Login or Sign Up to become a member!
LessThanDot Sit Logo

LessThanDot

Data Management

Less Than Dot is a community of passionate IT professionals and enthusiasts dedicated to sharing technical knowledge, experience, and assistance. Inside you will find reference materials, interesting technical discussions, and expert tips and commentary. Once you register for an account you will have immediate access to the forums and all past articles and commentaries.

LTD Social Sitings

Lessthandot twitter Lessthandot Linkedin Lessthandot friendfeed Lessthandot facebook Lessthandot rss

Note: Watch for social icons on posts by your favorite authors to follow their postings on these and other social sites.

Your profile

    Tools

    Tag cloud

    azure book business intelligence ctp database dates denali dmv functions gotcha high availability how to howto indexing mirroring performance sql sql friday sql server sql server 2000 sql server 2005 sql server 2008 sql server 2008 r2 sql server 2012 sql server denali sql server integration services ssis t-sql tip trick

    Authors

    Main Categories

    Search

    XML Feeds

    What is RSS?

    Google Ads

    « The History of SQL Server Integration ServicesParsing the Address field to its individual components »
    3
    comments

    Security Auditing a Database

    by David Forck (thirster42) on Oct 08, 2010 in categories Microsoft SQL Server Admin, Microsoft SQL Server
    Instapaper

    Earlier this week I decided that I wanted to generate a report that shows me how the security is set up on my databases. I'm mainly intersted in my database roles and how they're set up, and logins assigned to the database. So I did some snooping around and generated 3 queries for myself.

    tsql
    Line number Off | Hide | Select all
    1. select
    2.     dpr.name,
    3.     dpr.principal_id,
    4.     dpr.type,
    5.     dpr.type_desc,
    6.     dp.class,
    7.     dp.class_desc,
    8.     dp.major_id,
    9.     dp.minor_id,
    10.     dp.grantee_principal_id,
    11.     dp.permission_name,
    12.     case dp.state
    13.         when 'g' then 'granted'
    14.         when 'd' then 'denied'
    15.         else 'n/a'
    16.     end AS [state],
    17.     ao.name as ObjectName,
    18.     sc.name as SchemaName,
    19.     case class_desc
    20.         when 'OBJECT_OR_COLUMN' then ao.name
    21.         when 'SCHEMA' then sc.name
    22.     end AS PermissionObject
    23. from sys.database_principals dpr
    24.     left outer join sys.database_permissions dp
    25.         on dpr.principal_id=dp.grantee_principal_id
    26.     left outer join sys.all_objects ao
    27.         on dp.major_id=ao.object_id
    28.     left outer join sys.schemas sc
    29.         on dp.major_id=sc.schema_id
    30. where dpr.type='r'
    31.     and class_desc>''
    32.     and dpr.principal_id>0
    33. order by name

    This query displays all rights explicitly granted and denied in the database to database roles.

    In this query, name is the name of the database role. Type and type_desc describe what the grantee principal id is. class and class_desc describes what is having a right granted to it. Permission_name shows the permission, and state shows if that permission is being granted or denied. Object name is the object that is having a right granted, schema name is the schema name that's being granted a right.

    tsql
    Line number Off | Hide | Select all
    1. select
    2.     dpr.name,
    3.     dpr.principal_id,
    4.     dpr.type,
    5.     dpr.type_desc,
    6.     dp.class,
    7.     dp.class_desc,
    8.     dp.major_id,
    9.     dp.minor_id,
    10.     dp.grantee_principal_id,
    11.     dp.permission_name,
    12.     case dp.state
    13.         when 'g' then 'granted'
    14.         when 'd' then 'denied'
    15.         else 'n/a'
    16.     end AS [state],
    17.     ao.name as ObjectName,
    18.     sc.name as SchemaName,
    19.     case class_desc
    20.         when 'OBJECT_OR_COLUMN' then ao.name
    21.         when 'SCHEMA' then sc.name
    22.     end AS PermissionObject
    23. from sys.database_principals dpr
    24.     left outer join sys.database_permissions dp
    25.         on dpr.principal_id=dp.grantee_principal_id
    26.     left outer join sys.all_objects ao
    27.         on dp.major_id=ao.object_id
    28.     left outer join sys.schemas sc
    29.         on dp.major_id=sc.schema_id
    30. where dpr.type in
    31. (
    32.     'S',
    33.     'G',
    34.     'U'
    35. )

    This query shows all of the rights explicitly granted/denied to logins.

    tsql
    Line number Off | Hide | Select all
    1. SELECT
    2.     dpm.name as Member,
    3.     dpg.name as Grp
    4.   FROM ardb.[sys].[sysmembers] sm
    5.     left outer join sys.database_principals dpm
    6.         on sm.memberuid=dpm.principal_id
    7.     left outer join sys.database_principals dpg
    8.         on sm.groupuid=dpg.principal_id

    This query shows all of the database roles and all of the logins assigned to the roles. Grp is the database role and Member is the login name.

