SQL, Analysis Services & related stories. : SQL Server 2005 Administrationhttp://blogs.msdn.com/ikovalenko/archive/tags/SQL+Server+2005+Administration/default.aspxTags: SQL Server 2005 Administrationen-USCommunityServer 2.1 SP1 (Build: 61025.2)How to avoid 1000 rows limitation when querying active directory (AD) from SQL 2005 with using custom code.http://blogs.msdn.com/ikovalenko/archive/2007/03/22/how-to-avoid-1000-rows-limitation-when-querying-active-directory-ad-from-sql-2005-with-using-custom-code.aspxThu, 22 Mar 2007 14:08:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1930441Igor Kovalenko20http://blogs.msdn.com/ikovalenko/comments/1930441.aspxhttp://blogs.msdn.com/ikovalenko/commentrss.aspx?PostID=1930441<P>As all of you know it is possible to query active directory from SQL Server with using ADSI provider as linked server. This solution works fine until you will have a lot of users in active directory. According to best practice guide&nbsp;windows system engineers always configured AD to return no more then 1000 rows per one query. Of course you can avoid this limitation too (with using range keyword or some other ways, as for me require deep AD knowledge). Some other extremily complicated T-SQL scripts can be found in internet. My current post's goal is to show two main things: </P> <P>1. how to register a couple of assemblies (your own and related system assemblies) in SQL Server with UNSAFE permission&nbsp;WITHOUT setting TRUSTWORTHY ON for your database according to best practice security guide. Security check will passed in this way according to certificate permissions.</P> <P>2. how to create a simple CLR procedures&nbsp;for quirying AD as any other SQL datasource without creating linked server.</P> <P>You can find MSADHelper2.rar project attached. It contains project files; you can extract MSADHelper.dll assembly from here, or build a new one by yourself (in that case please generate a new strong key, my is not included in project files). </P> <P>P.S. I am not an expert in C#, so you can improve this source as you wish to add some dispose or other required methods.</P> <P>Here is installation script:</P> <P>SET NOCOUNT ON<BR>GO<BR>USE Master<BR>GO</P> <P>--sp_configure 'clr enabled', 1<BR>--reconfigure with override</P> <P>--ALTER DATABASE&nbsp;&lt;your_database_name&gt; SET TRUSTWORTHY OFF<BR>--GO</P> <P>-- create keys from assembly&nbsp;</P> <P>CREATE ASYMMETRIC KEY MSADHelperAsKey FROM EXECUTABLE FILE = 'C:\distrib\ADSI\MSADHelper2.dll' --&nbsp;specify correct path here.<BR>GO<BR>CREATE ASYMMETRIC KEY SystemDirectoryServicesKey FROM EXECUTABLE FILE = 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll' <BR>GO<BR>--SELECT * FROM sys.asymmetric_keys<BR>--GO</P> <P>-- create logins for special goals<BR>CREATE LOGIN SQLCLRHelperLogin FROM ASYMMETRIC KEY MSADHelperAsKey<BR>GO<BR>CREATE LOGIN SQLCLRSysDirServLogin FROM ASYMMETRIC KEY SystemDirectoryServicesKey<BR>GO</P> <P>-- grant necessary (UNSAFE) permissions<BR>GRANT UNSAFE ASSEMBLY TO SQLCLRHelperLogin <BR>GO <BR>GRANT UNSAFE ASSEMBLY TO SQLCLRSysDirServLogin <BR>GO </P> <P>-----------------------------------------------------------------------<BR>---<BR>--- **************************************************************<BR>---<BR>-----------------------------------------------------------------------</P> <P>USE&nbsp;&lt;your_database_name&gt;<BR>GO</P> <P>CREATE&nbsp;ASSEMBLY [System.DirectoryServices]<BR>FROM&nbsp;'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.DirectoryServices.dll'<BR>WITH&nbsp;PERMISSION_SET = UNSAFE<BR>GO<BR>CREATE&nbsp;ASSEMBLY [MsForClient.SqlServer.SqlClrToolkit.MSADHelper]<BR>FROM&nbsp;'C:\distrib\ADSI\MSADHelper2.dll' -- please specify correct path here<BR>WITH&nbsp;PERMISSION_SET = UNSAFE<BR>GO</P> <P>--Have a look at the assembly within the database<BR>--SELECT * FROM sys.assemblies<BR>--SELECT * FROM sys.assembly_files<BR>GO</P> <P>--Create&nbsp;procedures from the assembly</P> <P>-- return list of registered providers (from registry)<BR>CREATE&nbsp;PROCEDURE dbo.usp_GetListOfRegisteredDirectoryProviders<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetListOfRegisteredDirectoryProviders<BR>GO</P> <P>-- test methods - is it possible to create AD object?&nbsp;</P> <P>CREATE PROCEDURE dbo.usp_TryAuthenticate(@pAdsiPath nvarchar(4000), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_TryAuthenticate<BR>GO</P> <P>-- by default any method will execute under SQL Server Service account. If this account don't have enought privileges - please specify another one as @pUserName and </P> <P>-- @pPassword to access AD</P> <P>CREATE PROCEDURE dbo.usp_TryAuthenticateAsUser(@pAdsiPath nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_TryAuthenticateAsUser<BR>GO</P> <P>-- enum AD structure - be carefull, to much info!</P> <P>CREATE PROCEDURE dbo.usp_FillInfoByPath(@pAdsiPath nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_FillInfoByPath<BR>GO</P> <P>-- get AD object properties</P> <P>CREATE PROCEDURE dbo.usp_GetNodeProperties(@pAdsiPath nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetNodeProperties<BR>GO</P> <P>-- extract user list</P> <P>CREATE PROCEDURE dbo.usp_GetUserList(@pAdsiPath nvarchar(4000), @pOutputFieldList NVarChar(2000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int, @pScope nvarchar(10))<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetUserList<BR>GO</P> <P>-- extract group list</P> <P>CREATE PROCEDURE dbo.usp_GetGroupList(@pAdsiPath nvarchar(4000), @pOutputFieldList NVarChar(2000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int, @pScope nvarchar(10))<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetGroupList<BR>GO</P> <P>-- extract list of computers</P> <P>CREATE PROCEDURE dbo.usp_GetComputerList(@pAdsiPath nvarchar(4000), @pOutputFieldList NVarChar(2000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int, @pScope nvarchar(10))<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetComputerList<BR>GO</P> <P>-- extract members of AD group</P> <P>CREATE PROCEDURE dbo.usp_GetGroupMembers(@pAdsiPath nvarchar(4000), @pOutputFieldList NVarChar(2000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetGroupMembers<BR>GO</P> <P>-- enum user membership</P> <P>CREATE PROCEDURE dbo.usp_GetUserMembership(@pAdsiPath nvarchar(4000), @pOutputFieldList NVarChar(2000), @pUserName sysname, @pPassword nvarchar(100), @pSecure int)<BR>AS EXTERNAL NAME [MsForClient.SqlServer.SqlClrToolkit.MSADHelper].