sql
server security interview questions
1.
What is the Guest user account in SQL Server? What login is it
mapped to it?
Ans:
The
Guest user account is created by default in all databases and is used
when explicit permissions are not granted to access an object.
It is not mapped directly to any login, but can be used by any
login. Depending on your security needs, it may make sense to
drop the Guest user account, in all databases except Master and
TempDB
2. What
is the use of BUILTIN\Administrators Group in SQL Server?
Ans:
Any
Windows login in BUILTIN\Administrators group is by default a SQL
Server system administrator. This single group can be used to manage
administrators from a Windows and SQL Server perspective
3. We
have a list of 3 SQL Server logins which are dedicated to a critical
application. We have given all required rights to those logins. Now
my question is we have to restrict the access only to these three
logins. Means there are two conditions:
a)
No other user should be able to access the database except those
three logins
b)
Even for those three logins they should be able to run their queries
only through the application. If someone login through SSMS and
trying to run a query should result into a failure.
Finally
there should be only way to running a query is from their application
using one of those three logins, there should be no other way to run
queries on that database. How do you restrict?
Ans:
IF
app_name() in(‘SQL Query Analyzer’,’Microsoft SQL Server
Management Studio’)
raiserror (…..)
Return
4.
How to resolve the orphan use problem?
Ans:
Such
a user is said to be an orphaned user of the database on that server
instance. A database user can become orphaned if the corresponding
SQL Server login is dropped. Also, a database user can become
orphaned after a database is restored or attached to a different
instance of SQL Server. Orphaning can happen if the database user is
mapped to a SID that is not present in the new server instance.
Transact-SQL
1
2
3
4
5
6
7
|
USE
<database_name>;
GO;
sp_change_users_login
@Action='Report';
GO;
|
Transact-SQL
1
2
3
4
5
6
7
8
9
10
|
USE
<database_name>;
GO
sp_change_users_login
@Action='update_one',
@UserNamePattern='<database_user>',
@LoginName='<login_name>';
GO
|
5.
What are the fixed server level roles?
Ans:
-
SysAdmin – Can perform any
activity
-
ServerAdmin – Can change server
configuration, restart, shutdown server
-
SecurityAdmin – Can manage
server level logins, also can manage db level if they have
permission on db
-
Granted: ALTER ANY LOGIN
-
ProcessAdmin – Can kill a
process on an instance
-
Granted: ALTER ANY CONNECTION,
ALTER SERVER STATE
-
DiskAdmin – Can manage the disk
files
-
Granted: ALTER RESOURCES
-
BulkAdmin – Can perform BULK
INSERT
-
Granted: ADMINISTER BULK
OPERATIONS
-
SetupAdmin – Can add and remove
linked servers
-
Granted: ALTER ANY LINKED SERVER
-
Dbcreator – Can create, alter,
drop and restore any database on the instance
-
Granted: CREATE ANY DATABASE
-
Public – Default role for newly
created login
sp_helpsrvrolemember : List
out the members mapped with the server roles
6.
What are the Database roles?
Ans:
-
db_accessadmin – Granted: ALTER
ANY USER, CREATE SCHEMA, Granted with Grant option – Connect
-
db_backupoperator – Granted:
BACKUP DATABASE, BACKUP LOG, CHECKPOINT
-
db_datareader – Granted –
SELECT
-
db_datawriter – Granted –
INSERT, UPDATE and DELETE
-
db_ddladmin – Granted – Any
DDL operation
-
db_denydatareader – Denied –
SELECT
-
db_denydatawriter – Denied –
INSERT, UPDATE and DELETE
-
db_owner – Granted with GRANT
option: CONTROL
-
db_securityadmin – Granted:
ALTER ANY APPLICATION ROLE, ALTER ANY ROLE, CREATE SCHEMA, VIEW
DEFINITION
-
dbm_monitor – Granted: VIEW most
recent status in Database Mirroring Monitor
sp_helprolemember : List
out the members mapped with the server roles
Note:
Fixed
database roles are not equivalent to their database-level permission.
