Building a Secure Access & SQL Server Solution with Anders Ebro

Slide Note
Embed
Share

Anders Ebro, a Principal consultant with Exacto A/S, shares insights on building a secure access and SQL server solution. With a background in SQL development and experience in managing sensitive data, Anders emphasizes the importance of security aspects such as limiting access to sensitive data, role-based data updating, and account hacking prevention. The article also delves into security components at the server and database levels, showcasing practical examples and low-budget security solutions.

lyl_boy
lyl_boy Follow

Uploaded on Sep 30, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Anders Ebro Building a Secure Access & SQL Server Solution

  2. Before we get started How many of you use SQL server every day?

  3. Security can be complex

  4. Background - Anders Ebro Principal consultant with Exacto A/S for 3 years Based out of Denmark, with 18 employees, recently opened two branches in Germany Full time Access/SQL server developer for 11 years, 7 of those using SQL server Last few years expanded with Excel/SQL interfaces Access/Excel/SQL based Incentives tool to handle performance review (and bonus payout) at a financial institution 25.000 employees 800 users (Managers) 100 local admin (Local HR) 15 super admin (Rewards Team and Group HR) XXX million worth of bonus assigned Sensitive data (salary)

  5. Security covers many aspects Ensure that access to our sensitive data is limited Ensure that users can only update data according to their role (user / manager / admin) Limit what can happen in case of an account being hacked (don t give every users more rights than they need to do their job)

  6. Application Security versus SQL server security DEMO! What makes Access different? Direct user access This is not just remote controlling Access. A user might open up SQL server management studio and do the same

  7. Security Components At the SERVER level, we must define a LOGIN At the DATABASE level, we must define a USER account which is tied to a single login We can then define permissions (SELECT, INSERT, UPDATE, DELETE, EXECUTE) or role membership for that user account

  8. Imagine we have lots of users Both are members of AD group: sales_people DEMO Billy Badger (BB) John Johnson (JJ)

  9. Low Budget/low security solution We can grant the user membership of the built in database roles db_dataReader and db_dataWriter giving them full access READ/WRITE to all tables in our database. Similar to access Custom User roles DEMO

  10. TESTING IS KEY! How can we fake being another user (Because our own user has full rights)? Windows has a program called Runas which can be used to execute under a different security context. Within SQL server we can use Execute as in SQL is great for testing on- server stuff, but we really need to test our app. The syntax is simply C:\Windows\System32\runas.exe /user:AEC-T480S\JJ "C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE \"C:\Users\aec\OneDrive\Presentations\Sql Server Security\Access App.accdb Run Access App as JJ

  11. You just made friends with IT Now IT can manage users, by adding or removing them from the AD group sales_people without having to even touch the database.

  12. Permissions Grant RIGHTS on OBJECTS to PRINCIPAL Rights: Insert (C) Select (R) Update (U) Delete (D) Execute (Procs and functions) (Other .)

  13. Permissions Grant RIGHTS on OBJECTS to PRINCIPAL Objects: Tables Views Stored Procedures Functions Schemas Single columns in a table Other?

  14. Permissions Don t grant rights directly on users Grant RIGHTS on OBJECTS to PRINCIPAL Principal: User (Windows user or Windows Group) Custom Role Other?

  15. Keeping app in synch So for a good user experience, the interface should adapt (Allow Edits/Allow Additions/Allow Deletions) If you have multiple roles, and need to know if the user is member of a role:

  16. Column level security Grant select (sales_id,sales_amount) on tbl_sales Grant update (sales_amount) on tbl_sales DEMO

  17. Row Level Security By using Views Security Policy RLS (SQL Server 2016+) Wait as admin, I can no longer view the table.. Admin Override

  18. When simple (CRUD) isnt enough The more critical the data, or the more complex the update operation, the more likely we need a stored proc View for browsing Temp table for single record view Stored proc for updating Requery with position return when done DEMO

  19. New Development We usually ask IT to have: A new database created on their server A user with db_owner membership to the database A test-user with regular access to the database Development is done either on our own server, and then ported, or done via VPN (usually if there are integration requirements, or GDPR restrictions)

  20. Thank you for listening Followup questions: aec@exacto.dk

Related


Understanding Modern Performance in SQL Server

Understanding Modern Performance in SQL Server

les_la
Turkish Statistical Institute SQL Fundamentals Overview

Turkish Statistical Institute SQL Fundamentals Overview

alm_sin
Understanding PL/SQL Benefits and Objectives

Understanding PL/SQL Benefits and Objectives

omar_c
Utilizing UK Spatial Data in SQL Server 2008 R2 Reporting Services

Utilizing UK Spatial Data in SQL Server 2008 R2 Reporting Services

kaer212
Understanding SQL Server Database Recovery Models and Backup Strategies

Understanding SQL Server Database Recovery Models and Backup Strategies

fabienbe
Disk and I/O Tuning on Microsoft SQL Server by Kevin Kline

Disk and I/O Tuning on Microsoft SQL Server by Kevin Kline

greenaway_k
SQL Server Polybase: Data Virtualization Overview

SQL Server Polybase: Data Virtualization Overview

morrell_c
Understanding SQL Server Memory Architecture and Debugging Memory Issues