[MsForClient.SqlServer.SqlClrToolkit.MSADHelper].usp_GetUserMembership<BR>GO</P> <P>-- execute &amp; test section</P> <P>EXEC dbo.usp_GetListOfRegisteredDirectoryProviders<BR>GO</P> <P>-- try to check - if net framework carefully installed and AD objects created without any issue<BR>DECLARE @pStr nvarchar(4000)<BR>SET @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxxx,DC=ru'<BR>EXEC dbo.usp_TryAuthenticate @pStr, 1<BR>GO<BR>-- try to run under another account</P> <P>DECLARE @pStr nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100)<BR>SELECT @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxxx,DC=ru', @pUserName = N'SQLSvc', @pPassword = N'xxxxxxx'</P> <P>EXEC dbo.usp_TryAuthenticateAsUser @pStr, @pUserName, @pPassword, 1<BR>GO</P> <P>-- extract AD info as relational tree (use ID &amp; ParentID to build object tree)<BR>DECLARE @pStr nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100)<BR>SET @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxx,DC=ru'</P> <P>EXEC dbo.usp_FillInfoByPath @pStr, @pUserName, @pPassword, 0<BR>GO</P> <P>--- get all properites of object<BR>DECLARE @pStr nvarchar(4000), @pUserName sysname, @pPassword nvarchar(100)<BR>--SET @pStr = N'LDAP://CN=User01,CN=Users,DC=HQ,DC=corp,DC=xxxxxxx,DC=ru'<BR>SET @pStr = N'LDAP://CN=Domain Admins,CN=Users,DC=HQ,DC=corp,DC=xxxxxxxxxx,DC=ru'</P> <P>EXEC dbo.usp_GetNodeProperties @pStr, @pUserName, @pPassword, 0<BR>GO<BR>---- get user list and attributes</P> <P>DECLARE @pStr nvarchar(4000), @pOutputFieldList nvarchar(2000), @pUserName sysname, @pPassword nvarchar(100)<BR>-- to extract users from exact OU<BR>-- 'LDAP://OU=TestGroup,DC=HQ,DC=corp,DC=xxxxxxxx,DC=ru'<BR>-- all users from AD<BR>-- @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxx,DC=ru'<BR>SELECT @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxxxx,DC=ru', <BR>&nbsp;@pOutputFieldList = 'cn,name,description,distinguishedName,whenChanged,primaryGroupID,memberOf', @pUserName = '', @pPassword = N''</P> <P>EXEC dbo.usp_GetUserList @pStr, @pOutputFieldList, @pUserName, @pPassword, 0, 'Subtree'<BR>GO</P> <P>---- extract group list<BR>DECLARE @pStr nvarchar(4000), @pOutputFieldList nvarchar(2000), @pUserName sysname, @pPassword nvarchar(100)<BR>-- to extract groups from exact group<BR>-- 'LDAP://CN=Domain Admins,CN=Users,DC=HQ,DC=corp,DC=xxxxxxx,DC=ru'<BR>-- all&nbsp;groups from AD<BR>-- @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxx,DC=ru'<BR>SELECT @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxx,DC=ru', <BR>&nbsp;@pOutputFieldList = 'cn,name,description,distinguishedName,whenChanged', @pUserName = '', @pPassword = N''</P> <P>EXEC dbo.usp_GetGroupList @pStr, @pOutputFieldList, @pUserName, @pPassword, 0, 'Subtree'<BR>GO</P> <P>---- get computer list<BR>DECLARE @pStr nvarchar(4000), @pOutputFieldList nvarchar(2000), @pUserName sysname, @pPassword nvarchar(100)<BR>SELECT @pStr = N'LDAP://DC=HQ,DC=corp,DC=xxxxxxxxx,DC=ru', <BR>&nbsp;@pOutputFieldList = 'cn,name,distinguishedName,whenChanged', @pUserName = '', @pPassword = N''</P> <P>EXEC dbo.usp_GetComputerList @pStr, @pOutputFieldList, @pUserName, @pPassword, 0, 'Subtree'<BR>GO</P> <P>------- get group members<BR>DECLARE @pStr nvarchar(4000), @pOutputFieldList nvarchar(2000), @pUserName sysname, @pPassword nvarchar(100)<BR>--SELECT @pStr = N'LDAP://CN=Domain Admins,CN=Users,DC=HQ,DC=corp,DC=xxxxxxxxx,DC=ru', <BR>-- @pOutputFieldList = 'sAMAccountName'<BR>SELECT @pStr = N'LDAP://CN=Administrators,CN=Users,DC=HQ,DC=corp,DC=xxxxxxxxx,DC=ru', <BR>&nbsp;@pOutputFieldList = 'Name', @pUserName = '', @pPassword = N'' </P> <P>EXEC dbo.usp_GetGroupMembers @pStr, @pOutputFieldList, @pUserName, @pPassword, 0<BR>GO</P> <P>----- enlist user membership<BR>DECLARE @pStr nvarchar(4000), @pOutputFieldList nvarchar(2000), @pUserName sysname, @pPassword nvarchar(100)<BR>SELECT @pStr = N'LDAP://CN=Administrator,CN=Users,DC=HQ,DC=corp,DC=xxxxxxxxx,DC=ru', <BR>&nbsp;@pOutputFieldList = 'Name', @pUserName = '', @pPassword = N''</P> <P>EXEC dbo.usp_GetUserMembership @pStr, @pOutputFieldList, @pUserName, @pPassword, 0<BR>GO</P> <P><BR>-- Here is a&nbsp;section of cleanup script</P> <P>USE &lt;your_database_name&gt;<BR>GO</P> <P>-- delete procedures<BR>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetListOfRegisteredDirectoryProviders]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetListOfRegisteredDirectoryProviders]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_TryAuthenticate]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_TryAuthenticate]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_TryAuthenticateAsUser]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_TryAuthenticateAsUser]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_FillInfoByPath]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_FillInfoByPath]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetNodeProperties]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetNodeProperties]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetUserList]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetUserList]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetGroupList]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetGroupList]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetComputerList]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetComputerList]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetGroupMembers]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetGroupMembers]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[usp_GetUserMembership]') AND type in (N'P', N'PC'))<BR>&nbsp;DROP PROCEDURE [dbo].[usp_GetUserMembership]<BR>GO</P> <P>-- delete assemblies<BR>IF&nbsp; EXISTS (SELECT * FROM sys.assemblies asms WHERE asms.name = N'MsForClient.SqlServer.SqlClrToolkit.MSADHelper')<BR>&nbsp;DROP ASSEMBLY [MsForClient.SqlServer.SqlClrToolkit.MSADHelper]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.assemblies asms WHERE asms.name = N'System.DirectoryServices')<BR>&nbsp;DROP ASSEMBLY [System.DirectoryServices]<BR>GO</P> <P>USE Master<BR>GO</P> <P>-- drop logins</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.server_principals WHERE name = N'SQLCLRSysDirServLogin')<BR>&nbsp;DROP LOGIN [SQLCLRSysDirServLogin]<BR>GO</P> <P>IF&nbsp; EXISTS (SELECT * FROM sys.server_principals WHERE name = N'SQLCLRHelperLogin')<BR>&nbsp;DROP LOGIN [SQLCLRHelperLogin]<BR>GO</P> <P>-- drop keys&nbsp;</P> <P>IF EXISTS(SELECT * FROM sys.asymmetric_keys WHERE [name] = 'MSADHelperAsKey')<BR>&nbsp;DROP ASYMMETRIC KEY MSADHelperAsKey<BR>GO</P> <P>IF EXISTS(SELECT * FROM sys.asymmetric_keys WHERE [name] = 'SystemDirectoryServicesKey')<BR>&nbsp;DROP ASYMMETRIC KEY SystemDirectoryServicesKey<BR>GO</P> <P>-- Seems to me finished :-)</P> <P>Dec 08, 2007 :</P> <P>i updated source code to fix bug - many thanks to <SPAN style="FONT-SIZE: 11pt; FONT-FAMILY: 'Calibri','sans-serif'; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: 'Times New Roman'; mso-bidi-theme-font: minor-bidi; mso-ansi-language: RU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Taylor Gerring </SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1930441" width="1" height="1">TSQLSQL Server 2005 SecuritySQL Server 2005 AdministrationSQL CLRSwitching context with using EXECUTE AS ... not always switch it in fact as you wish.http://blogs.msdn.com/ikovalenko/archive/2007/03/01/switching-context-with-using-execute-as-not-always-switch-it-in-fact-as-you-wish.aspxThu, 01 Mar 2007 11:23:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1777963Igor Kovalenko1http://blogs.msdn.com/ikovalenko/comments/1777963.aspxhttp://blogs.msdn.com/ikovalenko/commentrss.aspx?PostID=1777963<P>In this demo i will&nbsp;try to explain why SET TRUSTWORTHY ON on some databases may&nbsp;make the sysadmin job unsafe. In previous posts i explained how db owner (or any developer) can try to implemet simplest luring attack against server sysadmin. According to BOL to avoid this problem sysadmin should switch to the context of the account/login with lowest possible privileges. Lets try to test this approach.