Chapter 10 Security and Auditing on SQL Server

Table 10-1: System procedures for adding users to SQL Server and databases
System procedure	Task	Executed by	Where
sp_addlogin	Create new logins, assign default databases, assign password	SSO	Any database
sp_addgroup	Create groups	DBO or SA	User database
sp_adduser	Add users to database, assign groups	DBO or SA	User database

Dropping Logins, Users, and Groups

The following system procedures allow a System Administrator or Database Owner to drop logins, users and groups.

Table 10-2: Dropping logins, users, and groups
System procedure	Task	Executed by	Where
sp_droplogin	Drop login account from SQL Server	SA	masterdatabase
sp_dropuser	Drop user from database	DBO or SA	User database
sp_dropgroup	Drop group from database	DBO or SA	User database

Locking SQL Server Logins

You cannot drop the login account for a user who owns database objects. The sp_locklogin account allows you to lock the account, denying the user access to the server, without having to drop and re-create the objects.

Table 10-3: Locking Logins
System procedure	Task	Executed by	Where
sp_locklogin	Lock a SQL Server login	SA or SSO	Any database

Changing User Information

Additional system procedures allow you to change the information added with the commands discussed earlier in this chapter. For example, sp_modifylogin and sp_password change default databases and passwords for SQL Server users. The system procedures described in Table 10-4 change aspects of users' logins and database usage.

Table 10-4: System procedures for changing user information
System procedure	Task	Executed by	Where
sp_password	Change another user's passwordChange own password	SSOUser	Any database
sp_changegroup	Change group assignment of a user	SA or DBO	User database
sp_modifylogin	Change a login account's default database, default language, or full name	SA	Any database

Using Aliases in Databases

The alias mechanism allows you to treat more than one person as the same user inside a database, so that they all have the same privileges. An alias is often used so that several users can assume the role of database owner or object owner. The alias mechanism can also be used to set up a collective user identity, within which the identities of individual users can be traced using auditing.

For example, say several vice presidents want to use a database with identical privileges and ownerships. One way to accomplish this is to add a login named "vp" to SQL Server and the database; each vice president logs in as "vp". The problem with this method is that there is no way to tell the individual users apart. The other approach is to alias all the vice presidents, each of whom has his or her own SQL Server account, to the database user name "vp".

The following system procedures manage aliases:

Table 10-5: System procedures for managing aliases

System procedure Task Executed by Where

sp_addalias Add an alias for a user DBO or SA User database

sp_dropalias Drop an alias DBO or SA User database

Table 10-5: System procedures for managing aliases
System procedure	Task	Executed by	Where
sp_addalias	Add an alias for a user	DBO or SA	User database
sp_dropalias	Drop an alias	DBO or SA	User database

Getting Information About Users

The following procedures allow users to obtain information about users, groups and current SQL Server usage.

Table 10-6: System procedures that report on SQL Server users and groups
Procedure	Function
sp_who	Reports on current SQL Server users and processes
sp_displaylogin	Displays information about login accounts
sp_helpuser	Reports on users and aliases in a database
sp_helpgroup	Reports on groups within a database

By default, all users can execute these system procedures.

User Permissions

SQL Server's protection system is controlled through the use of the SQL commands grant and revoke. These two commands specify which users or groups of users can issue specific commands and perform specific operations on which tables, views, or columns.

Some Transact-SQL commands can be issued at any time by any user, with no grant permission required. Other Transact-SQL commands can be used only by users of certain status (for example, only by the System Administrator). Permission to use certain commands is not transferable with grant.

By using the with grant option clause to the grant command, the Database Owner or System Administrator can give other users the ability to grant permission to access database objects. For example, if the Database Owner grants select permission on the titles table to user "mary" specifying with grant option, user "mary" can grant the same permission to other users. A similar option for the revoke command, cascade, revokes permissions from "mary" and from everyone to whom "mary" granted permission.

Permissions to Create and Access Objects

There are two categories of permissions:

Permissions for the commands select, update, insert, delete, and execute are called object access permissions because these commands always specify database objects, and allow users to access or change data.

These are the objects to which the object access permissions can apply:

Table 10-7: Object access permissions

Command Objects

select table, view, columns

update table, view, columns

insert table, view

delete table, view

execute stored procedure

Table 10-7: Object access permissions
Command	Objects
select	table, view, columns
update	table, view, columns
insert	table, view
delete	table, view
execute	stored procedure

Here is an example:

grant select on titles to mary

revoke select on titles(advance) from mary

This sequence of commands gives user "mary" access to all of the columns in the titles table except the advance column.

