SQL Server Security Interview Questions & Answers

SQL Server Security Interview Questions

Are you prepared in attending an interview? Are you worried for job interview preparation? Then do not worry, we’ve a right answer for your job interview preparation. SQL Server offers a security architecture which is designed to allow database administrators and developers to create secure database applications and counter threats. If you are preparing for SQL Server Security job interview and don’t know how to crack interview and what level or difficulty of questions to be asked in job interviews then go through Wisdomjobs SQL Server Security interview questions and answers page to crack your job interview. SQL Server Security is an architecture providing developers and administrators to create and secure the database. Below are the list of frequently asked SQL Server Security interview questions and answers which can make you feel comfortable to face the interviews:

SQL Server Security Interview Questions And Answers

SQL Server Security Interview Questions
    1. Question 1. What Is The Guest User Account In Sql Server? What Login Is It Mapped To It?

      Answer :

      The Guest user account is created by default in all databases and is used when explicit permissions are not granted to access an object.  It is not mapped directly to any login, but can be used by any login.  Depending on your security needs, it may make sense to drop the Guest user account, in all databases except Master and TempDB

    2. Question 2. What Is The Use Of Builtinadministrators Group In Sql Server?

      Answer :

      Any Windows login in BUILTINAdministrators group is by default a SQL Server system administrator. This single group can be used to manage administrators from a Windows and SQL Server perspective

    3. Question 3. We Have A List Of 3 Sql Server Logins Which Are Dedicated To A Critical Application. We Have Given All Required Rights To Those Logins. Now My Question Is We Have To Restrict The Access Only To These Three Logins. Means There Are Two Conditions: A) No Other User Should Be Able To Access The Database Except Those Three Logins B) Even For Those Three Logins They Should Be Able To Run Their Queries Only Through The Application. If Someone Login Through Ssms And Trying To Run A Query Should Result Into A Failure. Finally There Should Be Only Way To Running A Query Is From Their Application Using One Of Those Three Logins, There Should Be No Other Way To Run Queries On That Database. How Do You Restrict?

      Answer :

      Do not give access to any other login on that database except for those 3 app logins.

      Create a trigger that test each and every query like below

      IF app_name() in(‘SQL Query Analyzer’,’Microsoft SQL Server Management Studio’)

      raiserror (…..)


    4. Question 4. How To Resolve The Orphan Use Problem?

      Answer :

      To find out the orphan users:

      USE <database_name>;


      sp_change_users_login @Action='Report';


      To resolve the orphan user problem:

      10USE <database_name>;


      sp_change_users_login @Action='update_one', 




    5. Question 5. What Are The Fixed Server Level Roles?

      Answer :

      SysAdmin – Can perform any activity

      ServerAdmin – Can change server configuration, restart, shutdown server

      SecurityAdmin – Can manage server level logins, also can manage db level if they have permission on db

      Granted: ALTER ANY LOGIN

      ProcessAdmin – Can kill a process on an instance


      DiskAdmin – Can manage the disk files

      Granted: ALTER RESOURCES

      BulkAdmin – Can perform BULK INSERT


      SetupAdmin – Can add and remove linked servers


      Dbcreator – Can create, alter, drop and restore any database on the instance


      Public – Default role for newly created login

      sp_helpsrvrolemember : List out the members mapped with the server roles

    6. Question 6. What Are The Database Roles?

      Answer :

      • db_accessadmin – Granted: ALTER ANY USER, CREATE SCHEMA, Granted with Grant option – Connect
      • db_backupoperator – Granted: BACKUP DATABASE, BACKUP LOG, CHECKPOINT
      • db_datareader – Granted – SELECT
      • db_datawriter – Granted – INSERT, UPDATE and DELETE
      • db_ddladmin – Granted – Any DDL operation
      • db_denydatareader – Denied – SELECT
      • db_denydatawriter – Denied – INSERT, UPDATE and DELETE
      • db_owner – Granted with GRANT option: CONTROL
      • dbm_monitor – Granted: VIEW most recent status in Database Mirroring Monitor
      • sp_helprolemember : List out the members mapped with the server roles


      Fixed database roles are not equivalent to their database-level permission. For example, the db_owner fixed database role has the CONTROL DATABASE permission. But granting the CONTROL DATABASE permission does not make a user a member of the db_owner fixed database role.