</P> <P>USE master<BR>GO</P> <P>-- create test database<BR>CREATE DATABASE [TestDB] ON PRIMARY&nbsp;( NAME = N'TestDB', FILENAME = N'C:\TestDB.mdf', SIZE = 3072KB, FILEGROWTH = 1024KB )<BR>&nbsp;LOG ON ( NAME = N'TestDB_log', FILENAME = N'C:\TestDB_log.ldf', SIZE = 1024KB, FILEGROWTH = 10%)<BR>GO</P> <P>-- set option<BR>EXEC dbo.sp_dbcmptlevel @dbname=N'TestDB', @new_cmptlevel=90<BR>GO</P> <P>-- first time test with TRUSTWORTHY = OFF</P> <P>ALTER DATABASE [TestDB] SET TRUSTWORTHY OFF<BR>GO</P> <P>-- create login Test<BR>USE [master]<BR>GO<BR>CREATE LOGIN [Test] WITH PASSWORD=N'111', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF<BR>GO</P> <P>USE [TestDB]<BR>GO</P> <P>-- create user test<BR>CREATE USER [Test] FOR LOGIN [Test]<BR>GO</P> <P>-- create test DDL trigger - fired on any DENY event<BR>CREATE TRIGGER [ddl_test_trigger]<BR>ON DATABASE <BR>FOR DENY_DATABASE<BR>AS <BR>&nbsp;<BR>SET NOCOUNT ON</P> <P>&nbsp;IF IS_SRVROLEMEMBER ('sysadmin') = 1<BR>&nbsp; PRINT 'Sysadmin found, security can be broken easily.'<BR>&nbsp;ELSE<BR>&nbsp; PRINT 'Sysadmin not found, you are in safe.'<BR>&nbsp;<BR>GO</P> <P>-- test under sysadmin (sa) account<BR>DECLARE @cmd nvarchar(1000)</P> <P><STRONG><EM>SET @cmd = 'DENY BACKUP DATABASE TO [Test]'</EM></STRONG> <BR><STRONG><EM>EXEC (@cmd)</EM><BR></STRONG>GO</P> <P>-- <STRONG>you'll see "Sysadmin found, security can be broken easily."</STRONG></P> <P>-- so the next step according to BOL - switch to lowest privileges context for desired operation<BR>DECLARE @cmd nvarchar(1000)<BR><STRONG><EM>SET @cmd = 'DENY BACKUP DATABASE TO [Test]' <BR>EXEC (@cmd) AS USER = 'dbo'<BR></EM></STRONG>GO</P> <P>-- <STRONG>you'll see now "Sysadmin not found, you are in safe."<BR></STRONG>-- Thats is our desired goal - to be in safe. Lets try to set TRUSTWORTHY ON</P> <P><STRONG><EM>ALTER DATABASE [TestDB] SET TRUSTWORTHY ON<BR></EM></STRONG>GO</P> <P>-- try again the "safe" version<BR>DECLARE @cmd nvarchar(1000)<BR><STRONG><EM>SET @cmd = 'DENY BACKUP DATABASE TO [Test]' <BR>EXEC (@cmd) AS USER = 'dbo'<BR></EM></STRONG>GO</P> <P>-- <STRONG>you'll see again "Sysadmin found, security can be broken easily."</STRONG></P> <P>-- clear objects<BR>USE Master<BR>GO</P> <P>DROP DATABASE [TestDB]<BR>GO</P> <P>DROP LOGIN [Test]<BR>GO</P> <P>--------------------------------------------------------</P> <P>As as result of this demo i would recommend you do not use TRUSTWORTHY ON on your databases. Otherwise before making any <BR>changes under 'sa' account in unknown databases please check TRUSTWORTHY setting for the database you are <BR>working with, because simple EXECUTE AS .... (even with cookie) will not&nbsp;protect you&nbsp;from loosing you privileges or <BR>GRANT 'sa' privileges to everybody (as explained in&nbsp;my previous articles). And be always in safe :-).</P> <P>--------------------------------------------------------</P> <P mce_keep="true">&nbsp;</P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1777963" width="1" height="1">SQL Server AdministrationSQL Server 2005 SecuritySQL Server 2005 AdministrationWorkaround for “Unable to set Default Schema for a group”.http://blogs.msdn.com/ikovalenko/archive/2007/01/27/workaround-for-unable-to-set-default-schema-for-a-group.aspxSat, 27 Jan 2007 23:02:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1543942Igor Kovalenko1http://blogs.msdn.com/ikovalenko/comments/1543942.aspxhttp://blogs.msdn.com/ikovalenko/commentrss.aspx?PostID=1543942<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">Let assume you are using Windows Authentication with SQL Server 2005,&nbsp; you've added a new server account for domain group and would like to give it a default schema.&nbsp; The properties window is the same for users and groups but&nbsp;the default schema field is enabled only for user entities.&nbsp;&nbsp;As a result you cannot&nbsp;add a default schema to a group. So if any member of [domain]\TestGroup will try to create table without explicit schema pointed in a statement (like CREATE TABLE t1 (ID int)), (s)he will always get an error.</FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman"></FONT></FONT></SPAN>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">You can see a long thread about this issue here <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><A href="http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=79418&amp;SiteID=1&amp;PageID=0"><FONT face="Times New Roman" color=#800080 size=3>http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=79418&amp;SiteID=1&amp;PageID=0</FONT></A><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">I’d like to show you a simple workaround.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">Before testing please create a Windows group like [domain]\TestGroup, create a dummy user [domain]\TestUser and make this user be a member of TestGroup. <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">USE [master]<BR>GO</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"></SPAN><o:p></o:p>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-- create login for the group<BR>CREATE LOGIN [FCOD\TestGroup] FROM WINDOWS WITH DEFAULT_DATABASE=[Northwind]<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>-- switch to database<BR>USE Northwind<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><BR>-- create dummy schema</SPAN><o:p></o:p></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">CREATE SCHEMA [dummy] – this is a schema for testing.<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-- create a database user for TestGroup (Windows group)<BR>CREATE USER [TestGroup] FOR LOGIN [FCOD\TestGroup]<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">ALTER AUTHORIZATION ON SCHEMA::[dummy] TO [TestGroup]<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">-- grant CREATE TABLE privilege, if you need others – please assign theirs here.<BR>GRANT CREATE TABLE TO [TestGroup]<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">GO<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">That’s all. Now TestUser can connect to SQL Server, Northwind database, and create table. Please reboot your computer, logon like TestUser and connect to SQL Server. When you will run <o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">CREATE TABLE t1 ( ID int )<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">you’ll see, that SQL engine will automatically:<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 54pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 54.