This means that anyone who can capture network traffic carrying client authentication information can easily retrieve it. If you are forced to resort to using SQL Authentication when your clients are running legacy operating systems (such as Windows 98 or Me), or are not part of the same or a trusted domain, you should always encrypt communication between SQL Server and its clients, either with the built-in encryption feature of the Multiprotocol Net-Library or by implementing SSL (for details, refer to the first article of this series), to protect passwords from being easily captured and exposed.
A Windows domain environment provides a number of additional advantages over the SQL Server authentication mechanism. For both local and domain Windows accounts, you can implement account policies, enforcing password complexity, maximum and minimum age, history, as well as lockout settings.
This reduces the effectiveness of brute-force attacks. Note, however, that the highest level of security is provided by Kerberos authentication, which requires that login accounts reside in a Windows or native mode Active Directory domain and that client computers run Windows or later. The NTLM authentication protocol used by legacy operating systems is inherently less secure and can be exploited using a number of popular hacking utilities such as L0phtcrack (currently available as LC4).
If you cannot switch to Kerberos, you should implement NTLM v2 (much more resilient than its predecessor), following the instructions in the Microsoft Knowledge Base article.

Another benefit of operating in the native Active Directory environment is the ability to use delegation. In order to understand its functionality, you first need to get familiar with another, closely related feature called impersonation, which is much more prevalent in Windows operating systems.
Its primary purpose is to allow system processes and applications to run tasks on behalf of a user. Impersonation is employed whenever a user starts a new process or application, so their tasks execute in the user's security context and their security boundaries reflect the user's privileges.
This way, when a user launches a Command Prompt or Windows Explorer, the capabilities of each program are limited by what the user account is allowed to do. However, impersonation has its limitations.
While it works fine for processes operating on the same system on which a user is logged on, remote processes (processes created on systems remote to the user) can take advantage of impersonation only when accessing their local resources (resources residing on the same remote computer). In other words, if a user X logged on to computer A launches a process impersonating this user on computer B, then this process cannot access resources on computer C in the security context of the same user.
In the context of SQL Server operations, this creates a problem with linked servers (for more information on linked servers, refer to the Books Online) where local and linked servers are set up with Windows Authentication mode. Ideally, in the scenario where all SQL Servers authenticate against the same Active Directory domain (or two Active Directory domains linked by trust relationships) and a user logged on to the first server wants to run a distributed query against a linked server, the same user's credentials should be used to connect to it.
Unfortunately, creating such a configuration is not possible with impersonation. In order to accomplish this goal, you need to resort to delegation. Several important conditions need to be satisfied in order for delegation to work properly. First of all, since delegation is a function of the Kerberos authentication protocol, your server and user accounts need to reside in a native mode Active Directory domain or trusted domains (Windows or later). User accounts that will be connecting to linked servers need to be trusted for delegation (this is enabled from the Account tab of the user's account Properties dialog box in the Active Directory Users and Computers console).
Accounts of SQL servers involved in distributed queries must be trusted for delegation (this is done by checking the 'Trust computer for delegation' checkbox on the General tab of each computer's account Properties dialog box in the Active Directory Users and Computers console). You also need to ensure that there exists a Service Principal Name (SPN) associated with each SQL Server instance, with a unique port for each instance if multiple instances are installed on the same computer.
If the SQL Server service runs in the security context of the Local System account, then a temporary SPN is created every time the service starts, so no additional configuration is needed.
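The linked-server scenario described above, as an added T-SQL example that is not part of the original article: it configures a linked server so that distributed queries run on the remote side under the calling user's own Windows credentials (the case that needs Kerberos delegation, trusted accounts and a registered SPN of the form MSSQLSvc/host:port), and then verifies which identity the remote server actually sees. The server name REMOTESQL and the remote login names are placeholders.

```sql
-- Added example (not from the article): set up a linked server that forwards the
-- caller's own Windows security context, then check what the remote side sees.
-- Assumes SQL Server 2000 and Windows authentication on both servers; 'REMOTESQL'
-- is a placeholder for the linked server's name.
EXEC sp_addlinkedserver
    @server = 'REMOTESQL',          -- placeholder linked server name
    @srvproduct = 'SQL Server';

-- @useself = 'true': pass the local login's own credentials to REMOTESQL.
-- No remote user name or password is stored on this server, so there is nothing
-- to capture from the wire or read out of the local configuration.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname = 'REMOTESQL',
    @useself = 'true';

-- Verification: with delegation working, the remote server reports the same
-- Windows account as the local session. Without delegation (NTLM only, account
-- not trusted for delegation, or missing SPN) the second query fails with a
-- login failure for NT AUTHORITY\ANONYMOUS LOGON instead of returning a name.
SELECT SUSER_SNAME() AS local_login;
SELECT * FROM OPENQUERY(REMOTESQL, 'SELECT SUSER_SNAME() AS remote_login');

-- Contrast: a fixed mapping to a SQL-authenticated remote login avoids the
-- delegation requirements, but it stores a password on the local server and sends
-- it across the network on every connection, so it belongs only on an encrypted
-- link and should map to a low-privilege remote account.
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = 'REMOTESQL', @useself = 'false',
--      @locallogin = NULL, @rmtuser = 'reporting_ro',   -- placeholder login
--      @rmtpassword = '<placeholder-password>';
```

Run the two SELECT statements while logged on with a domain account; if the local and remote login names differ, or the remote query errors out, one of the delegation conditions listed in the text (Kerberos, trusted user and computer accounts, SPN per instance and port) is not met.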
This concludes our coverage of authentication-related topics. In our next article, we will look more closely at the configuration of SQL Server service accounts and their impact on server security.

The way these credentials are provided depends on the authentication mode, which can be set to one of the following:

SQL Server authentication - in this case, SQL Server requires that a user specify a name and password at the time the connection is attempted. The login name and a one-way hash of the password need to match one of the entries in the sysxlogins table for the login attempt to be successful.

Windows authentication - in this case, SQL Server does not prompt the user for credentials, but instead uses the access token assigned at the time the user logged on with a Windows account. The token contains a security identifier (SID) which uniquely identifies the user, as well as the SIDs of the local or domain groups that the user is a member of. SQL Server compares all of the SIDs stored in the token against entries in the sysxlogins table and, depending on the outcome, grants or denies login privileges.
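The two authentication modes just described, as an added T-SQL audit example that is not part of the original article: it reports which mode the server is configured for and separates the logins whose password hash lives in sysxlogins (SQL Server authentication, credentials cross the network) from those resolved by SID from the Windows access token. It assumes SQL Server 2000, where master..sysxlogins still exists; on later versions the equivalent information is in sys.server_principals and sys.sql_logins.

```sql
-- Added example (not from the article): audit the authentication mode and the
-- kinds of logins present. Assumes SQL Server 2000 (master..sysxlogins).

-- 1 = Windows authentication only, 0 = Mixed mode (SQL Server + Windows)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Same setting via the older extended procedure ('Mixed' or 'Windows NT Authentication')
EXEC master..xp_loginconfig 'login mode';

-- SQL-authenticated logins: name and one-way password hash are matched against
-- sysxlogins, and the password itself travels from the client. On a server meant
-- to run Windows authentication only, this list should contain nothing but 'sa'.
SELECT name, 'SQL login' AS login_kind
FROM master..sysxlogins
WHERE isntname = 0
  AND name IS NOT NULL;

-- Windows-authenticated logins and groups: matched by the SIDs carried in the
-- user's access token, so no password is stored here or sent to SQL Server.
SELECT name,
       CASE WHEN isntgroup = 1 THEN 'Windows group' ELSE 'Windows user' END AS login_kind
FROM master..sysxlogins
WHERE isntname = 1;
```

Any unexpected entry in the first result set is a login whose password is exposed to the capture risk described at the start of this section, and is the place to start when moving a server toward Windows authentication.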