Chapter 2 User Authentication, Authorization, and Security (9): prevents login names and users from viewing metadata, authentication

Source: Internet
Author: User


Without the author's consent, this article may not be republished as an "original" work or used for commercial purposes. I am not responsible for any legal liability.

Previous Article: http://blog.csdn.net/dba_huangzj/article/details/38944121

Preface:

Before SQL Server 2005, all server and database metadata was visible to every login. When, for example, an online banking system shared a SQL Server instance with its customers, one customer could see information about the other users. Starting with SQL Server 2005, you can control permissions so that a login or database user only sees the metadata it needs.

Implementation:

To hide all databases from all logins, revoke the VIEW ANY DATABASE permission from the public server role:

USE master;
GO
REVOKE VIEW ANY DATABASE FROM public;
GO

To let selected logins see all databases again, create a user-defined server role, grant the permission to the role, and add the logins as members:

USE master;
GO
CREATE SERVER ROLE [DatabaseViewer];
GO
GRANT VIEW ANY DATABASE TO [DatabaseViewer];
GO
ALTER SERVER ROLE [DatabaseViewer] ADD MEMBER [Fred];
GO

Note that master and tempdb are always visible to all logins.

Database visibility cannot be granted selectively: a login either sees all databases in Object Explorer or none (other than the ones it owns). If a login has the VIEW ANY DATABASE server permission, it sees every database on the server in Object Explorer and can query them all in the sys.databases catalog view. If the login lacks this permission but is mapped to a user in a database, it still cannot see all databases, but sys.databases returns the rows for the databases it has access to, and the login can switch to them with the USE command.

The only way to make a database selectively visible is to make the login its owner:

ALTER AUTHORIZATION ON DATABASE::marketing TO [Fred];

The database owner has all permissions in the database, but a database has exactly one owner; you cannot set several logins as owners of the same database at the same time.
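The following script is an added example that is not part of the original article. It applies the three server-level options above (revoking VIEW ANY DATABASE from public, restoring it through a user-defined server role, and selective visibility through database ownership) and then verifies what each login actually sees by impersonating it. The logins Fred and Alice, the marketing database and the passwords are placeholders constructed for this example; run it on a test instance as a sysadmin.

```sql
-- Added example (not from the original article): hide databases by default,
-- restore visibility through a server role or through ownership, then verify.
-- Login names, passwords and the database name are placeholders.
USE master;
GO
-- Test principals and database (constructed for this example)
CREATE LOGIN [Fred]  WITH PASSWORD = N'<strong password>';
CREATE LOGIN [Alice] WITH PASSWORD = N'<strong password>';
CREATE DATABASE [marketing];
GO
-- Step 1: no login sees other databases unless explicitly permitted
REVOKE VIEW ANY DATABASE FROM public;
GO
-- Step 2: a server role that gives full visibility back to chosen logins
CREATE SERVER ROLE [DatabaseViewer];
GRANT VIEW ANY DATABASE TO [DatabaseViewer];
ALTER SERVER ROLE [DatabaseViewer] ADD MEMBER [Fred];
GO
-- Step 3: selective visibility for Alice: ownership of one database only
ALTER AUTHORIZATION ON DATABASE::marketing TO [Alice];
GO
-- Verification: sys.databases only returns rows the caller is allowed to see.
-- Fred (role member) gets every database; Alice gets master, tempdb and marketing.
EXECUTE AS LOGIN = N'Fred';
SELECT SUSER_SNAME() AS login_name, name FROM sys.databases ORDER BY name;
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DATABASE') AS can_view_any_database; -- 1
REVERT;
GO
EXECUTE AS LOGIN = N'Alice';
SELECT SUSER_SNAME() AS login_name, name FROM sys.databases ORDER BY name;
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DATABASE') AS can_view_any_database; -- 0
REVERT;
GO
```

HAS_PERMS_BY_NAME with NULL securable and class checks a server-level permission for the current security context, so the second result for each login is the direct answer to "does this login hold VIEW ANY DATABASE", independent of what Object Explorer happens to draw.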

Inside a database, you can make specific objects visible to selected users. In SSMS, expand the database's [Security] → [Users] node, right-click the user, choose [Properties], then open the [Securables] page. Click [Search] to add a specific object, such as a table, stored procedure, or schema, and tick the [Grant] column for the [View definition] permission.

The same can be done with T-SQL. If you do not remember the command, the [Script] button on that dialog generates it for you:

USE [AdventureWorks2012];
GO
GRANT VIEW DEFINITION ON [dbo].[AWBuildVersion] TO [test];
GO

Principle:

You can use the following statement to view the metadata permissions that can be authorized:

SELECT  parent_class_desc AS parent ,
        class_desc AS class ,
        permission_name AS permission
FROM    sys.fn_builtin_permissions(NULL)
WHERE   permission_name LIKE 'VIEW%'
ORDER BY CASE parent_class_desc
           WHEN '' THEN 0
           WHEN 'SERVER' THEN 1
           WHEN 'DATABASE' THEN 2
           WHEN 'SCHEMA' THEN 3
         END ,
        class ,
        permission;

The VIEW DEFINITION permission can also be granted at scopes above a single object, up to the server. To let a login view every definition on the instance, grant it the server-level VIEW ANY DEFINITION permission. VIEW ANY DATABASE, by contrast, suits logins that only need to see which databases exist and do not need access to other objects on the server.

Inside a database, a user sees the objects on which it holds some permission. By default a new user is only a member of the public database role and has no permissions. You can add the user to the db_datareader fixed database role so that it can view all tables, and grant VIEW DEFINITION on a stored procedure, function, or trigger so that it can see the underlying code. If you do not want others to see that code, create the object WITH ENCRYPTION (described later).
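The following script is an added example, not code from the original article. It demonstrates the object-level part of the discussion above: what a user holding only public membership can see through the catalog views, what changes after GRANT VIEW DEFINITION, and how WITH ENCRYPTION keeps the module text hidden even from a user who holds VIEW DEFINITION. The database name follows the article's example; the user [test] and the two procedures are placeholders constructed here.

```sql
-- Added example (not from the original article): object-level VIEW DEFINITION
-- and WITH ENCRYPTION, verified by impersonating a low-privilege user.
-- The user name and procedure names are placeholders.
USE [AdventureWorks2012];
GO
CREATE USER [test] WITHOUT LOGIN;   -- member of public only, no other permissions
GO
-- One procedure stored in clear text, one whose source is hidden by WITH ENCRYPTION
CREATE PROCEDURE dbo.usp_visible AS SELECT 1 AS result;
GO
CREATE PROCEDURE dbo.usp_hidden WITH ENCRYPTION AS SELECT 2 AS result;
GO
-- Before the grant: the user cannot even see the rows for these objects
EXECUTE AS USER = N'test';
SELECT name FROM sys.procedures;                                 -- no rows
SELECT OBJECT_DEFINITION(OBJECT_ID(N'dbo.usp_visible')) AS body; -- NULL
REVERT;
GO
GRANT VIEW DEFINITION ON dbo.usp_visible TO [test];
GRANT VIEW DEFINITION ON dbo.usp_hidden  TO [test];
GO
-- After the grant: both objects are listed, but only the clear-text body is readable;
-- sys.sql_modules.definition is NULL for a module created WITH ENCRYPTION
EXECUTE AS USER = N'test';
SELECT name FROM sys.procedures;                                 -- usp_visible, usp_hidden
SELECT OBJECT_NAME(object_id) AS proc_name, definition
FROM   sys.sql_modules
WHERE  object_id IN (OBJECT_ID(N'dbo.usp_visible'), OBJECT_ID(N'dbo.usp_hidden'));
REVERT;
GO
-- Audit: who holds VIEW DEFINITION on which object in this database (class 1 = object)
SELECT dp.name AS grantee,
       OBJECT_SCHEMA_NAME(p.major_id) + N'.' + OBJECT_NAME(p.major_id) AS object_name,
       p.state_desc
FROM   sys.database_permissions AS p
JOIN   sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE  p.permission_name = N'VIEW DEFINITION'
  AND  p.class = 1;
```

The final query is the check to run periodically: it lists every explicit object-level VIEW DEFINITION grant in the database, which is how you notice when metadata on sensitive procedures has been exposed more widely than intended.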