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: Arial"><SPAN style="mso-list: Ignore">-<SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">create [domain]\TestUser schema in Northwind</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 54pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 54.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: Arial"><SPAN style="mso-list: Ignore">-<SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">create [domain]\TestUser database user in Northwind<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 54pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 54.0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-fareast-font-family: Arial"><SPAN style="mso-list: Ignore">-<SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">create table [domain\TestUser].t1 in Northwind<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Any user (member of [domain]\TestGroup) currently can connect to desired server, work with database and even create own tables in own schemas. No other actions required, and no rules required for any new member of TestGroup. <o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>If&nbsp;you&nbsp;like all table be created in dummy schema, you can use explicit schema like&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p>&nbsp;</o:p></SPAN></P><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">CREATE TABLE dummy.t1 ( ID int )</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt">.&nbsp;</o:p></SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1543942" width="1" height="1">SQL Server 2005TSQLSQL Server 2005 AdministrationSQL Server 2005: building security model based on DDL triggers.http://blogs.msdn.com/ikovalenko/archive/2007/01/15/sql-server-2005-building-security-model-based-on-triggers.aspxMon, 15 Jan 2007 03:13:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1467082Igor Kovalenko2http://blogs.msdn.com/ikovalenko/comments/1467082.aspxhttp://blogs.msdn.com/ikovalenko/commentrss.aspx?PostID=1467082<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Last month I’m working with a client to create something like non-standard security model. He asked for the following features:<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3>server–level management only for sa (server admin).<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3>database–level management for dbo (one or more dbo per database). Dbo is responsible for database's user management, update / refresh structure etc.; but dbo should not be able to alter database.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3>dbo as well as other database persons should not be able to make a database backup (or log file backup). This is necessary because database backups covered by Veritas software and any unwanted backup may hang database recovery process.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3>strong security, to restrict sa rights from been captured by dbo.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;</SPAN>So we’ve decided to start from server-level permissions. To capture server control somebody can run <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GRANT CONTROL SERVER TO test_user. <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">To run this statement you should be a member of sysadmin server role, but this is not a big problem for dbo at all (see below).<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3></FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">To prevent form this issue happens we’ve decided to use server-level events. Lets have a look :<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_restrict_any_serverlevelpermission]<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON ALL SERVER <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- i'm using event groups here, but it is possible to track events more precise.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR DDL_GDR_SERVER_EVENTS <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data XML<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @data<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">/*<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">&lt;EVENT_INSTANCE&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;EventType&gt;GRANT_SERVER&lt;/EventType&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;PostTime&gt;2007-01-12T19:28:39.580&lt;/PostTime&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;SPID&gt;63&lt;/SPID&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;ServerName&gt;NAME&lt;/ServerName&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;LoginName&gt;sa&lt;/LoginName&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;Grantor&gt;sa&lt;/Grantor&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;Permissions&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>&lt;Permission&gt;control server&lt;/Permission&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;/Permissions&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;Grantees&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;</SPAN><SPAN style="mso-spacerun: yes">&nbsp;&nbsp; </SPAN>&lt;Grantee&gt;test_user&lt;/Grantee&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;/Grantees&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;AsGrantor /&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;GrantOption&gt;0&lt;/GrantOption&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;CascadeOption&gt;0&lt;/CascadeOption&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;TSQLCommand&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>&lt;SetOptions ANSI_NULLS="ON" ANSI_NULL_DEFAULT="ON" ANSI_PADDING="ON" QUOTED_IDENTIFIER="ON" ENCRYPTED="FALSE" /&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>&lt;CommandText&gt;GRANT CONTROL SERVER TO test_user&lt;/CommandText&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;/TSQLCommand&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">&lt;/EVENT_INSTANCE&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">*/<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @event_type nvarchar(200), @login_name sysname, @grantor sysname, @grantee sysname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- actualy you can find spid here, but this value useless<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SELECT @event_type = @data.value('(/EVENT_INSTANCE/EventType)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @login_name = @data.value('(/EVENT_INSTANCE/LoginName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @grantor = @data.value('(/EVENT_INSTANCE/Grantor)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @grantee = @data.value('(/EVENT_INSTANCE/Grantees/Grantor)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- send email to sa before you will raise error<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--EXEC msdb.dbo.sp_send_dbmail @recipients='server_admin@Adventure-Works.com',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@subject = 'Attempt to catch server-level permission',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body = @data,<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body_format = 'HTML'<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- additional features.