/*create a SQL Server authenticated login called LoginName,CHECK_POLICY=ON默认就是on可以不需要,但CHECK_EXPIRATIONl默认是off*/
CREATE LOGIN LoginName WITH PASSWORD = ‘StRonGPassWord1’, CHECK_POLICY=ON,
CHECK_EXPIRATION=ON;
/*To grant a Windows account access to your SQL Server*/
CREATE LOGIN [Domain\AccountName] FROM WINDOWS;
/*add the login ‘‘MyLogin’’ to the sysadmin role*/
EXEC sp_addsrvrolemember ‘MyLogin’, ‘sysadmin’;
/*LOGINPROPERTY检查账户的各属性*/
SELECT LOGINPROPERTY(‘MyLogin’, ‘IsMustChange’);
/*查看登录账户的server的id和sid*/
SELECT name, principal_id, sid FROM sys.server_principals;
/*查看数据库用户的id和sid*/
SELECT name, principal_id, sid FROM sys.database_principals;
/*赋与用户使用profiler的权限*/
GRANT ALTER TRACE TO [LoginName]
/*创建credential(凭据)*/
CREATE CREDENTIAL [WindowsAdmin]
WITH IDENTITY = N‘MyDomain\Administrator’,
SECRET = N‘password’
/*创建角色*/
CREATE ROLE [WebUsers] AUTHORIZATION [SalesManager]
/*创建用户*/
CREATE USER [LoginName] FOR LOGIN [LoginName]
/*给一个角色添加用户,N表示unicode字符*/
EXEC sp_addrolemember N‘db_datawriter’, N‘LoginName’
/*赋与用户或角色权限*/
GRANT CREATE TABLE TO [LoginName]
GRANT EXECUTE ON SprocName to [LoginName]
/*在某一schema上的执行权限*/
GRANT ALTER ON SCHEMA::[dbo] TO [SchemaExampleLogin]
GO
/*创建schema*/
CREATE SCHEMA [TestSchema] AUTHORIZATION [SchemaExampleLogin]
/*改变对像的schema*/
CREATE SCHEMA SecondSchema
GO
ALTER SCHEMA SecondSchema TRANSFER TestSchema.TestTable
GO
ALTER SCHEMA SecondSchema TRANSFER TestSchema.TableDesignerTest
GO
/*Change the schema owner*/
ALTER AUTHORIZATION ON SCHEMA::TestSchema TO dbo
GO
/*授与对某用户的模拟权限,一般不要模拟权限太大的用户,如这个dbo*/
GRANT IMPERSONATE ON USER::dbo TO SchemaExampleLogin;
/*execute as 示例,此存储过程运行结束,对用户的模拟也将结束*/
ALTER PROC DynamicSQLExample
@OrderBy Varchar(20)
AS
EXECUTE AS USER = ‘dbo’
DECLARE @strSQL varchar(255)
SET @strSQL = ‘SELECT * FROM dbo.TestTableProblem ’
SET @strSQL = @strSQL + ‘ORDER BY ’ + @OrderBy
EXEC (@strSQL)
SELECT USER_NAME() as LoginNm,
USER_NAME() as UserNm,
ORIGINAL_LOGIN() as OriginalLoginNm;
GO
/*login context switch 模拟一个登录,使用完这个权限后,要使用revert将权限返回*/
EXECUTE AS login = ‘SomeLogin’
/*fn_my_permissions函数查询权限示例*/
SELECT * FROM fn_my_permissions(‘TestSchema’, ‘SCHEMA’)
SELECT * FROM fn_my_permissions(‘dbo.TestTableProblem’, ‘OBJECT’)
EXECUTE AS Login = ‘SomeLogin’
SELECT *
FROM fn_my_permissions(NULL, ‘SERVER’)
REVERT
/*user也可以换成login看是否可以模拟login*/
SELECT * FROM fn_my_permissions(‘SchemaExamplelogin’, ‘USER’);
/*一个给数据加密的例子*/
use testdb
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '123456'
go
CREATE CERTIFICATE [CertTest]
WITH SUBJECT = 'User defined subject. This key will protect the secret data.'
go
CREATE SYMMETRIC KEY [SymKeyTest]
WITH ALGORITHM = TRIPLE_DES --AES_128 Fine too
ENCRYPTION BY CERTIFICATE [CertTest]
go
OPEN SYMMETRIC KEY [SymKeyTest]
DECRYPTION BY CERTIFICATE [CertTest]
DECLARE @Key_Guid AS UNIQUEIDENTIFIER
SET @Key_Guid = key_guid( 'SymKeyTest')
insert into t1(name) values(ENCRYPTBYKEY(@key_guid,N'encrypt test1'))
insert into t1(name) values(ENCRYPTBYKEY(@key_guid,N'encrypt test2'))
select * from t1
select convert(nvarchar(200),DECRYPTBYKEY(name)) from t1
go
CLOSE SYMMETRIC KEY SymKeyTest
/*拒绝对某列查询*/
DENY SELECT (CardNumber) on dbo.CustomerCreditCards to LowPrivLogin
/*开启数据库的tde*/
USE master
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘2008TDEexample’
CREATE CERTIFICATE CertForAdventureWorks2008
WITH SUBJECT = ‘Certificate for AdventureWorks2008 TDE’
GO
BACKUP CERTIFICATE CertForAdventureWorks2008
TO FILE = ‘CertForAdventureWorks2008.cer’
WITH PRIVATE KEY ( FILE = ‘CertForAdventureWorks2008.key’ ,
ENCRYPTION BY PASSWORD = ‘2008TDEexample’ )
GO
USE AdventureWorks2008
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CertForAdventureWorks2008
GO
ALTER DATABASE AdventureWorks2008
SET ENCRYPTION ON
GO
/*开启sqlserver的ekm providers*/
sp_configure ‘show advanced’, 1
GO
RECONFIGURE
GO
sp_configure ‘EKM provider enabled’, 1
GO
RECONFIGURE
GO
/*创建审核对像audit*/
use master;
CREATE SERVER AUDIT [Audit-EmployeeQueries]
TO FILE
(FILEPATH = N‘C:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Log\’);
/*创建审核规范*/
CREATE SERVER AUDIT SPECIFICATION [ServerAuditSpec-FailedLogins]
FOR SERVER AUDIT [Audit-FailedLogins]
ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON)
GO
/*创建针对数据库表的select审核规范*/
USE [AdventureWorks2008]
GO
CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpec-EmployeesTable]
FOR SERVER AUDIT [Audit-EmployeeQueries]
ADD (SELECT ON OBJECT::[HumanResources].[Employee] BY [public])
WITH (STATE = ON)
GO
