Database Authentication and Security Quiz
20 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the primary goal of authentication in a database environment?

  • To confirm the identity of users and applications (correct)
  • To encrypt user passwords
  • To manage user privileges
  • To grant access to all users

    • Which of the following is an example of a credential used for authentication?

  • User's IP address
  • Person’s username and password (correct)
  • Database schema name
  • Application's error logs

    • What additional measure can third-party applications provide in database authentication?

  • Automatic user registration
  • Reducing database size
  • Password encryption (correct)
  • User training on password policies

    • What is the difference between authentication and authorization?

    <p>Authentication is the process of confirming identity; authorization is granting access based on that identity.</p> Signup and view all the answers

    Which process is NOT typically associated with improving database security?

    <p>Denying privileges to all users</p> Signup and view all the answers

    What is one of the main advantages of OS level authentication?

    <p>Centralized account administration</p> Signup and view all the answers

    Which of the following statements is true about database authentication?

    <p>It requires users to have a local database account.</p> Signup and view all the answers

    What is a potential disadvantage of relying solely on database authentication?

    <p>It may lead to poor password management practices.</p> Signup and view all the answers

    What is the primary benefit of using third-party authentication methods?

    <p>It allows access without having a local database account.</p> Signup and view all the answers

    Which statement best summarizes the impact of using one authentication method exclusively?

    <p>It can lead to significant advantages and disadvantages.</p> Signup and view all the answers

    What is the primary recommended authentication mode for SQL Server?

    <p>Windows Authentication</p> Signup and view all the answers

    Which of the following best describes Mixed Mode Authentication in SQL Server?

    <p>It combines Windows Authentication with SQL Server authentication.</p> Signup and view all the answers

    In MySQL, what three pieces of information are required for user authentication?

    <p>Host name, MySQL username, user-supplied password</p> Signup and view all the answers

    Which authentication method in SQL Server is considered not as secure as Windows Authentication?

    <p>Mixed Mode Authentication</p> Signup and view all the answers

    What is the purpose of Advanced Security in Oracle databases?

    <p>To enhance authentication security and options.</p> Signup and view all the answers

    What are the most commonly enforced password attributes in database server applications?

    <p>Password complexity, failed attempts, expired passwords, password reuse</p> Signup and view all the answers

    Which of the following is NOT a common requirement for the complexity of passwords in Oracle databases?

    <p>Must be between 10 and 150 characters</p> Signup and view all the answers

    For maximum effectiveness in password policy enforcement, organizations are recommended to implement which combination?

    <p>Both written and server-defined policies</p> Signup and view all the answers

    What is the purpose of the principle of least privilege in user account management?

    <p>To restrict users to the minimum privileges necessary to perform their job functions</p> Signup and view all the answers

    Which statement about default user accounts in databases is accurate?

    <p>Default user accounts often come with predefined access levels that may be easily exploited.</p> Signup and view all the answers

    Study Notes

    Database Security - Chapter 6

    • Objectives:
      • Define and implement authentication using SQL Server, MySQL, and Oracle.
      • Define and implement authorization using SQL Server, MySQL, and Oracle.
      • Manage users based on best security practices using SQL Server, MySQL, and Oracle.
      • Identify and apply password best practices using SQL Server, MySQL, and Oracle.
      • Define and create roles using SQL Server, MySQL, and Oracle.
      • Define, grant, deny, and revoke privileges using SQL Server, MySQL, and Oracle.

    Authentication

    • Concept: A multi-layered process for confirming the identity of individuals or applications requesting access.

    • Steps: Authentication and Authorization are the two main steps to controlling data access.

    • Authentication Process: Verifying the identity of a person or application by checking if their login credentials match those created within the environment.

    • Credentials: Information used to verify identity. Examples include usernames and passwords, application's secure ID, and host names/addresses. The type of credential depends on the specific system or environment.

    • Multiple Levels: Multiple levels of verification can take place during the login process before full access is permitted.

    • Third-Party Applications: External applications can enhance database security by performing additional steps, such as password encryption.