    7. Question 7. What Are The Security Related Catalog Views?

      Answer :

      Server Level:

      • Sys.server_permissions
      • Sys.server_principals
      • Sys.server_role_members
      • Sys.sql_logins

      Database Level:

      • Sys.database_permissions
      • Sys.database_principals
      • Sys.database_role_members

    8. Question 8. What Are The Extra Roles Available In Msdb?

      Answer :

      db_ssisadmin: Equals to sysadmin

      db_ssisoperator: Import/Delete/Change Role of own packages

      db_ssisltduser: Only can view and execute the packages

      dc_admin: Can administrate and use the data collector

      dc_operator: Can administrate and use the data collector

      dc_proxy : Can administrate and use the data collector

      PolicyAdministratorRole: can perform all configuration and maintenance activities on Policy-Based Management policies and conditions.

      ServerGroupAdministratorRole : Can administrate the registered server group

      ServerGroupReaderRole: Can view and the registered server group

      dbm_monitor: Created in the msdb database when the first database is registered in Database Mirroring Monitor

    9. Question 9. If You Lose Rights To Your Sql Server Instance What Are The Options To Connect To Sql Server Instance?

      Answer :

      Option1: Use the Dedicated Administrator Connection

      Option2: Use BUILTINAdministrators Group

      Option3: Change Registry Values

    10. Question 10. What Objects Does The Fn_my_permissions Function Reports On?

      Answer :

      • SERVER
      • DATABASE
      • CHEMA
      • OBJECT
      • USER
      • LOGIN
      • ROLE
      • TYPE
      • SERVICE
      • ASSEMBLY
      • CONTRACT
      • ENDPOINT
      • ROUTE

      SELECT * FROM fn_my_permissions(NULL, ‘SERVER’);

      SELECT * FROM fn_my_permissions(‘AdventureWorks’, ‘DATABASE’);

      SELECT * FROM fn_my_permissions(‘Employee’, ‘OBJECT’)

    11. Question 11. Name Three Of The Features Managed By The Surface Area Configuration Tool?

      Answer :

      Ad-hoc remote queries

      • Common language runtime
      • Dedicated Administrator Connection
      • Database Mail
      • Native XML Web Services
      • OLE Automation
      • Service Broker
      • SQL Mail
      • Web Assistant
      • xp_cmdshell

    12. Question 12. What Options Are Available To Audit Login Activity?

      Answer :

      Custom solution with your application to log all logins into a centralized table

      • Enable login auditing at the instance level in Management Studio
      • Execute Profiler to capture logins into the instance
      • Leverage a third party product

    13. Question 13. How To Perform Backup For Certificates In Sql Server?

      Answer :

      • Using Native Backup
      • Using Backup Certificate Command

    14. Question 14. Name 3 Of The Features That The Sql Server Built-in Function Loginproperty Performs On Standard Logins?

      Answer :

      Date when the password was set

      • Locked out standard login
      • Expired password
      • Must change password at next login
      • Count of consecutive failed login attempts
      • Time of the last failed login attempt
      • Amount of time since the password policy has been applied to the login
      • Date when the login was locked out
      • Password hash

    15. Question 15. How Can Sql Server Instances Be Hidden?

      Answer :

      To hide a SQL Server instance, we need to make a change in SQL Server Configuration Manager. To do this launch SQL Server Configuration Manager and do the following: select the instance of SQL Server, right click and select Properties. After selecting properties you will just set Hide Instance to “Yes” and click OK or Apply. After the change is made, you need to restart the instance of SQL Server to not expose the name of the instance.

    16. Question 16. Is Profiler The Only Tool That Has The Ability To Audit And Identify Ddl Events?

      Answer :

      No. In SQL Server 2005 DDL triggers were introduced to audit CREATE, ALTER and DROP events for relational (stored procedures, functions, views, etc.) and security (certificates, logins, server, etc.) objects.

    17. Question 17. What Are Some Of The Pros And Cons Of Not Dropping The Sql Server Builtinadministrators Group?

      Answer :


      • Any Windows login is by default a SQL Server system administrator
      • This single group can be used to manage SQL Server from a system administrators perspective


      Any Windows login is by default a SQL Server system administrator, which may not be a desired situation

    18. Question 18. What Is Sql Injection And Why Is It A Problem?

      Answer :

      SQL Injection is an exploit where unhandledunexpected SQL commands are passed to SQL Server in a malicious manner.  It is a problem because unknowingly data can be stolen, deleted, updated, inserted or corrupted.

