Rabu, 04 Februari 2009

Managing SQL Server 2005 Security

SQL Server 2005 supports Windows and mixed authentication modes and is closely integrated with it. In this mode access is granted based on a security token assigned during successful domain logon by a Windows account and the SQL Server is requested access subsequently. The precondition is that both must belong to the same windows environment. The Active Directory domain environment provides an additional level of protection of the Kerberos protocol. This protocol governs the behaviour of the Windows authentication mechanism. In the mixed mode SQL Server Authentication can also be used. The credentials are verified from the repository maintained by the SQL Server. The increased security has made redundant the need to maintain separate set of accounts. However, the SQL Server logins have been improved with encryption of SQL Generated Certificates for communications that involve MADC client software based on .NET provider.

A very significant enhancement to SQL Server 2005 is the ability to manage account passwords and lockout properties. This can be within the local and domain based group policies. The DBA can impose restrictions on password complexity, password expiration and account lockout. The following complexities can be imposed:

The length of the password can be set to be minimum 6 characters.
The password can contain uppercase characters, lowercase character, numbers and non-alphanumeric characters.
The password cannot be “Admin”, “Administrator”, “Password” etc
The Password expiration can be determined by the values of “Maximum password age” and the lockout behaviour can be determined by “Account lockout duration”, “Account lockout threshold”, “Reset account lockout counter after”. ALTER LOGIN T-SQL statement can be used to unlock locked password.

The DBA uses the CHECK_EXPIRATION and CHECK_POLICY clauses while creating new logins with the CREATE LOGIN T-SQL statement. While CHECK_EXPIRATION controls the password expiration, CHECK_POLICY controls account lockout settings. Both have to be set ON or OFF. Other combinations are not supported. The syntax would be as under:

CREATE LOGIN xxx
WITH
PASSWORD = 'CHANGEPASS' MUST_CHANGE,
CHECK_EXPIRATION = ON, CHECK_POLICY = ON

The enforcement of the password policy for the existing logins can be verified by the DBA from the catalog view outputs. This can be verified in the graphical user interface of SQL Server Management Studio.

The endpoints in SQL Server 2005 are versatile with different transport and payload protocols, listening ports, authentication modes and permissions. When creating or modifying HTTP endpoints using the CREATE ENDPOINT and ALTER ENDPOINT statements the preferred login type is designated by the LOGIN_TYPE option(which can be WINDOWS or MIXED values). While WINDOWS is default, the MIXED mode will have to be configured to operate over a Secure Socket Layer channel. The login credentials must be specified in the Web Services Security headers preceding the SOAP requests of the client application.

The HTTP authentication mechanism can be assigned an Integrated, Digest or Basic value if the communication is SOAP based. The INTEGRATED mechanism applies windows based Kerberos or NTLM authentication protocol when establishing the HTTP communication between the client and server. The SQL Server account must be associated with Service Principal Name for the mutual Kerberos authentication to work. DIGEST is a hashing algorithm applied to user’s windows credentials on the client side. This is compared with the result of the same algorithm being applied on the server side.

BASIC compares the Windows BASE 64





source :http://www.exforsys.com

-------------------------------------------------------

Trik Gambar Bergerak

Trik Gambar-dimouse

Trik hapus pwd mysql

Trik insertin to db

Trik jadi root dilinux

Trik jam-distatus-bar

Trik Koneksi-ke database

Trik Koneksi-msql-php

Trik lihat-database-mysql

Trik membahas-fungsi-else

Trik member-area