Permissions for other commands are called object creation permissions because they give the user permission to create database objects. They can be granted only by a System Administrator or a Database Owner, and do not take the with grant option clause. These commands are:
- create database
- create default
- create procedure
- create rule
- create schema
- create table
- create view
  
  For example:
```
grant create table to mary
```

Each database has its own independent protection system. Being granted permission to use a certain command in one database has no effect in other databases. The create database command can be granted only by a System Administrator, and only to users of the master database.

If you try to use a command or database object for which you have not been assigned permission, SQL Server responds with an error message.

The Permission Hierarchy

The different types of SQL Server users exist in a hierarchy, with users having the System Administrator role at the top.

Database Owners are next in the hierarchy. System Administrators and Database Owners can grant and revoke object creation permissions to other users (so that they become the next level: database object owners).

At the next lower level are the owners of database objects (tables, views, and stored procedures), who control access permission on their objects. For example, a user who creates (and therefore owns) a table automatically has all of the object access permissions that apply to that table¯select, insert, update, and delete. No other users have any permissions on the table until the owner specifically grants them with the grant command.

At the bottom of the hierarchy are the other database users (also known as "public"). Permissions are granted to or revoked from them by object owners, Database Owners, and/or the System Administrator. These users are specified by user name, by group name, or as members of "public".

Views and Stored Procedures as Security Mechanisms

Views and stored procedures can serve as security mechanisms. Users can be granted permission on a view or on a stored procedure even if they have no permissions on objects the view or procedure references. Permissions on views and stored procedures are checked when the object is used, not when the view or procedure is created.

Views

Through a view, users can query and modify only the data they can see. The rest of the data is neither visible nor accessible.

Permission to access data in a view must be explicitly granted or revoked, regardless of the set of permissions in force on the view's underlying table(s). Data in an underlying table that is not included in the view is hidden from users who are authorized to access the view but not the underlying table.

By defining different views and selectively granting permissions on them, an owner can restrict a user (or any combination of users) to different subsets of data:

Access can be restricted to a subset of the rows of a base table (a value-dependent subset). For example, you might define a view that contains only the rows for business and psychology books, in order to keep information about other types of books hidden from some users.
Access can be restricted to a subset of the columns of a base table (a value-independent subset). For example, you might define a view that contains all the rows of the titles table, but omits the royalty and advance columns, since this information is sensitive.
Access can be restricted to a row-and-column subset of a base table.
Access can be restricted to the rows that qualify for a join of more than one base table. For example, you might define a view that joins the titles, authors, and titleauthor tables in order to display the names of the authors and the books they have written. This view would hide personal data about authors and financial information about the books.
Access can be restricted to a statistical summary of data in a base table. For example, you might define a view that contains only the average price of each type of book.
Access can be restricted to a subset of another view, or to some combination of views and base tables.
Control over data that can be inserted or updated through a view can be controlled by the with check option clause of the create view command.

Stored Procedures

Users with permission to execute a stored procedure can do so even if they do not have permissions on tables or views referenced in it. For example, a user might be given permission to execute a stored procedure that updates a row-and-column subset of a specified table, even though that user does not have any other permissions on that table.

Auditing in SQL Server

Auditing records security-related system activity in an audit trail, which can be used to detect penetration of the system and misuse of resources. By examining the audit trail, System Security Officers can inspect patterns of access to objects in databases, and can monitor the activity of specific users. Audit records are traceable to specific users, enabling the audit system to act as a deterrent to users attempting to misuse the system.

SQL Server can be configured to provide an audit trail for events such as:

Server logins and logouts
Use of any commands that require a special role
Use of commands that reference a specified object or database
Deletion of objects
Execution of stored procedures and triggers
Any actions performed by a specified user

New Auditing System in Forthcoming Releases

Note
These auditing changes do not affect System 11.0 auditing, but are described only to alert you to changes in future releases that may impact your installation.

In the next major releases of SQL Server, the auditing system will provide these enhancements:

Support for multiple audit tables. This capability enables installations to archive and process audit data with no manual intervention and with no loss of audit records.
The capability to audit additional events, including the creation of objects; the binding and unbinding of rules, defaults, and messages; all actions by individual users; and all actions performed with a particular role active.
The addition of a single flag for auditing a set of server-wide security-relevant events.
A new, streamlined, user interface available for the System Security Officer to control auditing. In the new interface, which will replace the current auditing interface, a single system procedure provides the capability to set all auditing options.

