Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
100 Cards in this Set
- Front
- Back
|
Endpoints can be of two different transports: ____ and ______.
|
TCP
HTTP |
|
|
An endpoint has two basic parts: a ____ and a _____ .
|
transport
payload |
|
|
An endpoint can have one of three states:
|
STARTED
STOPPED DISABLED. |
|
|
The first layer of access security is determined by the _____ state.
|
endpoint
|
|
|
The second layer of security is permission to connect to the ______.
|
endpoint
|
|
|
You can create Transmission Control Protocol (TCP) endpoints with three different payloads:
|
TSQL
DATABASE_MIRRORING SERVICE_BROKER |
|
|
Because port ______ is the default TCP port number for a DATABASE_MIRRORING endpoint and _____ is the default TCP port for a TSQL endpoint, you might want to specify a different port number to avoid DOS attacks.
|
5022
1433 |
|
|
TSQL endpoints do not have any additional configuration options beyond the universal _____ settings.
|
TCP
|
|
|
When all Database Mirroring and Service Broker instances reside within a single domain or across trusted domains, you should use _____ authentication. When instances span non-trusted domains, you should use _______-based authentication.
|
Windows
certificate |
|
|
Use _____ for minimal encryption strength and best performance. Use _____ if you require strong encryption.
|
RC4
AES |
|
|
You can specify only one TCP endpoint with a payload of ________ for each instance of SQL Server.
|
DATABASE_MIRRORING
|
|
|
What are the two parts of an endpoint?
|
An endpoint has a transport defined as either TCP or HTTP and has a payload defined as TSQL, SERVICE_BROKER, DATABASE_MIRRORING, or SOAP.
|
|
|
What are the three states of an endpoint, and what is the difference between each state?
|
The three states are STARTED, STOPPED, and DISABLED. An endpoint that is STARTED listens for and allows connections. An endpoint that is STOPPED listens for connection requests and returns an error message. An endpoint that is DISABLED does not respond to any request.
|
|
|
What authority must be granted before an endpoint allows a connection request?
|
granted the CONNECT permission on the endpoint
|
|
|
What types of authentication are available for Service Broker and Database Mirroring endpoints?
|
NTML or Kerberos authentications can be specified. You can also specify an option of NEGOTIATE, which causes the specific authentication method to be negotiated between the application and the endpoint.
|
|
|
What are the two universal arguments for TCP endpoints?
|
You are required to specify a port for the endpoint to listen on. If you want, you can configure an IP address that restricts the endpoint to respond to traffic coming only from the specified IP address.
|
|
|
Endpoints in SQL Server act very similar to ________ by filtering out any traffic that does not meet allowed formats.
|
firewalls
|
|
|
Each endpoint has a transport that is defined as either ___ or _____.
|
TCP
HTTP |
|
|
Endpoints have a second part called the payload, which is defined as ____, _______, _____, or ______.
|
tsql
database_mirroring service_broker soap |
|
|
__________ endpoints are configured during installation to listen on the port number specified for the instance .
|
TSQL
|
|
|
_________ and _________endpoints can have an authentication method specified as well as enabled for encrypting all traffic sent based on an algorithm that you specify.
|
Service Broker
Database Mirroring |
|
|
How do you configure an instance so that only local connections are allowed?
|
The TCP/IP provider enables connections to be created to the instance remotely. By disabling the TCP/IP provider, you can create only local connections to the instance.
|
|
|
What do you use to enable or disable features for an instance?
|
The sp_configure system stored procedure is used to enable or disable features.
|
|
|
The first surface area configuration decision that you make occurs during installation, when you decide whether to force all login access to the instance to use _______ credentials.
|
Windows-only
|
|
|
You should disable the _______ for any instance that you do not want remote connections.
|
TCP/IP provider
|
|
|
The _______ tool is used to enable or disable features.
|
sp_configure
|
|
|
Logins within SQL Server 2008 can be five different types:
|
Standard SQL Server login
Windows login Windows group Certificate Asymmetric key |
|
|
You can create SQL Server logins mapped to ____ or ______ keys.
|
certificates
asymmetric |
|
|
Logins mapped to certificates and asymmetric keys are used internally as a ____________.
|
security container
|
|
|
When the ________ option (the default and recommended setting) is enabled, SQL Server 2008 enforces the Windows password policy settings when you create a SQL Server login.
|
CHECK_POLICY
|
|
|
____________is used to prevent brute force attacks against a login.
|
CHECK_EXPIRATION
|
|
|
Using Windows _______ provides the greatest flexibility for managing security access.
