Module 3 - Implement a Secure Environment Flashcards
What does AD and Azure AD Provide
Both provide Authentication services and ID Management
What does AD use to provide Authentication and what is used for Querying AD
AD uses Kerberos to provide Authentication using tickets and queries via LDAP (Lightweight Directory Access Protocol)
What Protocols does AZ AD use
HTTPS-based protocols such as SAML and OpenID Connect for Authentication, along with OAuth for Authorization
How would you go about providing AZ AD services to an on-prem Windows Server
You would need to configure AZ AD Connect to sync on-prem AD identities with AZ AD
What are the modes of AuthN in SQL and which is considered most secure and why
Windows Mode and SQL Mode (Windows and Mixed)
Windows is more secure, as SQL authentication allows login info to be seen in plain text when passed over the network.
Describe SQL Authentication
SQL logon stored in master DB (or user DB if using contained users)
Describe Windows Authentication in the context of SQL Server
Connect to SQL using AD Credentials
Windows also allows for easier management of user turnover
True or False - Azure SQL Database supports SQL AuthN and AZ AD AuthN, giving users the ability to log into SQL with the same credentials as other resources such as the Azure portal or O365
True
How can you connect to on prem devices using the same AZ AD Credentials
AZ AD can be configured to sync with on-prem AD, allowing access to on-prem and AZ resources
True or False AZ AD cannot provide MFA services
False
What are the headlines around the Azure AD Admin Config within the portal for a DB resource
Allows admin access to all DBs in server
Best practice is to make this a group
Grants special sysadmin type access
Can be set via ARM using Portal, PowerShell or CLI - not at the DB level though
What is a Security Principal
An entity that can request access and which you can (usually) grant access to.
Do security principals exist at the Server or DB level + are security principals individuals or collections
Security principals exist at either the server level or the database level and can be either individuals or collections
What are the 3 scopes for securables
Server,
Database,
Schema
What is a Schema
A schema is a collection of objects within a DB, allowing objects to be grouped into separate namespaces
What is a securable
A securable is the resource (i.e. a table in a database)
When no Schema is specified in a query which order will schemas be looked in
1st = user's default schema
2nd = DBO
If not in either of those an error will be returned
When writing queries best practice dictates to specify a schema.
If no schema is specified when creating an object, where will it go? And what happens if the user cannot create objects at that location?
A create statement with no defined schema will go into the user's default schema - if the user does not have permission for this, access will be denied.
Which DB are (SQL and Windows) Logins stored in
Master
Where are contained users stored and What Authentication can they use?
Stored in the UserDB
AuthN with SQL Auth, Win Auth, AZ AD Auth
What is the pre-requisite to using contained users and what is the default state of this for the DB Variants
Database must be configured for “Partial Containment”
Default in AZ,
Optional Setting in OnPrem/IaaS
Why is it best practice in Azure SQL DB to use Contained users
These users only have access to the DB they are set up in
What are some of the headlines on Database and Server Roles
Effectively Security groups sharing common permissions
Built in Roles are decided by Microsoft with ability to add custom roles at Server or DB level
Server Roles cannot be granted access to DB objects directly
Server Roles are only available in IaaS, On Prem and MI
Describe Application Roles
A user is not a member of an App role; the app role is activated by using its password.
Once active, the app role's permissions are applied to the user until it is de-activated
What does the role db_accessadmin do
The db_accessadmin role allows creation of other users in the DB, with no access to schemas, tables or data within the database
What does the role db_backupoperator do
The db_backupoperator role allows users to backup the Database (obviously not applicable with Azure SQL DB)
What does the Role db_datareader do
The db_datareader role allows reads from every table/view in the DB
What does the role db_datawriter do
The db_datawriter role allows insert/update/delete to all tables and views in the DB
What does the role db_ddladmin do
The db_ddladmin role allows the creation and modification of objects in the DB with no read/write access to the data itself
What does the role db_denydatareader do
Prevents reading of any DB data, even when a user has been granted access through other roles or directly
What does the role db_denydatawriter do
Prevents writing of any data to the DB, even when a user has been granted access through other roles or directly.
What does the role db_owner do
Allows user to perform any action in database and cannot be denied
What does the role db_securityadmin do
Grants access to other users - no access to data itself but can grant access to tables
What does the public database role do?
Default role with no permissions unless you assign some to it - however, all users including guest (if enabled) are members of this role.
What should you do if you have more granular security requirements than the fixed database roles provide
Use Custom Database roles
What 2 additional database roles does Azure SQL DB have and where are they stored
DBManager
Login Manager
Both stored in Master DB
What does the Azure SQL DB role DBManager allow?
Allows members to create DBs (similar to the dbcreator fixed server role)
What does the Azure SQL DB role LoginManager allow?
Allows creation of additional logins at the server level (similar to the securityadmin fixed server role)
What does the fixed server role SysAdmin allow
Sysadmin allows member to perform any action on server
What does the fixed server role ServerAdmin allow
ServerAdmin allows member to change server wide config and shutdown the server
What does the fixed server role SecurityAdmin allow
SecurityAdmin allows the management of logins as well as grant and revoke of Server and DB level permissions
What does the fixed server role ProcessAdmin allow
ProcessAdmin allows members to kill processes in SQL Server