none
credential usage

    Question

  • Hello,

    writing a book abt SQL Server security, so asking here some questions I have a hard time finding answers to by my own.

    Do you know what usage, except SQL Agent, can be made for a CREDENTIAL ? backups and BULK INSERT do not use it, so is there any functionality taking advantage of it ?

    thank you

    Friday, January 13, 2012 5:12 PM

Answers

  • Although I have only used Credentials to grant external access to SQL Agent Proxies, the same mechanism is documented to be for Logins as well.

    http://msdn.microsoft.com/en-us/library/ms161950.aspx

    This grants the login in SQL Server (whether a Windows login or a SQL Server login) the ability to interact with Windows and the domain under the rights granted to the Credential's login.  

    For a Windows login, this may not be needed often since the Windows login itself has Windows rights, but this would allow you to change the rights that the login uses.

    For SQL Server logins there are no direct rights with which to interact with Windows and the domain.  Therefore a credential grants such a login the external rights needed.

    Also, if you search around you will see that Credential play a role in EKM and encryption.

    http://msdn.microsoft.com/en-us/library/bb895340.aspx

    RLF

    • Marked as answer by Peja Tao Wednesday, February 01, 2012 7:19 AM
    Friday, January 13, 2012 10:27 PM

All replies

  • Although I have only used Credentials to grant external access to SQL Agent Proxies, the same mechanism is documented to be for Logins as well.

    http://msdn.microsoft.com/en-us/library/ms161950.aspx

    This grants the login in SQL Server (whether a Windows login or a SQL Server login) the ability to interact with Windows and the domain under the rights granted to the Credential's login.  

    For a Windows login, this may not be needed often since the Windows login itself has Windows rights, but this would allow you to change the rights that the login uses.

    For SQL Server logins there are no direct rights with which to interact with Windows and the domain.  Therefore a credential grants such a login the external rights needed.

    Also, if you search around you will see that Credential play a role in EKM and encryption.

    http://msdn.microsoft.com/en-us/library/bb895340.aspx

    RLF

    • Marked as answer by Peja Tao Wednesday, February 01, 2012 7:19 AM
    Friday, January 13, 2012 10:27 PM
  • Hello,

     

    thank you ! I have seen the EKM access. I guess there is no other usage for credentials outside of SQL Agent. I don't see any mention in BOL more precise than "resources outside of SQL ..." except for EKM, and the proxy used for xp_cmdshell... and the passwords for database mater keys, but it is not an external access per se, just used to store the password.

    I tried with BACKUP, RESTORE, BULK INSERT. Those commands use the SQL Service account. So I give up, that must be it.

    Saturday, January 14, 2012 8:53 AM