
Security Management in SQL Server

Chapter-1: Introduction

Oracle today announced that it has been named the leading Relational Database Management Systems (RDBMS) vendor in India and Asia Pacific excluding Japan (APEJ), based on first half 2007 Asia Pacific software revenues by IDC. In IDC's Asia/Pacific Semiannual Software Tracker, September 2007 report, Oracle is the Asia Pacific market leader with 53 percent market share, growing 19 percent year-over-year to reach US$373 million in software revenue in first half 2007. It has strengthened its market share lead by nearly four percent over its second half 2006 figure of 50 percent. The company commands more than double the market share of its nearest competitor in the RDBMS market, which has 21 percent. In India, Oracle leads the RDBMS market with 63 percent market share, nearly thrice that of its nearest competitor, which has 23 percent.

"Oracle has, through a sustained flow of innovation, continued to develop and strengthen its undisputed relational database market share leadership in Asia Pacific," said SPS Grover, vice president, Technology Sales, Oracle India. "With Oracle Database 11g, we expect to continue revolutionizing the database world. Customers will benefit from unique features such as active standbys, real application testing and compression of all data types which will have a dramatic impact on the performance, reliability and economics of their IT systems."

Continued Leadership in Database Innovation with Launch of Oracle Database 11g

In Q1 FY08, Oracle launched Oracle Database 11g, with new features such as Oracle Active Data Guard, Oracle Real Application Testing and Oracle Advanced Compression. With more than 400 new features, 36,000 person-months of development and 15 million test hours, Oracle Database 11g is making the management of enterprise information easier than ever, enabling customers to know more about their business and innovate more quickly. Oracle also recently announced a new world record price/performance result with the TPC-C benchmark running Oracle Database 11g on Windows. Achieving 102,454 transactions per minute with a price/performance of $.73/tpmC, Oracle Database 11g Standard Edition One delivered 24 percent more performance at 13 percent less cost than its nearest competitor in the price/performance category.

Oracle Database new wins for 1H FY08 in India include Commercial Taxes Department, Government of Rajasthan, Tamil Nadu Electricity Board and Tata Tele Services Ltd; CAIRN INDIA, Delhi International Airport Ltd., GENPACT INDIA, High Court Of Delhi, IFCI Ltd., Oriental Bank of Commerce and Oxigen India Prepaid Services Pvt Ltd. Some of the new wins for Asia Pacific, excluding Japan, include: Alcatel (Australia), Australian Institute of Health and Welfare (Australia), Bombardier Transportation Australia Pty Ltd. (Australia), Alibaba Group (China), AU Optronics Corp (Taiwan), Bank of East Asia (Hong Kong), China Eastern Airlines Co. Ltd. (China), Dah Sing Bank (Hong Kong), Department of Immigration and Emigration (Sri Lanka), GreatWall Information Industry (China), Kodeco Energy (Indonesia), Korea Exchange (Korea), PT Bank Central Asia (Indonesia), PT. Mobile-8 Telecom (Indonesia), SK Telecom (Korea), Shell Autoserv (Thailand) Co., Shenzhen Airlines (China), Sun Hung Kai Securities Limited (Hong Kong), Sunghwa College (Korea), Tata Steel (Thailand), Thai Nippon Steel Engineering & Construction Corp Ltd. (Thailand), The Bank of East Asia Limited (Hong Kong), Xiangya Hospital of Center-South University (China) and Yan Wal Yun (Thailand), to name a few.

Despite challenging economic conditions, the enterprise software market in India is projected to grow 13 per cent in 2012, with revenue reaching US$3.22 billion, according to Gartner, Inc. India's enterprise software market is forecast to maintain its strong performance, with an estimated compound annual growth rate (CAGR) of 13.6 per cent from 2009 to 2016, the third highest growth rate in the world. The increasing globalization of the Indian economy is leading to a growing need for modern software with the latest features and improved functionality.

"With Indian enterprises continuing to embrace IT to improve productivity and drive growth, penetration of ICT infrastructure has been growing rapidly during the past decade. The primary drivers of growth have been domestic demand, the growing maturity of users and incremental enhancements in the technology," said Asheesh Raina, principal research analyst at Gartner. "India also enjoys a rich presence of all international software and hardware vendors, backed by a very strong ecosystem of system integrators, service providers and business partners. A combination of high domestic demand, presence of global vendors and entry of new small vendors with innovative products have made the overall ecosystem apt for robust growth."

In 2012, India will be the fourth largest enterprise software market in Asia/Pacific. The country is forecast to account for 11 per cent of the region's total revenue of US$29.33 billion for Asia/Pacific this year, equivalent to 1.15 per cent of the total worldwide software market of US$280 billion. By 2016, India's share of the software market in Asia/Pacific is expected to reach 12.1 per cent, representing US$5.4 billion in revenue, or 1.5 per cent of total worldwide software market revenue of US$361 billion. In comparison to other countries in the Asia/Pacific region, such as China (with 27 per cent share of regional spending in 2011), the software market in India is still relatively small and evolving.

"End users in Asia/Pacific are expecting to increase their spending on application and infrastructure software, with China and India being the most optimistic and leading the way for budget increases, followed closely by Malaysia and South Korea," said Mr. Raina. The high intention to increase budgets in India is expected because of the rapidly growing economy, globalization of operations, and ongoing investment in India as a customer service-related outsourcing destination. Optimism regarding spending within Indian organizations reflects confidence in India's regional economic performance, as well as the need to adopt better technology to compete effectively in a tougher global environment. Priority areas of software spending include operating systems, DBMS, AIM and application development. In the next five years, the fastest-growing segments will be Web conferencing and team collaboration, enterprise content management, CRM and ERP. According to Gartner, Indian enterprises are lagging behind in the adoption of these tools, which is what drives the fast growth of these markets.
Databases are organized collections of data that support the storage, management and retrieval of information. They are judged by accuracy, availability, usability and resilience. Software products known as database management systems (DBMS) mediate access to the data stored in databases; a DBMS lets database administrators (DBAs) and other software specialists develop databases for an organization's various applications.

Well-known DBMS products include Oracle, Access, SQL Server, DB2 and MySQL. A DBMS allows different application programs to access the same database simultaneously, and provides services for controlling data access, enforcing data integrity, managing concurrency, recovering the database after failures and sustaining database security. Relational databases are the usual choice for storing data such as financial and medical records, personal information and manufacturing data. A relational database is a collection of tables that relate to one another; other objects (views, indexes, constraints, stored procedures) are considered part of the database because they help to organize and structure the data. Structured Query Language (SQL) is used to communicate with relational database management systems and lets users perform the basic functions needed to interact with data; each DBMS adds its own proprietary extensions (T-SQL in SQL Server). SQL statements are commonly divided into two sublanguages: data definition language (DDL) and data manipulation language (DML). DDL includes the commands that create and destroy databases and their objects; once the structure exists, DML is used to insert, select, update and delete the data it holds. The permission statements GRANT, DENY and REVOKE, which decide who may run which of these commands against which objects, are often grouped separately as data control language (DCL), and they are where most of the security management in an RDBMS happens.

Research Methodology

Need for the Study
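The following T-SQL script is an added example, not part of the original report, showing the three kinds of statements side by side as they would be used in SQL Server: DDL builds a table and a view that hides a sensitive column, DML loads and changes rows, and the permission statements give a role access to the view while denying the base table. All names (PayrollDemo, hr.Employee, DirectoryReader, app_reader) and the sample rows are hypothetical and constructed for the example.

```sql
-- Added example (not from the original report): DDL, DML and permission statements.
-- All names are hypothetical; the sample rows are constructed.
CREATE DATABASE PayrollDemo;
GO
USE PayrollDemo;
GO

-- DDL: schema, table, and a view that exposes everything except Salary.
CREATE SCHEMA hr;
GO
CREATE TABLE hr.Employee
(
    EmployeeId int           IDENTITY(1,1) NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Department nvarchar(50)  NOT NULL,
    Salary     decimal(12,2) NOT NULL CHECK (Salary >= 0)
);
GO
CREATE VIEW hr.EmployeeDirectory
AS
    SELECT EmployeeId, FullName, Department   -- Salary deliberately omitted
    FROM hr.Employee;
GO

-- DML: populate and modify (constructed sample rows).
INSERT INTO hr.Employee (FullName, Department, Salary)
VALUES (N'A. Rao',  N'Finance', 85000.00),
       (N'B. Iyer', N'IT',      92000.00);

UPDATE hr.Employee SET Salary = Salary * 1.05 WHERE Department = N'IT';

-- Permission statements (DCL): a role that may read the directory view only.
-- The view and the table share an owner, so the ownership chain lets the view
-- read the table on the role's behalf; the DENY still blocks direct access.
CREATE ROLE DirectoryReader;
GRANT SELECT ON OBJECT::hr.EmployeeDirectory TO DirectoryReader;
DENY  SELECT ON OBJECT::hr.Employee          TO DirectoryReader;  -- DENY beats any later GRANT

-- A database user with no server login, used purely for the impersonation test below.
CREATE USER app_reader WITHOUT LOGIN;
ALTER ROLE DirectoryReader ADD MEMBER app_reader;   -- SQL Server 2012+; earlier: sp_addrolemember
GO

-- Check: run as the low-privilege user and confirm the view works, the table does not.
EXECUTE AS USER = 'app_reader';
    SELECT FullName, Department FROM hr.EmployeeDirectory;          -- succeeds
    SELECT * FROM sys.fn_my_permissions('hr.Employee', 'OBJECT');    -- returns no rows
    BEGIN TRY
        SELECT Salary FROM hr.Employee;                             -- fails
    END TRY
    BEGIN CATCH
        SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS Msg;  -- 229: SELECT permission denied
    END CATCH;
REVERT;
```

The point of the DENY is defence in depth: if someone later grants SELECT on hr.Employee to a broader role that app_reader also belongs to, the explicit DENY still wins, so the salary column stays hidden from that user.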

The growing IT industry in India faces many challenges in keeping a consistent pace in dynamic and competitive business environments. To overcome such challenges, managers need proper forecasts, analysis and database management systems, which in turn require a well-established database and server management platform. Security parameters take precedence in database management systems, and hence the challenge is to identify a highly secure RDBMS or DBMS. This need invites a study to understand the security management aspects of the most commonly used RDBMS, SQL Server.

Scope of the Study

The study "Security Management in SQL Server" focuses on security management in SQL Server and on other advantages of SQL Server compared to other RDBMSs. It also examines the satisfaction with, and the need for, such high-end security options for databases, and the prominence of SQL Server in this regard.

Objectives

- To study the key decision areas in database management systems.
- To analyze and evaluate the performance of the present database management platforms.
- To understand the security management aspects of SQL Server.

Sampling

Sampling Method: The sampling method used was convenience sampling. Convenience sampling (sometimes known as grab or opportunity sampling) is a type of non-probability sampling in which the sample is drawn from that part of the population which is close to hand; that is, a sample is selected because it is readily available and convenient. Respondents may be included when one meets them in person, or reached through technological means such as the internet or the phone.

Determination of Sample Design: There are many IT companies in the twin cities operating in domestic and international markets. Companies that contribute substantially to high-end database management software were selected to constitute the sample. Data was collected from the database administrators in such companies using the convenience sampling technique.

Limitations of the Study

Geographical Limitation: The study is confined to the twin cities, so its results may not generalize beyond them.

Time: The project was undertaken over an 8-week period, which is not sufficient to cover the complete scope of the study.

Chapter -2: Conceptual Framework & Literature Review

SQL Server


Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product whose primary function is to store and retrieve data as requested by other software applications, whether those run on the same computer or on another computer across a network (including the Internet). There are at least a dozen different editions of Microsoft SQL Server aimed at different audiences and at workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users. Its primary query languages are T-SQL and ANSI SQL.

Origin

Prior to version 7.0 the code base for MS SQL Server was derived from Sybase SQL Server, which Sybase licensed to Microsoft; it was Microsoft's entry to the enterprise-level database market, competing against Oracle, IBM and, later, Sybase itself. Microsoft, Sybase and Ashton-Tate originally worked together to create and market the first version, named SQL Server 1.0 for OS/2 (about 1989), which was essentially the same as Sybase SQL Server 3.0 on Unix, VMS and other platforms. Microsoft SQL Server 4.2 shipped around 1992 (available bundled with IBM OS/2 version 1.3). Later, Microsoft SQL Server 4.21 for Windows NT was released at the same time as Windows NT 3.1. Microsoft SQL Server 6.0 was the first version designed for NT and did not include any direction from Sybase. About the time Windows NT was released in July 1993, Sybase and Microsoft parted ways and each pursued its own design and marketing schemes. Microsoft negotiated exclusive rights to all versions of SQL Server written for Microsoft operating systems. (In 1996 Sybase changed the name of its product to Adaptive Server Enterprise to avoid confusion with Microsoft SQL Server.) Until 1994, Microsoft's SQL Server carried three Sybase copyright notices as an indication of its origin. SQL Server 7.0 and SQL Server 2000 included modifications and extensions to the Sybase code base, adding support for the IA-64 architecture. By SQL Server 2005 the legacy Sybase code had been completely rewritten.

Since the release of SQL Server 2000, advances have been made in performance, in the client IDE tools, and in several complementary systems that are packaged with SQL Server 2005. These include:

- an extract-transform-load (ETL) tool (SQL Server Integration Services, SSIS)
- a Reporting Server
- an OLAP and data mining server (Analysis Services)
- several messaging technologies, specifically Service Broker and Notification Services

SQL Server 2005: SQL Server 2005 (formerly codenamed "Yukon") was released in October 2005. It included native support for managing XML data in addition to relational data. For this purpose it defined an xml data type that could be used either as the type of a table column or as a literal in queries. XML columns can be associated with XSD schemas (schema collections), and XML data being stored is validated against the schema. XML is converted to an internal binary representation before being stored, and specialized indexing methods were made available for it. XML data is queried using XQuery; SQL Server 2005 added extensions to T-SQL to allow embedding XQuery expressions in T-SQL, and defined an extension to XQuery, called XML DML, that allows query-based modifications to XML data. SQL Server 2005 also allowed a database server to be exposed over web services using Tabular Data Stream (TDS) packets encapsulated within SOAP requests; when data is accessed over web services, results are returned as XML. Common Language Runtime (CLR) integration was introduced with this version, enabling stored procedures, functions, triggers and types to be written in .NET languages as managed code running inside the database engine. For relational data, T-SQL was augmented with structured error handling (TRY/CATCH) and with recursive queries through common table expressions (CTEs). SQL Server 2005 also brought new indexing algorithms, new syntax and better error recovery. Data pages are checksummed for better error resiliency, and optimistic (row-versioning) concurrency support was added for better performance. Permissions and access control were made more granular (permissions can be granted at server, database, schema and object scope, and code can run under a specified security context with EXECUTE AS), and the query processor handles concurrent execution of queries more efficiently. Partitions on tables and indexes are supported natively, so scaling a database out is easier. SQL CLR was introduced with SQL Server 2005 to let it integrate with the .NET Framework. SQL Server 2005 introduced MARS (Multiple Active Result Sets), a method of allowing a single database connection to be used for multiple purposes. It also introduced DMVs (Dynamic Management Views), specialized views and functions that return server state information which can be used to monitor the health of a server instance, diagnose problems and tune performance. Service Pack 1 (SP1) of SQL Server 2005 introduced Database Mirroring, a high availability option that provides redundancy and failover capabilities at the database level. Failover can be performed manually or configured to be automatic; automatic failover requires a witness partner and the synchronous operating mode (also known as high-safety or full safety).

SQL Server 2008: SQL Server 2008 (formerly codenamed "Katmai") was released on August 6, 2008 and aims to make data management self-tuning, self-organizing and self-maintaining with the development of SQL Server Always On technologies, to provide near-zero downtime. SQL Server 2008 also includes support for structured and semi-structured data, including digital media formats for pictures, audio, video and other multimedia data. Previously, such multimedia data could be stored only as BLOBs (binary large objects), which are generic bitstreams; intrinsic awareness of multimedia data allows specialized functions to be performed on them. According to Paul Flessner, senior Vice President, Server Applications, Microsoft Corp., SQL Server 2008 can be a data storage backend for different varieties of data: XML, email, time/calendar, file, document, spatial, etc., as well as perform search, query, analysis, sharing and synchronization across all data types.
Other new data types include specialized date and time types and a spatial data type for location-dependent data. Better support for unstructured and semi-structured data is provided through the new FILESTREAM attribute, which can be used to reference a file stored on the file system: structured data and metadata about the file are stored in the SQL Server database, whereas the unstructured component is stored in the file system. Such files can be accessed both via Win32 file handling APIs and via SQL Server using T-SQL; the latter accesses the file data as a BLOB. Backing up and restoring the database backs up or restores the referenced files as well. SQL Server 2008 also natively supports hierarchical data (the hierarchyid type) and includes T-SQL constructs to deal with it directly, without recursive queries. Full-text search has been integrated with the database engine; according to a Microsoft technical article, this simplifies management and improves performance. Spatial data is stored in two types. A "flat Earth" type (GEOMETRY, planar) represents geospatial data which has been projected from its native, spherical, coordinate system onto a plane. A "round Earth" type (GEOGRAPHY) uses an ellipsoidal model in which the Earth is defined as a single continuous entity that does not suffer from singularities such as the international dateline, the poles or map projection zone "edges". Approximately 70 methods are available to represent the spatial operations of the Open Geospatial Consortium Simple Features for SQL, Version 1.1. SQL Server 2008 includes better compression features, which also help scalability. It enhanced the indexing algorithms and introduced the notion of filtered indexes. It also includes Resource Governor, which allows reserving resources for certain users or workloads. It also adds transparent data encryption (TDE), which encrypts the data and log files (and therefore the backups made from them) at rest without changes to the application, as well as backup compression. SQL Server 2008 supports the ADO.NET Entity Framework, and the reporting tools, replication and data definition are built around the Entity Data Model. SQL Server Reporting Services gained charting capabilities from the integration of the data visualization products of Dundas Data Visualization, Inc., which were acquired by Microsoft.
On the management side, SQL Server 2008 includes the Declarative Management Framework (later named Policy-Based Management), which allows policies and constraints to be configured declaratively for the entire database or for certain tables, and evaluated for compliance. The version of SQL Server Management Studio included with SQL Server 2008 supports IntelliSense for SQL queries against a SQL Server 2008 Database Engine. SQL Server 2008 also exposes databases through Windows PowerShell providers and management functionality as cmdlets, so that the server and all running instances can be managed from Windows PowerShell.
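As an added example (not from the original report), the script below enables the transparent data encryption introduced in SQL Server 2008 on a database and then verifies the result through the DMV that tracks encryption state. The database name TdeDemo, the certificate name TdeCert, the file paths and the passphrases are all hypothetical; in practice the passphrases come from a secrets store, not from a script.

```sql
-- Added example (not from the original report): enabling TDE and checking it.
-- Names, paths and passphrases are hypothetical.
USE master;
GO
-- 1. A database master key in master, protected by a password.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-Strong-Passphrase-1!';
GO
-- 2. A certificate (protected by the master key) that will protect the database encryption key.
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'TdeCert')
    CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for TdeDemo';
GO
-- 3. Back up the certificate and its private key at once and store them apart from
--    the database backups. Without this pair, a backup or detached copy of the
--    encrypted database cannot be restored or attached anywhere else.
--    (The directory must exist and be writable by the SQL Server service account.)
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Replace-With-Another-Passphrase-2!');
GO
-- 4. The database to protect (created here so the script stands alone), its
--    database encryption key, and the switch that starts the background encryption scan.
CREATE DATABASE TdeDemo;
GO
USE TdeDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE TdeDemo SET ENCRYPTION ON;
GO
-- 5. Check. encryption_state 3 = encrypted, 2 = encryption in progress (see percent_complete).
--    tempdb shows up as well: it is encrypted as soon as any user database on the instance is.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
```

Two caveats a practitioner should keep in mind: in the releases this report covers (2008 through 2014) TDE is an Enterprise-edition feature, and it protects only data at rest. A principal that already holds SELECT permission reads the decrypted data exactly as before, so TDE complements, rather than replaces, the permission model.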

SQL Server 2008 R2: SQL Server 2008 R2 (10.50.1600.1, formerly codenamed "Kilimanjaro") was announced at TechEd 2009 and released to manufacturing on April 21, 2010. SQL Server 2008 R2 adds certain features to SQL Server 2008, including a master data management system branded as Master Data Services, a central management of master data entities and hierarchies, and Multi Server Management, a centralized console to manage multiple SQL Server 2008 instances and services including relational databases, Reporting Services, Analysis Services and Integration Services. SQL Server 2008 R2 includes a number of new services, including PowerPivot for Excel and SharePoint, Master Data Services, StreamInsight, Report Builder 3.0, the Reporting Services Add-in for SharePoint, a data-tier function in Visual Studio that enables packaging of tiered databases as part of an application, and a SQL Server Utility named UCP (Utility Control Point), part of AMSM (Application and Multi-Server Management), that is used to manage multiple SQL Servers. The first SQL Server 2008 R2 service pack (10.50.2500, Service Pack 1) was released on July 11, 2011. The second SQL Server 2008 R2 service pack (10.50.4000, Service Pack 2) was released on July 26, 2012.

SQL Server 2012: At the 2011 Professional Association for SQL Server (PASS) summit on October 11, Microsoft announced that the next major version of SQL Server (codenamed "Denali") would be SQL Server 2012. It was released to manufacturing on March 6, 2012. SQL Server 2012 Service Pack 1 was released to manufacturing on November 9, 2012. It was announced to be the last version to natively support OLE DB, with ODBC preferred for native connectivity instead. SQL Server 2012's new features and enhancements include AlwaysOn SQL Server Failover Cluster Instances and Availability Groups, which provide a set of options to improve database availability; Contained Databases, which simplify moving databases between instances; new and modified Dynamic Management Views and Functions; programmability enhancements including new spatial features, metadata discovery, sequence objects and the THROW statement; performance enhancements such as columnstore indexes and improvements to online and partition-level operations; and security enhancements including provisioning during setup, new permissions, improved role management (user-defined server roles) and default schema assignment for Windows groups.

SQL Server 2014: SQL Server 2014 is still in Community Technology Preview stage. As of November 2013 there have been two such revisions, CTP1 and CTP2. SQL Server 2014 will provide a new in-memory capability for tables that can fit entirely in memory (also known as Hekaton). Whilst small tables may be entirely resident in memory in all versions of SQL Server, they may also reside on disk, so work is involved in reserving RAM, writing evicted pages to disk, loading new pages from disk, locking pages in RAM while they are being operated on, and many other tasks. By treating a table as guaranteed to be entirely resident in memory, much of the 'plumbing' of disk-based databases can be avoided. For disk-based SQL Server applications, it also provides an SSD buffer pool extension, which can improve application performance transparently by using SSDs as an intermediate tier in the memory hierarchy between DRAM and spinning media. SQL Server 2014 also enhances the AlwaysOn (HADR) solution by increasing the readable secondaries count and sustaining read operations upon secondary-primary disconnections, and it provides new hybrid disaster recovery and backup solutions with Windows Azure, enabling customers to use their existing skills with the on-premises product to take advantage of Microsoft's global datacenters.
In addition, it takes advantage of new Windows Server 2012 and Windows Server 2012 R2 capabilities for database application scalability in a physical or virtual environment.
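The following script is an added example (not from the original report) of two of the SQL Server 2012 additions named above: a partially contained database whose user authenticates against the database rather than against a server login, and the THROW statement used inside TRY/CATCH. The database ContainedDemo, the user app_user, the table and the procedure are hypothetical, and the passphrase is a placeholder.

```sql
-- Added example (not from the original report): contained database user + THROW.
-- Names and the passphrase are hypothetical.
USE master;
GO
-- Contained database authentication is off by default. Turning it on is an
-- instance-wide decision: from then on, users can be authenticated by a
-- database alone, so whoever can create users in that database controls access.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
CREATE DATABASE ContainedDemo CONTAINMENT = PARTIAL;
GO
USE ContainedDemo;
GO
-- A contained user with its own password: nothing is created in master for it.
CREATE USER app_user WITH PASSWORD = 'Replace-With-Strong-Passphrase-3!';
GO
CREATE TABLE dbo.Transfer
(
    TransferId int IDENTITY(1,1) PRIMARY KEY,
    Amount     decimal(12,2) NOT NULL
);
GO
-- THROW (2012+): raise a user error (number >= 50000, severity fixed at 16),
-- or re-raise the caught error with its original number, message and line intact.
CREATE PROCEDURE dbo.RecordTransfer @Amount decimal(12,2)
AS
BEGIN
    SET XACT_ABORT ON;
    BEGIN TRY
        IF @Amount <= 0
            THROW 50001, 'Transfer amount must be positive.', 1;
        BEGIN TRANSACTION;
            INSERT INTO dbo.Transfer (Amount) VALUES (@Amount);
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
        THROW;   -- hand the original error to the caller unchanged
    END CATCH;
END;
GO
-- The application account gets EXECUTE on the procedure, not rights on the table.
GRANT EXECUTE ON OBJECT::dbo.RecordTransfer TO app_user;
GO
EXEC dbo.RecordTransfer @Amount = 250.00;   -- succeeds
EXEC dbo.RecordTransfer @Amount = -5.00;    -- error 50001 reaches the caller
GO
-- Checks for the review of a contained database:
-- (a) which principals authenticate against this database rather than the instance;
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE authentication_type_desc = 'DATABASE';

-- (b) who holds ALTER ANY USER here. A contained user with that permission can
--     create further contained users, i.e. grant instance access with no login involved.
--     (dbo and db_owner members hold it implicitly and do not appear in this list.)
SELECT dp.name, perm.permission_name, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'ALTER ANY USER'
  AND perm.state IN ('G', 'W');
```

The design choice worth noting is that the procedure owns the transaction and the caller only gets EXECUTE: a contained user created for an application sees one entry point, and an invalid amount is rejected with a deterministic error before any transaction is opened.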

Editions of SQL Server

Mainstream editions:

Datacenter: SQL Server 2008 R2 Datacenter is the full-featured edition of SQL Server and is designed for datacenters that need the highest levels of application support and scalability. It supports 256 logical processors and virtually unlimited memory, and comes with StreamInsight Premium edition. The Datacenter edition was retired in SQL Server 2012; all its features are available in SQL Server 2012 Enterprise Edition.

Enterprise: SQL Server Enterprise Edition includes both the core database engine and add-on services, with a range of tools for creating and managing a SQL Server cluster. It can manage databases as large as 524 petabytes, address 2 terabytes of memory and supports 8 physical processors. SQL Server 2012 Enterprise Edition supports 160 physical processors.

Standard: SQL Server Standard Edition includes the core database engine, along with the stand-alone services. It differs from Enterprise Edition in that it supports fewer active instances (number of nodes in a cluster) and does not include some high-availability functions such as hot-add memory (allowing memory to be added while the server is still running) and parallel index operations.

Web: SQL Server Web Edition is a low-TCO option for Web hosting.

Business Intelligence: Introduced in SQL Server 2012 and focused on self-service and corporate business intelligence. It includes the Standard Edition capabilities and the Business Intelligence tools: PowerPivot, Power View, the BI Semantic Model, Master Data Services, Data Quality Services and xVelocity in-memory analytics.

Workgroup: SQL Server Workgroup Edition includes the core database functionality but does not include the additional services. This edition was retired in SQL Server 2012.

Express: SQL Server Express Edition is a scaled-down, free edition of SQL Server which includes the core database engine. While there are no limitations on the number of databases or users supported, it is limited to using one processor, 1 GB of memory and 4 GB database files (10 GB database files from SQL Server Express 2008 R2). It is intended as a replacement for MSDE. Two additional editions provide a superset of features not in the original Express Edition: SQL Server Express with Tools, which includes SQL Server Management Studio Basic, and SQL Server Express with Advanced Services, which adds full-text search and Reporting Services.

Architecture: The protocol layer implements the external interface to SQL Server. All operations that can be invoked on SQL Server are communicated to it via a Microsoft-defined format called Tabular Data Stream (TDS). TDS is an application-layer protocol used to transfer data between a database server and a client. Initially designed and developed by Sybase Inc. for their Sybase SQL Server relational database engine in 1984, and later by Microsoft for Microsoft SQL Server, TDS packets can be encased in other transport-dependent protocols, including TCP/IP, named pipes and shared memory; consequently, access to SQL Server is available over these protocols. TDS itself carries no confidentiality: unless the TDS stream is protected with TLS (the server's Force Encryption setting, or the client requesting encryption), only the login packet is encrypted and query text and result sets cross the network in the clear. The SQL Server API was also exposed over web services (native SOAP/HTTP endpoints); that feature was deprecated in SQL Server 2008 and removed in SQL Server 2012.

Data Storage: Data storage is a database, which is a collection of tables with typed columns. SQL Server supports different data types, including primary types such as Integer, Float, Decimal, Char (fixed-length character strings), Varchar (variable-length character strings), binary (for unstructured blobs of data) and Text (for long textual data), among others.
The rounding of floats to integers uses either symmetric arithmetic rounding or symmetric round down (fix) depending on the arguments: SELECT Round(2.5, 0) gives 3. Microsoft SQL Server also allows user-defined composite types (UDTs) to be defined and used. It also makes server statistics available as virtual tables and views (called Dynamic Management Views or DMVs). In addition to tables, a database can also contain other objects including views, stored procedures, indexes and constraints, along with a transaction log. A SQL Server database can contain a maximum of 2^31 objects, and can span multiple OS-level files with a maximum file size of 2^60 bytes. The data in the database is stored in primary data files with the extension .mdf. Secondary data files, identified with the .ndf extension, hold further user data and allow a database to be spread across several files and disks. Log files are identified with the .ldf extension. Storage space allocated to a database is divided into sequentially numbered pages, each 8 KB in size. A page is the basic unit of I/O for SQL Server operations. A page is marked with a 96-byte header which stores metadata about the page, including the page number, page type, free space on the page and the ID of the object that owns it. The page type defines the data contained in the page: data stored in the database, index entries, an allocation map (which holds information about how pages are allocated to tables and indexes), a change map (which holds information about the changes made to other pages since the last backup or logging), or large data types such as image or text. While a page is the basic unit of an I/O operation, space is actually managed in terms of an extent, which consists of 8 pages. A database object can either span all 8 pages in an extent ("uniform extent") or share an extent with up to 7 more objects ("mixed extent"). A row in a database table cannot span more than one page, so it is limited to 8 KB in size. However, if the data exceeds 8 KB and the row contains Varchar or Varbinary data, the data in those columns is moved to a new page (or possibly a sequence of pages, a separate allocation unit) and replaced with a pointer to the data.
For physical storage of a table, its rows are divided into a series of partitions (numbered 1 to n). The partition scheme is user defined; by default all rows are in a single partition. A table is split into multiple partitions in order to spread its storage across filegroups. Rows in each partition are stored in either a B-tree or a heap structure. If the table has a clustered index, the rows are stored in order according to the index key, with a B-tree providing the index: the data is in the leaf nodes, and the other nodes store the key values for the leaf data reachable from them. If an index is non-clustered, the rows are not sorted according to its keys. An indexed view has the same storage structure as an indexed table. A table without a clustered index is stored in an unordered heap structure. Both heaps and B-trees can span multiple allocation units.

Buffer Management: SQL Server buffers pages in RAM to minimize disk I/O. Any 8 KB page can be buffered in memory, and the set of all pages currently buffered is called the buffer cache. The amount of memory available to SQL Server decides how many pages will be cached in memory. The buffer cache is managed by the Buffer Manager. Either reading from or writing to any page copies it to the buffer cache, and subsequent reads or writes are redirected to the in-memory copy rather than the on-disk version. Modified ("dirty") pages are written back to disk by the checkpoint process and the lazy writer rather than on every change. While writing pages back to disk, asynchronous I/O is used, whereby the I/O operation is done in a background thread so that other operations do not have to wait for it to complete. Each page is written along with its checksum. When the page is read back, its checksum is computed again and compared with the stored version to detect that the page has been damaged in the meantime. This is an integrity check against accidental corruption (storage or memory faults), not a cryptographic one: anyone with write access to the data files can rewrite a page and its checksum together, so it offers no protection against deliberate tampering.

Concurrency and Locking: SQL Server allows multiple clients to use the same database concurrently. As such, it needs to control concurrent access to shared data to ensure data integrity when multiple clients update the same data, or when clients attempt to read data that is in the process of being changed by another client. SQL Server provides two modes of concurrency control: pessimistic concurrency and optimistic concurrency. When pessimistic concurrency control is being used, SQL Server controls concurrent access by using locks. Locks can be either shared or exclusive. An exclusive lock grants the holder exclusive access to the data: no other user can access the data as long as the lock is held.
Shared locks are used when some data is being readmultiple users can read from data locked with a shared lock, but not acquire an exclusive lock. The latter would have to wait for all shared locks to be released. Locks can be applied on different levels of granularityon entire tables, pages, or even on a per-row basis on tables. For indexes, it can either be on the entire index or on index leaves. The level of granularity to be used is defined on a per-database basis by the database administrator. While a fine grained locking system allows more users to

use the table or index simultaneously, it requires more resources. So it does not automatically turn into higher performing solution. SQL Server also includes two more lightweight mutual exclusion solutionslatches and spinlockswhich are less robust than locks but are less resource intensive. SQL Server uses them for DMVs and other resources that are usually not busy. SQL Server also monitors all worker threads that acquire locks to ensure that they do not end up in deadlocksin case they do, SQL Server takes remedial measures, which in many cases is to kill one of the threads entangled in a deadlock and rollback the transaction it started. To implement locking, SQL Server contains the Lock Manager. The Lock Manager maintains an in-memory table that manages the database objects and locks, if any, on them along with other metadata about the lock. Access to any shared object is mediated by the lock manager, which either grants access to the resource or blocks it. SQL Server also provides the optimistic concurrency control mechanism, which is similar to the multiversion concurrency control used in other databases. The mechanism allows a new version of a row to be created whenever the row is updated, as opposed to overwriting the row, i.e., a row is additionally identified by the ID of the transaction that created the version of the row. Both the old as well as the new versions of the row are stored and maintained, though the old versions are moved out of the database into a system database identified as Tempdb. When a row is in the process of being updated, any other requests are not blocked (unlike locking) but are executed on the older version of the row. If the other request is an update statement, it will result in two different versions of the rowsboth of them will be stored by the database, identified by their respective transaction IDs. Data Retrieval: The main mode of retrieving data from an SQL Server database is querying for it. 
The query is expressed using a variant of SQL called T-SQL, a dialect Microsoft SQL Server shares with Sybase SQL Server because of their common ancestry. The query declaratively specifies what is to be retrieved. It is processed by the query processor, which works out the sequence of steps necessary to retrieve the requested data. That sequence is called a query plan. There may be multiple ways to process the same query. For example, for a query that contains a join and a selection, joining both tables and then applying the selection to the result gives the same answer as selecting from each table first and then joining, but the two are different execution plans. In such a case, SQL Server chooses the plan expected to yield the results in the shortest time. This is called query optimization and is performed by the query processor itself. SQL Server includes a cost-based query optimizer, which minimizes an estimate of the resources it will take to execute the query. Given a query, the optimizer looks at the database schema, the database statistics and the system load at that time. It then decides in which order to access the tables referred to in the query, in which order to execute the operations, and which access method to use for each table. For example, if a table has an associated index, the optimizer decides whether the index should be used: if the index is on a column whose values are shared by many rows (low selectivity), it may not be worthwhile to use the index to access the data. Finally, it decides whether to execute the query in parallel. Parallel execution costs more total processor time, but because the work is split across processors the query may finish sooner. Once a query plan is generated for a query, it is temporarily cached; further invocations of the same query use the cached plan, and unused plans are discarded after some time.

SQL Server also allows stored procedures to be defined. Stored procedures are parameterized T-SQL batches that are stored in the server itself, rather than issued by the client application as general queries are. Stored procedures accept values sent by the client as input parameters and can send back results as output parameters. They can call user-defined functions and other stored procedures, including the same stored procedure recursively, up to the nesting limit of 32 levels. Access to them can be granted selectively: a principal can be given EXECUTE permission on a procedure without holding any permission on the tables it reads or modifies, which makes procedures a natural place to confine what an application account can do.
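As an added example (not code from the original page), the following T-SQL shows what "selectively provided access" looks like in practice, and why it matters how the procedure is written: a procedure that concatenates its parameter into dynamic SQL is injectable even though it is the only object the caller may execute, while the parameterised form is not. The table, role and user names (dbo.Accounts, app_reader, demo) and the sample rows are assumptions.

```sql
-- Added example, not code from the original page. dbo.Accounts, app_reader
-- and demo are assumed names; run in a scratch database.
CREATE TABLE dbo.Accounts (
    AccountId INT IDENTITY PRIMARY KEY,
    Owner     SYSNAME NOT NULL,
    Balance   MONEY   NOT NULL
);
INSERT INTO dbo.Accounts (Owner, Balance) VALUES (N'alice', 100), (N'bob', 250);
GO

-- Injectable: the parameter becomes part of the statement text, so
-- @Owner = N''' OR 1=1 --' turns the WHERE clause into  Owner = '' OR 1=1 --'
CREATE PROCEDURE dbo.GetBalance_Unsafe @Owner NVARCHAR(128)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT AccountId, Owner, Balance FROM dbo.Accounts WHERE Owner = '''
        + @Owner + N'''';
    EXEC (@sql);
END;
GO

-- Safe: a static statement needs no dynamic SQL at all. Where dynamic SQL is
-- unavoidable, sp_executesql passes the value as a typed parameter, never as text.
CREATE PROCEDURE dbo.GetBalance @Owner NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT AccountId, Owner, Balance FROM dbo.Accounts WHERE Owner = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(128)', @p = @Owner;
END;
GO

-- Selective access: the role may execute the procedure but holds no
-- permission on the table. Procedure and table share the owner dbo, so
-- ownership chaining lets the procedure read what the caller cannot.
CREATE ROLE app_reader;
GRANT EXECUTE ON dbo.GetBalance TO app_reader;
CREATE USER demo WITHOUT LOGIN;
ALTER ROLE app_reader ADD MEMBER demo;      -- SQL Server 2012+; sp_addrolemember before that
GO

-- Check from the caller's point of view.
EXECUTE AS USER = 'demo';
EXEC dbo.GetBalance @Owner = N'alice';             -- 1 row
EXEC dbo.GetBalance @Owner = N''' OR 1=1 --';      -- 0 rows: the input is compared literally
BEGIN TRY
    SELECT * FROM dbo.Accounts;                     -- direct access is refused
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();  -- The SELECT permission was denied on the object 'Accounts' ...
END CATCH;
BEGIN TRY
    EXEC dbo.GetBalance_Unsafe @Owner = N''' OR 1=1 --';   -- no EXECUTE grant, so refused too
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();
END CATCH;
REVERT;
GO
DROP PROCEDURE dbo.GetBalance_Unsafe;   -- never leave the injectable version deployed
```

The injectable procedure is included only so the two can be compared; under the role grants above it is unreachable anyway, and the last statement removes it. The permission check is the part worth keeping in a deployment script: impersonating a member of the application role and confirming that the tables are not readable directly is a cheap test that ownership chaining, and not a stray GRANT, is what makes the procedure work.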
Unlike other queries, stored procedures have an associated name, which is used at runtime to resolve to the actual statements. Because the code need not be sent from the client every time (it can be invoked by name), network traffic is reduced and performance improves somewhat. Execution plans for stored procedures are also cached as necessary.

SQL CLR: Microsoft SQL Server 2005 includes a component named SQL CLR ("Common Language Runtime") via which it integrates with the .NET Framework. Unlike most other applications that use the .NET Framework, SQL Server itself hosts the .NET runtime, i.e., the memory, threading and resource management requirements of the .NET Framework are satisfied by SQLOS rather than by the underlying Windows operating system. SQLOS provides deadlock detection and resolution services for .NET code as well. With SQL CLR, stored procedures and triggers can be written in any managed .NET language, including C# and VB.NET. Managed code can also be used to define UDTs (user-defined types), which can persist in the database. Managed code is compiled to CLI assemblies and, after being verified for type safety, registered in the database with CREATE ASSEMBLY under one of three permission sets (SAFE, EXTERNAL_ACCESS or UNSAFE, the last two of which can reach outside the database). The instance-wide "clr enabled" option is off by default, so loading managed code is an administrative decision rather than something an ordinary user can do. Once registered, managed procedures can be invoked like any other procedure. However, only a subset of the Base Class Library is available when running code under SQL CLR; most APIs relating to user-interface functionality are not available. When writing code for SQL CLR, data stored in SQL Server databases can be accessed using the ADO.NET APIs like any other managed application that accesses SQL Server data. However, doing so creates a new database session, different from the one in which the code is executing. To avoid this, SQL Server provides enhancements to the ADO.NET provider that allow the connection to be redirected to the session that already hosts the running code. Such connections are called context connections and are requested by setting the "context connection" parameter to true in the connection string. SQL Server also provides several other enhancements to the ADO.NET API, including classes to work with tabular data or a single row of data as well as classes to work with internal metadata about the data stored in the database. It also provides access to the XML features in SQL Server, including XQuery support. These enhancements are also available in T-SQL procedures as a consequence of the introduction of the xml data type (query, value and nodes methods).

Services: SQL Server also includes an assortment of add-on services.
While these are not essential for the operation of the database system, they provide value-added services on top of the core database management system. These services either run as part of some SQL Server component or out of process as a Windows service, and each presents its own API to control and interact with it.

Service Broker: Used inside an instance, Service Broker is part of the programming environment; for cross-instance applications it communicates over TCP/IP and allows the different components to be synchronized via the exchange of messages. Service Broker, which runs as part of the database engine, provides a reliable messaging and message-queuing platform for SQL Server applications.

Replication: SQL Server Replication Services are used to replicate and synchronize database objects, either in their entirety or a subset of the objects present, across replication agents, which might be other database servers across the network or database caches on the client side. Replication follows a publisher/subscriber model, i.e., changes are sent out by one database server (the "publisher") and received by others (the "subscribers"). SQL Server supports three types of replication. Transactional Replication: each transaction made to the publisher database is sent to the subscribers, which apply it to their own copies; transactional replication keeps the databases synchronized in near real time. Merge Replication: changes made at both the publisher and the subscriber databases are tracked, and periodically the changes are synchronized bidirectionally between the publisher and the subscribers. If the same data has been modified differently at the publisher and at a subscriber, synchronization results in a conflict that has to be resolved, either manually or by pre-defined policies. Merge replication requires a uniqueidentifier column with the ROWGUIDCOL property on each published table (SQL Server adds one if the table has none). Snapshot Replication: snapshot replication publishes a copy of the entire database (a snapshot of the data at that moment) to the subscribers; changes made after the snapshot are not tracked.

Analysis Services: SQL Server Analysis Services adds OLAP and data mining capabilities for SQL Server databases. The OLAP engine supports MOLAP, ROLAP and HOLAP storage modes for data. Analysis Services supports the XML for Analysis standard as the underlying communication protocol. Cube data can be accessed using MDX and LINQ queries. Data-mining-specific functionality is exposed via the DMX query language. Analysis Services includes various algorithms for use in data mining: decision trees, clustering, Naive Bayes, time series analysis, sequence clustering, linear and logistic regression, and neural networks.

Reporting Services: SQL Server Reporting Services is a report-generation environment for data gathered from SQL Server databases. It is administered via a web interface. Reporting Services features a web services interface to support the development of custom reporting applications. Reports are created as RDL files. Reports can be designed using recent versions of Microsoft Visual Studio (Visual Studio .NET 2003, 2005 and 2008) with Business Intelligence Development Studio installed, or with the included Report Builder. Once created, RDL files can be rendered in a variety of formats including Excel, PDF, CSV, XML, TIFF (and other image formats) and HTML Web Archive.

Notification Services: Originally introduced as a post-release add-on for SQL Server 2000, Notification Services was bundled as part of the Microsoft SQL Server platform for the first and only time with SQL Server 2005. SQL Server Notification Services is a mechanism for generating data-driven notifications, which are sent to Notification Services subscribers. A subscriber registers for a specific event or transaction (which is registered on the database server as a trigger); when the event occurs, Notification Services can use one of three methods to send a message informing the subscriber of the event: SMTP, SOAP, or writing to a file in the file system. Notification Services was discontinued by Microsoft with the release of SQL Server 2008 in August 2008 and is no longer an officially supported component of the SQL Server database platform.

Integration Services: SQL Server Integration Services is used to integrate data from different data sources. It provides the ETL capabilities of SQL Server for data-warehousing needs. Integration Services includes GUI tools to build data-extraction workflows that combine functions such as extracting data from various sources, querying data, transforming data (including aggregating, duplicating and merging data), loading the transformed data into other destinations, and sending e-mails detailing the status of the operation as defined by the user.

Full Text Search Service: SQL Server Full Text Search is a specialized indexing and querying service for unstructured text stored in SQL Server databases. A full-text index can be created on any column with character-based text data. It allows words to be searched for in the text columns. While this can be done with the SQL LIKE operator, using the Full Text Search service can be more efficient. Full Text Search allows inexact matching of the source string, indicated by a rank value that can range from 0 to 1000; a higher rank means a more accurate match. It also allows linguistic matching ("inflectional search"), i.e., linguistic variants of a word (such as a verb in a different tense) will also match a given word, but with a lower rank than an exact match. Proximity searches are also supported, i.e., if the words searched for do not occur in the sequence specified in the query but are near each other, they are also considered a match. T-SQL exposes special operators that can be used to access the FTS capabilities. The Full Text Search engine is divided into two processes, the Filter Daemon process (msftefd.exe) and the Search process (msftesql.exe). These processes interact with the SQL Server.
The Search process includes the indexer (which creates the full-text indexes) and the full-text query processor. The indexer scans through text columns in the database. It can also index binary columns, using iFilters to extract meaningful text from the binary blob (for example, when a Microsoft Word document is stored as an unstructured binary file in a database). The iFilters are hosted by the Filter Daemon process. Once the text is extracted, the Filter Daemon process breaks it up into a sequence of words and hands it over to the indexer. The indexer filters out noise words, i.e., words like "a" and "and" which occur frequently and are not useful for search. With the remaining words, an inverted index is created, associating each word with the columns it was found in. SQL Server itself includes a Gatherer component that monitors changes to tables and invokes the indexer in case of updates. When a full-text query is received by the SQL Server query processor, it is handed over to the FTS query processor in the Search process. The FTS query processor breaks the query into its constituent words, filters out the noise words, and uses a built-in thesaurus to find the linguistic variants of each word. The words are then looked up in the inverted index and a rank of their accuracy is computed. The results are returned to the client via the SQL Server process.

SQLCMD: SQLCMD is a command-line application that comes with Microsoft SQL Server and exposes the management features of SQL Server. It allows SQL queries to be written and executed from the command prompt. It can also act as a scripting host to create and run a set of SQL statements as a script. Such scripts are stored as .sql files and are used either for management of databases or to create the database schema during the deployment of a database. SQLCMD was introduced with SQL Server 2005 and continues with SQL Server 2008. Its predecessors for earlier versions, OSQL and ISQL, are functionally equivalent as far as T-SQL execution is concerned, and many of the command-line parameters are identical, although SQLCMD adds extra versatility. One practical caution: a password passed on the command line with -P is visible to any local user who can list processes, so scripted use should rely on Windows authentication (-E) or a prompted password wherever it can.

Visual Studio: Microsoft Visual Studio includes native support for data programming with Microsoft SQL Server. It can be used to write and debug code to be executed by SQL CLR. It also includes a data designer that can be used to graphically create, view or edit database schemas. Queries can be created either visually or in code. SSMS 2008 and later provide IntelliSense for T-SQL queries as well.

SQL Server Management Studio: SQL Server Management Studio is a GUI tool included with SQL Server 2005 and later for configuring, managing and administering all components within Microsoft SQL Server. The tool includes both script editors and graphical tools that work with objects and features of the server. SQL Server Management Studio replaced Enterprise Manager as the primary management interface for Microsoft SQL Server with SQL Server 2005. A version of SQL Server Management Studio is also available for SQL Server Express Edition, where it is known as SQL Server Management Studio Express (SSMSE). A central feature of SQL Server Management Studio is the Object Explorer, which allows the user to browse, select and act upon any of the objects within the server. It can be used to visually observe and analyze query plans and to tune database performance, among other things. SQL Server Management Studio can also be used to create a new database, alter an existing database schema by adding or modifying tables and indexes, or analyze performance. It includes query windows that provide a GUI-based interface for writing and executing queries.

Business Intelligence Development Studio: Business Intelligence Development Studio (BIDS) is the IDE from Microsoft used for developing data analysis and Business Intelligence solutions with Microsoft SQL Server Analysis Services, Reporting Services and Integration Services. It is based on the Microsoft Visual Studio development environment but is customized with SQL Server services-specific extensions and project types, including tools, controls and projects for reports (using Reporting Services) and for cubes and data-mining structures (using Analysis Services).

T-SQL: T-SQL (Transact-SQL) is the primary means of programming and managing SQL Server. It exposes keywords for the operations that can be performed on SQL Server, including creating and altering database schemas, entering and editing data in the database, and monitoring and managing the server itself. Client applications that consume data or manage the server use SQL Server functionality by sending T-SQL queries and statements, which are processed by the server, with results (or errors) returned to the client application. SQL Server allows itself to be managed using T-SQL. For this it exposes read-only views (the catalog views and dynamic management views) from which server state and statistics can be read. Management functionality is exposed via system-defined stored procedures that can be invoked from T-SQL to perform the management operation. It is also possible to create linked servers using T-SQL. A linked server lets a single query reference objects on several servers; how securely this works depends on how local logins are mapped to logins on the remote server.

SQL Native Client: SQL Native Client is the native client-side data access library for Microsoft SQL Server, version 2005 onwards. It natively implements support for SQL Server features including the Tabular Data Stream protocol, mirrored SQL Server databases, all data types supported by SQL Server, asynchronous operations, query notifications, encryption of the connection, and receiving multiple result sets in a single database session. SQL Native Client is used under the hood by SQL Server plug-ins for other data access technologies, including ADO and OLE DB. SQL Native Client can also be used directly, bypassing the generic data access layers.
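As an added example (not code from the original page), the two management paths the text describes, read-only dynamic management views and system stored procedures, are used here for two checks a practitioner actually runs, followed by a linked server defined with an explicit, least-privilege login mapping rather than the default self-mapping. The server name PAYROLLDB, its data source, the CORP\ReportService login and the reporting_ro remote account are assumptions.

```sql
-- Added example, not code from the original page. PAYROLLDB, the data source,
-- CORP\ReportService and reporting_ro are assumed names.

-- 1. Which sessions reach this instance without an encrypted connection?
--    (SQL Native Client negotiates encryption when either side asks for it;
--    local shared-memory sessions never leave the host and are excluded.)
SELECT c.session_id, s.login_name, s.host_name, c.client_net_address,
       c.net_transport, c.encrypt_option, c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory';
GO

-- 2. Which linked servers forward every caller's own credentials
--    (uses_self_credential = 1) or map all local logins to one remote login?
SELECT srv.name, srv.data_source, ll.remote_name, ll.uses_self_credential,
       COALESCE(p.name, N'<all logins>') AS local_login
FROM sys.servers AS srv
JOIN sys.linked_logins AS ll ON ll.server_id = srv.server_id
LEFT JOIN sys.server_principals AS p ON p.principal_id = ll.local_principal_id
WHERE srv.is_linked = 1;
GO

-- 3. A linked server with no self-mapping: a single local login may use it,
--    and it arrives at the remote side as a read-only reporting account.
EXEC sys.sp_addlinkedserver
     @server = N'PAYROLLDB', @srvproduct = N'', @provider = N'SQLNCLI11',
     @datasrc = N'payroll-sql.corp.example,1433';
-- sp_addlinkedserver creates a default mapping that sends every local login's
-- own credentials; remove it before adding the explicit one.
EXEC sys.sp_droplinkedsrvlogin @rmtsrvname = N'PAYROLLDB', @locallogin = NULL;
EXEC sys.sp_addlinkedsrvlogin
     @rmtsrvname = N'PAYROLLDB', @useself = N'FALSE',
     @locallogin = N'CORP\ReportService',
     @rmtuser = N'reporting_ro', @rmtpassword = N'<from-vault>';
-- Remote procedure execution stays off unless something actually needs it.
EXEC sys.sp_serveroption @server = N'PAYROLLDB', @optname = N'rpc out', @optvalue = N'false';
GO
```

The second query is the one to run before trusting any linked server: a mapping with uses_self_credential = 1 means that whoever is a sysadmin here is a sysadmin there if the remote side trusts the same accounts, and a single remote login shared by all local logins turns the linked server into a privilege escalation path for every local user.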

Literature Review
10 Must-Do SQL Server Security Tasks, by David Maman, GreenSQL CTO

As we roll into 2013, here's our review of the top ways organizations need to be protecting their databases. While Microsoft's documentation does a great job covering best practices for database programmers, that is still not enough to protect against many of today's threats. In fact, as many as 65% of database breaches are inside jobs, that is, they are performed by someone who is authorized to access the database. Fortunately, by taking appropriate precautions, most of these breaches can be prevented or detected before they get out of hand.

1. Use a dedicated server for your database: Host your SQL Server 2012 database on a dedicated server. Whether it is local or in the cloud, spend the extra cash on a dedicated server to prevent security leaks and breaches.

2. Harden the Operating System: On your dedicated server, the first step is to implement operating system hardening. Many hardening techniques exist. At a minimum, you need to:

Change the default ports, as described below.

Hide SQL instances from showing on the network, as described below.

Allow only the network protocols that are needed.

Grant CONNECT permission on endpoints only to logins that need to use them.

If SQL logins must be used, install an SSL certificate from a trusted CA rather than relying on SQL Server's self-signed certificate, which clients cannot validate.

Avoid exposing SQL Server to the public internet/intranet.

Change the default ports:

1. From the Start menu, choose All Programs > Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration Manager.

2. Expand the SQL Server 2012 Network Configuration node and select Protocols for the SQL Server instance to be configured.

3. In the right pane, right-click the protocol name TCP/IP and choose Properties.

4. In the TCP/IP Properties dialog box, select the IP Addresses tab.

5. Under IPAll, clear TCP Dynamic Ports, enter the new port in TCP Port, click OK, and restart the SQL Server service for the change to take effect.

Hide SQL instances from showing on the network: The SQL Server Browser service enumerates SQL Server information on the network. Attackers can use SQL Server clients to browse the current infrastructure and retrieve a list of running SQL Server instances. To hide SQL instances:

1. From the Start menu, choose All Programs > Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration Manager.

2. Expand the SQL Server 2012 Network Configuration node and select Protocols for the SQL Server instance to be configured.

3. Right-click Protocols for [Server\Instance Name] and choose Properties.

4. In the Hide Instance box on the Protocols for [Server\Instance Name] Properties page, select Yes.

5. Click OK.

6. Restart the services for the change to take effect.
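The Configuration Manager steps above change registry values under the instance's SuperSocketNetLib key. As an added example (not code from the original article), the following T-SQL reads the same values back so the settings can be verified or audited across many instances, and performs the HideInstance write that the GUI performs. Neither setting is a control against a port scan: a hidden instance on a non-default port is still found by scanning the host, so the firewall rules and protocol restrictions from the hardening list are what actually limit exposure.

```sql
-- Added example, not code from the original article. The registry paths are
-- the ones SQL Server Configuration Manager writes; xp_instance_regread and
-- xp_instance_regwrite substitute the instance-specific part of the path.

-- Listening endpoints as the engine sees them (SQL Server 2012 and later).
SELECT ip_address, port, type_desc, state_desc, start_time
FROM sys.dm_tcp_listener_states
WHERE type_desc = 'TSQL';
GO

-- Port configured for all interfaces (IPAll). A non-empty TcpDynamicPorts
-- value means the instance still uses a dynamic port and therefore needs the
-- Browser service, which is exactly what hiding the instance tries to avoid.
DECLARE @port NVARCHAR(16), @dyn NVARCHAR(16), @hide INT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpPort', @port OUTPUT;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\IPAll',
     N'TcpDynamicPorts', @dyn OUTPUT;
-- HideInstance = 1 is the "Hide Instance: Yes" setting from the steps above.
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance', @hide OUTPUT;
SELECT @port AS static_tcp_port, @dyn AS dynamic_ports, @hide AS hide_instance;
GO

-- The same change the GUI makes in step 4, without the GUI. It takes effect
-- after the Database Engine service is restarted.
EXEC master.dbo.xp_instance_regwrite
     N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
     N'HideInstance', REG_DWORD, 1;
GO
```

Reading the values requires sysadmin (the registry extended procedures are restricted to that role), which is appropriate: the output tells an attacker exactly where to connect.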

3. Control Admin Access to the Database: You should control not only the individuals who have access to the database, but also how administrators access the database.

Administrator Privileges Control: Elevated permissions are held not only by members of the sysadmin role, but also by the built-in sa login and by any login granted CONTROL SERVER permission. For accountability in the database, avoid relying on the local Administrators group and add only specific database administrators to the sysadmin role. For a full description of best practices, see the official documentation by Microsoft entitled SQL Server 2012 Security Best Practice Whitepaper.

Quick Tips for Admin Privileges

Administrator privileges should be used only when they are really needed. Have as few admins as possible.

Do not use one login for more than one administrator. Each admin should have his or her own account.

Provision admin principals explicitly. Do not use the "BUILTIN\Administrators" Windows group. Regularly audit to ensure only the appropriate authorized individuals have admin access privileges.

Removing the BUILTIN\Administrators Group: Following is the Transact-SQL (T-SQL) syntax for removing the BUILTIN\Administrators Windows group from a SQL Server instance. You should use this if the group exists from a previous version of SQL Server or from beta code. To remove the BUILTIN\Administrators group, run the following code on each SQL Server instance installed in the organization:

USE master;
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
GO

Control Admin Access Routes to the Database: Not only can you restrict the individuals who have admin access, but you can also restrict the routes of admin control. Using a tool such as GreenSQL, you can ensure that admin privileges can be exercised only from certain IP addresses or specific computers. This way, if someone leaves the company or if login information is compromised, that login cannot be used from anywhere else.

Managing Non-Administrative Users: It's important to manage users who are not admins but have access to the database for other purposes. As with system administrators, it's important not only to give different authentication to different types of users, but also to control the routes of access to the database. A SQL Server instance can contain many databases that were created by users who are, by default, the database owners (dbo). (In the article's screenshot, the user workshop created the workshop database and is a member of the db_owner database role.)

Best practices for non-administrator roles:

Minimize the number of accounts/users that have the db_owner role in each database. Have distinct owners for databases; not all databases should be owned by sa or by any other member of the sysadmin server role.

Control the access methods and IP addresses used to reach the database on a per-role basis.
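As an added example (not code from the original article) of the practices above, the following T-SQL inventories every principal with administrative power, removes the BUILTIN\Administrators login in the form the article's snippet intends, lists databases owned by sysadmin members, and restricts sysadmin logins to approved client addresses with a native logon trigger, which is the built-in way to enforce the "access routes" point without a third-party proxy. The addresses in dbo.AdminJumpHosts are assumptions.

```sql
-- Added example, not code from the original article. Client addresses in
-- dbo.AdminJumpHosts are assumed values.
USE master;
GO

-- 1. Who can act as an administrator: fixed server role members plus anyone
--    granted CONTROL SERVER directly (which sysadmin checks do not show).
SELECT p.name, p.type_desc, p.is_disabled, r.name AS held_via
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
UNION ALL
SELECT p.name, p.type_desc, p.is_disabled, 'CONTROL SERVER (direct grant)'
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'CONTROL SERVER' AND perm.state IN ('G', 'W')
ORDER BY name;
GO

-- 2. The article's removal of the local Administrators group, with the
--    string quoting that the printed snippet lost.
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];
GO

-- 3. Databases owned by a sysadmin member (the text asks for distinct,
--    unprivileged owners). The owner of a database is dbo inside it.
SELECT d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner
FROM sys.databases AS d
WHERE IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;
GO

-- 4. Native "access route" control: sysadmin logins are accepted only from
--    listed client addresses. EVENTDATA() in a logon trigger carries the
--    client address ('<local machine>' for local connections). Keep a
--    sysadmin session open while testing; the Dedicated Administrator
--    Connection bypasses logon triggers and is the recovery path if the
--    trigger misfires. Rejected logons are recorded in the error log.
CREATE TABLE dbo.AdminJumpHosts (client_host SYSNAME PRIMARY KEY);
INSERT INTO dbo.AdminJumpHosts VALUES (N'10.20.30.40'), (N'10.20.30.41');  -- assumed jump hosts
GO
CREATE TRIGGER trg_sysadmin_source_check
ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF IS_SRVROLEMEMBER('sysadmin') = 1       -- only administrators are constrained
    BEGIN
        DECLARE @host SYSNAME =
            EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'sysname');
        IF @host <> N'<local machine>'
           AND NOT EXISTS (SELECT 1 FROM master.dbo.AdminJumpHosts WHERE client_host = @host)
            ROLLBACK;   -- rolling back the logon rejects the connection
    END;
END;
GO
```

The trigger enforces where administrators may come from, not who they are, so it belongs alongside the per-person accounts the tips above call for; with a shared sa-style login it would only tell you that someone came from a jump host.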

4. Encrypt the Data Between App and SQL Server 2012: The MS SQL database comes with built-in encryption within the database. However, it is also crucial to encrypt the data as it passes between the application and the database. Furthermore, it's important to limit access to this information.

Best practices for encryption:

Ensure that DBAs and other people using the database do not have access to sensitive information.

When sending information to users who do not need to know the actual content, mask the sensitive information.

Limit the amount of information that can be drawn from the database by those who have access to it.

Set up rules to identify authorized and unauthorized use of data, including the IP addresses and routes for accessing data, rather than username-only authentication.

Set up encryption keys between applications and the database.

Implement cell-level encryption.

Implement Transparent Data Encryption.

Encrypt high-value and sensitive data.

Use symmetric keys to encrypt data, and asymmetric keys or certificates to protect the symmetric keys.

Password-protect keys and remove master key encryption by the service master key for the most secure configuration.

Always back up the service master key, database master keys and certificates by using the key-specific DDL statements.

Always back up your database to back up your symmetric and asymmetric keys.

Configure SSL/TLS for client connections (Force Encryption on the server side, with a certificate clients can validate).
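As an added example (not code from the original article) covering both the cell-level encryption and the Transparent Data Encryption items in the list above, the following T-SQL walks the key hierarchy top down: service master key backup, database master key, certificate, symmetric key and an encrypted column, then the separate certificate and database encryption key that TDE needs. The database name HRDB, all key and file names, and all passwords are assumptions; real passwords belong in a vault and the key backups off the server.

```sql
-- Added example, not code from the original article. HRDB, key names, file
-- paths and passwords are assumed values.
USE master;
GO
-- Level 1: the service master key already exists (created at setup and
-- protected by DPAPI). Back it up once, off-box.
BACKUP SERVICE MASTER KEY TO FILE = 'D:\keys\smk.bak'
    ENCRYPTION BY PASSWORD = 'Smk-backup-P@ss-2013!';
-- master needs its own database master key before a certificate can be
-- created in it (required for the TDE certificate below).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Master-dmk-P@ss-2013!';
GO

USE HRDB;
GO
-- Level 2: database master key, protected by a password and (by default)
-- also by the service master key. Drop the SMK protection, as the list above
-- suggests, only if an operator will OPEN MASTER KEY by password each time.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Hrdb-dmk-P@ss-2013!';
BACKUP MASTER KEY TO FILE = 'D:\keys\hrdb_dmk.bak'
    ENCRYPTION BY PASSWORD = 'Hrdb-dmk-backup-P@ss-2013!';
-- ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;   -- the "most secure" setting
-- Level 3: a certificate protected by the DMK.
CREATE CERTIFICATE HRCert WITH SUBJECT = 'HRDB column encryption';
BACKUP CERTIFICATE HRCert TO FILE = 'D:\keys\hrcert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\hrcert.pvk',
                      ENCRYPTION BY PASSWORD = 'Hrcert-backup-P@ss-2013!');
-- Level 4: a symmetric key for the data, protected by the certificate.
CREATE SYMMETRIC KEY SsnKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE HRCert;
GO

-- Cell-level encryption of one column. The authenticator (here the row's
-- Name) binds each ciphertext to its row, so a ciphertext copied from one
-- employee's row to another decrypts to NULL instead of to the other SSN.
CREATE TABLE dbo.Employee (
    EmployeeId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    SsnEnc     VARBINARY(256) NOT NULL
);
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE HRCert;
INSERT INTO dbo.Employee (Name, SsnEnc)
VALUES (N'Alice', EncryptByKey(Key_GUID('SsnKey'), N'123-45-6789', 1, N'Alice')),
       (N'Bob',   EncryptByKey(Key_GUID('SsnKey'), N'987-65-4321', 1, N'Bob'));
SELECT Name, CONVERT(NVARCHAR(11), DecryptByKey(SsnEnc, 1, Name)) AS Ssn
FROM dbo.Employee;                       -- plaintext while the key is open
CLOSE SYMMETRIC KEY SsnKey;
SELECT Name, DecryptByKey(SsnEnc, 1, Name) AS Ssn
FROM dbo.Employee;                       -- NULL: key closed, as for any user who cannot open it
GO

-- Transparent Data Encryption: a certificate in master protects the database
-- encryption key; pages and log are encrypted on write and decrypted on read,
-- and backups of HRDB are unreadable without that certificate.
USE master;
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'HRDB TDE';
BACKUP CERTIFICATE TdeCert TO FILE = 'D:\keys\tdecert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\tdecert.pvk',
                      ENCRYPTION BY PASSWORD = 'Tdecert-backup-P@ss-2013!');
GO
USE HRDB;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE HRDB SET ENCRYPTION ON;
GO
-- encryption_state 2 = in progress, 3 = encrypted. tempdb is encrypted too.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

The two second SELECT statements are the point of the cell-level part: who sees the SSN is decided by who can open SsnKey, i.e. who holds CONTROL on HRCert, not by who can read the table. TDE makes no such distinction, which is why the two are listed as separate practices.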

Cell-Level Encryption: SQL Server 2012 has an encryption hierarchy, described below. The top-level resource in the SQL Server encryption hierarchy is the service master key, which is encrypted by the Windows Data Protection API; there is one per instance, created automatically, and it should be backed up rather than managed by hand. Next is the database master key. This key can be used to protect certificates and asymmetric keys. Third are certificates and asymmetric keys. Both can be used to protect symmetric keys or to encrypt data directly. Finally, symmetric keys are used to encrypt the data itself.

5. TDE, Transparent Data Encryption in SQL Server 2012 (Database-Level Encryption): TDE provides real-time encryption of data and log files. It is important to mention that this is database-level encryption. Data is encrypted before it is written to disk and decrypted when it is read from disk. The "transparent" aspect of TDE is that the encryption is performed by the database engine and SQL Server clients are completely unaware of it. There is absolutely no code that needs to be written to perform the encryption and decryption. The database is prepared for TDE, and then encryption is turned on at the database level via an ALTER DATABASE command. With TDE, backup files are also encrypted when using just the standard BACKUP command. Two caveats a practitioner should keep in mind: TDE protects the files at rest only, so any principal with SELECT permission still sees plaintext, and it therefore complements rather than replaces cell-level encryption and permissions; and a database encrypted with TDE cannot be restored on another server unless the certificate that protects its database encryption key has been backed up and restored there first.

6. Reduce the Potential Attack Surface: Attack surface refers to the potential entrances for attack. It's advisable to enable only the features that are essential for any given database. SQL Server comes with several features that administrators can choose to install during the installation process:

Database Engine

Reporting Services

Integration Services

Analysis Services Engine

Notification Services (SQL Server 2005 only; discontinued with SQL Server 2008, as noted earlier)

Documentation and Samples (sample databases and code)

Analyze your needs and install only the features you need.

Surface Area Reduction Practices

Use the Surface Area Configuration tool or sp_configure as described below. (The standalone Surface Area Configuration tool shipped only with SQL Server 2005; in SQL Server 2008 and later the same switches are set with sp_configure or through the Surface Area Configuration facet of Policy-Based Management.)

Do not install sample databases and sample code on SQL servers in the production environment.

Use only development and test environments for sample databases and sample code on SQL servers.

Use configuration tools such as sp_configure or the SQL Server Surface Area Configuration tool (described below) to enable only needed features.

When upgrading from SQL Server 2000 to 2005 and higher, review the configuration settings and turn off features such as xp_cmdshell. The upgrade process does not change these settings by default.

Turn off unnecessary services by setting them to disabled or manual startup.

Disable unneeded system stored procedures as described below.

Use SQL Server Surface Area Configuration to enforce a standard policy for extended procedure usage.

Document each exception to the standard policy.

Do not remove the system stored procedures by dropping them.

Do not DENY all users/administrators access to the extended procedures.
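As an added example (not code from the original article), the sp_configure form of the practices above for SQL Server 2008 and later, where the standalone tool no longer exists: a report of the current value of each risky switch, the services that belong to the instance and how they start, and then disabling the switches an application server rarely needs. Which switches to leave on is site-specific; the block assumes the application needs none of the ones it turns off.

```sql
-- Added example, not code from the original article. Assumes the application
-- uses none of the features disabled in step 3.

-- 1. Current value of each feature switch that widens the attack surface.
--    'value' is the pending setting, 'value_in_use' what the engine is running with.
SELECT name, value_in_use, value AS value_pending
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'remote access', 'remote admin connections', 'Ad Hoc Distributed Queries',
               'Database Mail XPs', 'cross db ownership chaining', 'scan for startup procs')
ORDER BY name;
GO

-- 2. Services of this instance and their startup type (SQL Server 2008 R2 SP1
--    and later); anything unused should be Disabled or Manual in the Services console.
SELECT servicename, startup_type_desc, status_desc, service_account
FROM sys.dm_server_services;
GO

-- 3. Disable what is not needed. These are advanced options, so
--    'show advanced options' must be on while they are changed. The procedures
--    themselves stay in place (disabled, not dropped, and with no blanket DENY),
--    as the practices above require.
EXEC sys.sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure 'xp_cmdshell', 0;                 -- OS command execution from T-SQL
EXEC sys.sp_configure 'Ole Automation Procedures', 0;   -- sp_OACreate and friends
EXEC sys.sp_configure 'Ad Hoc Distributed Queries', 0;  -- OPENROWSET/OPENDATASOURCE to arbitrary servers
EXEC sys.sp_configure 'cross db ownership chaining', 0; -- keep chaining within one database
-- The Dedicated Administrator Connection is the recovery path for a locked
-- instance; allowing it over the network is usually worth keeping on.
EXEC sys.sp_configure 'remote admin connections', 1;
RECONFIGURE;
EXEC sys.sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Disabling xp_cmdshell is defence in depth rather than a boundary: any sysadmin can re-enable it with the same two statements, which is one more reason the earlier section insists on as few sysadmins as possible and on auditing who holds the role.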

7. Implement Strong Authentication Use Windows Authentication mode, described below, when possible. Use Mixed Mode Authentication, described below, only for legacy applications and non-Windows users. SQL Authentication mode is described below, but it is NOT the recommended mode. It should be used only when in mixed mode, to leverage complex passwords and the SQL Server /2012 password and lockout policies Maintain a strong password policy for the SA account and change the password periodically. Do not manage SQL Server using the sa login account. Assign sysadmin privilege to a knows user or group. When using Mixed Mode Authentication beware that potential attackers are aware of the SA user. Knowing the SA user makes cracking the database one step easier.

To avoid this, in mixed mode, the SA account must be renamed. Before renaming make sure there is at least one additional account with administrator privileges, to access the SQL Account. Mixed Mode: SQL Server & Windows Authentication The SQL authentication mechanism is based on accounts that are managed inside the SQL server, including the password policy. Mixed authentication (SQL Server and Windows Authentication mode) is still required if there is a need to support legacy applications, or if specific applications require mixed mode, or clients are coming in from platforms other than Windows and a need for separation of duties exists. Configuring SQL Server Authentication Modes To select or change the server authentication mode, follow these steps: 1. In SQL Server Management, right-click on a SQL Server and click Properties. 2. On the Security page, select the desired server authentication mode under Server Authentication and click OK. 3. In the SQL Server Management Studio dialog box, click OK to acknowledge the need to restart SQL Server. 4. In Object Explorer, right-click on a desired server and then click Restart. 5. If the SQL Server Agent is running, restart the agent. Using Windows authentication is a more secure choice. However, if mixed mode authentication is required, you must make sure to leverage complex passwords and the SQL Server 2012 password and lockout policies to further bolster security. Here is an example of password policy for SQL accounts:

The password must contain uppercase and lowercase letters. The password must contain numbers in addition to letters. The password must contain non-alphanumeric characters such as &, ^, %, *, $, etc.

Do not use commonly known passwords that are easy to guess, such as admin, password, sa, administrator, sysadmin, etc.

Passwords must contain a minimum of 8 characters. SQL Server 2005 and later do not allow a blank password for the SA account. If you are using an earlier version of SQL Server, set a password for all SQL accounts, and for the SA account, according to the password policy.
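The following T-SQL is an added example, not code from the original report, showing how the guidance in item 7 is applied from a query window rather than the Management Studio dialogs: a known Windows group gets sysadmin so the sa login is not needed day to day, sa is renamed and disabled, SQL logins for legacy clients are created with the Windows password and lockout policy enforced, and a final query lists logins that still bypass those controls. The group name, login names and password are placeholders; run it as a sysadmin on a test instance (SQL Server 2012 or later for ALTER SERVER ROLE).

```sql
-- Added example (not from the original report). All names are placeholders.
-- Requires membership in the sysadmin role.

-- 1. Which authentication mode is the instance running in?
--    1 = Windows Authentication only, 0 = Mixed Mode (SQL Server and Windows).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Give a known Windows group sysadmin rights so that nobody needs the sa login
--    for day-to-day administration (CONTOSO\DBA-Admins is a placeholder).
CREATE LOGIN [CONTOSO\DBA-Admins] FROM WINDOWS;
ALTER SERVER ROLE sysadmin ADD MEMBER [CONTOSO\DBA-Admins];

-- 3. Only after step 2 succeeds: rename the well-known sa login and disable it.
ALTER LOGIN sa WITH NAME = [svc_builtin_admin];   -- placeholder new name
ALTER LOGIN [svc_builtin_admin] DISABLE;

-- 4. SQL logins that legacy or non-Windows clients still need must honour the
--    Windows password policy (complexity, lockout) and password expiration.
CREATE LOGIN [legacy_app]
    WITH PASSWORD = N'Replace-Me-With-A-Strong-Passw0rd!',  -- placeholder
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = [master];

-- 5. Review: SQL logins that bypass policy or expiration checks, and the
--    built-in administrator login (principal_id = 1) if it is still enabled.
SELECT sl.name,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       sl.is_disabled,
       LOGINPROPERTY(sl.name, 'IsLocked') AS is_locked
FROM sys.sql_logins AS sl
WHERE sl.is_policy_checked = 0
   OR sl.is_expiration_checked = 0
   OR (sl.principal_id = 1 AND sl.is_disabled = 0);
```

The review query in step 5 is the part worth scheduling: a login created with CHECK_POLICY = OFF, or the built-in administrator login re-enabled by a later change, shows up there regardless of what the Security page in Management Studio currently says.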

Note: If Windows Authentication mode is selected during installation, the SA login is disabled by default. If the authentication mode is switched to SQL Server mixed mode after the installation, the SA account is still disabled and must be manually enabled. It is a best practice to reset the password when the mode is switched.

8. Perform Regular and Reliable Auditing

For reliable auditing it is necessary to use a third-party tool such as Green SQL. Many companies think of auditing as something that must be done to comply with regulation. However, it is also an important internal security precaution in and of itself, and should be performed regularly. Therefore, it is recommended to choose a third-party auditing tool that is quick and simple to use.

Additional Instructions

Auditing is scenario-specific. Balance the need for auditing with the overhead of generating additional data. Audit successful logins in addition to unsuccessful logins if you store highly sensitive data.

Enable C2 auditing or Common Criteria compliance only if required, by selecting the appropriate checkbox. Those options should be selected only if there is a need to comply with these security standards.

Auditing Mechanism in SQL Server

SQL Server security auditing monitors and tracks activity and writes it to log files that can be viewed through the Windows application log or SQL Server Management Studio.

SQL Server offers the following four levels of login auditing:

None: disables auditing (no events are logged)
Successful Logins Only: audits all successful login attempts
Failed Logins Only: audits all failed login attempts
Both Failed and Successful Logins: audits all login attempts

The default mode is Failed Logins Only. It is recommended to set the auditing mode to Both Failed and Successful Logins.

Configuring SQL Server Security Logs for Auditing

To configure security login auditing for both failed and successful logins:

1. In SQL Server Management Studio, right-click on the desired SQL Server and then click Properties.
2. On the Security page under Login Auditing, select the desired auditing criteria option button, such as Both Failed and Successful Logins, and click OK.
3. Restart the SQL Server Database Engine and SQL Server Agent to make the auditing changes effective.
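As an added example (not part of the original report), the T-SQL below covers the same ground as the auditing steps above but from a query window: it reads the current login-auditing level that the Security page sets, then goes a step further than the dialog by creating a SQL Server Audit (the built-in feature introduced in SQL Server 2008) that records both failed and successful logins plus server-role membership changes to a size-capped file, and finishes with a query that summarises failed logins from those files. The audit name, file path and the 24-hour window are placeholders chosen for the example; run it as a sysadmin on a test instance where the directory exists.

```sql
-- Added example (not from the original report). Audit name and path are placeholders.

-- 1. Current login-auditing level, i.e. the setting behind the Security page:
--    0 = None, 1 = Successful logins only, 2 = Failed logins only, 3 = Both.
DECLARE @AuditLevel INT;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel',
    @AuditLevel OUTPUT;
SELECT @AuditLevel AS LoginAuditLevel;

-- 2. A server audit that writes to rolling files with a size cap, so the
--    audit trail cannot fill the disk (the "balance auditing with overhead"
--    point above). ON_FAILURE = CONTINUE keeps the instance up if the
--    audit target becomes unavailable.
USE master;
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\',       -- placeholder directory, must exist
             MAXSIZE = 256 MB,
             MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);

-- 3. What to record: both failed and successful logins, plus any change to
--    server-role membership (for example someone being added to sysadmin).
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);

ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);

-- 4. Review: failed logins (action_id LGIF) in the last 24 hours, grouped by
--    the login name that was attempted. event_time is stored in UTC.
SELECT server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(N'D:\SQLAudit\LoginAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY server_principal_name
ORDER BY failures DESC;

-- 5. Failed logins also land in the SQL Server error log, which is where the
--    Security page setting alone sends them; search the current log for them.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```

The file-based audit is what makes the "reliable" part achievable without a third-party product: the error log is rotated on every restart and mixes audit events with everything else, whereas the audit files are separate, queryable, and can be copied off the host for retention.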

9. Update Patches Regularly

Security updates and patches are constantly being released by Microsoft. Install the updates made available for SQL Server and for the operating system. These patches can be downloaded and installed manually, or they can be applied automatically by using Microsoft Update. It is recommended to test updates before applying them to production systems, which is why many administrators prefer not to use automatic updates.

Best practices for patch updates

Always stay as current as possible. Enable automatic updates whenever feasible, but test them before applying to production systems.

10. Manage Contained Databases (SQL Server 2012 Only)

A contained database is a database that is isolated from other databases and from the instance of SQL Server that hosts it. This situation requires additional security steps. It is important to understand that enabling partially contained databases delegates control over access to the instance of SQL Server to the owners of the database.
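The T-SQL below is an added example, not taken from the report, that makes the delegation point in item 10 concrete: once the instance-wide contained database authentication option is on, a database owner can create users who connect with a password held inside the database and no server login at all, so the checks an administrator runs need to look inside each contained database. The database name, user name and password are placeholders; run it as a sysadmin on a test instance of SQL Server 2012 or later.

```sql
-- Added example (not from the original report). Database, user and password
-- are placeholders. Requires membership in the sysadmin role.

-- 1. Contained-database authentication is an instance-wide switch. Once it is
--    on, anyone with ALTER ANY USER inside a contained database can create
--    users that authenticate at the database level, without a server login.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

-- 2. Create a partially contained database and a contained user with a password.
CREATE DATABASE AppDb CONTAINMENT = PARTIAL;
GO
USE AppDb;
CREATE USER app_user WITH PASSWORD = N'Replace-Me-With-A-Strong-Passw0rd!';  -- placeholder
ALTER ROLE db_datareader ADD MEMBER app_user;
GO

-- 3. Inventory: which databases on the instance are contained at all?
USE master;
SELECT d.name AS database_name, d.containment_desc
FROM sys.databases AS d
WHERE d.containment <> 0;
GO

-- 4. Inside each contained database, list users whose credentials live in the
--    database itself (authentication_type 2 = DATABASE). Their password hashes
--    are part of the database, so they travel with every backup or copy of it.
USE AppDb;
SELECT dp.name, dp.type_desc, dp.authentication_type_desc
FROM sys.database_principals AS dp
WHERE dp.authentication_type = 2;
GO

-- 5. Guard the instance: a contained user whose name matches a server login
--    can be authenticated instead of that login when a client connects with the
--    contained database as its initial catalog. Flag such name collisions.
USE master;
SELECT sl.name AS login_name, N'AppDb' AS database_name
FROM sys.sql_logins AS sl
WHERE EXISTS (SELECT 1
              FROM AppDb.sys.database_principals AS dp
              WHERE dp.name = sl.name
                AND dp.authentication_type = 2);
GO
```

Steps 3 to 5 are the "additional security steps" in practice: the instance-level login review used for ordinary databases does not see contained users, so each contained database has to be checked on its own, and name collisions between contained users and server logins should be resolved rather than left to connection-string behaviour.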

Chapter 3: Company Profile: DATAWISE

DATAWISE specializes in providing high-end research, consulting and business analytics solutions to customers all over the world. We appreciate that it is not always possible to plan, anticipate and provide for all types of business needs. And that is why we are here. Our team has a deep understanding of the business environment across a number of industries, and we help in bridging companies' need gap through the application of research and analytical approaches. DATAWISE is focused on providing you with that additional support that you may require from time to time. Whether it is assistance in strategic planning, business execution, providing decision support solutions, helping in creating new product solutions, helping in understanding your business performance, supporting your manpower augmentation needs, or even acting as your surrogate, we are there with you all the way!

Mr. Vinay Kumar is a graduate from the Indian Institute of Management, Ahmedabad and also has a PhD in Marketing. He has more than 20 years of experience in the field of consulting, finance, coaching and mentoring. Among various companies in the past, he has worked with the RPG group, Ernst & Young, Netjets, and Apollo Hospitals. His core strengths are in strategy, business planning, market planning and process improvement.

Mr. Vijay Kumar is a graduate from the Indian Institute of Management, Calcutta. He has more than 18 years of experience in the field of Strategic Research, Retail Banking, IT solution design and implementation, and Marketing. He has worked in the BFSI sector with Citibank, Prudential Insurance, Guy Carpenter, HDFC Bank and regional banks in Malaysia and South Africa. His core strengths include Customer Lifecycle Management, Marketing program design and execution. He represents DATAWISE in the New York market.

Mr. Raghu Patri is a graduate from Goa University. He has more than 20 years of experience in the IT and ITeS domain. He has been associated with NIIT for over a decade in the education field, apart from providing solutions to corporate bodies like Nestle, Titan Industries and Cipla. His core strengths are in IT strategy, planning and development, and process planning and implementation.

Advisory Board

Mr. Sunder Rao is a graduate in Personnel Management and Law from Andhra University. He has also completed the #TP 2 tier course from IIM Ahmedabad. He is extremely versatile, and has successfully managed change in the background of newly started companies and the transformation of organization culture. People Management and related processes are his main strengths.

Mr. Rohit Das is a management graduate and has a vast experience of 19 years with varied industries ranging from FMCG and Durables to Fashion, Lifestyle and Pharma. He has worked with leading organizations like TATA, Electrolux, Mondragon Corporation Cooperative of Spain, Pepsi, Videocon Group, Apollo, etc. He has held key positions across these, with the last 12 years working in Top Management Positions. His core strengths are in strategy, market planning, and sales management.

Mr. K. Srinivas Rao is a human capital strategist, with considerable background in the Human Capital Value Chain. He has 16 years of expertise in the areas of leading Core HR Functions (Leadership development, Performance Management including C&B, Employee Communication, HR Technology), Change Management (Organization design and development, Aligning Org. Culture to Strategy, Organizational Effectiveness Assessment) and M&A Integration (Integration, Restructuring, Downsizing). He is currently Partner at the Global People Advisory & Research Firm The Strategist. Prior to this he was heading Strategy - HR at Satyam Computer Services. He has held management roles at all levels in CATS (Computer Associates-TCG), Baan Info Systems, Ernst & Young, and Videocon International.

Offerings of DATAWISE

School Teacher Evaluation Program (STEP)

STEP™ is a summative and formative evaluation program for School Teachers, conceptualized and designed by DATAWISE Management Services. The program was conceived as a result of DATAWISE's identification of high potential for the application of decision support systems in the area of secondary education in India. STEP™ is based on extensive research and offers a robust, unbiased and data driven teacher assessment program. DATAWISE has collaborated with Teachers Academy, which is known for its presence and expertise in the area of teacher training, to provide the formative structure to STEP™ and hence to make it a comprehensive, one-stop teacher evaluation system. STEP™ creates an objective, summative evaluation structure for teachers working at the Indian secondary education level. The evaluation is based on identification of strengths and weaknesses of the teachers on various researched dimensions. These dimensions are identified as having the highest impact on a teacher's performance. Further, the dimensions have weights associated with them based on the correlation they have with teacher performance.

OPTILOX

The growth of organized retail and the search for optimum retail space is giving retailers a tough time. Moreover, selection of a poor location is likely to do more damage to the reputation and the performance of the retail unit. In the retail industry, which is increasingly cluttered with new players and formats, the ability to assure and increase footfalls has gained much more significance. Minimizing cost, while being an immediate concern, is not as big a problem as maximizing profit by getting targeted customers attracted to the retail outlet. OPTILOX is designed to help retail outlets select the optimum site location for their retail stores in order to maximize customer footfalls. OPTILOX is a unique software-based behavioral analytics model which takes a behavioral approach towards site selection and therefore assists in sales maximization, unlike most site selection methods which primarily concentrate on using logistic or cost based approaches. OPTILOX is based on a design initially conceptualized by Arthur D. Little. We are the first and only company to provide this approach customized to Indian retail needs. OPTILOX relies on an in-house analytical tool which maps retail consumer behavior to the requirements of retailers. The model is designed as a flexible tool which can be customized to account for the parameterized needs of any retail business. OPTILOX is ideal for premium showrooms, grocery outlets, franchisees, banks/ATMs, pharmacies, petroleum outlets, entertainment houses, concept retail, multi-format retail, coffee shops, etc. For retailers looking to expand, OPTILOX presents an ideal solution for mapping customer behavior to their current retail stores, whereas for new retail outlets, OPTILOX also helps in identifying the ideal customer profile.

ServQual

ServQual is determined to serve its clients in improving their service delivery. It uses sophisticated analytical tools to predict customer expectations and behavior through data driven analysis. SERVQUAL helps in calculation of the score for the expectation statement and the perception statement using the questionnaire method. This data will help in calculation of the gap score for each parameter. SERV-QUAL has designed various methods of analyzing your customer satisfaction:

Feedback Form
In-Depth Interview
Mystery Shopping
Focus Groups

CREST

CREST is a customer segmentation process that recognizes the cyclical nature of customer needs and identifies customers with the greatest future revenue potential, so that appropriate strategies can be evolved to best serve the needs of this segment. CREST also identifies the customers who generate the most value for your business and qualify for continued high-impact service offerings. At the same time, the segmentation exercise highlights value destroyers: customers who yield low margins, have limited future potential and demand disproportionately large maintenance resources. The sizing of these segments can be fine-tuned to meet channel capacities and serve up the best opportunities for customer outreach programs. CREST segmentation divides your customer base into six actionable segments:

Prize: High-value, loyal customers with significant upside potential
Protect: High-value, loyal customers
Promote: Loyal customers with significant future potential
Preserve: Stable-value customers
Prevent: High- and Medium-value customers at risk of attrition
Prune: Low-value, high maintenance customers with limited future potential

Chapter 4: Data Interpretation


1. Do you use SQL Server at your organization for database purposes? Yes/No

S.No   SQL Server   No. of respondents
1      Yes          148
2      No           2

Interpretation: Most of the respondents say that they use the SQL Server at their organization for marketing decision making. Very few do not use it in their organization.

1. Which software do you prefer for Marketing Decision Making?
   a. Sybase
   b. SAP Modules
   c. SQL Server
   d. Any specialized software

[Pie chart: Preferred Software. Labels: Sybase, SAP Modules, SQL Server, Other. Values shown: 39%, 34%, 16%, 11%.]

Interpretation: Majority of the respondents prefer SAP Modules for their Marketing Decision Making. Nearly equal members prefer Sybase for the same. The remaining respondents use SQL Server and other tools.

2. If you are using SQL Server, please specify your level of satisfaction in making the following marketing decisions using the applications in SQL Server.

Mark 5 if you are Highly Satisfied
Mark 4 if you are Satisfied
Mark 3 if you are neither satisfied nor dissatisfied
Mark 2 if you are Dissatisfied
Mark 1 if you are Highly Dissatisfied

i. Analytics in Database Management

[Bar chart: Analytics in Database Management. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 43, 45, 35, 25, 3.]

Interpretation: Most of the respondents (87) are dissatisfied in understanding and implementing Analytics in Database Management while using SQL Server. 35 of them are neither satisfied nor dissatisfied and few of them (28) are satisfied with the Analytics.

ii. Security in Database Management

[Bar chart: Security in database management. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 0, 0, 35, 32, 83.]

Interpretation: Most of the respondents (115) are satisfied with the Security aspects while using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security aspects. There are almost none who are dissatisfied with the same.

iii. Access Controls

[Bar chart: Access Controls. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 60, 35, 13, 1, 41.]

Interpretation: Most of the respondents (101) are satisfied with the Access controls using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with the SQL Server regarding Access controls aspects and the remaining respondents (14) are dissatisfied with the same.

iv. Hierarchy Aspects in Data Management

[Bar chart: Hierarchy. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 56, 1, 6, 24, 63.]

Interpretation: Most of the respondents (119) are satisfied with the Hierarchy aspects of data management in SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with SQL Server regarding this aspect and very few respondents (7) are dissatisfied with the same.

v. RDBMS Tools and Commands

[Bar chart: Tools and Commands. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 63, 44, 33, 8.]

Interpretation: Most of the respondents (107) are satisfied with the RDBMS Tools and Commands and their applications in SQL Server. Few respondents (33) are neither satisfied nor dissatisfied with SQL Server regarding these aspects and very few respondents (10) are dissatisfied with the same.

vi. Programming and Query Management

[Bar chart: Programming and Queries. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 0, 11, 16, 5, 118.]

Interpretation: Most of the respondents (123) are satisfied with the programming and query management aspects in SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with the SQL Server regarding these aspects and very few respondents (11) are dissatisfied with the same.

vii. Pricing and Licensing Aspects

[Bar chart: Pricing and Licensing. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 76, 1, 19, 29, 25.]

Interpretation: Many respondents (101) are not satisfied with the Pricing and Licensing issues in SQL Server. Few respondents (29) gave a neutral response and very few respondents (20) are satisfied with the same.

viii. Overall Satisfaction

[Bar chart: Overall Satisfaction. Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 0, 5, 52, 55, 38.]

Interpretation: Only some of the respondents (43) are not satisfied with the features in SQL Server. A considerable number of respondents (55) gave a neutral response and 52 are satisfied with the same.

3. Do you maintain a regularly upgraded RDBMS/DBMS? Yes/No

S.No   Regular upgradation   No. of respondents
1      Yes                   136
2      No                    14

Interpretation: The majority of the respondents (136) claim that they maintain a regularly updated SQL Server, and the remaining respondents do not.

4. Do you think a standard RDBMS is required for proper database and server management?
   a. Very essential
   b. Essential
   c. May or may not be used
   d. Not essential
   e. Not at all required

[Bar chart: Need for RDBMS/SQL Server. Categories: Not at all required, Not essential, May or may not be used, Essential, Very Essential. Bar values as extracted: 97, 45.]

Interpretation: Most of the respondents (142) feel that SQL Server is really essential for effective Database Management. The remaining respondents feel that RDBMS is not mandatory for effective database management.

5. Please express your satisfaction levels in using SQL Server in terms of security aspects.
   a. Highly satisfied
   b. Satisfied
   c. Neutral
   d. Dissatisfied
   e. Highly dissatisfied

[Bar chart: Overall Satisfaction (security aspects). Categories: Highly Dissatisfied, Dissatisfied, Neutral, Satisfied, Highly Satisfied. Bar values as extracted: 0, 0, 2, 129, 19.]

Interpretation: Almost all the respondents are satisfied using SQL Server and its security aspects. A negligible number of the respondents feel neither satisfied nor dissatisfied with SQL Server.

ANALYSIS

Correlation Analysis

Correlation of the satisfaction level on each attribute with overall satisfaction (values as given in the source table):

Attribute              Pearson correlation   Sig. (2-tailed)   N
Analytics              .280**                .001              150
Security               .813                  .00.1             150
Access controls        .608                  .0025             150
Hierarchy aspects      -.100                 .222              150
RDBMS tools            .534                  .682              150
Query management       .637                  .004              150
Pricing & licensing    -.075                 .366              150
Overall                1                     .000              150

*. Correlation is significant at the 0.05 level (2-tailed).
**. Correlation is significant at the 0.01 level (2-tailed).

Correlation analysis performed over the attributes explaining the satisfaction levels of various users of SQL Server suggests that Security, Query management and RDBMS tools have a high correlation with overall satisfaction, indicating that satisfaction on these parameters is connected to overall satisfaction. A few attributes, such as Hierarchy and Pricing, cannot be considered for analysis based on their significance values. Analytics in database management has a weaker positive correlation with overall satisfaction. Hence the data gathered and analyzed suggests that SQL Server is preferred, or gives a good amount of satisfaction to its users, and their opinions correlate well.

Chapter 5: FINDINGS AND CONCLUSION

The study "Security Management in SQL Server", taken up on 150 respondents belonging to different levels in pharmaceutical organizations, gave the following findings. 98.6% of the respondents specified that they use SQL Server for their DBMS; of these respondents, 89.3% specified that they have an updated SQL Server at their organization.

Most of the respondents (87) are dissatisfied in understanding and implementing Analytics in Database Management while using SQL Server. 35 of them are neither satisfied nor dissatisfied and few of them (28) are satisfied with the Analytics.

Most of the respondents (115) are satisfied with the Security aspects while using SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with these Security aspects. There are almost none who are dissatisfied with the same.

Most of the respondents (101) are satisfied with the Access controls in SQL Server. Few respondents (35) are neither satisfied nor dissatisfied with SQL Server regarding Access control aspects and the remaining respondents (14) are dissatisfied with the same.

Most of the respondents (119) are satisfied with the Hierarchy aspects of data management in SQL Server. Few respondents (24) are neither satisfied nor dissatisfied with SQL Server regarding this aspect and very few respondents (7) are dissatisfied with the same.

Most of the respondents (107) are satisfied with the RDBMS Tools and Commands and their applications in SQL Server. Few respondents (33) are neither satisfied nor dissatisfied with SQL Server regarding these aspects and very few respondents (10) are dissatisfied with the same.

Most of the respondents (123) are satisfied with the programming and query management aspects of SQL Server. Few respondents (16) are neither satisfied nor dissatisfied with SQL Server regarding these aspects and very few respondents (11) are dissatisfied with the same.

Many respondents (101) are not satisfied with the Pricing and Licensing issues in SQL Server. Few respondents (29) gave a neutral response and very few respondents (20) are satisfied with the same.

Only some of the respondents (43) are not satisfied with the features in SQL Server. A considerable number of respondents (55) gave a neutral response and 52 are satisfied with the same.

The majority of the respondents (136) claim that they maintain a regularly updated SQL Server, and the remaining respondents do not.

Most of the respondents (142) feel that SQL Server is really essential for effective Database Management. The remaining respondents feel that an RDBMS is not mandatory for effective database management.

Almost all the respondents are satisfied using SQL Server and its security aspects. A negligible number of the respondents feel neither satisfied nor dissatisfied with SQL Server.

Correlation analysis performed over the attributes explaining the satisfaction levels of various users of SQL Server suggests that Security, Query management and RDBMS tools have a high correlation with overall satisfaction, indicating that satisfaction on these parameters is connected to overall satisfaction. A few attributes, such as Hierarchy and Pricing, cannot be considered for analysis based on their significance values. Analytics in database management has a weaker positive correlation with overall satisfaction. Hence the data gathered and analyzed suggests that SQL Server is preferred, or gives a good amount of satisfaction to its users, and their opinions correlate well.

Conclusion

Database Management Systems have become an integral part of the basic software requirements of any organization that uses IT in its daily operations or does business with IT. This has created a vast market for database management systems, and the industry's giants contend closely to acquire maximum market share. Database management alone is not the requirement; the maximum amount of security has become the key. Unless a DBMS or RDBMS is secure and free from all sorts of vulnerabilities and threats, people are not ready to take it up to manage their databases. Many aspects apart from security are also considered before making a decision on a DBMS. SQL Server has few pitfalls and a strong command of this market. Security is its strength, and the study has highlighted various ways of using SQL Server in a more secure manner. This study has brought out user satisfaction and the technical aspects related to security in a DBMS, and has also presented detailed concepts related to DBMS. In conclusion, the study suggests that anybody who uses or manages a database should take up the checklist of security aspects and decide which DBMS software would best help in flawless database administration and management. The study also recognizes that there is a growing need for human intelligence as well in the areas of database management and server management to make organizations more successful in this arena.

Bibliography:

1. Kothari C.R., Research Methodology, 2nd Edition, Wishwa Prakashan.
2. Alan Bryman & Emma Bell, Business Research Methods, 2nd Edition, Oxford.
3. Neelan Q Jeemchipillai, SQL Server, TMH, 2009.
4. Tom Carpenter, Microsoft SQL Server Administration, Wiley, 2010.
5. Kogent Learning, SQL Server 2008, 2009.

Webliography:

http://www.microsoft.com/en-in/sqlserver/solutions-technologies/mission-criticaloperations/security-and-compliance.aspx
http://technet.microsoft.com/en-us/library/bb283235.aspx
http://msdn.microsoft.com/en-us/library/bb669074(v=vs.110).aspx
http://www.greensql.com/content/sql-server-security-best-practices
http://www.techrepublic.com/article/understanding-roles-in-sql-server-security/
http://www.sqlsecurity.com/
http://www.iis.net/learn/application-frameworks/install-and-configure-php-on-iis/secureyour-sql-server-database

Annexure: Questionnaire for Security Management in SQL Server

Name: ...............
Age: ......
Gender (M/F): ......
Designation/Occupation: ......
Overall Experience: ......
Experience in current organization: ......
Email ID: ..@........................................

--------------------------------------------------------------------------------------------

1. Do you use SQL Server at your organization for database purposes? Yes/No

2. Which software do you prefer for Database Management?
   a. Sybase
   b. SAP Modules
   c. SQL Server
   d. Any other specialized software

3. If you are using SQL Server, please specify your level of satisfaction in using the applications in SQL Server.

Mark 5 if you are Highly Satisfied
Mark 4 if you are Satisfied
Mark 3 if you are neither satisfied nor dissatisfied
Mark 2 if you are Dissatisfied
Mark 1 if you are Highly Dissatisfied

Sl. No.   Type of Marketing Decision              Satisfaction level
1.        Analytics in Database Management
2.        Security in database management
3.        Access Controls
4.        Hierarchy aspects
5.        RDBMS tools and commands
6.        Programming and Query management
7.        Pricing and Licensing aspects
8.        Overall satisfaction

4. Do you maintain a regularly upgraded RDBMS/DBMS? Yes/No

5. Do you think a standard RDBMS is required for proper database and server management?
   a. Very Essential
   b. Essential
   c. May or may not be used
   d. Not essential
   e. Not at all required

6. Please express your satisfaction levels in using SQL Server in terms of security aspects.
   a. Highly Satisfied
   b. Satisfied
   c. Neutral
   d. Dissatisfied
   e. Highly Dissatisfied

7. Do you think SQL Server saves time and cost compared to other software tools? Yes/No

8. Please give suggestions for the study and for SQL Server implementation aspects.
*************** Thank you very much for your time and inputs **************
