security, Query management and RDBMS tools have a high
correlation with overall satisfaction, indicating that satisfaction with these parameters is
connected to overall satisfaction. A few attributes, such as Hierarchy and Pricing, cannot be
considered for analysis on the basis of their significance values. Analytics in database
management has a weaker positive correlation with overall satisfaction. Hence the data gathered
and analyzed suggest that SQL Server is preferred, or gives a good amount of satisfaction to its
users, and that their opinions are well correlated.
[Chart: Satisfaction with security aspects (Q5): bar values 0, 0, 2, 129, 19. Category labels not recovered; read with the interpretation above these are Highly dissatisfied 0, Dissatisfied 0, Neutral 2, Satisfied 129, Highly satisfied 19.]
Correlation of each attribute with overall satisfaction level (N = 150 for every attribute)

Attribute                     Pearson correlation   Sig. (2-tailed)
Analytics                     .280*                 .001
Security                      .813                  .001
Access controls               .608                  .0025
Hierarchy aspects             -.100                 .222
RDBMS tools                   .534                  .682
Query management              .637                  .004
Pricing & licensing           -.075                 .366
Overall satisfaction level    1                     .000
Chapter -5: FINDINGS AND CONCLUSION
The study "Security Management in SQL Server" was taken up with 150 respondents belonging to
different levels in pharmaceutical organizations and gave the following findings:
98.6% of the respondents specified that they use SQL Server (SQL SERVER) for their
DBMS, out of these respondents 89.3% specified that they have their updated SQL
SERVER at their organizations.
Most of the respondents (87) are dissatisfied in understanding and implementing
Analytics in Database management while using SQL Server. 35 of them are neither
satisfied nor dissatisfied and few of them (28) are satisfied with the Analytics.
Most of the respondents (115) are satisfied with the Security aspects while using SQL
Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security
aspects. There are almost none who are dissatisfied with the same.
Most of the respondents (101) are satisfied with the Access controls using SQL Server.
Few respondents (35) are neither satisfied nor dissatisfied with the SQL Server regarding
Access controls aspects and the remaining respondents (14) are dissatisfied with the
same.
Most of the respondents (119) are satisfied with the Hierarchy in data management in
SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with the SQL
Server regarding and very few respondents (7) are dissatisfied with the same.
Most of the respondents (107) are satisfied with the RDBMS Tools and Commands and
their applications in SQL Server. Few respondents (33) are neither satisfied nor
dissatisfied with the SQL Server regarding these aspects and very few respondents (10)
are dissatisfied with the same.
Most of the respondents (123) are satisfied with the programming and query management
aspects in SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with the
SQL Server regarding these aspects and very few respondents (11) are dissatisfied with
the same.
Many respondents (101) are not satisfied with the Pricing and licensing issues in SQL
Server. Few respondents (29) gave a neutral response and very few respondents (20) are
satisfied with the same.
Only some of the respondents (43) are not satisfied with the features in SQL Server.
Considerable number of respondents (55) gave a neutral response and 52 are satisfied
with the same.
Majority of the respondents (136) claim that they maintain a regularly updated SQL
Server as and the remaining respondents do not.
Most of the respondents (142) feel that SQL Server is really essential for effective
Database Management. The remaining respondents feel that RDBMS is not mandatory
for effective database management.
Almost all the respondents are satisfied using SQL Server and its security aspects. A
negligible number of the respondents feel neither satisfied nor dissatisfied with SQL
server.
Correlation analysis performed over the attributes explaining the satisfaction levels of
various users of SQL Server suggests that Security, Query management and RDBMS tools
have a high correlation with overall satisfaction, indicating that satisfaction with these
parameters is connected to overall satisfaction. A few attributes, such as Hierarchy and
Pricing, cannot be considered for analysis on the basis of their significance values.
