Skip to content

Latest commit

 

History

History
96 lines (79 loc) · 5.2 KB

Security.md

File metadata and controls

96 lines (79 loc) · 5.2 KB

DBA Dash Security

Service Account

The service account used for DBADash should be a member of the sysadmin role on the SQL instance and also be a member of the local "Administrators" group. It's possible to configure a user with a lower level of access but this might prevent DBA Dash from collecting certain information about your SQL instances.

Why local admin?

This is required to run WMI queries (optional). These are used to collect drive space, driver info and o/s info. If you don't want the tool to use WMI, select the "Don't use WMI" checkbox when adding an instance in the DBA Dash Service Config Tool. If you don't check this box, WMI collection will be attempted - resulting in a logged error if the user doesn't have access. If drive space isn't collected via WMI it will be collected through SQL instead - but only for drives that contain SQL files. You could provision the required WMI access to your service account.

Why SysAdmin?

If the tool doesn't run as sysadmin it won't be able to collect last good CHECKDB date as well as some other data from the registry like processor name, system manufacturer and model. Sysadmin can be granted using:

ALTER SERVER ROLE [sysadmin] ADD MEMBER [{LoginName}]

Running with Minimal Permissions

If you don't want to grant sysadmin access, you can assign the permissions listed below instead

Server Level Permissions:

  • View Server State
  • View Any Database
  • Connect Any Database
  • Alter Event Session (For Slow Query trace if used)
  • View Any Definition

MSDB Database:

  • Add user to the db_datareader role.
  • Add user to the SQLAgentReaderRole role

This script can be used to provision the required permissions:

/*
	Use this script to configure permissions for the DBA Dash service account if you don't want to use the sysadmin server role.
	DBA Dash can collect more data when running as sysadmin but most features and functionallity will work with a more limited account
	See here for details: https://github.com/trimble-oss/dba-dash/edit/main/Docs/Security.md

	On the destination connection the service will need to be a member of db_owner role on the repository database
	To allow the service to create the repository database you can use:
	GRANT CREATE ANY DATABASE TO {LoginName}
*/
DECLARE @LoginName SYSNAME = 'DBADashService' /* !!!! Replace with your own service login !!!! */
DECLARE @SQL NVARCHAR(MAX)
SET @SQL = N'
GRANT VIEW SERVER STATE TO ' + QUOTENAME(@LoginName) + '
GRANT VIEW ANY DATABASE TO ' + QUOTENAME(@LoginName) + '
GRANT CONNECT ANY DATABASE TO ' + QUOTENAME(@LoginName) + '
GRANT VIEW ANY DEFINITION TO ' + QUOTENAME(@LoginName) + '
GRANT ALTER ANY EVENT SESSION TO ' + QUOTENAME(@LoginName) + ' /* Required if you want to use slow query capture */
USE [msdb]
IF NOT EXISTS(SELECT * 
			FROM msdb.sys.database_principals
			WHERE name = ' + QUOTENAME(@LoginName,'''') + ')
BEGIN
	CREATE USER ' + QUOTENAME(@LoginName) + ' FOR LOGIN ' + QUOTENAME(@LoginName) + '
END
ALTER ROLE [db_datareader] ADD MEMBER ' + QUOTENAME(@LoginName) + '
ALTER ROLE [SQLAgentReaderRole] ADD MEMBER ' + QUOTENAME(@LoginName) + '
'
PRINT @SQL
EXEC sp_executesql @SQL

Repository Database Permissions

The service will also need db_owner permissions to the repository database. The repository database is created by clicking the "Deploy/Update Database" button in the service configuration tool, otherwise it's created when the service starts. To allow the service account to create the repository database you can use:

DECLARE @LoginName SYSNAME = 'DBADashService' /* !!!! Replace with your own service login !!!! */
DECLARE @SQL NVARCHAR(MAX)
SET @SQL = N'
GRANT CREATE ANY DATABASE TO ' + QUOTENAME(@LoginName) 
PRINT @SQL
EXEC sp_executesql @SQL

Or to grant the permissions after creating the repository database:

DECLARE @LoginName SYSNAME = 'DBADashService' /* !!!! Replace with your own service login !!!! */
DECLARE @RepositoryName SYSNAME = 'DBADashDB' /* !!!! Replace with your own Repository Database Name (default:DBADashDB) !!!! */
DECLARE @SQL NVARCHAR(MAX)
SET @SQL = N'
USE ' + QUOTENAME(@RepositoryName) + '
GO
CREATE USER ' + QUOTENAME(@LoginName) + ' FOR LOGIN ' + QUOTENAME(@LoginName) + '
GO
ALTER ROLE [db_owner] ADD MEMBER ' + QUOTENAME(@LoginName) 
PRINT @SQL
EXEC sp_executesql @SQL

Config file Security

The application configuration is stored in a "ServiceConfig.json" file. You can edit this manually but it's recommended to use the "DBADashServiceConfigTool.exe" app to ensure a valid configuration. Sensitive information like connection string passwords and AWS Secret key are encrypted automatically. This is done to avoid storing the data in plain text but it should be considered as obfuscation rather than encryption (due to the storage of encryption keys). Ideally you should use Windows authentication to connect to your SQL instances which avoids the need to store passwords in the config file.

If you are collecting data from remote SQL instances via a S3 bucket you could consider using IAM roles instead of specifying the credentials in the config file. I would also recommend creating a new S3 bucket and configure minimal permissions that allow only read/write access to the new bucket.