
Simple Steps for Securing SQL Server
Written By: Eli Leiba

03-2014 All Rights Reserved.

1) Service configuration for security
2) Logins and DB Users
3) Network security
4) Facets
5) Login Authentication modes
6) Server Roles
7) Database and Application Roles
8) Server and Database Permissions
9) Objects Encryption and Auditing
10) DDL Triggers
11) PBM

Choosing an account for running SQL Server

Open the Server Configuration page in the installation assistant. When it opens, you will see the Service Accounts tab. If your SQL Server instance is already installed, you can access the service account properties using SQL Server Configuration Manager, found in the Configuration Tools menu under Microsoft SQL Server 2012.

Log on as a service.

On your local server, open the Administrative Tools menu folder and click on Local Security Policy. In the Local Policies node, select User Rights Assignment. In the policies list, go to Log on as a service. Double-click on it, and add the account using the Add User or Group... button. Click on OK.

Disabling SQL Server Browser

The SQL Server Browser service starts automatically when you install SQL Server in a cluster, or as a named instance. Its job is to communicate the presence of a SQL Server instance on the machine, and to send to the client the TCP port on which a named instance is listening. To hide the presence of an instance of SQL Server, you can stop it or configure it so that it does not respond to broadcast requests.

How to do it: If you updated an installation of SQL Server, or installed it in a cluster or as a named instance, the SQL Server Browser service is started automatically. You can check whether the service is running or not, and disable it by following these steps: Open SQL Server Configuration Manager, select the SQL Server Services tab, and double-click on the SQL Server Browser service. On the Log On tab, click on Stop to stop the service. Stopping only affects the running service; to keep it from starting again, set Start Mode to Disabled on the Service tab. Clients then have to specify the TCP port of a named instance explicitly in their connection string.


Extended Protection

Open SQL Server Configuration Manager, and go to the SQL Server Network Configuration node. Right-click on Protocols for <your instance>. Open the Properties window, and go to the Advanced page. If all your client computers support Extended Protection for Authentication, choose Required for the Extended Protection property; otherwise, choose Allowed. If the SQL Server service is known by several SPNs (that is, the server has several names), add them in the Accepted NTLM SPNs box, separated by semicolons. For more information about the SPN, see the Use Kerberos for authentication recipe.

Limiting functionalities: xp_cmdshell and OPENROWSET

First, let's see how to check and change the status of these features using a facet: In SQL Server Management Studio, right-click on the Server node in Object Explorer. Click on Facets. In the View Facets dialog box, select the Surface Area Configuration facet. Check that the AdHocRemoteQueriesEnabled, OleAutomationEnabled and XPCmdShellEnabled facet properties are set to False. Change their state if needed.
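The same check in T-SQL, as an added example that is not part of the deck: the three facet properties correspond to the sp_configure options xp_cmdshell, Ole Automation Procedures and Ad Hoc Distributed Queries. It assumes a login holding ALTER SETTINGS (sysadmin or serveradmin).

```sql
-- Added example (not from the deck): T-SQL equivalent of the Surface Area Configuration facet check.
-- The three options are advanced options, so they must be made visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Report the current state: value_in_use = 1 means the feature is enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries')
ORDER BY name;

-- Disable whatever is still on. Each call is harmless if the option is already 0.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- Hide the advanced options again so they do not show up in plain sp_configure output.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Final verification: raise an error if any of the three is still enabled,
-- so the script can double as a post-installation check in a job.
IF EXISTS (SELECT 1
           FROM sys.configurations
           WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries')
             AND value_in_use = 1)
    RAISERROR('Surface area check failed: a remote-execution feature is still enabled.', 16, 1);
```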

Choosing between Windows and SQL authentication

In SQL Server Management Studio, in Object Explorer, connect to the server and right-click on the instance node at the top of the hierarchy. Click on Properties. Go to the Security page. In the Server Authentication section, you can choose between the following options:
- Windows Authentication mode accepts only Windows logins.
- SQL Server and Windows Authentication mode accepts Windows and SQL Server logins.


Creating logins

In SQL Server Management Studio, connect to the instance with the Object Explorer, and go to the Security node at the server level. Right-click on the Logins node. Click on New Login.... In the Login – New window, enter the name of your login in the Login textbox. It can be a local or domain Windows account, in the form <machine or domain>\<account>, or a SQL Server account, in the form of a valid SQL Server identifier name. A valid SQL Server identifier name starts with a letter and contains no special characters.

You could create more complex names and use [] to protect them, but we recommend against doing that. You can use the Search button to browse your Windows accounts. If you choose to create a SQL Server authentication account, then enter and confirm the password; you will have the following three options to consider:
- Enforce password policy: It enforces Windows password policies. See the How it works... section for details.
- Enforce password expiration: It expires the password according to the password policies.
- User must change password at next login: This option is self-explanatory. The user will need to use a Graphical User Interface (GUI) to enter the new password. SQL Server Management Studio can be used.


Checking the state of a login

You can check the state of your logins by using the LOGINPROPERTY function. The syntax is LOGINPROPERTY ('login_name', 'property_name'), where property_name is a string specifying the property to return:

    DECLARE @login as sysname = 'Fred';
    SELECT LOGINPROPERTY (@login, 'BadPasswordCount') as [BadPasswordCount],
           LOGINPROPERTY (@login, 'BadPasswordTime') as [Last Bad Password Time],
           LOGINPROPERTY (@login, 'DaysUntilExpiration') as [Nb of days before expiration],
           LOGINPROPERTY (@login, 'HistoryLength') as [Nb of passwords in history],
           LOGINPROPERTY (@login, 'IsExpired') as [is expired],
           LOGINPROPERTY (@login, 'IsLocked') as [is locked],
           LOGINPROPERTY (@login, 'PasswordLastSetTime') as [Password Last Set Time];


Renaming the sa login

To disable the sa login, use the following command:

    ALTER LOGIN [sa] DISABLE;

To rename it, use the following command:

    ALTER LOGIN [sa] WITH NAME = [a_very_unusual_name];

If you rename sa, you can always identify it later: its principal_id is 1, and its SID is 0x01.

    SELECT * FROM sys.sql_logins WHERE principal_id = 1;


Using fixed server roles

- bulkadmin: Can run BULK INSERT commands.
- dbcreator: Can create, alter, drop, and restore any database.
- diskadmin: Can manage files on the disk. But it needs permissions to alter a database to add or change files or filegroups inside. diskadmin alone is not very useful.
- processadmin: Can view and kill sessions. A regular login can view only its own session, for example, by running SELECT * FROM sys.dm_exec_sessions;. Being processadmin, it can see other processes as well, and issue a KILL command to terminate their session.
- securityadmin: Can create and change a login, but cannot create a server role, or give permissions to a login which he does not himself possess.
- serveradmin: Can change the instance properties and stop/restart it.
- setupadmin: Can create and manage linked servers.
- sysadmin: Has full administrative privileges on the instance and all attached databases. No permission can be denied to a sysadmin member. Issuing an explicit deny on any securable to it will have no effect.

To see role membership, you can use the following query:

    SELECT role.name as role, role.is_fixed_role, login.name as login
    FROM sys.server_role_members srm
    JOIN sys.server_principals role ON srm.role_principal_id = role.principal_id
    JOIN sys.server_principals login ON srm.member_principal_id = login.principal_id;


Giving granular server privileges

Before SQL Server 2005, the only way to grant SQL Server administrative privileges to logins was by adding them to fixed server roles, as we have seen in the previous recipe. SQL Server 2005 introduced a set of granular server privileges, which allows us to directly grant precise and well-defined permissions to logins at the server level. We will see how to do it.

Open a login Properties window, and go to the Securables page. There, you can give explicit server permissions, and see the effective permissions. Most of them are of the form ALTER ANY..., which means permissions to create, alter, and drop.

Allowing logins to run a SQL trace: SQL Trace is a server functionality that allows us to trace events raised by the SQL Server modules. Traces are usually defined and executed by using the SQL Profiler tool. Before SQL Server 2005, only members of the sysadmin server role were able to run a trace. Now, the ALTER TRACE permission allows non-sysadmin logins to do it:

    GRANT ALTER TRACE TO [Fred];

Creating and using user-defined server roles

In SQL Server 2012, you are no longer limited to fixed server roles; you can create user-defined administrative roles, which allow you to define your own presets for administrative permissions. In the SSMS Object Explorer, go to the Security node and right-click on the Server Roles node. Click on New Server Role.... Enter a new role name. You can then give permissions on one or several object types.


Creating database users and mapping them to logins

Logins ensure authentication and access to server resources. To access a database, they must map to a user inside the database. The user is the security principal for a database. Access to database objects is granted to a user, not to a login.

There are two ways to create a database user in the SSMS graphical tools, either in the login Properties page at the server level or inside a database in the Security/Users node. We will follow the second path here, which is as follows: In the SQL Server Management Studio Object Explorer, click on the Databases node of your instance, and expand the desired database. Click on the Security node. Right-click on the Users node and choose New User....


Preventing logins and users from seeing metadata

Before SQL Server 2005, all server and database metadata was visible to everybody. It was a problem, for example, to web-hosting companies who share a SQL Server instance with customers. Everybody could see the presence of other customer databases on the server.

You can now control metadata visibility. By default, visibility is limited to principals who own or have some permission on an object; for example, a login can see logins he has ALTER permission on, or the login who is a grantor for him, or a login he owns. But the list of databases is still visible for every login. This can be changed.

If you want to hide databases from all logins, remove the VIEW ANY DATABASE permission from the public server role in the role properties or by code:

    USE master;
    GO
    REVOKE VIEW ANY DATABASE FROM public;

After this, a login still sees master, tempdb and the databases it owns, but no others. To allow only some logins to view all databases, you can create a user-defined server role, as follows:

    USE master;
    CREATE SERVER ROLE [DatabaseViewer];
    GO
    GRANT VIEW ANY DATABASE TO [DatabaseViewer];
    ALTER SERVER ROLE [DatabaseViewer] ADD MEMBER [Fred];


Understanding permissions

- ALTER: Permission to modify the object's definition.
- CONNECT: Permission to access the database or connect to the endpoint.
- DELETE: Permission to delete the object.
- EXECUTE: Permission to execute the stored procedure or the function.
- IMPERSONATE: Permission to take the identity of a principal, by means of an EXECUTE AS command.
- INSERT: Permission to insert data into the table or view.
- REFERENCES: Permission to reference the object in a foreign key definition, or to declare a view or function WITH SCHEMABINDING referencing the object.
- SELECT: Permission to issue a SELECT command against the object or column.
- TAKE OWNERSHIP: Permission to become the owner of the object.
- UPDATE: Permission to update the data.
- VIEW DEFINITION: Permission to view the definition (structure) of the object.


Creating and using database roles

Database-level roles allow us to group database permissions like server-level roles do for server permissions. Similarly, you have a set of fixed database roles available. In SQL Server Management Studio, in Object Explorer, enter into a database, and go to the Security node and the Database Roles node. Here, you will find the following fixed database roles:

- db_accessadmin: Can create and modify database users, also on contained databases. Can create a schema.
- db_backupoperator: Can back up the database and issue a manual checkpoint.
- db_datareader: Has SELECT permission for all selectable objects in the database.
- db_datawriter: Has INSERT, UPDATE, and DELETE permissions on every table and view in the database. It does not allow SELECT by itself.
- db_ddladmin: Has permissions to CREATE, ALTER, and DROP any object in the database.
- db_denydatareader: Is explicitly denied SELECT on any table, view, or function in the database.
- db_denydatawriter: Is explicitly denied INSERT, UPDATE, or DELETE on any table or view in the database.
- db_owner: Has all privileges in the database.
- db_securityadmin: Can manage security upon objects, assign permissions to users or roles, create schemas, and view the definition of all objects.


Creating and using application roles

Database roles are used to manage access and permissions inside a database. Database role members are database users that can connect to SQL Server by means of client software, such as SSMS. But let's say you would like to grant more privileges to a specific user, but only when he connects through an application, not when he uses SSMS. The first solution that comes to mind is to use a dedicated SQL login for the application, but this has drawbacks: you would need to use SQL Server authentication, and you would not be able to identify which user is connected by using SQL Server. They would all be authenticated by the same application login.

Application roles allow you to keep using Windows authentication, thus properly identifying the users of the application, while escalating permissions for the application needs. In SQL Server Management Studio, in Object Explorer, enter your database and go to Security – Roles. Right-click on the Application Roles node. Select New Application Role.... In the Application Role – New window, enter a role name, a password, and optionally a default schema (dbo is the default if you leave it empty). In the Securables page, manage permissions for the role as you would do with database roles.

To create the application role by T-SQL, use the following command:

    CREATE APPLICATION ROLE MarketingReports WITH PASSWORD = N'A complex password please';

To use the application role in your application, use the sp_setapprole system stored procedure to change the context of the session:

    EXEC sp_setapprole @rolename = 'MarketingReports', @password = N'A complex password please';

After the execution of this procedure, the current session will run under the context of the application role and be granted the role's privileges instead of the original database user's permissions.
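Added example, not from the deck: activating the MarketingReports role created above with a cookie, so the session can later return to the original user context (without a cookie the only way back is to close the connection). It assumes it is run in the Marketing database by a Windows user mapped into that database.

```sql
-- Added example (not from the deck). Uses the MarketingReports role and password shown above;
-- in production the password belongs in the application's protected configuration, not in a script.
DECLARE @cookie varbinary(8000);

-- Before activation: the session runs as the Windows user mapped into the database.
SELECT USER_NAME() AS db_user, ORIGINAL_LOGIN() AS windows_login;

-- Activate the role and ask for a cookie that allows reverting the context later.
EXEC sp_setapprole
        @rolename      = 'MarketingReports',
        @password      = N'A complex password please',
        @fCreateCookie = true,
        @cookie        = @cookie OUTPUT;

-- Now the session has only the role's permissions. USER_NAME() reports the role,
-- while ORIGINAL_LOGIN() still identifies the real person; this is what keeps
-- application roles auditable, unlike a shared SQL login.
SELECT USER_NAME() AS db_user, ORIGINAL_LOGIN() AS windows_login;

-- ... the application's queries run here under the role's permissions ...

-- Leave the application role context and return to the original user.
EXEC sp_unsetapprole @cookie;

-- The session is back to the Windows user's own permissions.
SELECT USER_NAME() AS db_user;
```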


Using schemas for security

The ANSI SQL standard defines these containing levels: the server level, the catalog level, and the schema level. Since version 2005, SQL Server implements all three levels. In SQL Server, the catalog is the database, and it does not directly contain objects, such as tables or views, but puts schemas in between, and the schemas contain the objects. Every database object needs to be inside a schema. The default schema in SQL Server, in which all objects are created if not specified otherwise, is named dbo.

A schema can be compared to a namespace in object-oriented languages, such as C# or Java. It allows having objects of the same name in the same database, in different schemas. It is useful for isolating objects that relate to the same project or business and to simplify permissions. Because a permission given at a level of the object hierarchy applies to all children objects, granting a permission on the schema applies to all objects inside the schema. As an example, the following command grants EXECUTE permission on all procedures and functions inside the dbo schema to the user fred:

    GRANT EXECUTE ON schema::dbo TO fred;


Protecting data through views and stored procedures

When you reference an object in a view or a code object, such as a stored procedure or a function, the permissions can be set on the view or the procedure, and revoked on the object referenced. This allows protecting underlying tables against direct queries. You must understand how it works in order to implement it correctly. That's the purpose of this recipe.

First, we create a view referencing the Prospect table, as follows:

    CREATE VIEW dbo.vProspect
    AS
    SELECT FirstName, Name, Phone, CellPhone, email, owner
    FROM dbo.Prospect
    WHERE [Owner] = CURRENT_USER
    WITH CHECK OPTION;

Then, we grant some permissions to the DOMAIN\marketing group:

    GRANT SELECT, UPDATE, INSERT ON OBJECT::dbo.vProspect TO [DOMAIN\marketing];

We can also make sure that DOMAIN\marketing has no permission on the underlying table:

    REVOKE SELECT, UPDATE, INSERT ON OBJECT::dbo.Prospect FROM [DOMAIN\marketing];

This works because of ownership chaining: when the view and the table it references have the same owner, SQL Server checks the caller's permissions on the view only and does not check them on the table.
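An added check (not from the deck) that confirms the view is the only path to dbo.Prospect and that the ownership chain is intact. It uses a constructed test user without a login, because a Windows group such as DOMAIN\marketing cannot be impersonated with EXECUTE AS; the test user is dropped at the end.

```sql
-- Added example (not from the deck). Constructed test principal: a database user without a login
-- stands in for a member of DOMAIN\marketing so the check can run on a test instance.
CREATE USER ProspectTester WITHOUT LOGIN;
GRANT SELECT, UPDATE, INSERT ON OBJECT::dbo.vProspect TO ProspectTester;

-- REVOKE only removes an explicit grant. If the principal could still reach the table through
-- another path (db_datareader, a GRANT to public), DENY is what actually blocks direct access.
-- A DENY on the table does not break the view: ownership chaining skips the table check entirely.
DENY SELECT, UPDATE, INSERT, DELETE ON OBJECT::dbo.Prospect TO ProspectTester;

-- Ownership chaining only applies when view and table share the same owner; confirm it.
SELECT o.name,
       USER_NAME(COALESCE(o.principal_id, s.principal_id)) AS owner_name
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.object_id IN (OBJECT_ID('dbo.Prospect'), OBJECT_ID('dbo.vProspect'));

-- Evaluate effective permissions as the test user: HAS_PERMS_BY_NAME returns 1 when the
-- permission is held. The view was granted above; the table was denied.
EXECUTE AS USER = 'ProspectTester';
    SELECT HAS_PERMS_BY_NAME('dbo.vProspect', 'OBJECT', 'SELECT') AS can_select_view,
           HAS_PERMS_BY_NAME('dbo.Prospect',  'OBJECT', 'SELECT') AS can_select_table;

    -- Works through the view; CURRENT_USER is now 'ProspectTester', so only its own rows show.
    SELECT COUNT(*) AS visible_rows FROM dbo.vProspect;

    -- A direct query on the table is rejected with a permission-denied error:
    -- SELECT COUNT(*) FROM dbo.Prospect;
REVERT;

-- Clean up the test principal (its grants and denies go with it).
DROP USER ProspectTester;
```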


Encrypting SQL code objects

You might want to protect your code from being viewed by users having the VIEW DEFINITION permission, either because this code contains confidential material, such as rules or passwords, or simply because you will ship the database to customers and you don't want them to look into your code. Usually, we don't consider database modules to be confidential. Anything you want to keep private can be put in tables with proper permissions, and possibly encrypted.

In the following code example, we create a stored procedure and apply the WITH ENCRYPTION option to obfuscate the code stored in SQL Server:

    CREATE PROCEDURE dbo.ApplyAlgorithm
    WITH ENCRYPTION
    AS
    BEGIN
        SET NOCOUNT ON;
        -- do something
    END
    GO


Using DDL triggers for auditing structure modification

SQL Server allows creating triggers for DDL operations. DDL (Data Definition Language) is the subset of the SQL language dealing with manipulation of structures, or metadata. The DDL keywords are CREATE, ALTER, and DROP. By placing triggers on DDL operations, you can audit the structural changes made on your server or in your databases. You can also block those changes within the trigger.

Let's say that our goal is to audit security modifications in our databases. We want to centralize the audit in a dedicated database. We create the Audit database and the DDLAudit table in it:

    CREATE DATABASE Audit;
    GO
    USE Audit;
    CREATE TABLE dbo.DDLAudit (
        DataBaseName sysname,
        EventType sysname,
        PostTime datetime,
        LoginName sysname,
        Command nvarchar(2000),
        HostName sysname,
        ApplicationName sysname);

In the Marketing database, we create a trigger to monitor all security events:

    USE Marketing;
    GO
    CREATE TRIGGER tr_audit_security
    ON DATABASE
    WITH EXECUTE AS SELF
    FOR DDL_DATABASE_SECURITY_EVENTS
    AS
    BEGIN
        DECLARE @e as XML
        SET @e = EVENTDATA()
        INSERT INTO Audit.dbo.DDLAudit (DataBaseName, EventType, PostTime, LoginName, Command, HostName, ApplicationName)
        SELECT DB_NAME() as DataBaseName,
               @e.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname') as EventType,
               @e.value('(/EVENT_INSTANCE/PostTime)[1]', 'datetime') as PostTime,
               @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname') as LoginName,
               @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(2000)') as Command,
               HOST_NAME() as HostName,
               APP_NAME() as ApplicationName
    END;


Configuring SQL Server auditing

With Server Audit, you can easily set up an audit. The auditing session will record events occurring at the server level or at a database level in a file or in the Windows event log. First you have to define an audit, and then you bind one specification that contains events to collect. Server-level auditing is available in all editions of SQL Server, while database-level auditing is only available in the Enterprise edition.

In SSMS Object Explorer, go to the Security node under the instance node, and right-click on Audits. Click on New Audit.... There, enter a name for your audit, and add a file path where the audit file will be written. Click on OK to create the server audit, then right-click on the node right below, named Server Audit Specifications. Click on New Audit Specification. In the New Audit Specification window, choose a name, bind the specification to the audit we just created, and add relevant action types.

Then, right-click on the audit specification we just created and click on Enable Server Audit Specification. Right-click on the audit we just created and click on Enable Server Audit. You can also set an audit specification at a database level. Go to a database, in the Security node, and right-click on Database Audit Specifications. Click on New Database Audit Specification.

Like at server level, you can create only one specification on an audit per database. So, for an audit, you can have one server audit specification, and one database audit specification per database. You can then view the audit log by right-clicking on the audit and clicking on View Audit Log.
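The same audit, server audit specification and database audit specification built with T-SQL, as an added example that is not part of the deck. Constructed assumptions: the folder C:\SQLAudit exists and is writable by the SQL Server service account, and the Marketing database holds the dbo.Prospect table used earlier.

```sql
-- Added example (not from the deck): T-SQL equivalent of the SSMS walkthrough above.
-- Constructed assumptions: C:\SQLAudit exists and the service account can write to it.
USE master;
GO
CREATE SERVER AUDIT SecurityAudit
    TO FILE (FILEPATH = 'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    -- ON_FAILURE = CONTINUE: keep serving if the log cannot be written (SHUTDOWN would stop the instance)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- Only one server audit specification per audit: pick the security-relevant action groups.
CREATE SERVER AUDIT SPECIFICATION SecurityAuditSpec
    FOR SERVER AUDIT SecurityAudit
    ADD (FAILED_LOGIN_GROUP),                  -- failed logins: brute force or broken clients
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),     -- someone added to sysadmin or another server role
    ADD (SERVER_PERMISSION_CHANGE_GROUP),      -- GRANT/DENY/REVOKE at the server level
    ADD (AUDIT_CHANGE_GROUP)                   -- changes to the audit itself (tampering)
    WITH (STATE = ON);
GO

-- The audit is created in the OFF state; enable it once its specification exists.
ALTER SERVER AUDIT SecurityAudit WITH (STATE = ON);
GO

-- One database audit specification per database for this audit (Enterprise edition).
USE Marketing;
GO
CREATE DATABASE AUDIT SPECIFICATION MarketingProspectAccess
    FOR SERVER AUDIT SecurityAudit
    ADD (SELECT, UPDATE, INSERT, DELETE ON OBJECT::dbo.Prospect BY public),  -- every access to the table
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)                                 -- role membership changes
    WITH (STATE = ON);
GO

-- Equivalent of View Audit Log: read every file the audit has written so far.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```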

Policy Based Management

Policy Based Management (PBM) was introduced in SQL Server 2008 and was named Declarative Management Framework in the early days of SQL Server 2008 development. These names say it all. With PBM, you declare policies to check or enforce on one or many SQL Servers. It is a wonderful tool to keep your servers consistently configured or to enforce rules such as naming conventions or database options. PBM is only available in Enterprise edition. In SSMS Object Explorer, open the Management node and the Policy Management node. Right-click on Policies and select New Policy...:

In the Create New Policy window, enter a name for your policy and in the Check Condition drop-down list, select New Condition. The condition applies to a facet. In the Create New Condition window, select the Login Options facet. In the Expressions grid, select @PasswordPolicyEnforced as the Field, = as the Operator, and True as the Value. Click OK. Back in the Create New Policy window, you will see in the Against Targets list that the policy will be checked against every login. Click on Every and select New Condition...:

In the Create New Condition window, enter a name for your condition, and in the Expression grid, select @LoginType as the Field, = as the Operator, and SqlLogin as the Value. Click OK. Back in the Create New Policy window, leave the Evaluation Mode as On Demand, and click OK. This will create the policy and add it in Object Explorer.

You can then right-click on it and select Evaluate. The evaluation window will open and the evaluation will start against all SQL logins on your server. If any do not enforce the password policies, they will appear with an error icon. After the evaluation, you can check them and click on the Apply button. The option will be set on the selected logins and the evaluation will run again to report them as matching.
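The same check as the policy above, expressed as a query, added here as an example that is not part of the deck: it can be scheduled, or run on an instance where Policy Based Management is not used. It reads only sys.sql_logins, which holds exactly the LoginType = SqlLogin principals the policy targets.

```sql
-- Added example (not from the deck): the policy's condition as a query.
-- is_policy_checked = 0 is the same failure the policy reports with an error icon.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%'          -- skip the internal certificate-based logins
ORDER BY name;

-- Equivalent of the Apply button: one ALTER LOGIN per non-compliant login.
-- Review the generated statements before executing them. Turning the check on keeps the
-- existing password as it is; the policy applies to future password changes and lockouts.
SELECT 'ALTER LOGIN ' + QUOTENAME(name) + ' WITH CHECK_POLICY = ON;' AS remediation
FROM sys.sql_logins
WHERE is_policy_checked = 0
  AND name NOT LIKE '##%'
ORDER BY name;
```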


1) Configuring service and Network and authentication modes, configuring Facets
2) Create Logins + Server Roles + check
3) Create Database Users and Roles + check
4) Database permissions
5) Stored Procedure and View Encryption
6) Audit and Audit Specifications
7) DDL Triggers
8) PBM