Analytics in database management has a weaker positive correlation with overall
satisfaction. Hence the data gathered and analyzed suggest that SQL Server is preferred,
or gives a good amount of satisfaction to its users, and that their opinions are well
correlated.
Conclusion
Database management systems have become an integral part of the basic software requirements of
any organization that uses IT in its daily operations or does business with IT. This has
created a vast market for database management systems, and the industry's giants contend very
closely to acquire the maximum market share. Database management is not just the requirement;
the maximum amount of security has become the key. Unless a DBMS or RDBMS is secure and
protected against vulnerabilities and threats, people are not ready to entrust it with their
databases.
Many aspects apart from security are also considered before making a decision on a DBMS. SQL
Server has few pitfalls and a strong position in this market. Security is its strength, and the
study has highlighted various ways of using SQL Server in a more secure manner. This study has
examined user satisfaction and the technical aspects related to security in a DBMS, and has also
set out detailed concepts related to DBMS. In conclusion, the study suggests that anybody who
uses or manages a database should take up the checklist of security aspects and decide which
DBMS software would best support flawless database administration and management.
The study also recognizes that there is a growing need for human intelligence in the areas
of database management and server management to make organizations more successful in this
arena.
Bibliography:
1. Kothari C.R., Research Methodology, 2nd Edition, Wishwa Prakashan.
2. Alan Bryman & Emma Bell, Business Research Methods, 2nd Edition, Oxford.
3. Neelan Q Jeemchipillai, SQL Server, TMH, 2009.
4. Tom Carpenter, Microsoft SQL Server Administration, Wiley, 2010.
5. Kogent Learning, SQL Server 2008, 2009.
Webliography:
http://www.microsoft.com/en-in/sqlserver/solutions-technologies/mission-critical-operations/security-and-compliance.aspx
http://technet.microsoft.com/en-us/library/bb283235.aspx
http://msdn.microsoft.com/en-us/library/bb669074(v=vs.110).aspx
http://www.greensql.com/content/sql-server-security-best-practices
http://www.techrepublic.com/article/understanding-roles-in-sql-server-security/
http://www.sqlsecurity.com/
http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secure-your-sql-server-database
Annexure:
Questionnaire for
Security Management in SQL Server
Name : .………………………………………………………………..............
Age………Gender (M/F)………Designation/Occupation……..………..…..
Overall Experience…………Experience in current organization………….…
Email ID: ………………………………………..@........................................
--------------------------------------------------------------------------------------------
1. Do you use SQL Server at your organization for database purposes? Yes/ No.
2. Which software do you prefer for Database Management? [ ]
a. Sybase b. SAP Modules
c. SQL Server d. Any other specialized Software
3. If you are using SQL Server please specify your level of satisfaction in using and the
applications in SQL Server?
Mark 5 if you are Highly Satisfied
Mark 4 if you are Satisfied
Mark 3 if you are neither satisfied nor dissatisfied
Mark 2 if you are Dissatisfied
Mark 1 if you are Highly Dissatisfied
Sl. No.   Type of Marketing Decision   Satisfaction level
1. Analytics in Database Management
2. Security in database management
3. Access Controls
4. Hierarchy aspects
5. RDBMS tools and commands
6. Programming and Query management
7. Pricing and Licensing aspects
8. Overall satisfaction
4. Do you maintain a regularly upgraded RDBMS/DBMS? Yes/ No
5. Do you think standard RDBMS is required for proper database and server management?
[ ]
a. Very Essential b. Essential c. May or may not be used
d. Not essential e. Not at all required
6. Please express your satisfaction levels in using SQL server in terms of security aspects?
a. Highly Satisfied b. Satisfied c. Neutral
d. Dissatisfied e. Highly Dissatisfied
7. Do you think SQL server saves Time & Cost compared to other software tools? Yes/ No
8. Request suggestions for the study and SQL Server Implementation aspects
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
…………………………………………………………………………………………
*************** Thank you very much for your time and inputs **************