    Now, these three queries gave me a good starting point, but to run these you have to go to each database. And if i want to query different servers (i've got 3, a dev, a test, and a prod) to make sure they're similer, i'd have to connect to each server. So, I created a couple of stored procedures and threw those into a reporting services report. Now, i can go to the report, query a sever and a database, and then compare it to another server and database.

    here's the script to create the sp's that i made.

    tsql
    Line number Off | Hide | Select all
    1. -- =============================================
    2. -- Author:      David Forck DF
    3. -- Create date: 01Oct10
    4. -- Description: Report to show database role membership
    5. -- =============================================
    6. CREATE PROCEDURE [dbo].[RoleMembership]
    7.     -- Add the parameters for the stored procedure here
    8.     @servername varchar(max),
    9.     @databasename nvarchar(max)
    10. AS
    11. BEGIN
    12.     -- SET NOCOUNT ON added to prevent extra result sets from
    13.     -- interfering with SELECT statements.
    14.     SET NOCOUNT ON;
    15.  
    16.     -- Insert statements for procedure here
    17.  
    18.  
    19.  
    20.  
    21. declare @sql varchar(max),
    22.     @database varchar(max),
    23.     @server varchar(max),
    24.     @string varchar(max)
    25.  
    26.  
    27.  
    28. select @server= name from sys.servers where name=@servername
    29.  
    30. select @database= name from sys.databases where name=@databasename
    31.  
    32. set @string=@server+'.'+@database
    33.  
    34.  
    35.  
    36. set @sql='
    37. SELECT
    38.     dpm.name as Member,
    39.     dpg.name as Grp
    40.  FROM ' + @string + '.[sys].[sysmembers] sm
    41.     left outer join ' + @string + '.sys.database_principals dpm
    42.         on sm.memberuid=dpm.principal_id
    43.     left outer join ' + @string + '.sys.database_principals dpg
    44.         on sm.groupuid=dpg.principal_id
    45. '
    46.  
    47. --print @databasename
    48. --print @sql
    49.  
    50. exec(@sql)
    51.  
    52.  
    53.  
    54.  
    55.  
    56.  
    57. END
    58.  
    59.  
    60. GO
    61.  
    62.  
    63. -- =============================================
    64. -- Author:      David Forck DF
    65. -- Create date: 01Oct10
    66. -- Description: security report for logins
    67. -- =============================================
    68. CREATE PROCEDURE [dbo].[LoginSecurity]
    69.     -- Add the parameters for the stored procedure here
    70.     @servername varchar(max),
    71.     @databasename nvarchar(max)
    72.    
    73. AS
    74. BEGIN
    75.     -- SET NOCOUNT ON added to prevent extra result sets from
    76.     -- interfering with SELECT statements.
    77.     SET NOCOUNT ON;
    78.  
    79.     -- Insert statements for procedure here
    80.  
    81.  
    82.  
    83. declare @sql varchar(max),
    84.     @database varchar(max),
    85.     @server varchar(max),
    86.     @string varchar(max)
    87.  
    88. select @server= name from sys.servers where name=@servername
    89.  
    90. select @database= name from sys.databases where name=@databasename
    91.  
    92. set @string=@server+'.'+@database
    93.  
    94.  
    95. set @sql='
    96. select
    97.     dpr.name,
    98.     dpr.principal_id,
    99.     dpr.type,
    100.     dpr.type_desc,
    101.     dp.class,
    102.     dp.class_desc,
    103.     dp.major_id,
    104.     dp.minor_id,
    105.     dp.grantee_principal_id,
    106.     dp.permission_name,
    107.     case dp.state
    108.         when ''g'' then ''granted''
    109.         when ''d'' then ''denied''
    110.         else ''n/a''
    111.     end AS [state],
    112.     ao.name as ObjectName,
    113.     sc.name as SchemaName,
    114.     case class_desc
    115.         when ''OBJECT_OR_COLUMN'' then ao.name
    116.         when ''SCHEMA'' then sc.name
    117.     end AS PermissionObject
    118. from ' + @string + '.sys.database_principals dpr
    119.     left outer join ' + @string + '.sys.database_permissions dp
    120.         on dpr.principal_id=dp.grantee_principal_id
    121.     left outer join ' + @string + '.sys.all_objects ao
    122.         on dp.major_id=ao.object_id
    123.     left outer join ' + @string + '.sys.schemas sc
    124.         on dp.major_id=sc.schema_id
    125. where dpr.type in
    126. (
    127.     ''S'',
    128.     ''G'',
    129.     ''U''
    130. )
    131. '
    132.  
    133. --print @databasename
    134. --print @sql
    135.  
    136. exec(@sql)
    137.  
    138. END
    139.  
    140.  
    141.  
    142.  
    143. -- =============================================
    144. -- Author:      David Forck DF
    145. -- Create date: 01Oct10
    146. -- Description: Stored procedure that generates a security report per database for database roles
    147. -- =============================================
    148. CREATE PROCEDURE [dbo].[DatabaseRoleSecurity]
    149.     -- Add the parameters for the stored procedure here
    150.     @servername varchar(max),
    151.     @databasename varchar(max)
    152.    
    153. AS
    154. BEGIN
    155.     -- SET NOCOUNT ON added to prevent extra result sets from
    156.     -- interfering with SELECT statements.
    157.     SET NOCOUNT ON;
    158.  
    159.     -- Insert statements for procedure here
    160.  
    161.  
    162. declare @sql varchar(max),
    163.     @database varchar(max),
    164.     @server varchar(max),
    165.     @string varchar(max)
    166.  
    167.  
    168. select @server= name from sys.servers where name=@servername
    169.  
    170. select @database= name from sys.databases where name=@databasename
    171.  
    172. set @string=@server+'.'+@database
    173.  
    174.  
    175. set @sql='
    176.  
    177. select
    178.     dpr.name,
    179.     dpr.principal_id,
    180.     dpr.type,
    181.     dpr.type_desc,
    182.     dp.class,
    183.     dp.class_desc,
    184.     dp.major_id,
    185.     dp.minor_id,
    186.     dp.grantee_principal_id,
    187.     dp.permission_name,
    188.     case dp.state
    189.         when ''g'' then ''granted''
    190.         when ''d'' then ''denied''
    191.         else ''n/a''
    192.     end AS [state],
    193.     ao.name as ObjectName,
    194.     sc.name as SchemaName,
    195.     case class_desc
    196.         when ''OBJECT_OR_COLUMN'' then ao.name
    197.         when ''SCHEMA'' then sc.name
    198.     end AS PermissionObject
    199. from ' + @string + '.sys.database_principals dpr
    200.     left outer join ' + @string + '.sys.database_permissions dp
    201.         on dpr.principal_id=dp.grantee_principal_id
    202.     left outer join ' + @string + '.sys.all_objects ao
    203.         on dp.major_id=ao.object_id
    204.     left outer join ' + @string + '.sys.schemas sc
    205.         on dp.major_id=sc.schema_id
    206. where dpr.type=''r''
    207.     and class_desc>''''
    208.     and dpr.principal_id>0
    209. order by name'
    210.    
    211.  
    212. --print @database
    213. --print @server
    214. --print @string
    215. --print @sql
    216.  
    217. exec(@sql)
    218.  
    219.  
    220. END
    221.  
    222.  
    223. GO