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- 1. we can analyze &lt;grantor&gt; here to add some additional logic here.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- 2. you can analyze &lt;grantee&gt; list here to restrict the list of persons from been granted server control (for example, by mistake or misprint).<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- 3. for demostration purposes we will restrict any kind of server-level permissions at all.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">RAISERROR ('GRANT/DENY/REVOKE SERVER level permission denied! Ask your server administrator.',10, 1)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ROLLBACK<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">That’s all. This trigger will inform server admin for any attempt to grant / deny / revoke any server level permission.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">After that we will prevent dbo from altering database the same way:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_restrict_alterdatabase] <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON ALL SERVER <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR ALTER_DATABASE, DROP_DATABASE<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data xml<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @trigger_name sysname, @LoginName sysname, @UserName sysname, @dbname sysname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @data<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">/*<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">&lt;EVENT_INSTANCE&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;EventType&gt;ALTER_DATABASE&lt;/EventType&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;PostTime&gt;2007-01-12T20:05:27.527&lt;/PostTime&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;SPID&gt;65&lt;/SPID&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;ServerName&gt;NAME&lt;/ServerName&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;LoginName&gt;sa&lt;/LoginName&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;DatabaseName&gt;TestSecurity&lt;/DatabaseName&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;TSQLCommand&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>&lt;SetOptions ANSI_NULLS="ON" ANSI_NULL_DEFAULT="ON" ANSI_PADDING="ON" QUOTED_IDENTIFIER="ON" ENCRYPTED="FALSE" /&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>&lt;CommandText&gt;ALTER DATABASE [TestSecurity] SET RECOVERY SIMPLE WITH NO_WAIT<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">&lt;/CommandText&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes">&nbsp; </SPAN>&lt;/TSQLCommand&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">&lt;/EVENT_INSTANCE&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">*/<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- send email to self before you will raise error<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- EXEC msdb.dbo.sp_send_dbmail @recipients='server_admin@Adventure-Works.com',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@subject = 'Attempt to alter database',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body = @data,<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body_format = 'HTML'<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- If you want to allow ALTER DATABASE operation to some person – please use &lt;login_name&gt; tag and add some logic here<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- If you want to exclude your personal databases from been tracked by this trigger – please pay attention on &lt;DatabaseName&gt; tag.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">RAISERROR ('ALTER DATABASE DISABLED!',10, 1)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ROLLBACK<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Also we will protect sa from any server-level authorization attemts:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_deny_alter_serverauthorization]<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON ALL SERVER <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR DDL_AUTHORIZATION_SERVER_EVENTS<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data XML<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @data<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- send email to self before you will raise error<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--EXEC msdb.dbo.sp_send_dbmail @recipients='server_admin@Adventure-Works.com',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@subject = 'Attempt to alter server-level object ownership',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body = @data,<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body_format = 'HTML'<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">RAISERROR ('Alter server-level authorization denied. Ask your server administrator.',10, 1)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ROLLBACK<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">That’s all for server-level section. Below we will describe some database-level triggers. To improve your audit procedures you (server administrator) can use WITH ENCRYPTION option to prevent dbo from viewing the sources.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">The first goal is to protect database from any attempt of making backup. How we will cover this requirement:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3>sa will create a script, this script will DENY BACKUP DATABASE, BACKUP LOG for each database user. This option will restrict even dbo from making backup. Nobody from db_backupoperator will be able to make backup </FONT></SPAN></FONT><FONT size=3><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'; mso-char-type: symbol; mso-symbol-font-family: Wingdings"><SPAN style="mso-char-type: symbol; mso-symbol-font-family: Wingdings">J</SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">. Suddenly dbo or member of db_securityadmin still be able to return this privilege back with using GRANT BACKUP DATABASE TO &lt;account&gt;. Lets restrict these persons from been doing that.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_denybackup_for_new_user]<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON DATABASE <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR CREATE_USER<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data XML<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @data<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @user sysname, @stmt nvarchar(4000)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @user = @data.value('(/EVENT_INSTANCE/ObjectName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @user<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @stmt = 'DENY BACKUP DATABASE, BACKUP LOG TO ' + @user<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN><FONT size=3><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">-- here it is necessary to add some logic to check for SQL injection, sysname (nvarchar(256)) are to long. Please do that </FONT></SPAN><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'; mso-char-type: symbol; mso-symbol-font-family: Wingdings"><SPAN style="mso-char-type: symbol; mso-symbol-font-family: Wingdings">J</SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">EXEC(@stmt)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">This trigger will deny backup privilege for any new database user. The&nbsp;following trigger&nbsp;will prevent anybody from restoring BACKUP DATABASE privilege.