    • Levels of Authentication: Three levels—OS, database level, and third-party. Combination of these creates security, but single-level use can have advantages and disadvantages.

    Authentication (continued)

    • Credentials: Pieces of information (e.g., username/password, secure ID, network details) used for identity verification.
    • Types: Credentials vary based on the authentication process of a specific system or environment.

    Operating System Authentication

    • Credentails: Credentials are authenticated through the operating system (OS). The OS account must be used for database access.
    • Advantages: The OS login offers convenience to the user and centralized account management.

    Database Authentication

    • Local Accounts: User credentials must be validated against the database's local account. This can involve multiple systems.
    • Password Practicies: Insufficient password standards can result in weak passwords, such as writing them down, and this can be problematic. Improved policies are important.

    Network or Third-Party Authentication

    • Alternative Processes: Third-party applications, on a network level, can further authenticate users for remote and physical environments.
    • Independent Accounts: Network accounts do not necessarily need to be tied to operating system or database accounts, but do need to be acknowledged by the third-party application.
    • Combined Approaches: Combining this type of authentication with OS and database authentication can create robust security.

    Database Vendor-Specific Authentication Components

    • SQL Server Authentication: SQL Server uses Windows Authentication and Mixed Mode Authentication.
    • Windows Authentication: Users need Windows logins for database access. This is more trusted—highly recommended for SQL Server.
    • Mixed Mode Authentication: Allows both Windows and SQL Server authentication. Less secure than trusted authentication. Doesn't allow use of Kerberos protocol.
    • MySQL Authentication: MySQL uses slightly different authentication from SQL Server and Oracle. It verifies users based on the host the server is running on, combined with the user-supplied username and password.
    • Oracle Authentication: Oracle offers multiple options for authenticating users and machines. Database servers, database links, and environment passwords can be used as credentials for authentication with varied customization for different environments. Security can be further enhanced by purchasing other applications. Advanced Security provides security features such as encryption.

    Password Policies

    • Compromised Passwords: Most security breaches originate from compromised passwords.
    • Policy: Enforcing password policies within database server applications is often a good first line of defense against compromised passwords. Server and written policies combined for better results.
    • Database-Enforced Policies: Vendor-specific password policies differ in their settings. Almost all database servers today enforce complexity.

    Database-Enforced Password Policies

    • Vendor Specific: Policies often specific to the database vendor.
    • Key Attributes: Password attributes include complexity, failed login attempts, password expiration, and password reuse prevention.

    Written Password Policies

    • User Agreements: Policies are usually included in an agreement between the organization and its users. Must balance flexibility with the need for consistent and strict enforcement.
    • Common Standards: Common standards might include password sharing, and password storage.

    Database Vendor-Specific Password Management

    • SQL Server: Passwords should be unique, not common words, or usernames, and of a set minimum length (8-128 characters), can include underscored, dollar signs, or numbers. Must minimally have one digit and one alphabetic character, not begin with a number.
    • MySQL: Passowrds are stored in 45-bit encryption, are case-sensitive, and vary in length. Special characters can be included.
    • Oracle: Stored encrypted in DBA_USER table. Password must have at least 3 character difference, have at least one digit and alphabetic character, cannot start with a number, and can include special characters, or characters other than $, # .

    Authorization

    • Permission Application: The process of applying permissions to a user to ensure users requesting access have permission.
    • Predetermined: Authorization is decided prior to the user gaining authentication credentials.
    • Privileges: Important for appropriate access, to help ensure the security of the database.

    User Account Management

    • Management Tasks: User accounts are added, removed, and privileges are assigned.
    • Administrator Understanding: System administrators must know default accounts created during database installation.

    Default User Accounts

    • Predefined Access: Default accounts are created with specific access privileges.
    • System Accounts: These accounts are often part of system administration.
    • Data Security: Default account protection and security are vital to data safety.