For example, the db_owner fixed
database role has the CONTROL DATABASE permission. But granting the
CONTROL DATABASE permission does not make a user a member of
the db_owner fixed
database role.
7.
What are the security related catalog views?
Where
the security related information stored on?
Ans:
-
Server
Level:
-
Sys.server_permissions
-
Sys.server_principals
-
Sys.server_role_members
-
Sys.sql_logins
8.
What are the extra roles available in msdb?
Ans:
-
db_ssisadmin: Equals to sysadmin
-
db_ssisoperator:
Import/Delete/Change Role of own packages
-
db_ssisltduser: Only can view and
execute the packages
-
dc_admin : Can administrate and
use the data collector
-
dc_operator: Can administrate and
use the data collector
-
dc_proxy : Can administrate and
use the data collector
-
PolicyAdministratorRole: can
perform all configuration and maintenance activities on Policy-Based
Management policies and conditions.
-
ServerGroupAdministratorRole : Can
administrate the registered server group
-
ServerGroupReaderRole: Can view
and the registered server group
-
dbm_monitor:
Created in the msdb database
when the first database is registered in Database Mirroring Monitor
9.
If you lose rights to your SQL Server instance what are the options
to connect to SQL SERVER Instance?
Ans:
Option1:
Use the Dedicated Administrator Connection
Option2:
Use BUILTIN\Administrators Group
Option3:
Change Registry Values
10.
What objects does the fn_my_permissions function reports
on?
Ans:
-
SERVER
-
DATABASE
-
SCHEMA
-
OBJECT
-
USER
-
LOGIN
-
ROLE
-
APPLICATION ROLE
-
TYPE
-
MESSAGE TYPE
-
ASYMMETRIC KEY
-
SYMMETRIC KEY
-
CERTIFICATE
-
SERVICE
-
REMOTE SERVICE BINDING
-
FULLTEXT CATALOG
-
ASSEMBLY
-
CONTRACT
-
ENDPOINT
-
ROUTE
-
XML SCHEMA COLLECTION
SELECT
* FROM fn_my_permissions(NULL, ‘SERVER’);
SELECT
* FROM fn_my_permissions(‘AdventureWorks’, ‘DATABASE’);
SELECT
* FROM fn_my_permissions(‘Employee’, ‘OBJECT’)
11.
Name three of the features managed by the Surface Area Configuration
tool.
Ans:
12.
What options are available to audit login activity?
Ans:
-
Custom solution with your
application to log all logins into a centralized table
-
Enable login auditing at the
instance level in Management Studio
-
Execute Profiler to capture logins
into the instance
-
Leverage a third party product
13.
How to perform backup for Certificates in sql server?
Ans:
14.
Name 3 of the features that the SQL Server built-in function
LOGINPROPERTY performs on standard logins.
Ans:
-
Date when the password was set
-
Locked out standard login
-
Expired password
-
Must change password at next login
-
Count of consecutive failed login
attempts
-
Time of the last failed login
attempt
-
Amount of time since the password
policy has been applied to the login
-
Date when the login was locked out
-
Password hash
15.
How can SQL Server instances be hidden?
Ans:
To
hide a SQL Server instance, we need to make a change in SQL Server
Configuration Manager. To do this launch SQL Server Configuration
Manager and do the following: select the instance of SQL Server,
right click and select Properties. After selecting properties you
will just set Hide Instance to “Yes” and click OK or Apply. After
the change is made, you need to restart the instance of SQL Server to
not expose the name of the instance.
16.
Is Profiler the only tool that has the ability to audit and identify
DDL events?
Ans:
No.
In SQL Server 2005 DDL triggers were introduced to audit CREATE,
ALTER and DROP events for relational (stored procedures, functions,
views, etc.) and security (certificates, logins, server, etc.)
objects.
17.
What are some of the pros and cons of not dropping the SQL Server
BUILTIN\Administrators Group?
Ans:
Pros:
Cons:
18.
What is SQL Injection and why is it a problem?
Ans:
SQL
Injection is an exploit where unhandled\unexpected SQL commands are
passed to SQL Server in a malicious manner. It is a problem
because unknowingly data can be stolen, deleted, updated, inserted or
corrupted.