    19. Question 19. How Can Sql Injection Be Stopped?

      Answer :


      • Validate the SQL commands that are being passed by the front end
      • Validate the length and data type per parameter
      • Convert dynamic SQL to stored procedures with parameters
      • Prevent any commands from executing with the combination of or all of the following commands: semi-colon, EXEC, CAST,SET, two dashes, apostrophe, etc.
      • Based on your front end programming language determine what special characters should be removed before any commands are passed to SQL Server
      • Network Administration
      • Prevent traffic from particular IP addresses or domains
      • Review the firewall settings to determine if SQL Injection attacks can prevented
      • Remove old web pages and directories that are no longer in use because these can be crawled and exploited

    20. Question 20. How To Recover From Sql Injection?

      Answer :

      If for some reason the resolution implemented does not resolve the problem and the SQL Injection attack occurs again, the quickest path may be to do the following:

      • Shut down the web sites
      • Review the IIS logs to determine the commands issued and which web pagecommand has the vulnerability
      • Convert the code to determine which tables were affected and the command issued
      • Find and replace the string in your tables
      • Correct the web pagecommand that has the vulnerability
      • Test to validate the issue no longer occurs
      • Deploy the web pagecommand
      • Re-enable the web sites

    21. Question 21. How To Enforce Security In Sql Server?

      Answer :

      By providing strong Passwords, Limited the access to make sure right people have access to the right data, Creating Customized database roles, server roles and assign privileges and by choosing the correct authentication mode etc.

      A DBA should be careful in providing security…..General precautions includes:

      • Minimize the number of sysadmins allowed to access SQL Server.
      • Give users the least amount of permissions they need to perform their job.
      • Use stored procedures or views to allow users to access data instead of letting them directly access tables.
      • When possible, use Windows Authentication logins instead of SQL Server logins.
      • Don’t grant permissions to the public database role.
      • Remove user login IDs who no longer need access to SQL Server.
      • Avoid creating network shares on any SQL Server.
      • Turn on login auditing so you can see who has succeeded, and failed, to login.
      • Ensure that your SQL Servers are behind a firewall and are not exposed directly to the Internet.
      • Using server, database and application roles to control access to the data
      • Securing the physical database files using NTFS permissions
      • Using an un guessable SA password
      • Restricting physical access to the SQL Server
      • Disabling the Guest account
      • Isolating SQL Server from the web server
      • Choose either of the service to run SQL Server (Local User – Not an Admin , Domain User – Not an Admin)
      • Restrict the remote administration (TC)
      • If SQL Server authentication is used, the credentials are secured over the network by using IPSec or SSL, or by installing a database server certificate.
      • Do not use DBO users as application logins
      • Firewall restrictions ensure that only the SQL Server listening port is available on the database server.
      • Remove the SQL guest user account.
      • Remove the BUILTINAdministrators server login.
      • Apply the latest security updates / patches

      We have plenty of features in SQL SERVER to enforce the security. The major features include:

      • Password policies
      • Encryption
      • Limited metadata visibility (system Tables to Catalog Views)
      • DDL triggers
      • User-schema separation
      • Impersonation
      • Granular permission sets
      • Security catalog views

      In addition to these features we have some more added in SQL SERVER 2008, like Policy Based Management, Security Audit, Improved Encryption, Backup Security etc.

      When we talk about the security we have to consider the below:

      • Patches and Updates
      • Services
      • Protocols
      • Accounts
      • Files and Directories
      • Shares
      • Ports
      • Registry
      • Auditing and Logging
      • SQL Server Security
      • SQL Server Logins, Users, and Roles
      • SQL Server Database Objects

    22. Question 22. You Are Delegating Permissions On Your Sql Server To Other Administrators. You Have Local, Single Server Jobs On One Server That You Would Like To Allow Another Administer To Start, Stop, And View The History For, But Not Delete History. This Administrator Will Own The Jobs. Which Role Should You Assign?