Understanding SQL Server Memory Architecture and Debugging Memory Issues

csum
Comprehensive Overview of SQL Commands and Language Categories

Comprehensive Overview of SQL Commands and Language Categories

orin
Unorthodox SQL Techniques Unleashed: REVENGE: The SQL

Unorthodox SQL Techniques Unleashed: REVENGE: The SQL

ryng791
Slow Control Servers and Network Configuration for SVD Management

Slow Control Servers and Network Configuration for SVD Management

sharle
Mastering SQL Server: Tips and Tricks for Efficient Database Exploration

Mastering SQL Server: Tips and Tricks for Efficient Database Exploration

boone
Understanding SQL: Major Aspects and Functionality in Database Applications

Understanding SQL: Major Aspects and Functionality in Database Applications

nojus
Understanding SQL JOIN: A Comprehensive Guide

Understanding SQL JOIN: A Comprehensive Guide

anaell
Comprehensive Overview of SQL: Commands and Categories

Comprehensive Overview of SQL: Commands and Categories

tika_3
Smooth Transition from MS Access to MS SQL Server

Smooth Transition from MS Access to MS SQL Server

khaliyah
The World of Azure Database Offerings

The World of Azure Database Offerings

kbeat
Insight into Azure Server Subscriptions for CSP - September 2018

Insight into Azure Server Subscriptions for CSP - September 2018

nilt889
Introduction to SQL: Learn the Basics and Beyond

Introduction to SQL: Learn the Basics and Beyond

ford
SQL Database Security Best Practices

SQL Database Security Best Practices

lamb_tif
Networked Server Verification Using Interaction Trees

Networked Server Verification Using Interaction Trees

kaden
Understanding ASP.NET Server Controls and Their Importance

Understanding ASP.NET Server Controls and Their Importance

osborne
Understanding Database Basics for ASP.NET Development

Understanding Database Basics for ASP.NET Development

jat_gri
Understanding Kerberos Authentication Protocol

Understanding Kerberos Authentication Protocol

bri_pr

More Related Content

SQL Server Management Studio Tips and Tricks
SQL Server Management Studio Tips and Tricks
Understanding Indexing Fundamentals in Simple SQL Server
Understanding Indexing Fundamentals in Simple SQL Server
Issues and Algorithms in Server Software Design
Issues and Algorithms in Server Software Design
SQL Part II Lecture Summary: Nested Queries, Joins, and Updates for Database Applications
SQL Part II Lecture Summary: Nested Queries, Joins, and Updates for Database Applications
Security Breach: Detecting and Exploiting SQL Injection in Contact Groups
Security Breach: Detecting and Exploiting SQL Injection in Contact Groups
SQL Tips to Enhance Data Sorting Techniques
SQL Tips to Enhance Data Sorting Techniques
Accelerating the Mobile Web with Server-Aided Dependency Resolution
Accelerating the Mobile Web with Server-Aided Dependency Resolution
Accessing and Utilizing CPCSSN Secure Research Environment (SRE)
Accessing and Utilizing CPCSSN Secure Research Environment (SRE)
Understanding Client-Server Architecture
Understanding Client-Server Architecture
Enhancing Server State Detection in OpenStack for Immediate Host Fault Reporting
Enhancing Server State Detection in OpenStack for Immediate Host Fault Reporting
Understanding Client-Server Communication with Flask in Python
Understanding Client-Server Communication with Flask in Python
Understanding Client-Server Paradigm in Distributed Systems
Understanding Client-Server Paradigm in Distributed Systems
Memory Resource Management in VMware ESX Server Overview
Memory Resource Management in VMware ESX Server Overview
Networking Solutions for Server Virtualization Challenges
Networking Solutions for Server Virtualization Challenges
Optimal Power Allocation in Server Farms: A Study on Efficiency and Performance
Optimal Power Allocation in Server Farms: A Study on Efficiency and Performance
Understanding Client/Server Computing Architecture
Understanding Client/Server Computing Architecture
Understanding Different Types of SQL Joins
Understanding Different Types of SQL Joins
Understanding SQLite and Data Storage with Room in Android Development
Understanding SQLite and Data Storage with Room in Android Development
Learn SQL Basics: History, Syntax, and Terminology
Learn SQL Basics: History, Syntax, and Terminology
SQL Queries for Database Management
SQL Queries for Database Management
Understanding SQL Triggers in Relational Databases
Understanding SQL Triggers in Relational Databases
Introduction to Database Systems and SQL Programming
Introduction to Database Systems and SQL Programming
Introduction to Tabular Data Modeling and SQL Concepts
Introduction to Tabular Data Modeling and SQL Concepts
Understanding Joins, Views, and Subqueries in SQL
Understanding Joins, Views, and Subqueries in SQL