Objective
This document provides an overview of the HP SQL Server standards. Unless specifically mentioned, the stated position applies to all versions of SQL Server. Any and all exceptions to these standards must be approved by GDBA.
Revision History
Version 0.01, 11.1.2006, Brad Borgerding: Initial draft.
Version 1.00, 11.22.2006, Brad Borgerding: Initial version.
Version 1.01, 2.2.2007, Brad Borgerding: Provided clarification about where an SSIS/DTS package could be stored.
Table of Contents
Objective (page 1)
Revision History (page 1)
Table of Contents (page 1)
SQL Server 2005 Installation Standards (page 2)
Feature Set (page 2)
Security (page 4)
Miscellaneous (page 4)
1 HP Restricted
SQL Server 2005 Installation Standards
Topic: Port
Topic: Installation path
Topic: Instance Name
Topic: Authentication mode
Topic: Collation settings
SQL Server Standards
Feature Set
This lists some of the major features within SQL Server. If a feature is not listed, consider it prohibited.

Component: Analysis Services
Position: Not supported by GDBA. It is not allowed to be installed on a database server. Analysis Services requires a database to store its metadata. This database can be located on a separate server from where Analysis Services is located. SDBU is an excellent location for this database.

Component: Reporting Services
Position: Not supported by GDBA.

Component: Notification Services
Position: Not supported by GDBA.

Component: SQL Server Agent
Position: Not available for application use. Its use is restricted to supporting SQL Server functionality such as replication, backups, etc.

Component: SSIS/DTS (SQL Server Integration Services, SQL 2005 / Data Transformation Services, SQL 2000)
Position: Approved. SSIS/DTS packages are allowed within the GDBA support framework. The package can be stored within SQL Server or as an external file on a separate server. Execution of the package must be done from a separate server. SQL Server Agent can't be used for scheduling/executing packages.

Component: SQL Mail (sometimes called xp_sendmail)
Position: Prohibited. This is a MAPI based email tool provided with earlier versions of SQL Server. SQL Mail has caused server instability so it is not allowed. With SQL Server 2005, it has been deprecated but similar functionality is provided through a new feature called Database Mail. See Database Mail for more information.

Component: Database Mail
Position: Approved. (SQL Server 2005) Database Mail is a new feature in SQL Server 2005. It uses standard SMTP to send mail. Database Mail is enabled on all DCC installations but it is not configured. It should be configured only when an application requires it.

Component: xp_cmdshell
Position: Prohibited. xp_cmdshell spawns a Windows command shell that executes in the security context of the SQL Server service account, so anyone able to call it gains the service account's operating system privileges, which is a security vulnerability.

Component: Extended stored procedures (typically identified with an xp prefix)
Position: Prohibited. Extended stored procedures are DLLs that dynamically load and run in the SQL Server address space. They can produce memory leaks and can lead to server instability. Extended stored procedures have been deprecated in SQL Server 2005.

Component: Full Text Search
Position: Approved. (SQL Server 2005) Prohibited. (SQL Server 2000 and prior) Prior to SQL Server 2005, full text search had a number of issues that made support difficult. It wasn't cluster aware and it wasn't integrated with the database backup. With SQL Server 2005, those issues have been addressed.

Component: Linked Servers
Position: Approved but its use must be reviewed. (SQL Server 2005) Prohibited. (SQL Server 2000 and prior) Linked servers provide the ability to execute commands against OLE DB data sources on remote servers. In SQL Server 2000 and prior, there are numerous security issues in its use. SQL Server 2005 has addressed those concerns but the use of linked servers must still be reviewed by GDBA. Linked servers are sometimes used inappropriately.

Component: Replication
Position: Approved but its use must be reviewed. Replication in all its forms (merge, snapshot, transaction, peer-to-peer) can be used to create multiple copies of data but each instance of its use must be reviewed by GDBA.
Security

Topic: Elevated privileges
Position: Only granted to GDBA personnel. Elevated privileges include anything beyond Select, Insert, Update, Delete and the ability to create/maintain stored procedures.

Topic: sa account
Position: Account is disabled. (SQL Server 2005) GDBA use only. (SQL Server 2000 and prior) The sa account has full privileges within SQL Server. It has been used by worms and viruses to gain access to SQL Server.

Topic: sysadmin authority
Position: GDBA use only. Granted to the core GDBA SQL Server team and to the appropriate VCoE DBA team.

Topic: (topic name not recovered from the source)
Position: GDBA use only.

Topic: (topic name not recovered from the source)
Position: GDBA use only. Granted to the core GDBA SQL Server team and to the appropriate VCoE DBA team. Neither the application team nor any users have direct access to any GDBA database server.

Topic: Authentication mode
Position: Windows Authentication only (preferred and default). Windows and SQL Server Authentication (mixed mode) (allowed). Windows authentication allows a user to connect through their Windows account. With SQL Server authentication, a user is validated by providing a login name and password. Because the application never has to supply a password, Windows authentication is more secure. However, there are cases where Windows authentication will not work, such as connecting from a UNIX client, so mixed mode authentication is allowed.

Topic: (topic name not recovered from the source)
Position: Windows password policies are enforced. These policies are defined by the HP IT Security group. They call for passwords to adhere to complexity rules, to lock after 5 unsuccessful logins, and to expire within a time frame.
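The Feature Set and Security positions above can be verified on a running instance through the catalog views that SQL Server 2005 exposes. The following T-SQL script is an added example and is not part of the HP standards document or any GDBA tooling. It assumes a SQL Server 2005 or later instance, a connection permitted to read the server-level catalog views and msdb, and it uses its own result labels ('COMPLIANT' / 'NON-COMPLIANT'); items marked "review" produce lists that have to be compared by hand with what GDBA has approved.

```sql
-- Added example, not from the HP standards document: compliance checks for
-- the Feature Set and Security positions. Run in SSMS or sqlcmd against the
-- instance under review; the labels below are this script's own convention.
SET NOCOUNT ON;

-- 1. xp_cmdshell: the standard says Prohibited, so the option must be off (0).
SELECT 'xp_cmdshell disabled' AS check_name,
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'COMPLIANT' ELSE 'NON-COMPLIANT' END AS result
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Database Mail: enabled on every install but configured only on request.
--    The XPs option shows whether the feature is switched on; the profile
--    count shows whether anyone has actually configured it (expected 0
--    unless an application asked for it).
SELECT 'Database Mail XPs enabled' AS check_name,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'COMPLIANT' ELSE 'NON-COMPLIANT' END AS result
FROM sys.configurations
WHERE name = 'Database Mail XPs';

SELECT 'Database Mail profiles configured (review)' AS check_name,
       COUNT(*) AS profile_count
FROM msdb.dbo.sysmail_profile;

-- 3. Linked servers: allowed on 2005 only after GDBA review, so list every
--    one so it can be matched against the approved list.
SELECT 'Linked server (review)' AS check_name,
       name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1;

-- 4. sa account: must be disabled on SQL Server 2005. SID 0x01 is always sa,
--    even when the login has been renamed.
SELECT 'sa account disabled' AS check_name,
       CASE WHEN is_disabled = 1 THEN 'COMPLIANT' ELSE 'NON-COMPLIANT' END AS result
FROM sys.server_principals
WHERE sid = 0x01;

-- 5. sysadmin authority: GDBA use only. List the members so the set can be
--    compared with the GDBA core team and VCoE DBA team accounts.
SELECT 'sysadmin member (review)' AS check_name, m.name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 6. Authentication mode: Windows only is the preferred default; mixed mode
--    is allowed where a client (for example UNIX) cannot use Windows auth.
SELECT 'Authentication mode' AS check_name,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'Windows Authentication only (preferred)'
            ELSE 'Mixed mode (allowed; SQL logins must follow the Windows password policy)'
       END AS result;

-- 7. Password policy: with mixed mode, every SQL login should have the
--    Windows policy (complexity, lockout, expiry) enforced. Any row here
--    is a login that escapes that policy.
SELECT 'SQL login without Windows password policy' AS check_name, name
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 8. Elevated privileges: anything beyond DML and stored procedure
--    maintenance is GDBA-only, so report members of the powerful fixed
--    database roles in the current database (run once per database).
SELECT 'Elevated database role member (review)' AS check_name,
       r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_ddladmin');
```

Checks 1, 2, 4, 6 and 7 give a direct verdict; checks 3, 5 and 8 deliberately return lists rather than verdicts because the standard makes those items subject to GDBA review, and only GDBA holds the approved sets to compare against.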
Miscellaneous

Topic: Application code on the database server
Position: Prohibited. This includes any executables, DLLs, scripts, etc. SQL Server stored procedures are allowed.

Topic: (topic name not recovered from the source)
Position: Prohibited. No application data outside the actual database is allowed on the database server.

Topic: (topic name not recovered from the source)
Position: Prohibited. No file shares are allowed on the database servers. Since the application can't store any data on the server, there's no need to provide any shares.

Topic: (topic name not recovered from the source)
Position: Prohibited. The database servers are to run only the database and whatever it needs to function. IIS, Tidal or any other software is not allowed.