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_prevent_grant_events]<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON DATABASE <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR GRANT_DATABASE<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data XML<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT @data<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @permission sysname, @login_name sysname, @user_name sysname, @dbname sysname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @grantor sysname, @grantee sysname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SELECT @permission = @data.value('(/EVENT_INSTANCE/Permissions/Permission)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @login_name = @data.value('(/EVENT_INSTANCE/LoginName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @user_name = @data.value('(/EVENT_INSTANCE/UserName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @dbname = @data.value('(/EVENT_INSTANCE/DatabaseName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @grantor = @data.value('(/EVENT_INSTANCE/Grantor)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @grantee = @data.value('(/EVENT_INSTANCE/Grantees/Grantee)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">IF UPPER(@permission) in ('CONTROL', 'BACKUP DATABASE', 'BACKUP LOG')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">BEGIN<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>-- send email to self before you will raise error<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>-- EXEC msdb.dbo.sp_send_dbmail @recipients='server_admin@Adventure-Works.com',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@subject = 'Attempt to take database ownership',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body = @data,<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body_format = 'HTML'<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>RAISERROR ('Option restricted. Please contact system administrator.', 16, 1)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>ROLLBACK <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">END<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">That’s all what you need. You can create this trigger, log into database as dbo and check the following:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Use &lt;test_security_database&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GRANT CONTROL TO &lt;any_user&gt;<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GRANT BACKUP DATABASE TO &lt;any_user&gt;</FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"></FONT></FONT></SPAN>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Suddenly hungry dbo can drop your triggers from his/her database. Lets protect our trigger for dbo too.</FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">Be very careful to create this trigger on your production database – you will have to think how to drop it after that </FONT></SPAN><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'; mso-char-type: symbol; mso-symbol-font-family: Wingdings"><SPAN style="mso-char-type: symbol; mso-symbol-font-family: Wingdings">J</SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">CREATE TRIGGER [ddl_prevent_drop_trigger]<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">ON DATABASE <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">FOR DROP_TRIGGER, ALTER_TRIGGER<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">AS <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @data xml<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">DECLARE @trigger_name sysname, @LoginName sysname, @UserName sysname, @dbname sysname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SET @data = EVENTDATA()<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">SELECT @trigger_name = @data.value('(/EVENT_INSTANCE/ObjectName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @LoginName = @data.value('(/EVENT_INSTANCE/LoginName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @UserName = @data.value('(/EVENT_INSTANCE/UserName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, @dbname = @data.value('(/EVENT_INSTANCE/DatabaseName)[1]','sysname')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--SELECT [trigger_name] = @trigger_name<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, [LoginName] = @LoginName<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, [UserName] = @UserName<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">--<SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>, [DBname] = @dbname<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">IF @trigger_name in ('ddl_prevent_drop_trigger', 'ddl_denybackup_for_new_user', <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>'ddl_prevent_grant_events')<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>BEGIN<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>-- send email to self before you will raise error<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>-- EXEC msdb.dbo.sp_send_dbmail @recipients='server_admin@Adventure-Works.com',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@subject = 'Attempt to drop trigger',<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body = @data,<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>--<SPAN style="mso-spacerun: yes">&nbsp;&nbsp;&nbsp; </SPAN>@body_format = 'HTML'<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>RAISERROR ('Please don''t touch this object!', 16, 1)<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 2">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>ROLLBACK<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-tab-count: 1">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>END<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">-- drop all other trigger <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">GO<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">This trigger will protect self and other triggers. This technology can be used to protect important information from been deleted / altered by mistake.