
Module 9

Configuring Security for SQL Server Agent
Module Overview

• Understanding SQL Server Agent Security
• Configuring Credentials
• Configuring Proxy Accounts
Lesson 1: Understanding SQL Server Agent Security

• Overview of Security in SQL Server Agent
• SQL Server Agent Roles
• Discussion: Job Dependencies in SQL Server Agent
• Assigning Security Contexts to SQL Server Agent Job Steps
• Troubleshooting Security in SQL Server Agent
• Demonstration: Assigning a Security Context to Job Steps
Overview of Security in SQL Server Agent

• SQL Server Agent is a Windows service, so a service account is required
• Agent service account:
  • A dedicated Windows domain account is recommended
  • Local System and Network Service are supported, but are not recommended
• By default, job steps that interact with the operating system execute under the security context of the service account
SQL Server Agent Roles

• SQLAgentUserRole
  • Manage own jobs

• SQLAgentReaderRole
  • Manage own jobs
  • View definitions for jobs owned by other users

• SQLAgentOperatorRole
  • Manage own jobs
  • View definitions for jobs owned by other users
  • Enable and disable jobs owned by other users
Discussion: Job Dependencies in SQL Server Agent

• Question: Which SQL Server resources would SQL Server Agent jobs potentially depend upon?

• Question: Which resources outside SQL Server might SQL Server Agent jobs depend upon?

• Question: Which permissions are needed for accessing the external resources?
Assigning Security Contexts to SQL Server Agent Job Steps

• Transact-SQL job steps
  • Typically executed in the security context of the job owner
  • Members of sysadmin impersonate the SQL Server Agent service account, or can impersonate other database users
• Other job step types
  • Executed by sysadmin using the service account
  • Other logins must use a proxy account

• Proxy accounts
  • Enable a job step to impersonate a Windows identity
  • Are associated with one or more job step subsystems
Troubleshooting Security in SQL Server Agent
Demonstration: Assigning a Security Context to Job Steps

In this demonstration, you will see the effect of SQL Server Agent job ownership on the security context of job steps
Lesson 2: Configuring Credentials

• Overview of Credentials
• Configuring Credentials
• Managing Credentials
• Demonstration: Configuring Credentials
Overview of Credentials

• Authentication for a resource or system outside the database engine instance
  • Typically Windows user name and password
  • Third-party cryptographic providers are also supported

• Some system credentials are created automatically during SQL Server installation (## prefix)
Configuring Credentials

• Configure credentials by using the CREATE CREDENTIAL command or through SSMS
• Passwords are encrypted by using the master server encryption key
• When the master server encryption key is changed, stored passwords are automatically re-encrypted for the new key

CREATE CREDENTIAL FileOperation
WITH IDENTITY = 'ADVENTUREWORKS\FileSystemServices',
     SECRET = 'Pa$$w0rd';
GO
Managing Credentials

• sys.credentials catalog view
• ALTER CREDENTIAL
  • Both the identity and the secret are always updated

ALTER CREDENTIAL FileOperation
WITH IDENTITY = 'ADVENTUREWORKS\FileOps',
     SECRET = 'Pa$$w0rd1';
GO

• DROP CREDENTIAL
Demonstration: Configuring Credentials

In this demonstration, you will see how to work with credentials
Lesson 3: Configuring Proxy Accounts

• Overview of Proxy Accounts
• Managing Proxy Accounts
• Demonstration: Configuring Proxy Accounts
Overview of Proxy Accounts

• Job step subsystems:
  • Proxy accounts can be associated with one or more of the SQL Server Agent job step subsystems
  • A proxy account cannot be used to run a job step using a subsystem it does not have an association with
• Proxy account permissions:
  • Being referenced as a proxy account does not change the permissions of the credential
  • Only members of sysadmin can create and use proxy accounts by default
  • Permission to use proxy accounts can be granted to members of the SQL Server Agent fixed roles
Managing Proxy Accounts

• Proxy account configuration stored in msdb
• Proxy account catalog views:
  • dbo.sysproxies
  • dbo.sysproxylogin
  • dbo.sysproxyloginsubsystem
  • dbo.syssubsystems

• Manage proxy accounts through SSMS, or by using system stored procedures in msdb
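
The credential-to-proxy-to-job-step sequence from Lessons 2 and 3, as an added T-SQL example that is not part of the original course material. FileOperation is the credential created earlier and Generate Sales Log is the job named in the lab review; the proxy name, the login ADVENTUREWORKS\JobOwner and the step number are assumptions made for illustration.

```sql
USE msdb;
GO

-- 1. Create a proxy that wraps the FileOperation credential created earlier.
--    'FileOperationProxy' is a hypothetical name chosen for this example.
EXEC dbo.sp_add_proxy
    @proxy_name      = N'FileOperationProxy',
    @credential_name = N'FileOperation',
    @enabled         = 1,
    @description     = N'Runs SSIS job steps as the FileOperation identity';

-- 2. Associate the proxy with only the subsystem it needs.
--    subsystem_id 11 = SSIS package execution (listed in dbo.syssubsystems).
EXEC dbo.sp_grant_proxy_to_subsystem
    @proxy_name   = N'FileOperationProxy',
    @subsystem_id = 11;

-- 3. Allow a non-sysadmin job owner to use the proxy.
--    ADVENTUREWORKS\JobOwner is a hypothetical login.
EXEC dbo.sp_grant_login_to_proxy
    @login_name = N'ADVENTUREWORKS\JobOwner',
    @proxy_name = N'FileOperationProxy';

-- 4. Run the job step under the proxy instead of the Agent service account.
--    Step 1 is assumed to be the SSIS step of the lab's job.
EXEC dbo.sp_update_jobstep
    @job_name   = N'Generate Sales Log',
    @step_id    = 1,
    @proxy_name = N'FileOperationProxy';
GO

-- 5. Review: which Windows identity each proxy maps to and on which
--    subsystems it may run, so over-broad associations stand out.
SELECT p.name AS proxy_name, p.enabled,
       c.credential_identity, s.subsystem
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c ON c.credential_id = p.credential_id
LEFT JOIN dbo.sysproxysubsystem AS ps ON ps.proxy_id = p.proxy_id
LEFT JOIN dbo.syssubsystems AS s ON s.subsystem_id = ps.subsystem_id
ORDER BY p.name, s.subsystem;

-- 6. Review: which principals have been granted use of the proxy.
EXEC dbo.sp_enum_login_for_proxy @proxy_name = N'FileOperationProxy';
GO
```
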
Demonstration: Configuring Proxy Accounts

In this demonstration, you will see how to configure and use a SQL Server Agent proxy account
Lab: Configuring Security for SQL Server Agent

• Exercise 1: Analyzing Security Problems in SQL Server Agent
• Exercise 2: Configuring a Credential
• Exercise 3: Configuring a Proxy Account
• Exercise 4: Configuring and Testing the Security Context of the Job
Logon Information
Virtual machine: 20764C-MIA-SQL
User name: ADVENTUREWORKS\Student
Password: Pa55w.rd

Estimated Time: 60 minutes


Lab Scenario

A new SQL Server Integration Services package that is triggered by a SQL Server Agent job on the MIA-SQL instance is failing. It is likely that a security issue is causing the job to fail. In this lab, you will review the reasons why the job is failing, correct the situation through the use of credentials and proxy accounts, and assign a proxy account to the SQL Server Agent job to correct the issue.
Lab Review

• The SQL Server Integration Services package in this lab uses SQL Server Authentication to connect to the MIA-SQL instance to extract data. If the SQL Server Integration Services package were configured to use Windows authentication for its database connection, under what security context is the connection made when the Generate Sales Log job is executed by ADVENTUREWORKS\Administrator?
• Assume that the exercise was successfully completed when you are selecting your answer.
Module Review and Takeaways

• Review Question(s)
• Best Practice