    Now, if you get to looking, the verification of the server name and database is actually running on the server that's hosting the sp's. I could have spent some more time and changed this to do this dynamically, but most of my servers have a similer database list. So, keep that in mind if you use these.

    About the Author

    I have an A.S. in Computer Programming. I am currently a Database Developer (April 2008-Present) for a development group at a contract research lab, where we build in-house applications using Microsoft SQL Server (2005 and 2008) and ASP.Net 3.5. I have a part-time job (April 2007-Present) as a dba/db developer/web developer/designer. I use: SQL Server 2005/08/R2, HTML, CSS, PHP, and Java Script. Penguins are awesome, but I'm not a linux person. If you have any questions feel free to email me at dforck@gmail.com
    Social SitingsTwitterFacebookLTD RSS Feed
    1636 views
    Read More Posts by David Forck (thirster42)
    Instapaper

    3 comments

    Comment from: SQLDenis [Member] Email
    SQLDenis Are you saying that you don't run everything as sa with a '' password...what happened...burned by SQL Slammer?
    10/08/10 @ 16:05
    Comment from: David Forck (thirster42) [Member]
    lmao @denis. no. all of our sa accounts have passwords. we still have things using it though.
    10/08/10 @ 18:23
    Comment from: FFGuitar [Member] Email
    FFGuitar congrats on getting picked up by sqlserver central.
    10/18/10 @ 07:59

    Leave a comment


    Your email address will not be revealed on this site.

    Your URL will be displayed.
    (Line breaks become <br />)
    (Name, email & website)
    (Allow users to contact you through a message form (your email will not be revealed.)

    Powered by B2Evolution
    Valid XHTML | Valid CSS