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman" size=3>Here is the end of successful story. You can build your additional security model with using server / database events or event groups. For more detail please have a look </FONT><A href="http://msdn2.microsoft.com/en-us/library/ms189871.aspx" mce_href="http://msdn2.microsoft.com/en-us/library/ms189871.aspx"><FONT face="Times New Roman" color=#800080 size=3>here</FONT></A><FONT face="Times New Roman" size=3> and </FONT><A href="http://msdn2.microsoft.com/en-us/library/ms191441.aspx" mce_href="http://msdn2.microsoft.com/en-us/library/ms191441.aspx"><FONT face="Times New Roman" color=#800080 size=3>here</FONT></A><FONT size=3><FONT face="Times New Roman">. <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Now I will show you how to pass through this “security” and why this kind of security doesn’t make sense (at least with using SQL Server 2005 sp1).<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Let’s assume you are dbo and you’ve decided to grant control over the server. You will create the trigger for each your database:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">CREATE</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US">&nbsp;</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">TRIGGER</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US"> dbo</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; mso-ansi-language: EN-US">.</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US">MyNiceTrigger </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">ON&nbsp;DATABASE </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">WITH ENCRYPTION </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">FOR&nbsp;ALTER_OBJECT, DROP_TRIGGER, ALTER_TRIGGER – put here all possible database events </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">AS</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">BEGIN<o:p></o:p></FONT></SPAN></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">SET NOCOUNT ON</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; mso-ansi-language: EN-US">;<o:p></o:p></SPAN></FONT></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">IF</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: fuchsia; FONT-FAMILY: Arial; mso-ansi-language: EN-US">IS_SRVROLEMEMBER</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">(</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">'sysadmin'</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">=</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> 1</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">begin</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">SET @sqlstr</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">=</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">'use master</SPAN><SPAN lang=EN-US style="COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">GRANT CONTROL SERVER TO &lt;dbo_account&gt; '</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">EXEC </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: maroon; FONT-FAMILY: Arial; mso-ansi-language: EN-US">sp_executesql</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> @sqlstr</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">End<o:p></o:p></FONT></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">END<o:p></o:p></FONT></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">GO<o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">After that ask&nbsp;server admin (sa)&nbsp;to make any changes in your database (or wait for a while when this will happens). After sa will change something this trigger fired and…. Server-level trigger will catch your attempt. Lets improve our trigger a little. As you can see there is no event to subscribe for disable trigger action. So lets try to use it </FONT></SPAN><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'; mso-char-type: symbol; mso-symbol-font-family: Wingdings"><SPAN style="mso-char-type: symbol; mso-symbol-font-family: Wingdings">J</SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT face="Times New Roman">.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes"></SPAN></FONT></FONT></SPAN>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman"><SPAN style="mso-spacerun: yes"></SPAN></FONT></FONT></SPAN><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">CREATE</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US">&nbsp;</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">TRIGGER</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US"> dbo</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; mso-ansi-language: EN-US">.</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US">MyNiceTrigger </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">ON&nbsp;DATABASE </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">WITH ENCRYPTION </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">FOR&nbsp;ALTER_OBJECT, DROP_TRIGGER, ALTER_TRIGGER – put here all possible database events </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">AS</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></FONT></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">BEGIN<o:p></o:p></FONT></SPAN></P> <P><FONT face="Times New Roman"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US">SET NOCOUNT ON</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; mso-ansi-language: EN-US">;<o:p></o:p></SPAN></FONT></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">IF</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: fuchsia; FONT-FAMILY: Arial; mso-ansi-language: EN-US">IS_SRVROLEMEMBER</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">(</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">'sysadmin'</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">)</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">=</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> 1</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">Begin<o:p></o:p></SPAN></P> <P style="MARGIN-LEFT: 36pt"><FONT face="Times New Roman"><SPAN style="FONT-SIZE: 10pt; COLOR: blue">SET</SPAN><SPAN style="FONT-SIZE: 10pt"> @sqlstr<SPAN style="COLOR: gray">=</SPAN><SPAN style="COLOR: red">'DISABLE Trigger ALL ON ALL SERVER'<o:p></o:p></SPAN></SPAN></FONT></P> <P style="MARGIN-LEFT: 36pt"><FONT face="Times New Roman"><SPAN style="FONT-SIZE: 10pt; COLOR: blue">EXEC</SPAN><SPAN style="FONT-SIZE: 10pt"> <SPAN style="COLOR: maroon">sp_executesql</SPAN> @sqlstr<o:p></o:p></SPAN></FONT></P> <P style="MARGIN-LEFT: 36pt"><FONT face="Times New Roman"><SPAN style="FONT-SIZE: 10pt; COLOR: blue">SET</SPAN><SPAN style="FONT-SIZE: 10pt"> @sqlstr<SPAN style="COLOR: gray">=</SPAN><SPAN style="COLOR: red">'DISABLE Trigger ALL ON DATABASE'<o:p></o:p></SPAN></SPAN></FONT></P> <P style="MARGIN-LEFT: 36pt"><FONT face="Times New Roman"><SPAN style="FONT-SIZE: 10pt; COLOR: blue">EXEC</SPAN><SPAN style="FONT-SIZE: 10pt"> <SPAN style="COLOR: maroon">sp_executesql</SPAN> @sqlstr<o:p></o:p></SPAN></FONT></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">SET @sqlstr</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: gray; FONT-FAMILY: Arial; mso-ansi-language: EN-US">=</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">'use master</SPAN><SPAN lang=EN-US style="COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: red; FONT-FAMILY: Arial; mso-ansi-language: EN-US">GRANT CONTROL SERVER TO &lt;dbo_account&gt; '</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P style="TEXT-INDENT: 36pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US">EXEC </SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: maroon; FONT-FAMILY: Arial; mso-ansi-language: EN-US">sp_executesql</SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"> @sqlstr</SPAN><SPAN lang=EN-US style="COLOR: blue; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">End<o:p></o:p></FONT></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">END<o:p></o:p></FONT></SPAN></P> <P><SPAN lang=EN-US style="FONT-SIZE: 10pt; COLOR: blue; mso-ansi-language: EN-US"><FONT face="Times New Roman">GO<o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Common conclusion. Nobody can protect sa. <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Conclusion for sa: <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l1 level1 lfo2; tab-stops: list 36.0pt"><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings"><SPAN style="mso-list: Ignore"><FONT size=3>n</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">if you are working with databases – please don’t use sa privileges, please re-logon under appropriate account with minimal privileges.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l1 level1 lfo2; tab-stops: list 36.0pt"><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings"><SPAN style="mso-list: Ignore"><FONT size=3>n</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">create some audit procedures for your server. It is possible to scan triggers / procedures bodies for harm code by phrases (at least try to do that).</FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l1 level1 lfo2; tab-stops: list 36.0pt"><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings"><SPAN style="mso-list: Ignore"><FONT size=3>n</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">create small trigger for CREATE_TRIGGER and CREATE_PROCEDURE event in every database). Try to scan object body for potential problems.<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">Conclusion for dbo:<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l1 level1 lfo2; tab-stops: list 36.0pt"><SPAN lang=EN-US style="FONT-FAMILY: Wingdings; mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingdings"><SPAN style="mso-list: Ignore"><FONT size=3>n</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US; mso-bidi-font-size: 10.0pt"><FONT size=3><FONT face="Times New Roman">…. It’s simple. You are always winner in this situation. Hope&nbsp;DISABLE_TRIGGER will be in the list of allowed events soon.</FONT></FONT></SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1467082" width="1" height="1">SQL Server 2005 SecuritySQL Server 2005 Administrationdb_securityadmin is very powerfull and … dangerous.http://blogs.msdn.com/ikovalenko/archive/2007/01/15/db-securityadmin-is-very-powerfull-and-dangerous.aspxMon, 15 Jan 2007 01:58:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:1466833Igor Kovalenko4http://blogs.msdn.com/ikovalenko/comments/1466833.aspxhttp://blogs.msdn.com/ikovalenko/commentrss.aspx?PostID=1466833<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p><FONT face="Times New Roman" size=3></FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">Few days ago I worked for one client. He uses the following business model: <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3>dbo usually responsible for high level database design and maintenance;<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3>all database users organized in additional security groups for security purposes;<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt 36pt; TEXT-INDENT: -18pt; mso-list: l0 level1 lfo1; tab-stops: list 36.0pt"><FONT face="Times New Roman"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><SPAN style="mso-list: Ignore"><FONT size=3>-</FONT><SPAN style="FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN></SPAN></SPAN><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3>dedicated person is responsible for user’s security maintenance, (s)he is able to assign user to explicit (one or more) application security group. This dedicated person is a department’s secretary, (s)he is trusted person, has only right to run simple SELECT statement on some tables, but (s)he is member of db_securityadmin database role.<o:p></o:p></FONT></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">Firstly it seems to me that security rules are appropriate and nothing can happen. Secretary is unable to maintain built-in database roles like db_datawriter etc. <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">Please login under account – member of db_securityadmin to check <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">SELECT * FROM fn_my_permissions(N'db_name', N'DATABASE')<BR style="mso-special-character: line-break"><BR style="mso-special-character: line-break"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">you will get the following list of privileges (according to BOL). <o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><STRONG><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">--&nbsp;&nbsp;ALTER ANY APPLICATION ROLE</SPAN></STRONG><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US; mso-bidi-font-weight: bold"><BR><STRONG><SPAN style="FONT-FAMILY: Arial">--&nbsp;&nbsp;ALTER ANY ROLE</SPAN></STRONG><BR><STRONG><SPAN style="FONT-FAMILY: Arial">--&nbsp;&nbsp;CREATE SCHEMA</SPAN></STRONG><BR><STRONG><SPAN style="FONT-FAMILY: Arial">--&nbsp;&nbsp;VIEW DEFINITION</SPAN></STRONG></SPAN><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">But if you run <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">GRANT CONTROL TO &lt;secretary&gt; -- grant database control to self<o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><FONT size=3><FONT face="Times New Roman">and try to run <o:p></o:p></FONT></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="mso-ansi-language: EN-US"><o:p><FONT face="Times New Roman" size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">SELECT * FROM fn_my_permissions(N'db_name', N'DATABASE')<BR style="mso-special-character: line-break"><BR style="mso-special-character: line-break"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">after that to ensure &lt;secretary&gt; now become dbo! <o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">Please be careful to use odd database security groups. Also only trusted person should be assigned to this group. As for now (SQL Server 2005 member of db_securityadmin) equal to database owner.</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US">Next article I will show you potential problems in more details.<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN lang=EN-US style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; mso-ansi-language: EN-US"><o:p></o:p></SPAN></P><img src="http://blogs.msdn.com/aggbug.aspx?PostID=1466833" width="1" height="1">SQL Server 2005 SecuritySQL Server 2005 Administration