19.
How can SQL Injection be stopped?
Ans:
Development\DBA
-
Validate the SQL commands that are
being passed by the front end
-
Validate the length and data type
per parameter
-
Convert dynamic SQL to stored
procedures with parameters
-
Prevent any commands from
executing with the combination of or all of the following commands:
semi-colon, EXEC, CAST, SET, two dashes, apostrophe, etc.
-
Based on your front end
programming language determine what special characters should be
removed before any commands are passed to SQL Server
Network
Administration
-
Prevent traffic from particular IP
addresses or domains
-
Review the firewall settings to
determine if SQL Injection attacks can prevented
-
Remove old web pages and
directories that are no longer in use because these can be crawled
and exploited
-
Research products or services to
scan your code and web site on a regular basis to prevent the issue
20.
How to recover from SQL Injection?
Ans:
If
for some reason the resolution implemented does not resolve the
problem and the SQL Injection attack occurs again, the quickest path
may be to do the following:
-
Shut down the web sites
-
Review the IIS logs to determine
the commands issued and which web page\command has the vulnerability
-
Convert the code to determine
which tables were affected and the command issued
-
Find and replace the string in
your tables
-
Correct the web page\command that
has the vulnerability
-
Test to validate the issue no
longer occurs
-
Deploy the web page\command
-
Re-enable the web sites
21.
How to enforce Security in SQL SERVER?
Ans:
By
providing strong Passwords, Limited the access to make sure right
people have access to the right data, Creating Customized database
roles, server roles and assign privileges and by choosing the correct
authentication mode etc.
A
DBA should be careful in providing security…..General precautions
includes:
-
Minimize the number of sysadmins
allowed to access SQL Server.
-
Give users the least amount of
permissions they need to perform their job.
-
Use stored procedures or views to
allow users to access data instead of letting them directly access
tables.
-
When possible, use Windows
Authentication logins instead of SQL Server logins.
-
Don’t grant permissions to the
public database role.
-
Remove user login IDs who no
longer need access to SQL Server.
-
Avoid creating network shares on
any SQL Server.
-
Turn on login auditing so you can
see who has succeeded, and failed, to login.
-
Ensure that your SQL Servers are
behind a firewall and are not exposed directly to the Internet.
-
Using server, database and
application roles to control access to the data
-
Securing the physical database
files using NTFS permissions
-
Using an un guessable SA password
-
Restricting physical access to the
SQL Server
-
Disabling the Guest account
-
Isolating SQL Server from the web
server
-
Choose either of the service to
run SQL Server (Local User – Not an Admin , Domain User – Not an
Admin)
-
Restrict the remote administration
(TC)
-
If SQL Server authentication is
used, the credentials are secured over the network by using IPSec or
SSL, or by installing a database server certificate.
-
Do not use DBO users as
application logins
-
Firewall restrictions ensure that
only the SQL Server listening port is available on the database
server.
-
Remove the SQL guest user account.
-
Remove the BUILTIN\Administrators
server login.
-
Apply the latest security updates
/ patches
We
have plenty of features in SQL SERVER to enforce the security. The
major features include:
In
addition to these features we have some more added in SQL SERVER
2008, like Policy Based Management, Security Audit, Improved
Encryption, Backup Security etc.
When
we talk about the security we have to consider the bellow
-
Patches and Updates
-
Services
-
Protocols
-
Accounts
-
Files and Directories
-
Shares
-
Ports
-
Registry
-
Auditing and Logging
-
SQL Server Security
-
SQL Server Logins, Users, and
Roles
-
SQL Server Database Objects
22. You
are delegating permissions on your SQL Server to other
administrators. You have local, single server jobs on one server that
you would like to allow another administer to start, stop, and view
the history for, but not delete history. This administrator will own
the jobs. Which role should you assign?
Ans:
SQLAgentUserRole
SQL
Server provides 3 fixed roles for the agent service that limit
privileges for administrators. The SQLAgentUserRole is designed for
local jobs (not multiserver) that allow the member to work with their
owned jobs (edit, start, stop, view history) without deleting the
history of any job.