    Adding and Removing Users

    • Default Password: Default passwords should always be changed.
    • Encrypted Passwords: Passwords should be saved in encrypted files.
    • Different Logins: Use varying logins and passwords for different applications;
    • Policy Compliance: Ensure user compliance with database usage policies.
    • Removing Accounts: Perform an inventory of user-created objects before removing a user. This is important because deleting accounts might lead to data loss.
    • Disabling Instead of Deleting: Experts recommend disabling accounts rather than deleting them, to prevent data loss. Proper documentation is crucial for tracking additions and deletions of user accounts.

    User Privileges

    • Smallest Unit: Privileges are the smallest units of authorization. They specify a user's ability to access specific resources or perform specific actions on certain objects.
    • Examples: Examples include operations like deleting rows, creating tables, and executing procedures.
    • Planning Stage: Privileges should be well planned out during initial database design.

    User Privileges (Continued)

    • Principle of Least Privilege: Each user should be given only the minimum number of privileges necessary for performing legitimate tasks within the system.
    • Grant and Deny Methods: There are two ways to grant a privilege:
      • fixed-grant privileges: privileges that are predefined by the database systems;
      • single-statement privileges: privileges granted to individual users.
    • Levels of Privilege in SQL Server: Three levels for SQL Server: server-level permissions, database-level permissions, andobject-level permissions can be awarded, potentially tied to granting permission to specific tables or roles.

    User Privileges (Continued)

    • MySQL Privileges: Five different types of (levels of) privilege in MySQL: global privileges, database privileges, table object privileges, column object privileges, and routine privileges;
    • Oracle Privileges: Two privilege levels in Oracle: system and object-level privileges.
    • Public Privilege: The system may offer a PUBLIC role, by default, to all database users. Granting permissions to this role is generally not recommended.

    Roles

    • Combined Privileges: Roles are sets of related privileges combined for simpler management of users or database objects.
    • Assignment to multiple users: A single role can encompass multiple users
    • Centralization: Management simplifies due to a centralized point from which management is performed.
    • Types and Functions: Roles come in different forms: fixed server, fixed database, user-defined, application, and public. The type of role determines the privileges it grants.

    Roles (Continued)

    • SQL Server Roles: SQL Server roles include server roles, typically for administering the server environment, and database roles, providing specific privilege to database users. Examples of SQL Server roles include sysadmin, securityadmin, serveradmin, setupadmin, processadmin, dbcreator, and diskadmin.
    • Database Roles (SQL Server): Fixed database roles in SQL Server such as db_owner, db_accessadmin, db_datareader, db_datawriter, db_ddladmin, db_securityadmin, db_backupoperator, db_denydatareader, db_denydatawriter
    • User-defined Roles: Roles specifically created for database access and object management (user-defined)

    Roles (Continued)

    • MySQL Roles: Roles are not natively included within MySQL Server alone. They are created through scripting or third-party applications.
    • Oracle Roles: Oracle provides built-in roles at the system and object levels. System roles, or built-in roles, offer privileges to objects or are granted to other roles. Some examples are DBA and JAVA_ADMIN.

    Inference

    • Unauthorized Access: Inference allows unauthorized users to access sensitive information by making logical assumptions based on the database's responses (query-based).
    • Inferred Knowledge: By making deductions from database responses, information about the database contents could be accessed.
    • Sensitivity: Inference poses a significant threat, which is difficult to predict, detect, and mitigate.

    Inferencing Examples

    • Logic and Relationships: Inference usually works through the use of logic, relationships, and constraints. Well-organized tables are vulnerable. Examples include hotel database tables holding information such as customer ID, name, room number, and profile level. Knowledge can be potentially inferred by a given query about access information.
    • Statistical Inference: Statistical inferences use database queries to analyze patterns in data. Sensitive information can be deduced by manipulating these queries (such as those about salary or other financial information).

    Minimizing Inference

    • Security Measures: Techniques like Polyinstantiation, logging, monitoring, alerting unusual user activities, and limiting user capabilities, and adjusting queries can be used to mitigate threats.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Database Security PDF

    Description

    Test your knowledge on database authentication principles, including the differences between authentication and authorization, and the advantages of using various authentication methods. This quiz covers critical concepts essential for securing database environments.

    More Like This

    Use Quizgecko on...
    Browser
    Open
    Browser
    Browser