|
groups
|
|
|
role - Administer BCP and Bulk Insert operations
|
bulkadmin
|
|
|
role - Creates databases
|
dbcreator
|
|
|
role - Manage disk resources
|
diskadmin
|
|
|
role - Manage connections and start or pause an instance
|
processadmin
|
|
|
role - Create, alter, and drop logins, but can’t change passwords
|
securityadmin
|
|
|
role - Perform the same actions as diskadmin and processadmin, plus manage endpoints, change instance settings, and shut down the instance
|
serveradmin
|
|
|
role - Manage linked servers
|
setupadmin
|
|
|
role - Perform any action within the instance. Members cannot be prevented from accessing any object or performing any action.
|
sysadmin
|
|
|
______ users were added to replace application roles. Users still authenticate to the instance using their own credentials. The user’s login needs access to the database.
|
Loginless
|
|
|
Loginless users are designed to replace _____ roles. Loginless users also provide a much better audit trail than an application role because each user must authenticate to the ______ using their own credentials instead of using a generic account.
|
application
instance |
|
|
fixed role - Add or remove users in the database
|
db_accessadmin
|
|
|
fixed role - Back up the database but cannot restore a database or view any information in the database
|
db_backupoperator
|
|
|
fixed role - Issue SELECT against all tables, views, and functions within the database
|
db_datareader
|
|
|
fixed role - Issue INSERT, UPDATE, DELETE, and MERGE against all tables within the database. Members of this role must also be members of the db_datareader role.
|
db_datawriter
|
|
|
fixed role - Execute data defi nition language (DDL) statements
|
db_ddladmin
|
|
|
fixed role - Prevent SELECT against all tables, views, and functions within the database
|
db_denydatareader
|
|
|
fixed role - Prevent INSERT, UPDATE, DELETE, and MERGE against all tables within the database
|
db_denydatawriter
|
|
|
fixed role - Owner of the database that has full control over the database and all objects contained within the database
|
db_owner
|
|
|
fixed role - Manage the membership of roles and associated permissions, but cannot manage membership for the db_owner role
|
db_securityadmin
|
|
|
fixed role - Default group in every database that all users belong to
|
public
|
|
|
Which logins cannot be used to authenticate to an instance?
|
You cannot use logins that are mapped to a certificate or asymmetric key to authenticate to an instance.
|
|
|
What database principal was created as a replacement for an application role?
|
Loginless users are the replacement for an application role.
|
|
|
Logins can be mapped to certificates or asymmetric keys, but logins mapped to certificates or asymmetric keys cannot be used to authenticate to an ________.
|
instance
|
|
|
Since the _____account cannot be locked out, you should rename the account using the ALTER LOGIN command.
|
sa
|
|
|
Loginless users, created as a replacement to application roles, are users in a database that are not mapped to a ____.
|
login
|
|
|
_____ are the objects on which you grant permissions. Every object within SQL Server, including the entire instance, is a ________.
|
Securables
securable |
|
|
A stored procedure is nothing more than an ____ to the database, which means that developers do not even need to know the structure of the database.
|
API
|
|
|
To create a schema owned by another database principal, the user creating the schema must have ________ permission on the principal being designated as the schema owner.
|
IMPERSONATE
|
|
|
____________provide the basis for the encryption hierarchy within SQL Server and are also required to before you can create a certifi cate or asymmetric key.
|
Master keys
|
|
|
You have a single _____ for the entire instance along with a database ______ within each database.
|
service master key
master key |
|
|
By default the _________ is used to encrypt any
database master key that is created within the instance. |
service master key
|
|
|
A database master key must be generated explicitly using the following command:
|
CREATE MASTER KEY ENCRYPTION BY PASSWORD = ‘<StrongPasswrd>’
|
|
|
The database ________ is used to protect any certificates, symmetric keys, or asymmetric keys that are stored within a database
|
master key
|
|
|
A _________ certificate is essentially a fi le that is supplied by a certifi cate authority that validates the entity using the certifi cate
|
public
|
|
|
________certificates are generated by and used to protect data within an organization.
|
Private
|
|
|
How are principals, securables, and permissions related?
|
You can GRANT, REVOKE, or DENY permissions ON a securable TO a principal.
|
|
|
What is an ownership chain, and how can you have a broken ownership chain?