      Answer :


      SQL Server provides 3 fixed roles for the agent service that limit privileges for administrators. The SQLAgentUserRole is designed for local jobs (not multiserver) that allow the member to work with their owned jobs (edit, start, stop, view history) without deleting the history of any job.

    23. Question 23. What Is Application Role In Sql Server Database Security?

      Answer :

      Application roles are database level roles like database roles. We can create them and assign permissions to them just like regular database roles but we can’t map users with them. Instead, we provide a password to unlock access to the database.

      Here it is how it works:

      • Create a login on SQL Server for application user
      • Create an application role on the corresponding database.
      • Give the application role password to the user
      • User will have access to login to SQL Server but doesn’t have any access to the database including public role.
      • He/she just need to provide the password to unlock the access to the database
      • EXEC sp_addapprole ‘App_Role_Name’, ‘Password’
      • Once it is executed successfully the user will get all rights that your app role have on that database.

    24. Question 24. What Are The New Security Features Added In Sql Server 2012?

      Answer :

      Default Schema for Windows Group Logins: Let’s say we have a Windows account [MyDomain WinAdmin]. If someone from this group logged in [MyDomainUser1] and tried to create an object then there will be a new schema created like [MyDomainUser1].Table. This issue got fixed in 2012. In 2012 we can assign a default schema for the Windows Group accounts.

      User Defined Server Roles: Till 2008 R2 we have user defined roles at database level, 2012 allows us to create a Server level user defined roles which gives us more control in handling security.

      Contained Database: Easier database migrations as it contains user and login information on same database instead of in Master.

      Data Protection: Supporting Hash Algorithm-256 (SHA-256) and SHA-512.

      Auditing: Native support/feature for auditing the database environment by creating the Audit specifications. We can also create user defined audits.

      Ex: We can create an Audit specification to trace all events for a specific login and write all these event details into Audit Log. We can also filter the events.

    25. Question 25. What Is The New Security Features Added In Sql Server 2014?

      Answer :

      Functionality Enhancement for TDE: In 2014 Transparent Data Encryption takes the normal backup and then applies the Encryption before writing it to the disk. It allows backup compression is useful when TDE enabled. TDE applies on compressed backup.

      CONNECT ANY DATABASE: This is a new server level permission which can allow a login to connect all existing and future databases in the instance. This can be helpful when we need to give permissions for audit purpose.

      IMPERSONATE ANY LOGIN: This is a new server level permission which gives us more control in giving/denying impersonate access to logins.

      SELECT ALL USER SECURABLES: A new server level permission. When granted, a login such as an auditor can view data in all databases that the user can connect to.

    26. Question 26. What Is The New Security Features Added In Sql Server 2016?

      Answer :

      Always Encrypted:

      • This is a new feature which is useful for managing highly sensitive data
      • Unlike TDE it encrypts data at rest means physical files (Data, Log and Backup), data in memory and data in communication channels.
      • TEMPDB is uninvolved from encryption
      • Encryption can be applied to column level.
      • A driver that encrypts and decrypts the data as it is sent to the database server is installed on the client.
      • Application connection string must be changed.

      Row Level Security:

      • This is first introduced in Azure SQL Database. Now it’s part of on-premises feature from SQL Server 2016.
      • Data need not be encrypted but we can restrict the users to see the sensitive data. No master keys or certificates required as there is no encryption
      • Row-level security is based on a table-valued function which evaluates user access to the table based on a security policy that is applied to the table.
      • The access levels only applies to SELECT, UPDATE, DELETE operations but anyone who is having INSERT permissions can insert rows.
      • Only problem with this is using user defined functions to control user access which is a huge disadvantage from performance prospect.

      Dynamic Data Masking:

      • Masks data at select time based on user or database roles (Mainly for Read-only Users).
      • It actually doesn’t change the data but mask data based on the user who access that data.

      For example:

      I have a columns called “CredNo” to store customer creditcard number. If I mask this column then it will be viewed as 22XXXXXXXXXX56.

      But as I said data is not modified only this logic applied and data is masked based on the user/role.

      A SYSADMIN or db_owner can view the actual data.

      We can use 4 different types of functions to mask data: Email, Partial, Default, Random

Popular Interview Questions

All Interview Questions

All Practice Tests

All rights reserved © 2020 Wisdom IT Services India Pvt. Ltd DMCA.com Protection Status