Security Management in SQL Server


Upload: raghuram-seshabhattar

Post on 04-Jun-2018


8/13/2019 Security Management in SQL Servier

http://slidepdf.com/reader/full/security-management-in-sql-servier 1/49

Security Management in SQL Server

Chapter-1: Introduction

Oracle today announced that it has been named the leading Relational Database Management Systems (RDBMS) vendor in India and Asia Pacific excluding Japan (APEJ), based on first half 2007 Asia Pacific software revenues by IDC. In IDC's "Asia/Pacific Semi-Annual Software Tracker, September 2007" report, Oracle is the Asia Pacific market leader with 53 percent market share, growing 19 percent year-over-year to reach US$373 million in software revenue in first half 2007. It has strengthened its market share lead by nearly four percent over its second half 2006 figure of 50 percent. The company commands more than double the market share of its nearest competitor in the RDBMS market, who has 21 percent. In India, Oracle leads the RDBMS market with 63 percent market share. This is nearly thrice that of its nearest competitor, who only has 23 percent share.

"Oracle has, through a sustained flow of innovation, continued to develop and strengthen its undisputed relational database market share leadership in Asia Pacific," said SPS Grover, vice president, Technology Sales, Oracle India. "With Oracle Database 11g, we expect to continue revolutionizing the database world. Customers will benefit from unique features such as active standbys, real application testing and compression of all data types which will have a dramatic impact on the performance, reliability and economics of their IT systems."

Continued Leadership in Database Innovation with Launch of Oracle Database 11g. In Q1FY08, Oracle launched Oracle Database 11g, with new innovative features such as Oracle Active Data Guard, Oracle Real Application Testing and Oracle Advanced Compression. With more than 400 new features, 36,000 person-months of development, and 15 million test hours, Oracle Database 11g is making the management of enterprise information easier than ever, enabling customers to know more about their business and innovate more quickly.

Oracle also recently announced a new world record price/performance result with the TPC-C benchmark running Oracle® Database 11g on Windows. Achieving 102,454 transactions per minute with a price/performance of $.73/tpmC, Oracle Database 11g Standard Edition One delivered 24 percent more performance at 13 percent less cost than its nearest competitor in the price/performance category.

Oracle Database new wins for 1HFY08 in India include Commercial Taxes Department, Government of Rajasthan, Tamil Nadu Electricity Board and Tata Tele Services Ltd; CAIRN INDIA, Delhi International Airport Ltd., GENPACT INDIA, High Court Of Delhi, IFCI Ltd., Oriental Bank of Commerce, Oxigen India Prepaid Services Pvt Ltd. Some of the new wins for Asia Pacific, excluding Japan, include: Alcatel (Australia), Australian Institute of Health and Welfare (Australia), Bombardier Transportation Australia Pty Ltd. (Australia), Alibaba Group (China), AU Optronics Corp (Taiwan), Bank of East Asia (Hong Kong), China Eastern Airlines Co. Ltd. (China), Dah Sing Bank (Hong Kong), Department of Immigration and Emigration (Sri Lanka), GreatWall Information Industry (China), Kodeco Energy (Indonesia), Korea Exchange (Korea), PT Bank Central Asia (Indonesia), PT. Mobile-8 Telecom (Indonesia), SK Telecom (Korea), Shell Autoserv (Thailand) Co., Shenzhen Airlines (China), Sun Hung Kai Securities Limited (Hong Kong), Sunghwa College (Korea), Tata Steel (Thailand), Thai Nippon Steel Engineering & Construction Corp Ltd. (Thailand), The Bank of East Asia Limited (Hong Kong), Xiangya Hospital of Center-South University (China) and Yan Wal Yun (Thailand) to name a few.

Despite challenging economic conditions, the enterprise software market in India is projected to grow 13 per cent in 2012, as revenue reaches $3.22 billion USD in 2012, according to Gartner, Inc. India's enterprise software market is forecast to maintain its strong performance, with an estimated compound annual growth rate (CAGR) of 13.6 per cent from 2009 to 2016, the third highest growth rate in the world. The increasing globalization of the Indian economy is leading to a growing need for modern software with the latest features and improved functionality.

"With Indian enterprises continuing to embrace IT to improve productivity and drive growth, penetration of ICT infrastructure has been growing rapidly during the past decade. The primary drivers of growth have been domestic demand, the growing maturity of users and incremental enhancements in the technology," said Asheesh Raina, principal research analyst at Gartner. "India also enjoys a rich presence of all international software and hardware vendors, backed by a very strong ecosystem of system integrators, service providers and business partners. A combination of high domestic demand, presence of global vendors and entry of new small vendors with innovative products has made the overall ecosystem apt for robust growth."

In 2012, India will be the fourth largest enterprise software market in Asia/Pacific. The country is forecast to account for 11 per cent of the region's total revenue of $29.33 billion USD for Asia/Pacific this year, the equivalent of 1.15 per cent of the total worldwide software market of $280 billion USD. By 2016, India's share of the software market in Asia/Pacific is expected to reach 12.1 per cent, representing $5.4 billion in revenue, or 1.5 per cent of total worldwide software market revenue of $361 billion. In comparison to other countries in the Asia/Pacific region, such as China (with 27 per cent share of regional spending in 2011), the software market in India is still relatively small and evolving.

"End users in Asia/Pacific are expecting to increase their spending on application and infrastructure software, with China and India being the most optimistic and leading the way for budget increases, followed closely by Malaysia and South Korea," said Mr. Raina. "The high intention to increase budgets in India is expected because of the rapidly growing economy, globalization of operations, and ongoing investment in India as a customer service-related outsourcing destination. Optimism regarding spending within Indian organizations reflects confidence in India's regional economic performance, as well as the need to adopt better technology to effectively compete in a tougher global environment."

Priority areas of software spending include operating systems, DBMS, AIM and Application Development. In the next five years, the fastest-growing segments will be Web conferencing and team collaboration, enterprise content management, CRM and ERP. According to Gartner, Indian enterprises are lagging behind in terms of adoption of these tools, resulting in the fast growth of these markets.

Databases are organized collections of data that support storage, management, and retrieval of information. Databases are qualitatively measured by accuracy, availability, usability, and resilience. Computer software products known as database management systems (DBMS) support access to data stored in databases. A DBMS allows organizations to have databases developed for various applications by database administrators (DBAs) and other software specialists.

Well known DBMS products include Oracle, Access, SQL Server, DB2, and MySQL. A DBMS allows different user application programs to simultaneously access the same database. A DBMS provides services for controlling data access, enforcing data integrity, managing concurrency control, recovering the database after failures, as well as sustaining database security.

Relational databases are the choice for storing data such as financial and medical records, personal information, and manufacturing data. A relational database is a collection of tables relating to one another. Other objects are often considered part of the database because they help to organize and structure the data.

Structured Query Language (SQL) is used to communicate with relational database management systems. This language allows users to perform basic functions to interact with data. In addition to basic SQL functions, the DBMS in use provides additional proprietary functions.

SQL commands are divided into two sublanguages: data definition language (DDL) and data manipulation language (DML). Data definition language includes commands to create and destroy databases and their objects. Once structured with DDL, administrators use data manipulation language (DML) to insert, select, and update the data contained within the structure.

Research Methodology

Need for the Study

The growing IT industry in India faces many challenges in gaining a consistent pace in dynamic and competitive business environments. To overcome such challenges, managers need to have proper forecasts, analysis and database management systems. This requires a well established database and server management system. Security parameters gain preference in database management systems, and hence the challenge is to identify a highly secured RDBMS or DBMS. Hence, this problem/need invites a study to understand the Security Management aspects of the most commonly used RDBMS, SQL Server.


Scope of the Study

The study "Security Management in SQL Server" focuses on the security management in SQL Server and other advantages of SQL Server compared to other RDBMS. This study also focuses on the satisfaction and need for such high-end security options for databases and the prominence of SQL Server in this case.

Objectives

- To study the key decision areas of Database Management Systems.
- To analyze and evaluate the performance of the present database management platforms.
- To understand the Security Management aspects in SQL Server.

Sampling

Sampling Method: The sampling method used was the convenience sampling technique. Convenience sampling (sometimes known as grab or opportunity sampling) is a type of non-probability sampling which involves the sample being drawn from that part of the population which is close to hand. That is, a sample population is selected because it is readily available and convenient. It may be through meeting the person or including a person in the sample when one meets them, or chosen by finding them through technological means such as the internet or through phone.

Determination of Sample Design: There are many IT companies in the twin cities which are operating in domestic and international markets. Companies that majorly contribute to high-end database management software are selected to constitute the sample. Data is collected from the database administrators in such companies, and it is based on the convenience sampling technique.

Limitations of the Study

- Geographical Limitation: The study is confined to the twin cities only, so its forecasted results might not be apt for other regions.
- Time: The project is undertaken for a duration of 8 weeks, which is not enough to fulfil the complete scope of the study.


Chapter-2: Conceptual Framework & Literature Review

SQL Server

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database, it is a software product whose primary function is to store and retrieve data as requested by other software applications, be it those on the same computer or those running on another computer across a network (including the Internet). There are at least a dozen different editions of Microsoft SQL Server aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users. Its primary query languages are T-SQL and ANSI SQL.

Origin

Prior to version 7.0, the code base for MS SQL Server was Sybase SQL Server, sold by Sybase to Microsoft; it was Microsoft's entry to the enterprise-level database market, competing against Oracle, IBM, and, later, Sybase. Microsoft, Sybase and Ashton-Tate originally worked together to create and market the first version named SQL Server 1.0 for OS/2 (about 1989) which was essentially the same as Sybase SQL Server 3.0 on Unix, VMS, etc. Microsoft SQL Server 4.2 was shipped around 1992 (available bundled with IBM OS/2 version 1.3). Later Microsoft SQL Server 4.21 for Windows NT was released at the same time as Windows NT 3.1. Microsoft SQL Server v6.0 was the first version designed for NT, and did not include any direction from Sybase. About the time Windows NT was released in July 1993, Sybase and Microsoft parted ways and each pursued its own design and marketing schemes. Microsoft negotiated exclusive rights to all versions of SQL Server written for Microsoft operating systems. (In 1996 Sybase changed the name of its product to Adaptive Server Enterprise to avoid confusion with Microsoft SQL Server.) Until 1994, Microsoft's SQL Server carried three Sybase copyright notices as an indication of its origin.

SQL Server 7.0 and SQL Server 2000 included modifications and extensions to the Sybase code base, adding support for the IA-64 architecture. By SQL Server 2005 the legacy Sybase code had been completely rewritten.


Since the release of SQL Server 2000, advances have been made in performance, the client IDE tools, and several complementary systems that are packaged with SQL Server 2005. These include:

- an extract-transform-load (ETL) tool (SQL Server Integration Services or SSIS)
- a Reporting Server
- an OLAP and data mining server (Analysis Services)
- several messaging technologies, specifically Service Broker and Notification Services.

SQL Server 2005:

SQL Server 2005 (formerly codenamed "Yukon") was released in October 2005. It included native support for managing XML data, in addition to relational data. For this purpose, it defined an xml data type that could be used either as a data type in database columns or as literals in queries. XML columns can be associated with XSD schemas; XML data being stored is verified against the schema. XML is converted to an internal binary data type before being stored in the database. Specialized indexing methods were made available for XML data. XML data is queried using XQuery; SQL Server 2005 added some extensions to the T-SQL language to allow embedding XQuery queries in T-SQL. In addition, it also defines a new extension to XQuery, called XML DML, that allows query-based modifications to XML data. SQL Server 2005 also allows a database server to be exposed over web services using Tabular Data Stream (TDS) packets encapsulated within SOAP (protocol) requests. When the data is accessed over web services, results are returned as XML.

Common Language Runtime (CLR) integration was introduced with this version, enabling one to write SQL code as Managed Code by the CLR. For relational data, T-SQL has been augmented with error handling features (try/catch) and support for recursive queries with CTEs (Common Table Expressions). SQL Server 2005 has also been enhanced with new indexing algorithms, syntax and better error recovery systems. Data pages are checksummed for better error resiliency, and optimistic concurrency support has been added for better performance. Permissions and access control have been made more granular and the query processor handles concurrent execution of queries in a more efficient way. Partitions on tables and indexes are supported natively, so scaling out a database onto a cluster is easier. SQL CLR was introduced with SQL Server 2005 to let it integrate with the .NET Framework.

SQL Server 2005 introduced "MARS" (Multiple Active Result Sets), a method of allowing usage of database connections for multiple purposes.

SQL Server 2005 introduced DMVs (Dynamic Management Views), which are specialized views and functions that return server state information that can be used to monitor the health of a server instance, diagnose problems, and tune performance.

Service Pack 1 (SP1) of SQL Server 2005 introduced Database Mirroring, a high availability option that provides redundancy and failover capabilities at the database level. Failover can be performed manually or can be configured for automatic failover. Automatic failover requires a witness partner and an operating mode of synchronous (also known as high-safety or full safety).

SQL Server 2008:

SQL Server 2008 (formerly codenamed "Katmai") was released on August 6, 2008 and aims to make data management self-tuning, self-organizing, and self-maintaining with the development of SQL Server Always On technologies, to provide near-zero downtime. SQL Server 2008 also includes support for structured and semi-structured data, including digital media formats for pictures, audio, video and other multimedia data. In current versions, such multimedia data can be stored as BLOBs (binary large objects), but they are generic bitstreams. Intrinsic awareness of multimedia data will allow specialized functions to be performed on them. According to Paul Flessner, senior Vice President, Server Applications, Microsoft Corp., SQL Server 2008 can be a data storage backend for different varieties of data: XML, email, time/calendar, file, document, spatial, etc. as well as perform search, query, analysis, sharing, and synchronization across all data types.

Other new data types include specialized date and time types and a Spatial data type for location-dependent data. Better support for unstructured and semi-structured data is provided using the new FILESTREAM data type, which can be used to reference any file stored on the file system. Structured data and metadata about the file is stored in the SQL Server database, whereas the unstructured component is stored in the file system. Such files can be accessed both via Win32 file handling APIs as well as via SQL Server using T-SQL; doing the latter accesses the file data as a BLOB. Backing up and restoring the database backs up or restores the referenced files as well. SQL Server 2008 also natively supports hierarchical data, and includes T-SQL constructs to directly deal with them, without using recursive queries.

The Full-text search functionality has been integrated with the database engine. According to a Microsoft technical article, this simplifies management and improves performance.

Spatial data will be stored in two types. A "Flat Earth" (GEOMETRY or planar) data type represents geospatial data which has been projected from its native, spherical, coordinate system into a plane. A "Round Earth" data type (GEOGRAPHY) uses an ellipsoidal model in which the Earth is defined as a single continuous entity which does not suffer from the singularities such as the international dateline, poles, or map projection zone "edges". Approximately 70 methods are available to represent spatial operations for the Open Geospatial Consortium Simple Features for SQL, Version 1.1.

SQL Server includes better compression features, which also help in improving scalability. It enhanced the indexing algorithms and introduced the notion of filtered indexes. It also includes Resource Governor, which allows reserving resources for certain users or workflows. It also includes capabilities for transparent data encryption (TDE) as well as compression of backups.

SQL Server 2008 supports the ADO.NET Entity Framework and the reporting tools, replication, and data definition will be built around the Entity Data Model. SQL Server Reporting Services will gain charting capabilities from the integration of the data visualization products from Dundas Data Visualization, Inc., which was acquired by Microsoft. On the management side, SQL Server 2008 includes the Declarative Management Framework which allows configuring policies and constraints, on the entire database or certain tables, declaratively. The version of SQL Server Management Studio included with SQL Server 2008 supports IntelliSense for SQL queries against a SQL Server 2008 Database Engine. SQL Server 2008 also makes the databases available via Windows PowerShell providers and management functionality available as Cmdlets, so that the server and all the running instances can be managed from Windows PowerShell.


SQL Server 2008 R2:

SQL Server 2008 R2 (10.50.1600.1, formerly codenamed "Kilimanjaro") was announced at TechEd 2009, and was released to manufacturing on April 21, 2010. SQL Server 2008 R2 adds certain features to SQL Server 2008 including a master data management system branded as Master Data Services, a central management of master data entities and hierarchies. It also adds Multi Server Management, a centralized console to manage multiple SQL Server 2008 instances and services including relational databases, Reporting Services, Analysis Services & Integration Services.

SQL Server 2008 R2 includes a number of new services, including PowerPivot for Excel and SharePoint, Master Data Services, StreamInsight, Report Builder 3.0, Reporting Services Add-in for SharePoint, a Data-tier function in Visual Studio that enables packaging of tiered databases as part of an application, and a SQL Server Utility named UC (Utility Control Point), part of AMSM (Application and Multi-Server Management) that is used to manage multiple SQL Servers.

The first SQL Server 2008 R2 service pack (10.50.2500, Service Pack 1) was released on July 11, 2011.

The second SQL Server 2008 R2 service pack (10.50.4000, Service Pack 2) was released on July 26, 2012.

SQL Server 2012:

At the 2011 Professional Association for SQL Server (PASS) summit on October 11, Microsoft announced that the next major version of SQL Server (codenamed "Denali") would be SQL Server 2012. It was released to manufacturing on March 6, 2012. SQL Server 2012 Service Pack 1 was released to manufacturing on November 9, 2012.

It was announced to be the last version to natively support OLE DB and instead to prefer ODBC for native connectivity.

SQL Server 2012's new features and enhancements include AlwaysOn SQL Server Failover Cluster Instances and Availability Groups, which provide a set of options to improve database availability; Contained Databases, which simplify the moving of databases between instances; new and modified Dynamic Management Views and Functions; programmability enhancements including new spatial features, metadata discovery, sequence objects and the THROW statement; performance enhancements such as ColumnStore Indexes as well as improvements to OnLine and partition level operations; and security enhancements including provisioning during setup, new permissions, improved role management, and default schema assignment for groups.

SQL Server 2014:

SQL Server 2014 is still in Community Technology Preview stage. As of November 2013 there have been two such revisions, CTP1 and CTP2. SQL Server 2014 will provide a new in-memory capability for tables that can fit entirely in memory (also known as Hekaton). Whilst small tables may be entirely resident in memory in all versions of SQL Server, they also may reside on disk, so work is involved in reserving RAM, writing evicted pages to disk, loading new pages from disk, locking the pages in RAM while they are being operated on, and many other tasks. By treating a table as guaranteed to be entirely resident in memory much of the 'plumbing' of disk-based databases can be avoided.

For disk-based SQL Server applications, it also provides SSD bufferpool extension, which can improve application performance transparently by leveraging SSD as the intermediate memory hierarchy between DRAM and spinning media.

SQL Server 2014 also enhances the AlwaysOn (HADR) solution by increasing the readable secondaries count and sustaining read operations upon secondary-primary disconnections, and it provides new hybrid disaster recovery and backup solutions with Windows Azure, enabling customers to use their existing skills with the on-premises product offerings to take advantage of Microsoft's global datacenters. In addition, it takes advantage of new Windows Server 2012 and Windows Server 2012 R2 capabilities for database application scalability in a physical or virtual environment.


Editions of SQL Server:

Mainstream editions:

Datacenter:

SQL Server 2008 R2 Datacenter is the full-featured edition of SQL Server and is designed for datacenters that need high levels of application support and scalability. It supports 256 logical processors and virtually unlimited memory. It comes with the StreamInsight Premium edition. The Datacenter edition has been retired in SQL Server 2012; all its features are available in SQL Server 2012 Enterprise Edition.

Enterprise:

SQL Server Enterprise Edition includes both the core database engine and add-on services, with a range of tools for creating and managing a SQL Server cluster. It can manage databases as large as 524 petabytes and address 2 terabytes of memory and supports 8 physical processors. SQL Server 2012 Enterprise Edition supports 160 physical processors.

Standard:

SQL Server Standard edition includes the core database engine, along with the stand-alone services. It differs from Enterprise edition in that it supports fewer active instances (number of nodes in a cluster) and does not include some high-availability functions such as hot-add memory (allowing memory to be added while the server is still running), and parallel indexes.

Web:

SQL Server Web Edition is a low-TCO option for Web hosting.

Business Intelligence:

Introduced in SQL Server 2012 and focusing on Self Service and Corporate Business Intelligence. It includes the Standard Edition capabilities and Business Intelligence tools: PowerPivot, Power View, the BI Semantic Model, Master Data Services, Data Quality Services and xVelocity in-memory analytics.


Workgroup:

SQL Server Workgroup Edition includes the core database functionality but does not include the additional services. Note that this edition has been retired in SQL Server 2012.

Express:

SQL Server Express Edition is a scaled down, free edition of SQL Server, which includes the core database engine. While there are no limitations on the number of databases or users supported, it is limited to using one processor, 1 GB memory and 4 GB database files (10 GB database files from SQL Server Express 2008 R2). It is intended as a replacement for MSDE.

Two additional editions provide a superset of features not in the original Express Edition. The first is SQL Server Express with Tools, which includes SQL Server Management Studio Basic. SQL Server Express with Advanced Services adds full-text search capability and reporting services.

Architecture:

The protocol layer implements the external interface to SQL Server. All operations that can be invoked on SQL Server are communicated to it via a Microsoft-defined format, called Tabular Data Stream (TDS). TDS is an application layer protocol, used to transfer data between a database server and a client. Initially designed and developed by Sybase Inc. for their Sybase SQL Server relational database engine in 1984, and later by Microsoft in Microsoft SQL Server, TDS packets can be encased in other physical transport dependent protocols, including TCP/IP, named pipes, and shared memory. Consequently, access to SQL Server is available over these protocols. In addition, the SQL Server API is also exposed over web services.
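The TDS framing described above, as an added example that is not part of the report: a parser for the 8-byte header that fronts every TDS packet (type, status, big-endian length and SPID, packet id, window). The header layout and packet type codes are taken from Microsoft's public MS-TDS specification, not from this page, and the sample byte stream is constructed; a monitor that splits captured SQL Server traffic this way can count login and batch packets per connection and notice partial or malformed framing.

```python
"""Parser for the 8-byte TDS packet header that frames SQL Server requests and responses.

Added example, not code from the report. Header layout and type codes follow
Microsoft's public MS-TDS specification; the sample bytes below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER_LEN = 8
HEADER_FMT = ">BBHHBB"  # type, status, length, SPID, packet id, window; big-endian

# Packet type codes from MS-TDS (the commonly seen ones).
PACKET_TYPES: Dict[int, str] = {
    0x01: "SQL_BATCH",
    0x03: "RPC",
    0x04: "TABULAR_RESULT",
    0x06: "ATTENTION",
    0x07: "BULK_LOAD",
    0x0E: "TRANSACTION_MANAGER",
    0x10: "TDS7_LOGIN",
    0x11: "SSPI",
    0x12: "PRELOGIN",
}

STATUS_EOM = 0x01  # end-of-message bit: this packet completes the message


@dataclass
class TdsPacket:
    ptype: int
    status: int
    length: int
    spid: int
    packet_id: int
    payload: bytes

    @property
    def type_name(self) -> str:
        return PACKET_TYPES.get(self.ptype, f"UNKNOWN_0x{self.ptype:02X}")

    @property
    def end_of_message(self) -> bool:
        return bool(self.status & STATUS_EOM)


def build_packet(ptype: int, payload: bytes, status: int = STATUS_EOM,
                 spid: int = 0, packet_id: int = 1) -> bytes:
    """Frame a payload in a TDS header (the length field counts the header too)."""
    return struct.pack(HEADER_FMT, ptype, status, HEADER_LEN + len(payload),
                       spid, packet_id, 0) + payload


def parse_tds_stream(data: bytes) -> Tuple[List[TdsPacket], bytes]:
    """Split a byte stream into complete TDS packets.

    Returns the packets found plus the unconsumed tail, i.e. a partial packet
    that still needs more bytes. A header whose length field is below 8 can
    never be valid, so it raises ValueError: a monitor should treat that as
    corruption or non-TDS traffic on the port rather than guess.
    """
    packets: List[TdsPacket] = []
    offset = 0
    while len(data) - offset >= HEADER_LEN:
        ptype, status, length, spid, pid, _window = struct.unpack_from(
            HEADER_FMT, data, offset)
        if length < HEADER_LEN:
            raise ValueError(f"invalid TDS length {length} at offset {offset}")
        if len(data) - offset < length:
            break  # packet not fully received yet; leave it in the tail
        payload = data[offset + HEADER_LEN:offset + length]
        packets.append(TdsPacket(ptype, status, length, spid, pid, payload))
        offset += length
    return packets, data[offset:]


def count_by_type(packets: List[TdsPacket]) -> Dict[str, int]:
    """Per-type packet counts, the kind of summary a connection monitor would log."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        counts[pkt.type_name] = counts.get(pkt.type_name, 0) + 1
    return counts


# Constructed sample stream: a PRELOGIN packet, a SQL batch whose (constructed)
# payload is just the UCS-2 text "abc", and the first three bytes of a
# TABULAR_RESULT packet that has not fully arrived yet.
SAMPLE_STREAM = (
    build_packet(0x12, b"\x00\x00\x00\xff")
    + build_packet(0x01, "abc".encode("utf-16-le"))
    + b"\x04\x01\x00"
)

if __name__ == "__main__":
    pkts, tail = parse_tds_stream(SAMPLE_STREAM)
    for p in pkts:
        print(f"{p.type_name:15s} len={p.length:3d} eom={p.end_of_message} payload={p.payload!r}")
    print("counts:", count_by_type(pkts), "unconsumed:", tail.hex())
```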

Data Storage:

Data storage is a database, which is a collection of tables with typed columns. SQL Server

supports different data types, including primary types such as Integer, Float, Decimal, Char

(including character strings), Varchar (variable length character strings), binary (for unstructured

 blobs of data), Text (for textual data) among others. The rounding of floats to integers uses either

Symmetric Arithmetic Rounding or Symmetric Round Down (Fix) depending on arguments:

SELECT Round(2.5, 0) gives 3.Microsoft SQL Server also allows user-defined composite types


(UDTs) to be defined and used. It also makes server statistics available as virtual tables and

views (called Dynamic Management Views or DMVs). In addition to tables, a database can also

contain other objects including views, stored procedures, indexes and constraints, along with a

transaction log. A SQL Server database can contain a maximum of 2^31 objects, and can span

multiple OS-level files with a maximum file size of 2^60 bytes. The data in the database are

stored in primary data files with an extension .mdf. Secondary data files, identified with a .ndf

extension, are used to store optional metadata. Log files are identified with the .ldf extension.

Storage space allocated to a database is divided into sequentially numbered pages, each 8 KB in

size. A page is the basic unit of I/O for SQL Server operations. A page is marked with a 96-byte

header which stores metadata about the page including the page number, page type, free space on

the page and the ID of the object that owns it. Page type defines the data contained in the page -

data stored in the database, index, allocation map which holds information about how pages are

allocated to tables and indexes, change map which holds information about the changes made to

other pages since last backup or logging, or contain large data types such as image or text. While

 page is the basic unit of an I/O operation, space is actually managed in terms of an extent which

consists of 8 pages. A database object can either span all 8 pages in an extent ("uniform extent")

or share an extent with up to 7 more objects ("mixed extent"). A row in a database table cannot

span more than one page, so is limited to 8 KB in size. However, if the data exceeds 8 KB and

the row contains Varchar or Varbinary data, the data in those columns are moved to a new page

(or possibly a sequence of pages, called an Allocation unit) and replaced with a pointer to the

data.

For physical storage of a table, its rows are divided into a series of partitions (numbered 1 to n).

The partition size is user defined; by default all rows are in a single partition. A table is split into

multiple partitions in order to spread a database over a cluster. Rows in each partition are stored

in either B-tree or heap structure. If the table has an associated index to allow fast retrieval of

rows, the rows are stored in-order according to their index values, with a B-tree providing the

index. The data is stored in the leaf nodes, with the other nodes storing the index values for the

leaf data reachable from the respective nodes. If the index is non-clustered, the rows are not

sorted according to the index keys. An indexed view has the same storage structure as an indexed


table. A table without an index is stored in an unordered heap structure. Both heaps and B-trees

can span multiple allocation units.

Buffer Management:

SQL Server buffers pages in RAM to minimize disc I/O. Any 8 KB page can be buffered in-

memory, and the set of all pages currently buffered is called the buffer cache. The amount of

memory available to SQL Server decides how many pages will be cached in memory. The buffer

cache is managed by the Buffer Manager. Either reading from or writing to any page copies it to

the buffer cache. Subsequent reads or writes are redirected to the in-memory copy, rather than

the on-disc version. The page is updated on the disc by the Buffer Manager only if the in-

memory cache has not been referenced for some time. While writing pages back to disc,

asynchronous I/O is used whereby the I/O operation is done in a background thread so that other

operations do not have to wait for the I/O operation to complete. Each page is written along with

its checksum when it is written. When reading the page back, its checksum is computed again

and matched with the stored version to ensure the page has not been damaged or tampered with

in the meantime.

Concurrency and Locking:

SQL Server allows multiple clients to use the same database concurrently. As such, it needs to

control concurrent access to shared data, to ensure data integrity — when multiple clients update

the same data, or clients attempt to read data that is in the process of being changed by another

client. SQL Server provides two modes of concurrency control: pessimistic concurrency and

optimistic concurrency. When pessimistic concurrency control is being used, SQL Server

controls concurrent access by using locks. Locks can be either shared or exclusive. Exclusive

lock grants the user exclusive access to the data — no other user can access the data as long as the

lock is held. Shared locks are used when some data is being read — multiple users can read from

data locked with a shared lock, but not acquire an exclusive lock. The latter would have to wait

for all shared locks to be released. Locks can be applied on different levels of granularity — on

entire tables, pages, or even on a per-row basis on tables. For indexes, it can either be on the

entire index or on index leaves. The level of granularity to be used is defined on a per-database

 basis by the database administrator. While a fine grained locking system allows more users to


use the table or index simultaneously, it requires more resources. So it does not automatically

translate into a higher-performing solution. SQL Server also includes two more lightweight mutual

exclusion solutions — latches and spinlocks — which are less robust than locks but are less

resource intensive. SQL Server uses them for DMVs and other resources that are usually not

 busy. SQL Server also monitors all worker threads that acquire locks to ensure that they do not

end up in deadlocks — in case they do, SQL Server takes remedial measures, which in many

cases is to kill one of the threads entangled in a deadlock and rollback the transaction it started.

To implement locking, SQL Server contains the Lock Manager. The Lock Manager maintains an

in-memory table that manages the database objects and locks, if any, on them along with other

metadata about the lock. Access to any shared object is mediated by the lock manager, which

either grants access to the resource or blocks it.

SQL Server also provides the optimistic concurrency control mechanism, which is similar to the

multiversion concurrency control used in other databases. The mechanism allows a new version

of a row to be created whenever the row is updated, as opposed to overwriting the row, i.e., a

row is additionally identified by the ID of the transaction that created the version of the row.

Both the old as well as the new versions of the row are stored and maintained, though the old

versions are moved out of the database into a system database identified as Tempdb. When a row

is in the process of being updated, any other requests are not blocked (unlike locking) but are

executed on the older version of the row. If the other request is an update statement, it will result

in two different versions of the rows —  both of them will be stored by the database, identified by

their respective transaction IDs.

Data Retrieval:

The main mode of retrieving data from an SQL Server database is querying for it. The query is

expressed using a variant of SQL called T-SQL, a dialect Microsoft SQL Server shares with

Sybase SQL Server due to its legacy. The query declaratively specifies what is to be retrieved. It is processed by the query processor, which figures out the sequence of steps that will be

necessary to retrieve the requested data. The sequence of actions necessary to execute a query is

called a query plan. There might be multiple ways to process the same query. For example, for a

query that contains a join statement and a select statement, executing join on both the tables and

then executing select on the results would give the same result as selecting from each table and


then executing the join, but result in different execution plans. In such case, SQL Server chooses

the plan that is expected to yield the results in the shortest possible time. This is called query

optimization and is performed by the query processor itself.

SQL Server includes a cost-based query optimizer which tries to optimize on the cost, in terms of

the resources it will take to execute the query. Given a query, the query optimizer looks at

the database schema, the database statistics and the system load at that time. It then decides

in which sequence to access the tables referred to in the query, in which sequence to execute the

operations and what access method to be used to access the tables. For example, if the table has

an associated index, whether the index should be used or not - if the index is on a column which

is not unique for most of the rows (low "selectivity"), it might not be worthwhile to use the

index to access the data. Finally, it decides whether to execute the query concurrently or not.

While a concurrent execution is more costly in terms of total processor time, splitting the

execution across different processors might mean it will execute faster. Once a query

 plan is generated for a query, it is temporarily cached. For further invocations of the same query,

the cached plan is used. Unused plans are discarded after some time.

SQL Server also allows stored procedures to be defined. Stored procedures are parameterized T-

SQL queries, that are stored in the server itself (and not issued by the client application as is the

case with general queries). Stored procedures can accept values sent by the client as input

 parameters, and send back results as output parameters. They can call defined functions, and

other stored procedures, including the same stored procedure (up to a set number of times). They

can be selectively provided access to. Unlike other queries, stored procedures have an associated

name, which is used at runtime to resolve into the actual queries. Also because the code need not

 be sent from the client every time (as it can be accessed by name), it reduces network traffic and

somewhat improves performance. Execution plans for stored procedures are also cached as

necessary.

SQL CLR:

Microsoft SQL Server 2005 includes a component named SQL CLR ("Common Language

Runtime") via which it integrates with .NET Framework. Unlike most other applications that use

.NET Framework, SQL Server itself hosts the .NET Framework runtime, i.e., memory, threading


and resource management requirements of .NET Framework are satisfied by SQLOS itself,

rather than the underlying Windows operating system. SQLOS provides deadlock detection and

resolution services for .NET code as well. With SQL CLR, stored procedures and triggers can be

written in any managed .NET language, including C# and VB.NET. Managed code can also be

used to define UDT's (user defined types), which can persist in the database. Managed code is

compiled to CLI assemblies and after being verified for type safety, registered at the database.

After that, they can be invoked like any other procedure. However, only a subset of the Base

Class Library is available, when running code under SQL CLR. Most APIs relating to user

interface functionality are not available.

When writing code for SQL CLR, data stored in SQL Server databases can be accessed using the

ADO.NET APIs like any other managed application that accesses SQL Server data. However,

doing that creates a new database session, different from the one in which the code is executing.

To avoid this, SQL Server provides some enhancements to the ADO.NET provider that allows

the connection to be redirected to the same session which already hosts the running code. Such

connections are called context connections and are set by setting context connection parameter to

true in the connection string. SQL Server also provides several other enhancements to the

ADO.NET API, including classes to work with tabular data or a single row of data as well as

classes to work with internal metadata about the data stored in the database. It also provides

access to the XML features in SQL Server, including XQuery support. These enhancements are

also available in T-SQL Procedures in consequence of the introduction of the new XML Data

type (query, value, nodes functions).

Services:

SQL Server also includes an assortment of add-on services. While these are not essential for the

operation of the database system, they provide value added services on top of the core database

management system. These services either run as a part of some SQL Server component or out-of-process as a Windows service, and present their own API to control and interact with them.

Service Broker:

Used inside an instance, it provides a programming environment. For cross instance applications, Service

Broker communicates over TCP/IP and allows the different components to be synchronized


together, via exchange of messages. The Service Broker, which runs as a part of the database

engine, provides a reliable messaging and message queuing platform for SQL Server

applications.

Replication:

SQL Server Replication Services are used by SQL Server to replicate and synchronize database

objects, either in entirety or a subset of the objects present, across replication agents, which

might be other database servers across the network, or database caches on the client side.

Replication follows a publisher/subscriber model, i.e., the changes are sent out by one database

server ("publisher") and are received by others ("subscribers"). SQL Server supports three

different types of replication.

Transaction Replication:

Each transaction made to the publisher database (master database) is synced out to subscribers,

who update their databases with the transaction. Transactional replication synchronizes databases

in near real time.

Merge Replication:

Changes made at both the publisher and subscriber databases are tracked, and periodically the

changes are synchronized bi-directionally between the publisher and the subscribers. If the same

data has been modified differently in both the publisher and the subscriber databases,

synchronization will result in a conflict which has to be resolved - either manually or by using

 pre-defined policies. rowguid needs to be configured on a column if merge replication is

configured.

Snapshot:

Snapshot replication publishes a copy of the entire database (the then-snapshot of the data) and

replicates out to the subscribers. Further changes to the snapshot are not tracked.


Analytical Services:

SQL Server Analysis Services adds OLAP and data mining capabilities for SQL Server

databases. The OLAP engine supports MOLAP, ROLAP and HOLAP storage modes for data.

Analysis Services supports the XML for Analysis standard as the underlying communication

 protocol. The cube data can be accessed using MDX and LINQ queries. Data mining specific

functionality is exposed via the DMX query language. Analysis Services includes various

algorithms - Decision trees, clustering algorithm, Naive Bayes algorithm, time series analysis,

sequence clustering algorithm, linear and logistic regression analysis, and neural networks - for

use in data mining.

Reporting Services:

SQL Server Reporting Services is a report generation environment for data gathered from SQL

Server databases. It is administered via a web interface. Reporting services features a web

services interface to support the development of custom reporting applications. Reports are

created as RDL files.

Reports can be designed using recent versions of Microsoft Visual Studio (Visual Studio.NET

2003, 2005, and 2008) with Business Intelligence Development Studio, installed or with the

included Report Builder. Once created, RDL files can be rendered in a variety of formats

including Excel, PDF, CSV, XML, TIFF (and other image formats), and HTML Web Archive.

Notification:

Originally introduced as a post-release add-on for SQL Server 2000, Notification Services was

 bundled as part of the Microsoft SQL Server platform for the first and only time with SQL

Server 2005. SQL Server Notification Services is a mechanism for generating data-driven

notifications, which are sent to Notification Services subscribers. A subscriber registers for a

specific event or transaction (which is registered on the database server as a trigger); when the

event occurs, Notification Services can use one of three methods to send a message to the

subscriber informing about the occurrence of the event. These methods include SMTP, SOAP, or

 by writing to a file in the file system. Notification Services was discontinued by Microsoft with


the release of SQL Server 2008 in August 2008, and is no longer an officially supported

component of the SQL Server database platform.

Integration Services:

SQL Server Integration Services is used to integrate data from different data sources. It is used

for the ETL capabilities for SQL Server for data warehousing needs. Integration Services

includes GUI tools to build data extraction workflows integrating various functionality such as

extracting data from various sources, querying data, transforming data including aggregating,

duplication and merging data, and then loading the transformed data onto other sources, or

sending e-mails detailing the status of the operation as defined by the user.

Full Text Search Service:

SQL Server Full Text Search service is a specialized indexing and querying service for

unstructured text stored in SQL Server databases. The full text search index can be created on

any column with character based text data. It allows for words to be searched for in the text

columns. While it can be performed with the SQL LIKE operator, using SQL Server Full Text

Search service can be more efficient. Full Text Search allows for inexact matching of the source string,

indicated by a Rank value which can range from 0 to 1000 - a higher rank means a more accurate

match. It also allows linguistic matching ("inflectional search"), i.e., linguistic variants of a word

(such as a verb in a different tense) will also be a match for a given word (but with a lower rank

than an exact match). Proximity searches are also supported, i.e., if the words searched for do not

occur in the sequence they are specified in the query but are near each other, they are also

considered a match. T-SQL exposes special operators that can be used to access the FTS

capabilities.

The Full Text Search engine is divided into two processes - the Filter Daemon process

(msftefd.exe) and the Search process (msftesql.exe). These processes interact with the SQL Server. The Search process includes the indexer (that creates the full text indexes) and the full

text query processor. The indexer scans through text columns in the database. It can also index

through binary columns, and use iFilters to extract meaningful text from the binary blob (for

example, when a Microsoft Word document is stored as an unstructured binary file in a

database). The iFilters are hosted by the Filter Daemon process. Once the text is extracted, the


Filter Daemon process breaks it up into a sequence of words and hands it over to the indexer.

The indexer filters out noise words, i.e., words like A, And etc., which occur frequently and are

not useful for search. With the remaining words, an inverted index is created, associating each

word with the columns they were found in. SQL Server itself includes a Gatherer component that

monitors changes to tables and invokes the indexer in case of updates.

When a full text query is received by the SQL Server query processor, it is handed over to the

FTS query processor in the Search process. The FTS query processor breaks up the query into

the constituent words, filters out the noise words, and uses an inbuilt thesaurus to find out the

linguistic variants for each word. The words are then queried against the inverted index and a

rank of their accurateness is computed. The results are returned to the client via the SQL Server

 process.

SQL CMD:

SQLCMD is a command line application that comes with Microsoft SQL Server, and exposes

the management features of SQL Server. It allows SQL queries to be written and executed from

the command prompt. It can also act as a scripting language to create and run a set of SQL

statements as a script. Such scripts are stored as a .sql file, and are used either for management of

databases or to create the database schema during the deployment of a database. SQLCMD was

introduced with SQL Server 2005 and continues with SQL Server 2008. Its predecessors for

earlier versions were OSQL and ISQL, which are functionally equivalent as it pertains to T-SQL

execution, and many of the command line parameters are identical, although SQLCMD adds

extra versatility.

Visual Studio:  Microsoft Visual Studio includes native support for data programming with

Microsoft SQL Server. It can be used to write and debug code to be executed by SQL CLR. It

also includes a data designer that can be used to graphically create, view or edit database

schemas. Queries can be created either visually or using code. From SSMS 2008 onwards,

IntelliSense is provided for SQL queries as well.


SQL Server Management Studio:

SQL Server Management Studio is a GUI tool included with SQL Server 2005 and later for

configuring, managing, and administering all components within Microsoft SQL Server. The tool

includes both script editors and graphical tools that work with objects and features of the server.

SQL Server Management Studio replaces Enterprise Manager as the primary management

interface for Microsoft SQL Server since SQL Server 2005. A version of SQL Server

Management Studio is also available for SQL Server Express Edition, for which it is known as

SQL Server Management Studio Express (SSMSE).

A central feature of SQL Server Management Studio is the Object Explorer, which allows the

user to browse, select, and act upon any of the objects within the server. It can be used to visually

observe and analyze query plans and optimize the database performance, among others. SQL

Server Management Studio can also be used to create a new database, alter any existing database

schema by adding or modifying tables and indexes, or analyze performance. It includes the query

windows which provide a GUI based interface to write and execute queries.

Business Intelligence Development Studio:

Business Intelligence Development Studio (BIDS) is the IDE from Microsoft used for

developing data analysis and Business Intelligence solutions utilizing the Microsoft SQL Server

Analysis Services, Reporting Services and Integration Services. It is based on the Microsoft

Visual Studio development environment but is customized with the SQL Server services-specific

extensions and project types, including tools, controls and projects for reports (using Reporting

Services), Cubes and data mining structures (using Analysis Services).

T-SQL:

T-SQL (Transact-SQL) is the secondary means of programming and managing SQL Server. It

exposes keywords for the operations that can be performed on SQL Server, including creating

and altering database schemas, entering and editing data in the database as well as monitoring

and managing the server itself. Client applications that consume data or manage the server will

leverage SQL Server functionality by sending T-SQL queries and statements which are then

 processed by the server and results (or errors) returned to the client application. SQL Server


allows it to be managed using T-SQL. For this it exposes read-only tables from which server

statistics can be read. Management functionality is exposed via system-defined stored procedures

which can be invoked from T-SQL queries to perform the management operation. It is also

possible to create a linked server using T-SQL. A linked server allows operations spanning multiple servers

to be issued as one query.

SQL Native Client:

SQL Native Client is the native client side data access library for Microsoft SQL Server, version

2005 onwards. It natively implements support for the SQL Server features including the Tabular

Data Stream implementation, support for mirrored SQL Server databases, full support for all data

types supported by SQL Server, asynchronous operations, query notifications, encryption

support, as well as receiving multiple result sets in a single database session. SQL Native Client

is used under the hood by SQL Server plug-ins for other data access technologies, including

ADO or OLE DB. The SQL Native Client can also be directly used, bypassing the generic data

access layers.


Literature Review

10 Must-Do SQL Server Security Tasks  –  By David Maman, GreenSQL CTO

As we roll into 2013, here's our review of the top ways organizations need to be protecting their

databases. While Microsoft's documentation does a great job covering best practices for database

 programmers, that is still not enough to protect against many of today's threats. In fact, as many

as 65% of database breaches are inside jobs, that is, they are performed by someone who is

authorized to access the database.

Fortunately, by taking appropriate precautions, most of these breaches can be prevented or

detected before they get out of hand.

1.  Use a dedicated server for your database: Host your SQLS2012 database on a

dedicated server. Whether it is local or in the cloud, spend the extra cash on a dedicated

server to prevent security leaks and breaches.

2.  Harden the Operating System: On your dedicated server, the first step is to

implement operating system hardening. Many hardening techniques exist. At a

minimum, you need to: 

- Change the default ports, as described below.

- Hide SQL instances from showing in the network, as described below.

- Allow only network protocols that are needed.

- CONNECT permission should be granted only on endpoints to logins that need to use them.

- If there is a need to work with SQL Login, install an SSL certificate from a trusted CA rather than SQL Server's self-signed certificates.

- Avoid the exposure of SQL Server to the public internet/intranet.

Change the default ports:

1.  From the Start menu, choose All Programs > Microsoft SQL Server 2012 >

Configuration Tools > SQL Server Configuration Manager.

2.  Expand the SQL Server 2012 Network Configuration node and select Protocols

for the SQL Server instance to be configured.


3.  In the right pane, right-click the protocol name TCP/IP and choose Properties.

4.  In the TCP/IP Properties dialog box, select the IP Addresses tab.

Hide SQL Instances from showing in the network:

The SQL Server Browser service enumerates SQL Server information on the network.

Attackers can use SQL Server clients to browse the current infrastructure and retrieve a

list of running SQL Server instances.

To hide SQL instances:

1.  From the Start menu, choose All Programs, Microsoft SQL Server 2012,

Configuration Tools, SQL Server Configuration Manager.

2.  Expand the SQL Server 2012 Network Configuration node and select Protocols for the SQL Server instance to be configured.

3.  Right-click Protocols for [Server\Instance Name] and choose Properties.

4.  In the Hide Instance box on the Protocols for [Server\Instance Name] Properties page select Yes.

5.  Click OK.

6.  Restart the services for the change to take effect.

3.  Control Admin Access to the database

You should control not only the individuals who have access to the database, but also

how administrators access the database.

Administrator Privileges Control

Elevated permissions are allowed not only for sysadmin users, but also for any login with the

built-in SA account, and also any login with CONTROL SERVER permission. For accountability

in the database, avoid relying on the Administrators group and add only specific database

administrators to the sysadmin role. For a full description of best practices, see the official

documentation by Microsoft entitled SQL Server 2012 Security Best Practice Whitepaper.

Quick Tips for Admin Privileges

- Administrator privileges should be used only when they are really needed.

- Have as few admins as possible.


- Do not use one login for more than one administrator. Each admin should have his or her own account.

- Provision admin principals explicitly.

- Do not use the "BUILTIN\Administrators" Windows group.

- Regularly audit to ensure only the appropriate authorized individuals have admin access privileges.

Removing the Builtin/Administrators Group

Following is a Transact-SQL (T-SQL) syntax for removing the BUILTIN\Administrators

Windows Group from a SQL Server instance. You should use this if a group exists from

 previous versions of SQL Server or using BETA code.

To remove the Builtin/Administrators Group, run the following code on each SQL Server

instance installed in the organization:

USE master;

-- Drop the Windows group login only if it is still present on this instance.
IF EXISTS (SELECT * FROM sys.server_principals
           WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
GO

Control Admin Access Routes to the Database

 Not only can you restrict the individuals who have admin access, but you can also restrict

the routes of admin control. Using a tool such as GreenSQL, you can ensure that access

to admin privileges can come only from certain IP addresses or specific computers. This

way, if someone leaves the company or if login information is compromised, it will be

impossible for anyone else to use that login data.

Managing Non-Administrative Users

It's important to manage users who are not admins but have access to the database for

other purposes. As with system administrators, it's important to not only give different

authentication to different types of users, but also to control the routes of access to the

database.

A SQL Server instance can contain many databases, each created by a user who becomes its

database owner (DBO) by default, as shown in the following image: user workshop

created the workshop database and is a member of the db_owner database role.


Best practices for non-administrator roles:

• Minimize the number of accounts/users that have the db_owner role for each database.
• Have distinct owners for databases; not all databases should be owned by sa or by any other member of the sysadmin server role.
• Control the access methods and IP addresses used to reach the database on a per-role basis.
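The queries below are an added example, not from the original page. They implement the "regularly audit" practice for both the administrator principals earlier in this section and the database owners and db_owner members here, and then reassign a database to a dedicated owner. The workshop database is the one named on the page; the Windows login CORP\workshop-owner is an assumption:

```sql
-- Added example (not from the original page): audit sysadmin membership, database ownership and
-- db_owner membership, then fix ownership. CORP\workshop-owner is an assumed Windows login.
USE master;
GO
-- 1. Who holds sysadmin? Expect only the explicitly provisioned administrator group(s).
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO
-- 2. User databases owned by sa, by another sysadmin member, or by a login that no longer exists.
--    The owner maps to dbo inside the database; combined with the TRUSTWORTHY setting, code
--    running as dbo in a sysadmin-owned database can escalate to instance administrator.
SELECT d.name AS database_name, p.name AS owner_login, d.is_trustworthy_on
FROM sys.databases d
LEFT JOIN sys.server_principals p ON p.sid = d.owner_sid
WHERE d.database_id > 4                                   -- skip master, tempdb, model, msdb
  AND (p.name IS NULL                                     -- orphaned owner
       OR IS_SRVROLEMEMBER(N'sysadmin', p.name) = 1);
GO
-- 3. Give the database a dedicated owner login that holds no server-level role.
--    ALTER AUTHORIZATION fails if that login is already mapped to a user inside the database.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\workshop-owner')
    CREATE LOGIN [CORP\workshop-owner] FROM WINDOWS;
ALTER AUTHORIZATION ON DATABASE::workshop TO [CORP\workshop-owner];
GO
-- 4. Inside the database, list db_owner members; keep this set as small as possible.
USE workshop;
GO
SELECT dp.name AS db_owner_member, dp.type_desc
FROM sys.database_role_members drm
JOIN sys.database_principals r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner';
GO
```

Run steps 1, 2 and 4 on a schedule and diff the output against the last run; a new name in any of the three lists is the event the audit is meant to catch.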

4. Encrypt the Data Between App and SQL Server 2012

The MS SQL database comes with built-in encryption within the database. However, it is also crucial to encrypt the data as it passes between the application and the database. Furthermore, it is important to limit access to this information.

Best practices for encryption:

• Ensure that DBAs and other people using the database do not have access to sensitive information.
• When sending information to users who do not need to know the actual content, mask the sensitive information.
• Limit the amount of information that can be drawn from the database by those who have access to it.
• Set up rules to identify authorized and unauthorized use of data, including the IP addresses and routes used to access the data, rather than relying on username-only authentication.
• Set up encryption keys between applications and the database.
• Implement cell-level encryption.
• Implement Transparent Data Encryption. Encrypt high-value and sensitive data.
• Use symmetric keys to encrypt data, and asymmetric keys or certificates to protect the symmetric keys.
• Password-protect keys and, for the most secure configuration, remove the automatic encryption of the database master key by the service master key, so that the key must be opened explicitly with its password.
• Always back up the service master key, database master keys and certificates by using the key-specific DDL statements (BACKUP SERVICE MASTER KEY, BACKUP MASTER KEY, BACKUP CERTIFICATE).
• Always back up your database; this also backs up the symmetric and asymmetric keys stored in it.
• Configure SSL/TLS for client connections so that data in transit is encrypted.

Cell Level Encryption

SQL Server 2012 has an encryption hierarchy, summarized below.

• The top-level resource in the SQL Server encryption hierarchy is the Service Master Key, which is generated at installation and encrypted by the Windows Data Protection API (DPAPI). Back up every Service Master Key and store the backup securely.
• Next is the Database Master Key. This key can be used to create certificates and asymmetric keys.
• Third are certificates and asymmetric keys. Both can be used to create symmetric keys or to encrypt data directly.
• Finally, symmetric keys are used to encrypt the data itself.
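The script below is an added example, not code from the original page, that walks this hierarchy from the database master key down to an encrypted column and ends with the key backups the best practices above call for. The workshop database comes from the page; the certificate, key and table names, the constructed sample row, the backup paths and the placeholder passwords are assumptions:

```sql
-- Added example (not from the original page): cell-level encryption following the hierarchy
-- DMK -> certificate -> symmetric key -> EncryptByKey. Names, paths, the sample row and the
-- placeholder passwords are assumptions.
USE workshop;
GO
-- Database master key (password-protected; by default also encrypted by the service master key)
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
-- Certificate that protects the symmetric key
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'CardDataCert')
    CREATE CERTIFICATE CardDataCert WITH SUBJECT = N'Protects the card-number symmetric key';
-- Symmetric key that actually encrypts the data
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'CardDataKey')
    CREATE SYMMETRIC KEY CardDataKey
        WITH ALGORITHM = AES_256
        ENCRYPTION BY CERTIFICATE CardDataCert;
GO
-- Ciphertext is binary and longer than the plaintext, hence VARBINARY
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    CardNumber VARBINARY(256) NOT NULL
);
GO
-- Write path: the authenticator (here the Name column) binds the ciphertext to its row,
-- so a value copied into another row will not decrypt there. The card number is a constructed test value.
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
INSERT INTO dbo.Customer (Name, CardNumber)
VALUES (N'Alice', EncryptByKey(Key_GUID(N'CardDataKey'), N'4111111111111111', 1, N'Alice'));
CLOSE SYMMETRIC KEY CardDataKey;
GO
-- Read path: principals that cannot open the key get NULL instead of the card number
OPEN SYMMETRIC KEY CardDataKey DECRYPTION BY CERTIFICATE CardDataCert;
SELECT Name,
       CONVERT(NVARCHAR(20), DecryptByKey(CardNumber, 1, Name)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CardDataKey;
GO
-- Back up the certificate with its private key and the DMK; without them the column is unrecoverable
BACKUP CERTIFICATE CardDataCert TO FILE = N'C:\KeyBackup\CardDataCert.cer'
    WITH PRIVATE KEY (FILE = N'C:\KeyBackup\CardDataCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong backup password>');
BACKUP MASTER KEY TO FILE = N'C:\KeyBackup\workshop_dmk.key'
    ENCRYPTION BY PASSWORD = N'<strong backup password>';
GO
```

Only principals allowed to open CardDataKey (VIEW DEFINITION on the key and CONTROL on the certificate) see plaintext; grant those narrowly and application users get NULL from DecryptByKey. A sysadmin can still open any certificate in the database, so this protects the data from ordinary users, not from the instance administrator; keeping the key outside the database (an Extensible Key Management provider) is what the "DBAs should not have access" practice ultimately requires.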

5. TDE – Transparent Data Encryption in SQL Server 2012 (Database Level Encryption)

TDE provides real-time encryption of the data and log files. It is important to note that this is database-level encryption: data is encrypted before it is written to disk and decrypted when it is read from disk. The "transparent" aspect of TDE is that the encryption is performed by the database engine and SQL Server clients are completely unaware of it. No code needs to be written to perform the encryption and decryption and, for the same reason, TDE does not restrict what an authenticated user who can query the database is able to read; it protects the files, not the data from logged-in users.

The database is prepared for TDE, and then encryption is turned on at the database level with an ALTER DATABASE command. With TDE, backup files produced by the standard BACKUP command are also encrypted, so the certificate that protects the database encryption key must be available wherever those backups are restored.
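The following is an added example, not from the original page, showing the preparation steps and the ALTER DATABASE command for TDE on the page's workshop database, plus the check that tells you when encryption has finished. The certificate name, backup paths and placeholder passwords are assumptions:

```sql
-- Added example (not from the original page): enable TDE on the workshop database.
-- Certificate name, paths and placeholder passwords are assumptions.
USE master;
GO
-- The certificate that protects the database encryption key lives in master and needs master's DMK
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master DMK password>';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = N'TdeServerCert')
    CREATE CERTIFICATE TdeServerCert WITH SUBJECT = N'TDE certificate for workshop';
GO
-- Back the certificate up BEFORE encrypting: every backup of the database will depend on it
BACKUP CERTIFICATE TdeServerCert TO FILE = N'C:\KeyBackup\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = N'C:\KeyBackup\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong backup password>');
GO
USE workshop;
GO
-- Database encryption key, protected by the server certificate
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
-- Turn encryption on; existing pages are encrypted by a background scan
ALTER DATABASE workshop SET ENCRYPTION ON;
GO
-- Progress check: encryption_state 2 = in progress, 3 = encrypted. tempdb appears here too,
-- because it is encrypted for the whole instance as soon as any database is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
```

Nothing in the application or the schema changes. A backup taken after this point can only be restored on a server where TdeServerCert has been imported into master from the .cer/.pvk pair above, so the backup of the certificate must be stored separately from the database backups it unlocks.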

6. Reduce the Potential Attack Surface

Attack surface refers to the potential entry points for an attack. It is advisable to enable only the features that are essential for any given database.

SQL Server comes with several features that administrators can choose to install during the installation process:

• Database Engine
• Reporting Services
• Integration Services
• Analysis Services Engine
• Notification Services (SQL Server 2005 only; it was discontinued in later versions)
• Documentation and Samples (sample databases and code)

Analyze your needs and install only the features you need.

Surface Area Reduction Practices

• Use the Surface Area Configuration tool or sp_configure as described below. The stand-alone Surface Area Configuration tool shipped with SQL Server 2005 only; on SQL Server 2008 and later the same settings are managed with sp_configure or the Surface Area Configuration facet of Policy-Based Management.
• Do not install sample databases and sample code on SQL servers in the production environment.
• Use only development and test environments for sample databases and sample code on SQL servers.
• Use configuration tools such as sp_configure or the SQL Server Surface Area Configuration tool (described below) to enable only needed features.
• When upgrading from SQL Server 2000 to 2005 or higher, review the configuration settings and turn off features such as xp_cmdshell. The upgrade process does not change these settings by default.
• Turn off unnecessary services by setting them to disabled or manual startup.
• Disable unneeded system stored procedures as described below.
• Use SQL Server Surface Area Configuration to enforce a standard policy for extended procedure usage.
• Document each exception to the standard policy.
• Do not remove the system stored procedures by dropping them.
• Do not DENY all users/administrators access to the extended procedures.
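The script below is an added example, not from the original page, that uses sp_configure to review and disable the engine features most often abused once an attacker holds a SQL login (xp_cmdshell, OLE Automation, ad hoc distributed queries, remote access and startup-procedure scanning). Which of these stays enabled is a site decision and belongs on the documented exception list; the selection here is an assumption:

```sql
-- Added example (not from the original page): review and disable optional engine features with
-- sp_configure. The set of options chosen here is an illustration, not a universal baseline.
USE master;
GO
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO
-- Current state. value = configured, value_in_use = what the running instance honours.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'Ad Hoc Distributed Queries',
               N'remote access', N'scan for startup procs', N'clr enabled', N'Database Mail XPs')
ORDER BY name;
GO
-- Turn off what is not needed. Each call is idempotent, so the script can run from a build pipeline.
EXEC sp_configure 'xp_cmdshell', 0;                -- OS command execution from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;  -- sp_OACreate and friends
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; -- OPENROWSET/OPENDATASOURCE to arbitrary sources
EXEC sp_configure 'remote access', 0;              -- legacy remote stored-procedure execution; needs restart
EXEC sp_configure 'scan for startup procs', 0;     -- procedures auto-run at startup; needs restart
RECONFIGURE;
GO
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
-- Verify: anything still listed here must be on the documented exception list
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'Ad Hoc Distributed Queries',
               N'remote access', N'scan for startup procs')
  AND (value <> 0 OR value_in_use <> 0);
GO
```

For 'remote access' and 'scan for startup procs' the value and value_in_use columns differ until the instance is restarted. Disabling xp_cmdshell through sp_configure is the supported way to take it out of service; dropping the procedure, which the practices above warn against, breaks upgrades and leaves no record of the decision.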

7. Implement Strong Authentication

• Use Windows Authentication mode, described below, when possible.
• Use Mixed Mode Authentication, described below, only for legacy applications and non-Windows users.
• SQL Server Authentication is described below, but it is NOT the recommended mode. It should be used only within Mixed Mode, with complex passwords and the SQL Server 2012 password and lockout policies enforced on each SQL login.
• Maintain a strong password policy for the sa account and change the password periodically.
• Do not manage SQL Server using the sa login. Assign the sysadmin privilege to a known user or group.
• When using Mixed Mode Authentication, be aware that potential attackers know the sa login exists. Knowing a valid administrator login makes cracking the database one step easier. To counter this in Mixed Mode, rename the sa account (and disable it if it is not needed). Before renaming, make sure there is at least one additional account with administrator privileges, so that you are not locked out of the instance.

Mixed Mode: SQL Server & Windows Authentication

The SQL authentication mechanism is based on accounts that are managed inside SQL Server, including the password policy.

Mixed authentication (SQL Server and Windows Authentication mode) is still required if there is a need to support legacy applications, if specific applications require mixed mode, or if clients connect from platforms other than Windows and a need for separation of duties exists.

Configuring SQL Server Authentication Modes

To select or change the server authentication mode, follow these steps:

1. In SQL Server Management Studio, right-click on a SQL Server and click Properties.
2. On the Security page, select the desired server authentication mode under Server Authentication and click OK.
3. In the SQL Server Management Studio dialog box, click OK to acknowledge the need to restart SQL Server.
4. In Object Explorer, right-click on the desired server and then click Restart.
5. If the SQL Server Agent is running, restart the agent.

Using Windows Authentication is the more secure choice. However, if mixed mode authentication is required, you must make sure to use complex passwords and the SQL Server 2012 password and lockout policies to further bolster security.

Here is an example of a password policy for SQL accounts:

• The password must contain uppercase and lowercase letters, numbers, and non-alphanumeric characters such as &, ^, %, *, $.
• Do not use common, easily guessed passwords such as admin, password, sa, administrator or sysadmin.
• Passwords contain a minimum of 8 characters.

SQL Server 2005 and later do not allow a blank password for the sa account. If you are using an earlier version of SQL Server, set a password for all SQL accounts, including sa, according to the password policy.

Note: If Windows Authentication mode is selected during installation, the sa login is disabled by default. If the authentication mode is switched to SQL Server mixed mode after installation, the sa account is still disabled and must be manually enabled. It is a best practice to reset the password when the mode is switched.
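The script below is an added example, not from the original page, covering the T-SQL side of this section: confirming the authentication mode, renaming and disabling sa once another sysadmin exists, and creating a policy-checked SQL login for a legacy application. The new name inst_admin_r3, the login legacy_app, the workshop default database and the placeholder passwords are assumptions:

```sql
-- Added example (not from the original page): check the authentication mode, harden sa and
-- create a policy-checked SQL login. inst_admin_r3, legacy_app and the passwords are assumptions.
USE master;
GO
-- IsIntegratedSecurityOnly: 1 = Windows Authentication only, 0 = Mixed Mode
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
            WHEN 1 THEN N'Windows Authentication'
            ELSE N'Mixed Mode (SQL Server and Windows Authentication)'
       END AS authentication_mode;
GO
-- Only touch sa when some other principal already holds sysadmin; otherwise you lock yourself out.
IF NOT EXISTS (SELECT 1
               FROM sys.server_role_members rm
               JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
               WHERE r.name = N'sysadmin' AND rm.member_principal_id <> 1)   -- principal_id 1 is sa
    RAISERROR(N'Provision another sysadmin principal before hardening sa.', 16, 1)
ELSE
BEGIN
    -- sa keeps principal_id 1 whatever it is called, so the rename only removes the well-known
    -- name from remote password guessing; disabling it is what really closes the door.
    ALTER LOGIN sa WITH NAME = [inst_admin_r3];
    ALTER LOGIN [inst_admin_r3] WITH PASSWORD = N'<long random password>';
    ALTER LOGIN [inst_admin_r3] DISABLE;
END
GO
-- SQL login for a legacy application. CHECK_POLICY applies the Windows complexity and lockout
-- policy. Expiration is left off because an unattended application cannot answer a
-- change-password prompt; rotate this password by process instead.
IF NOT EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = N'legacy_app')
    CREATE LOGIN legacy_app WITH PASSWORD = N'<strong password>',
        CHECK_POLICY = ON, CHECK_EXPIRATION = OFF, DEFAULT_DATABASE = workshop;
GO
-- Review: SQL logins that bypass the policy, plus the current state of sa under any name
SELECT name, principal_id, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR principal_id = 1;
GO
```

The last query is the one to keep in a recurring check: any row with is_policy_checked = 0 is a SQL login that escapes the lockout policy, and the principal_id = 1 row tells you whether sa is enabled regardless of what it has been renamed to.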

8. Perform Regular and Reliable Auditing

Many companies think of auditing as something that must be done only to comply with regulation. However, it is also an important internal security precaution in and of itself, and should be performed regularly. SQL Server has a built-in auditing feature (SQL Server Audit, introduced in SQL Server 2008) in addition to the basic login auditing described below; a third-party tool such as GreenSQL can be added where a quicker or simpler review workflow is wanted.

Additional Instructions

• Auditing is scenario-specific. Balance the need for auditing with the overhead of generating additional data. Audit successful logins in addition to unsuccessful logins if you store highly sensitive data.
• Enable C2 auditing or Common Criteria compliance only if required, by selecting the appropriate checkbox. (Those options should be selected only if there is a need to comply with these security standards; C2 auditing in particular writes a large volume of trace data and shuts the instance down when it can no longer write to the audit file.)

Auditing Mechanism in SQL Server

SQL Server login auditing monitors and tracks login activity to the SQL Server error log, which can be viewed through the Windows Application log or SQL Server Management Studio.

SQL Server offers the following four levels of login auditing:

• None: disables auditing (no events are logged)
• Successful Logins Only: audits all successful login attempts
• Failed Logins Only: audits all failed login attempts
• Both Failed and Successful Logins: audits all login attempts

The default is Failed Logins Only. It is recommended to set the auditing mode to Both Failed and Successful Logins.

Configuring SQL Server Security Logs for Auditing

To configure login auditing for both failed and successful logins:

1. In SQL Server Management Studio, right-click on the desired SQL Server and then click Properties.
2. On the Security page under Login Auditing, select the desired option button, such as Both Failed and Successful Logins, and click OK.
3. Restart the SQL Server Database Engine and SQL Server Agent to make the auditing changes effective.
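As an added example that is not part of the original page, the script below sets up SQL Server Audit, which the Database Engine has included since SQL Server 2008 (server-level audits are available in every edition from SQL Server 2012), to capture both failed and successful logins plus changes to server roles, logins and the audit itself, and then queries the audit files. The audit names and the file path are assumptions:

```sql
-- Added example (not from the original page): server-level auditing with SQL Server Audit.
-- Audit names and the file path are assumptions.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);   -- SHUTDOWN if lost audit records are unacceptable
GO
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),              -- "audit successful logins if you store sensitive data"
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),     -- who was added to sysadmin, and by whom
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),       -- logins created, dropped, renamed, enabled, disabled
    ADD (AUDIT_CHANGE_GROUP)                   -- attempts to alter or stop the audit itself
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO
-- Review: failed logins in the last 24 hours, grouped by login name and source address.
-- action_id LGIF = login failed, LGIS = login succeeded.
SELECT server_principal_name, client_ip,
       COUNT(*) AS attempts, MAX(event_time) AS last_seen_utc
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = N'LGIF'
  AND event_time >= DATEADD(day, -1, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
ORDER BY attempts DESC;
GO
```

ON_FAILURE = CONTINUE keeps the instance running if the audit target cannot be written; choose SHUTDOWN where losing audit records is less acceptable than downtime, which is the same trade-off the C2 note above describes. The audit files should sit on a volume that the SQL Server service account can write but ordinary database users cannot read, and the query above is what to run (or schedule) instead of scrolling the error log.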

9. Update Patches Regularly

Security updates and patches are released by Microsoft on a continuing basis. Install the updates made available for SQL Server and the operating system. These patches can be downloaded and installed manually, or applied automatically by using Microsoft Update. It is recommended to test updates before applying them to production systems, which is why many admins prefer not to use automatic updates there.

Best practices for patch updates:

• Always stay as current as possible.
• Enable automatic updates whenever feasible, but test updates before applying them to production systems.

10. Manage Contained Databases (SQL Server 2012 Only)

A contained database is a database that is isolated from other databases and from the instance of SQL Server that hosts it; its users authenticate in the database itself rather than through a server login. This arrangement requires additional security steps: enabling partially contained databases delegates control over access to the instance of SQL Server to the owners of the database, so database owners and db_owner members must be trusted and reviewed accordingly.

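The following added example, which is not from the original page, shows the statements that make a database partially contained and create a contained user, followed by the two checks that the delegated control described above makes necessary. The workshop database is the page's; app_reader and the placeholder password are assumptions:

```sql
-- Added example (not from the original page): partial containment plus a contained user,
-- and the checks that go with delegating instance access to the database owner.
-- app_reader and the placeholder password are assumptions.
USE master;
GO
-- Instance-wide switch; without it no database can authenticate its own users
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
ALTER DATABASE workshop SET CONTAINMENT = PARTIAL;
GO
USE workshop;
GO
-- Contained user: the password is verified in the database, no login exists in master
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'app_reader')
    CREATE USER app_reader WITH PASSWORD = N'<strong password>';
ALTER ROLE db_datareader ADD MEMBER app_reader;
GO
-- Check 1: who owns the database that can now admit users to the instance?
SELECT name, SUSER_SNAME(owner_sid) AS database_owner, containment_desc
FROM sys.databases
WHERE name = N'workshop';
GO
-- Check 2: every contained user, flagged when an instance login of the same name exists
-- (authentication_type 2 = database authentication)
SELECT dp.name, dp.authentication_type_desc,
       CASE WHEN sp.name IS NOT NULL THEN N'clashes with an instance login' ELSE N'' END AS note
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.name = dp.name
WHERE dp.authentication_type = 2;
GO
```

Once containment is on, anyone who holds db_owner in workshop can create users with passwords that authenticate to the instance without any login being created in master, which is why the ownership and db_owner review belongs next to this setting. A contained user whose name matches an instance login is ambiguous at connection time, so the second query flags such clashes for removal.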

Chapter -3: Company Profile

Data wise

DATAWISE specializes in providing high-end research, consulting and business analytics solutions to customers all over the world. We appreciate that it is not always possible to plan, anticipate and provide for all types of business needs. And that is why we are here. Our team has a deep understanding of the business environment across a number of industries, and we help in bridging companies' need gap through the application of research and analytical approaches.

DATAWISE is focused on providing you with that additional support that you may require from time to time. Whether it is assistance in strategic planning, business execution, providing decision support solutions, helping in creating new product solutions, helping in understanding your business performance, supporting your manpower augmentation needs, or even acting as your surrogate – we are there with you all the way!

 Mr. Vinay Kumar  is a graduate from the Indian Institute of Management, Ahmedabad and also

has a PhD in Marketing. He has more than 20 years of experience, in the field of consulting,

finance, coaching and mentoring. Among various companies in the past, he has worked with the

RPG group, Ernst & Young, Netjets, and Apollo Hospitals. His core strengths are in strategy,

 business planning, market planning and process improvement.

 Mr. Vijay Kumar  is a graduate from Indian Institute of Management, Calcutta. He has more than

18 years of experience in the field of Strategic Research, Retail Banking, IT solution design and

implementation, and Marketing. He has worked in the BFSI sector with Citibank, Prudential

Insurance, Guy Carpenter, HDFC Bank and regional banks in Malaysia and South Africa. His

core strengths include Customer Lifecycle Management, Marketing program design and

execution. He represents DATAWISE in the New York market.

 Mr. Raghu Patri is a graduate from Goa University. He has more than 20 years of experience in

the IT and ITeS domain. He has been associated with NIIT for over a decade in the education

field apart from providing solutions to corporate bodies like Nestle, Titan Industries and Cipla.

His core strengths are in IT strategy, planning and development, and process planning and

implementation.


Advisory Board

 Mr. Sunder Rao is a graduate in Personnel Management, and Law from Andhra University. He

has also completed the #TP 2 tier course from IIM Ahmedabad. He is extremely versatile, and

has successfully managed the change in the background of newly started Companies, and

transformation of organization culture. People Management and related processes are the main

strengths.

 Mr. Rohit Das  is a management graduate and has a vast experience of 19 years with varied

industries ranging from FMCG, Durables to Fashion, Lifestyle and Pharma. He has worked with

leading organizations like TATA, Electrolux, Mondregon Corporation Cooperative of Spain,

Pepsi, Videocon Group, Apollo etc. He has held key positions across, with the last 12 years

working in the Top Management Positions. His core strengths are in strategy, market planning,

and sales management.

 Mr. K. Srinivas Rao  is a human capital strategist, with considerable background in Human

Capital Value Chain. He has 16 years of expertise in the areas of leading Core HR Functions

(Leadership development, Performance Management including C&B, Employee

Communication, HR Technology), Change Management (Organization design and development,

Aligning Org. Cultural to Strategy, Organizational Effectiveness Assessment) and M&A

Integration (Integration, Restructuring, Downsizing).

He is currently Partner at the Global People Advisory & Research Firm 'The Strategist'.

Previous to this he was heading Strategy - HR at Satyam Computer Services. He has held

management roles at all levels in CATS (Computer Associates-TCG), Baan Info Systems, Ernst

& Young, Videocon International.

Offerings of Data Wise

School Teacher Evaluation Program (STEP)

STEPTM is a summative and formative evaluation program for School Teachers, conceptualized and designed by DATAWISE Management Services. The program was conceived as a result of DATAWISE's identification of high potential for application of decision support systems in the area of secondary education in India. The STEPTM is based on extensive research and offers a robust, unbiased and data driven teacher assessment program. DATAWISE has collaborated with Teacher's Academy, which is known for its presence and expertise in the area of teacher training, to provide the formative structure to the STEPTM and hence to make it a comprehensive, one-stop teacher evaluation system.

The STEPTM  creates an objective, summative evaluation structure for teachers working in the

Indian secondary education level. The evaluation is based on identification of strengths and

weaknesses of the teachers on various researched dimensions. These dimensions are identified as

having highest impact on a teacher‘s performance. Further the dimensions have weights

associated with them based on the correlation they have with teacher performance.

OPTILOX

The growth of organized retail and the search for optimum retail space is giving retailers a tough time. Moreover, selection of a poor location is likely to do more damage to the reputation and the performance of the retail unit. In the retail industry which is increasingly cluttered with new

 players and formats, the ability to assure and increase footfalls has gained much more

significance.

Minimizing cost, while being an immediate concern, is not as big a problem as maximizing

 profit by getting targeted customers attracted to the retail outlet. OPTILOX is designed to help

retail outlets select the optimum site location for their retail stores in order to maximize customer

footfalls.

OPTILOX is a unique software-based behavioral analytics model which takes a behavioral approach

towards site selection and therefore assists in sales maximization unlike most site selection

methods which primarily concentrate on using logistic or cost based approaches. OPTILOX is

 based on a design initially conceptualized by Arthur D. Little. We are the first and only company

to provide this approach customized to the Indian retail needs.

OPTILOX relies on an in-house analytical tool which maps retail consumer behavior to the

requirements of retailers. The model is designed as a flexible tool which can be

customized to account for the parameterized needs of any retail business. OPTILOX is ideal

for premium showrooms, grocery outlets, franchisees, banks/ ATM‘s, pharmacy, petroleum

outlets, entertainment house, concept retail, multi-format retails, coffee shops, etc. For retailers


looking to expand, OPTILOX presents an ideal solution for mapping customer behavior to their

current retail stores whereas for new retail outlets, OPTILOX also helps in identifying the ideal

customer profile.

ServQual

SERVQUAL is determined to serve its clients in improving their service delivery. It uses sophisticated analytical tools to predict customer expectations and behavior through data driven analysis. SERVQUAL helps in calculating the score for each expectation statement and perception statement using the questionnaire method. This data is used to calculate the gap score for each parameter.

SERVQUAL has designed various methods of analyzing your customer satisfaction:

•  Feedback Form

•  In-Depth Interview

•  Mystery Shopping

•  Focus Groups

CREST

CREST is a customer segmentation process that recognizes the cyclical nature of customer needs

and identifies customers with the greatest future revenue potential for appropriate strategies to be

evolved to best serve the needs of this segment. CREST also identifies the customers who

generate the most value for your business, and qualify for continued high-impact service

offerings. At the same time, the segmentation exercise highlights value destroyers, customers

who yield low margins, have limited future potential and demand disproportionately large

maintenance resources. The sizing of these segments can be fine-tuned to meet channel

capacities and serve up the best opportunities for customer outreach programs.

CREST segmentation divides your customer base into six actionable segments

– Prize: High-value, loyal customers with significant upside potential
– Protect: High-value, loyal customers
– Promote: Loyal customers with significant future potential
– Preserve: Stable-value customers
– Prevent: High- and Medium-value customers at risk of attrition
– Prune: Low-value, high maintenance customers with limited future potential


Chapter -4: Data Interpretation 

1. Do you use SQL Server at your organization for database purposes? Yes/No

S.No   SQL Server   No. of respondents
1      Yes          148
2      No           2

Interpretation: 

Most of the respondents say that they use the SQL Server at their organization for marketing

decision making. Very few do not use it in their organization.

1.  Which software do you prefer for Marketing Decision Making?

a. Sybase b. SAP Modules

c. SQL Server d. Any specialized software

Interpretation:

The majority of the respondents prefer SAP Modules for their Marketing Decision Making. A nearly equal number prefer Sybase for the same. The remaining respondents use SQL Server and other tools.

Preferred Software (chart data)
Sybase: 34%
SAP Modules: 39%
SQL Server: 11%
Other: 16%


2.  If you are using SQL Server please specify your level of satisfaction in making following

marketing decision using the applications in SQL Server?

Mark 5 if you are Highly Satisfied

Mark 4 if you are Satisfied

Mark 3 if you are neither satisfied nor dissatisfied

Mark 2 if you are Dissatisfied

Mark 1 if you are Highly Dissatisfied

i.  Analytics in Database Management

Interpretation:

Most of the respondents (87) are dissatisfied in understanding and implementing Analytics in Database Management while using SQL Server. 35 of them are neither satisfied nor dissatisfied and few of them (28) are satisfied with the Analytics.

ii.  Security in database management

Interpretation: Most of the respondents (115) are satisfied with the Security aspects while

using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security

aspects. There are almost none who are dissatisfied with the same.

Analytics in Database Management (chart data)
Highly dissatisfied: 43
Dissatisfied: 45
Neutral: 35
Satisfied: 25
Highly satisfied: 3

Security in database management (chart data)
Highly dissatisfied: 0
Dissatisfied: 0
Neutral: 35
Satisfied: 32
Highly satisfied: 83


iii.  Access Controls

Interpretation:

Most of the respondents (101) are satisfied with the Access controls using SQL Server. Few

respondents (35) are neither satisfied nor dissatisfied with the SQL Server regarding Access

controls aspects and the remaining respondents (14) are dissatisfied with the same.

iv.  Hierarchy aspects in Data Management

Interpretation: Most of the respondents (119) are satisfied with the Hierarchy in data management in SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with SQL Server in this regard and very few respondents (7) are dissatisfied with the same.

Access Controls (chart data)
Highly dissatisfied: 1
Dissatisfied: 13
Neutral: 35
Satisfied: 60
Highly satisfied: 41

Hierarchy (chart data)
Highly dissatisfied: 1
Dissatisfied: 6
Neutral: 24
Satisfied: 56
Highly satisfied: 63


v.  RDBMS Tools and Commands

Interpretation: Most of the respondents (107) are satisfied with the RDBMS Tools and

Commands and their applications in SQL Server. Few respondents (33) are neither satisfied nor

dissatisfied with the SQL Server regarding these aspects and very few respondents (10) are

dissatisfied with the same.

vi.  Programming and Query Management

Interpretation:

Most of the respondents (123) are satisfied with the programming and query management

aspects in SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with the SQL

Server regarding these aspects and very few respondents (11) are dissatisfied with the same.

Tools and Commands (chart data)
Highly dissatisfied: 2
Dissatisfied: 8
Neutral: 33
Satisfied: 44
Highly satisfied: 63

Programming and Queries (chart data)
Highly dissatisfied: 0
Dissatisfied: 11
Neutral: 16
Satisfied: 118
Highly satisfied: 5


vii.  Pricing and Licensing Aspects

Interpretation:

Many respondents (101) are not satisfied with the Pricing and licensing issues in SQL Server.

Few respondents (29) gave a neutral response and very few respondents (20) are satisfied with

the same.

viii.  Overall Satisfaction

Interpretation:

Only some of the respondents (43) are not satisfied with the features in SQL Server.

Considerable number of respondents (55) gave a neutral response and 52 are satisfied with the

same.

Pricing and Licensing (chart data)
Highly satisfied: 1
Satisfied: 19
Neutral: 29
Dissatisfied: 76
Highly dissatisfied: 25

Overall Satisfaction (chart data)
Highly satisfied: 0
Satisfied: 52
Neutral: 55
Dissatisfied: 38
Highly dissatisfied: 5


3.  Do you maintain a regularly upgraded RDBMS/DBMS? Yes/ No

S.No   Regular upgradation   No. of respondents
1      Yes                   136
2      No                    14

Interpretation:

The majority of the respondents (136) claim that they maintain a regularly updated SQL Server, and the remaining respondents do not.

4.  Do you think standard RDBMS is required for proper database and server management?

a.  Very essential b. Essential c. May or may not be used

d.   Not essential e. Not at all required

Interpretation:

Most of the respondents (142) feel that SQL Server is really essential for effective Database

Management. The remaining respondents feel that RDBMS is not mandatory for effective

database management.

Need for RDBMS / SQL Server (chart data)
Not at all required: 0
Not essential: 0
May or may not be used: 8
Essential: 45
Very essential: 97


5.  Please express your satisfaction levels in using SQL server in terms of security aspects.

a. Highly satisfied   b. Satisfied   c. Neutral   d. Dissatisfied   e. Highly dissatisfied

Interpretation:

Almost all the respondents are satisfied using SQL Server and its security aspects. A negligible

number of the respondents feel neither satisfied nor dissatisfied with SQL server.

ANALYSIS

Correlation Analysis

*. Correlation is significant at the 0.05 level (2-tailed).

**. Correlation is significant at the 0.01 level (2-tailed).

Correlation analysis performed over the attributes explaining the satisfaction levels of various users of SQL Server suggests that Security, Query Management and RDBMS Tools have a high correlation with overall satisfaction, indicating that satisfaction with these parameters is connected to overall satisfaction; a few attributes, such as Hierarchy and Pricing, cannot be considered for analysis based on their significance values. Analytics in Database Management has a weaker positive correlation with overall satisfaction. Hence the data gathered and analyzed suggests that SQL Server is preferred or gives a good amount of satisfaction to its users, and their opinions are well correlated.

Satisfaction with security aspects, question 5 (chart data; the chart is titled "Overall Satisfaction")
Highly dissatisfied: 0
Dissatisfied: 0
Neutral: 2
Satisfied: 129
Highly satisfied: 19

Correlation of each attribute with the overall satisfaction level (N = 150 for every attribute)

Attribute                    Pearson correlation   Sig. (2-tailed)
Analytics                    .280                  .001
Security                     .813                  .00.1
Access controls              .608                  .0025
Hierarchy aspects            -.100                 .222
RDBMS tools                  .534                  .682
Query mgmt                   .637                  .004
Pric & lic                   -.075                 .366
Overall satisfaction level   1                     .000


Chapter -5: FINDINGS AND CONCLUSION

The study "Security Management in SQL Server", taken up with 150 respondents belonging to different levels in pharmaceutical organizations, gave the following findings:

• 98.6% of the respondents specified that they use SQL Server for their DBMS; of these respondents, 89.3% specified that they keep their SQL Server updated at their organizations.
• Most of the respondents (87) are dissatisfied in understanding and implementing Analytics in Database Management while using SQL Server. 35 of them are neither satisfied nor dissatisfied and few of them (28) are satisfied with the Analytics.
• Most of the respondents (115) are satisfied with the Security aspects while using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security aspects. There are almost none who are dissatisfied with the same.
• Most of the respondents (101) are satisfied with the Access Controls using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with SQL Server regarding Access Control aspects and the remaining respondents (14) are dissatisfied with the same.
• Most of the respondents (119) are satisfied with the Hierarchy in data management in SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with SQL Server in this regard and very few respondents (7) are dissatisfied with the same.
• Most of the respondents (107) are satisfied with the RDBMS Tools and Commands and their applications in SQL Server. Few respondents (33) are neither satisfied nor dissatisfied with SQL Server regarding these aspects and very few respondents (10) are dissatisfied with the same.
• Most of the respondents (123) are satisfied with the programming and query management aspects in SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with SQL Server regarding these aspects and very few respondents (11) are dissatisfied with the same.
• Many respondents (101) are not satisfied with the Pricing and Licensing issues in SQL Server. Few respondents (29) gave a neutral response and very few respondents (20) are satisfied with the same.
• Only some of the respondents (43) are not satisfied with the features in SQL Server. A considerable number of respondents (55) gave a neutral response and 52 are satisfied with the same.
• The majority of the respondents (136) claim that they maintain a regularly updated SQL Server, and the remaining respondents do not.
• Most of the respondents (142) feel that SQL Server is really essential for effective Database Management. The remaining respondents feel that an RDBMS is not mandatory for effective database management.
• Almost all the respondents are satisfied using SQL Server and its security aspects. A negligible number of the respondents feel neither satisfied nor dissatisfied with SQL Server.
• Correlation analysis performed over the attributes explaining the satisfaction levels of various users of SQL Server suggests that Security, Query Management and RDBMS Tools have a high correlation with overall satisfaction, indicating that satisfaction with these parameters is connected to overall satisfaction; a few attributes, such as Hierarchy and Pricing, cannot be considered for analysis based on their significance values. Analytics in Database Management has a weaker positive correlation with overall satisfaction. Hence the data gathered and analyzed suggests that SQL Server is preferred or gives a good amount of satisfaction to its users, and their opinions are well correlated.

Conclusion

Database Management Systems have become an integral part of the basic software requirements of any organization that uses IT in its daily operations or does business with IT. This has created a vast market for database management systems, and the industry's giants contend closely to acquire the maximum market share. Database management is not just the requirement; the maximum amount of security has become the key. Unless the DBMS or RDBMS is secure and free from all sorts of vulnerabilities and threats, people are not ready to adopt it to manage their databases.

Many aspects apart from security are also considered before making a decision on a DBMS. SQL Server has few pitfalls and a strong command of this market. Security is its strength, and the study has highlighted various modes of using SQL Server in a more secure manner. This study has illuminated user satisfaction and the technical aspects related to security in a DBMS, and has also presented detailed concepts related to DBMS. In conclusion, the study suggests that anybody who uses or manages a database should take up the checklist of security aspects and decide which would be the best DBMS software to help in flawless database administration and management. The study also recognizes that there is a growing need for human intelligence as well in the areas of database management and server management to make organizations more successful in this arena.




Annexure:

Questionnaire for Security Management in SQL Server

Name: .……………………………………………………………..............
Age……… Gender (M/F)……… Designation/Occupation……..………..…..
Overall Experience………… Experience in current organization………….…
Email ID: ………………………………………..@........................................
--------------------------------------------------------------------------------------------

1. Do you use SQL Server at your organization for database purposes? Yes/No

2. Which software do you prefer for Database Management? [ ]
   a. Sybase   b. SAP Modules   c. SQL Server   d. Any other specialized software

3. If you are using SQL Server, please specify your level of satisfaction in using SQL Server and its applications.
   Mark 5 if you are Highly Satisfied
   Mark 4 if you are Satisfied
   Mark 3 if you are neither satisfied nor dissatisfied
   Mark 2 if you are Dissatisfied
   Mark 1 if you are Highly Dissatisfied

   Sl. No.   Type of Marketing Decision           Satisfaction level
   1.        Analytics in Database Management
   2.        Security in database management


   3.        Access Controls
   4.        Hierarchy aspects
   5.        RDBMS tools and commands
   6.        Programming and Query management
   7.        Pricing and Licensing aspects
   8.        Overall satisfaction

4. Do you maintain a regularly upgraded RDBMS/DBMS? Yes/No

5. Do you think a standard RDBMS is required for proper database and server management? [ ]
   a. Very Essential   b. Essential   c. May or may not be used   d. Not essential   e. Not at all required

6. Please express your satisfaction level in using SQL Server in terms of security aspects.
   a. Highly Satisfied   b. Satisfied   c. Neutral   d. Dissatisfied   e. Highly Dissatisfied

7. Do you think SQL Server saves time and cost compared to other software tools? Yes/No

8. Request suggestions for the study and SQL Server implementation aspects
   …………………………………………………………………………………………
   …………………………………………………………………………………………
   …………………………………………………………………………………………
   …………………………………………………………………………………………

*************** Thank you very much for your time and inputs **************