|
An ownership chain applies to objects that reference other objects within a database. The owner of the schema that contains the object is considered the owner of the object. SQL Server checks permissions for the first object that you access, as well as each time the owner changes within the calling stack. The chain
of object owners within a calling stack is called an ownership chain. You have a broken ownership chain when the object owner changes within a calling stack and you have not been granted sufficient permissions to continue accessing objects within the call stack. |
|
|
You GRANT permissions ON a _________TO a principal.
|
securable
|
|
|
All ________within SQL Server is secured. If you have not been granted permission on an object, you do not even see the object
|
metadata
|
|
|
Digital signatures can be applied to a code module through the ____________ statement to provide a means to escalate permissions only when you execute a specified module without allowing direct access to the underlying objects.
|
ADD SIGNATURE
|
|
|
An important feature of DDL triggers is the ability to _____ an action.
|
roll back
|
|
|
Within the execution context of the DDL trigger, you have access to a special function, __________, that provides information about the DDL action
|
EVENTDATA()
|
|
|
Which object can be used to audit as well as prevent most object changes?
|
DDL triggers can audit any DDL command. If the DDL command executes within a transaction, a DDL trigger can be used to roll back the DDL and prevent the can be used to roll back the DDL and prevent the
change from occurring |
|
|
Which object is required before you can create a server or database audit specification?
|
You must create a server audit object before a server or database audit specification can be created.
|
|
|
_____triggers can be created to fire when specific DDL events or events within a group are executed.
|
DDL
|
|
|
If the DDL event executes within the context of a transaction, you can use a _____trigger to prevent the action from occurring.
|
DDL
|
|
|
_________creates an instance of an audit object.
|
CREATE SERVER AUDIT
|
|
|
After you create an audit object, you can hook server and database audit specifications to the audit object in order to ___________auditing.
|
centrally manage
|
|
|
________can be encrypted using a hash, passphrase, symmetric key, asymmetric key, or a certificate.
|
Columns
|
|
|
__________are commonly used encryptions since they provide the best balance between securing data and performance. __________and __________ provide
the strongest encryption and decryption method. |
Symmetric keys
Asymmetric keys certificates |
|
|
A ________ is a one-way algorithm that allows you to encrypt data but does not allow decryption.
|
hash algorithm
|
|
|
SQL Server allows you to specify five different hash algorithms...
|
SHA, SHA1, MD2, MD4, and MD5
|
|
|
Hash algorithms are also platform-_______.
|
agnostic
|
|
|
A ________is a string of one or more characters that are added to the value before hashing.
|
salt
|
|
|
________keys provide the best possible performance for routine use of encrypted data.
|
symmetric
|
|
|
_______keys are generated by a key server within an organization and cannot be backed up or moved from one system to another.
|
Asymmetric
|
|
|
To prevent the theft of data as it resides on disk or within a backup, SQL Server 2008 introduced ______________
|
Transparent Data Encryption (TDE)
|
|
|
TDE provides real-time encryption and decryption services to ensure that data within the _______and ________ is encrypted.
|
files
backups |
|
|
TDE works by using an encryption key stored within the database _________.
|
boot record
|
|
|
The TDE key is encrypted by using a certificate within the __________database.
|
master
|
|
|
The process of implementing TDE on a database is as follows:
|
1. Create a database master key in the master database.
2. Create a certificate in the master database. 3. Create a database encryption key in the target database using the certificate in the master database. 4. Alter the database and enable encryption. |
|
|
You must back up the ______used for TDE and store the backup in a safe location. After you encrypt it, you cannot access your data without the ________.
|
certificate
certificate |
|
|
What object is required to implement TDE?
|
You must create a certificate in the master database that is used to encrypt the database encryption key.
|
|
|
What do you need to do to a hash algorithm to increase the complexity when the range of possible encryption values is small?
|
If the range of possible values to encrypt is small, you need to salt the hash value in order to defeat brute force attacks.
|
|
|
Data can be encrypted within tables using a _______, a _____, a _______key, an ________key, or a _________.
|
hash algorithm
passphrase symmetric key asymmetric key certificate |
|
|
A hash algorithm should be used with a salt value unless the range of values being encrypted is _________ to defeat a brute force attack.
|
large enough
|
|
|
_______is used to encrypt “data at rest.” The contents of the data and transaction log, along with any backups, are encrypted by the engine.
|
TDE
|
|
|
If you implement TDE, make certain that you have a backup of the ___________along with the _____; otherwise, you will not be able to restore a backup.
|
certificate
private key |