The next major releases of SQL Server will not support sp_auditoption, sp_auditlogin, sp_auditdatabase, sp_auditobject, and sp_auditsproc. Functions provided by these system procedures will be provided by the new system procedure sp_audit. The new auditing system will continue to allow users to add their own audit records with sp_addauditrecord.

The Audit System

The audit system consists of:

The sybsecurity database
System procedures that set the various auditing options
The audit queue, to which audit records are sent before they are written to the audit trail

The sybsecurity Database

Essential to auditing in SQL Server is the sybsecurity database. It is created as part of the auditing installation process. It contains all system tables found in the model database and two additional system tables:

sysaudits the audit trail
sysauditoptions contains the global auditing choices

The Auditing System Procedures

Auditing is managed with the following system procedures:

Table 10-8: System procedures used to manage auditing options
System procedure	Description
sp_auditoption	Enables and disables system-wide auditing and global audit options.
sp_auditdatabase	Establishes auditing of different types of events within a database, or of references to objects within that database from another database.
sp_auditobject	Establishes selective auditing of accesses to tables and views.
sp_auditsproc	Audits the execution of stored procedures and triggers.
sp_auditlogin	Audits a user's attempts to access tables and views, or the text of commands that the user executes.
sp_addauditrecord	Allows users to enter user-defined audit records (comments) into the audit trail.

The Audit Queue

When an audited event occurs, an audit record first goes to the in-memory audit queue, where it is held until it can be processed by the audit process and added to the audit trail. You can configure the size of the audit queue with sp_configure.

Establishing Auditing

The System Security Officer manages the audit system. Only a user who has been granted that role can:

Execute any of the auditing system procedures (with the exception of sp_addauditrecord)
Read the audit trail
Access the audit database

The System Security Officer who is going to manage the audit system must be granted access to the sybsecurity database.

Auditing can be established at two levels:

At the server level, to audit specific activities on the entire server
At the database level, to audit specific events within a specific database

Server-Level Auditing Options

At the server level, the System Security Officer can establish auditing for any combination of these events:

Logins
Logouts
Actions by individual login accounts in all databases on the server, including failed and/or successful accesses to views and tables and the text of the user's commands
Server boots
Remote procedure calls
Use of the set role command
Commands that require special server roles, such as the System Administrator role, the System Security Officer role, or the Operator role
Fatal errors
Ad hoc additions to the audit trail

Database-Level Auditing Options

You can activate selective auditing at the database level to detect:

Use of the drop, grant, revoke, and truncate table commands within a database
Use of the drop database and use commands on a database
Execution of SQL commands from within another database that reference the audited database

Within a specific database, you can also:

Activate auditing of accesses to specified tables or views
Set default audit settings that will be applied to all future tables and views in the database
Audit successful or failed attempts to access an object, or both successful and failed attempts
Specify what kind of queries to audit: selects, inserts, updates and deletes, in any combination
Establish auditing for stored procedures and triggers

Example: Auditing a Stored Procedure

This example illustrates how to audit a stored procedure that updates an accounts table. The procedure takes two arguments, an account number and an amount, like this:

update_acct 23475, 200.00

The update_acct procedure (without any error checking) is simple:

create proc update_acct  @acct int,

                         @amount smallmoney

as

update acct set amount = amount + @amount

where acct = @acct

To initiate auditing on successful executions of this procedure, the System Security Officer uses sp_auditsproc:

sp_auditsproc update_acct, pubs2, ok

Here is a query that returns auditing information about the procedure from sysaudits:

select eventtime, loginame, extrainfo

from sysaudits

where objname = "upd_acct"

order by eventtime

For stored procedures, sysaudits stores the arguments to the procedure in the extrainfo field, so it is easy to trace all activity performed on the table by auditing the procedure.

eventtime           loginname     extrainfo

------------------- ------------- --------------------

Oct 19 1993  4:44PM henry         23475, 200.00

Oct 19 1993  4:49PM lulu          22376, -30.89

Oct 19 1993  4:49PM lulu          22376, 1057.23

Oct 19 1993  4:55PM carol         67892, 98.73

[Top] [Prev] [Next] [Bottom]