23.What
is application role in SQL Server database security?
Ans:
Application
roles are database level roles like database roles. We can create
them and assign permissions to them just like regular database roles
but we can’t map users with them. Instead, we provide a password to
unlock access to the database. Here it is how it works:
-
Create a login on SQL Server for
application user
-
Create an application role on the
corresponding database.
-
Give the application role password
to the user
-
User will have access to login to
SQL Server but doesn’t have any access to the database including
public role.
-
He/she just need to provide the
password to unlock the access to the database
-
EXEC sp_addapprole
‘App_Role_Name’, ‘Password’
-
Once
it is executed successfully the user will get all rights that your
app role have on that database.
24.
What are the new security features added in SQL Server 2012?
Ans:
Default
Schema for Windows Group Logins: Let’s
say we have a Windows account [MyDomain\ WinAdmin]. If someone from
this group logged in [MyDomain\User1] and tried to create an object
then there will be a new schema created like [MyDomain\User1].Table.
This issue got fixed in 2012. In 2012 we can assign a default schema
for the Windows Group accounts.
User
Defined Server Roles: Till
2008 R2 we have user defined roles at database level, 2012 allows us
to create a Server level user defined roles which gives us more
control in handling security.
Contained
Database: Easier
database migrations as it contains user and login information on same
database instead of in Master.
Data
Protection: Supporting
Hash Algorithm-256 (SHA-256) and SHA-512.
Auditing: Native
support/feature for auditing the database environment by creating the
Audit specifications. We can also create user defined audits. Ex: We
can create an Audit specification to trace all events for a specific
login and write all these event details into Audit Log. We can also
filter the events.
25.What
is the new security features added in SQL Server 2014?
Ans:
Functionality
Enhancement for TDE: In
2014 Transparent Data Encryption takes the normal backup and then
applies the Encryption before writing it to the disk. It allows
backup compression is useful when TDE enabled. TDE applies on
compressed backup.
CONNECT
ANY DATABASE: This
is a new server level permission which can allow a login to connect
all existing and future databases in the instance. This can be
helpful when we need to give permissions for audit purpose.
IMPERSONATE
ANY LOGIN: This
is a new server level permission which gives us more control in
giving/denying impersonate access to logins.
SELECT
ALL USER SECURABLES: A
new server level permission. When granted, a login such as an auditor
can view data in all databases that the user can connect to.
26.
What is the new Security features added in SQL Server 2016?
Ans:
Always
Encrypted:
-
This is a new feature which is
useful for managing highly sensitive data
-
Unlike TDE it encrypts data at
rest means physical files (Data, Log and Backup), data in memory and
data in communication channels.
-
TEMPDB is uninvolved from
encryption
-
Encryption can be applied to
column level.
-
A driver that encrypts and
decrypts the data as it is sent to the database server is installed
on the client.
-
Application connection string must
be changed.
Row
Level Security:
-
This is first introduced in Azure
SQL Database. Now it’s part of on-premises feature from SQL Server
2016.
-
Data need not be encrypted but we
can restrict the users to see the sensitive data. No master keys or
certificates required as there is no encryption
-
Row-level security is based on a
table-valued function which evaluates user access to the table based
on a security policy that is applied to the table.
-
The access levels only applies to
SELECT, UPDATE, DELETE operations but anyone who is having INSERT
permissions can insert rows.
-
Only problem with this is using
user defined functions to control user access which is a huge
disadvantage from performance prospect.
-
Dynamic Data Masking:
-
Masks data at select time based on
user or database roles (Mainly for Read-only Users).
-
It actually doesn’t change the
data but mask data based on the user who access that data.
-
For example I have a columns
called “CredNo” to store customer creditcard number. If I mask
this column then it will be viewed as 22XXXXXXXXXX56.
-
But as I said data is not modified
only this logic applied and data is masked based on the user/role.
-
A SYSADMIN or db_owner can view
the actual data.
-
We can use 4 different types of
functions to mask data; Email, Partial, Default, Random
