Microsoft SQL Server 2012 continues this trend with an extensive collection of new security features and enhancements. These enhancements not only help organizations to improve access controls to data, but also to achieve the highest level of data protection and compliance. Also, these features help make SQL Server arguably the most robust common database platform from a security perspective, with less vulnerability and fewer security patches needed to maintain the system.

SQL Server 2012 has many new security features, and three of the bigger new features are: Default Schema for Windows Groups, Audit enhancements, and User-Defined Server Roles.

Default schema for Windows groups
A database schema can now be tied to a Windows Group rather than an individual user in order to increase database compliance.  This makes it easier to administer database schemas, decreases the complexity of database schema management through individual Windows users, prevents errors of assigning a schema to the wrong user when a user changes groups, avoids unnecessary implicit schema creation, and by reducing the chances of choosing the wrong schema then it greatly reduces the chance of query errors.

Before SQL Server 2012 was introduced, it was not possible to specify the default schema for Windows groups. As a result, when the user getting access through Windows group membership created database objects such as a table or view inside a database, SQL Server automatically created a separate user (mapped to the admin account) and a schema with the same name in the database. Because of this security manageability issue, we end up having hundreds of users and schemas inside databases, which caused administrative challenges and is a managerial nightmare for administrators. Hence, SQL Server community requested a fix for this security issue via the Microsoft Connect site.

Luckily, SQL Server 2012 addresses this security issue by allowing us to assign a default schema for Windows Groups, which helps organizations simplify their database schema administration.

The following Transact SQL (T-SQL) demonstrates the process of assigning the default schema for Windows Group:

-- Creating Default Schema "ProdAdmins" for Windows Group "MyDomain\ProdDBAs"
CREATE SCHEMA [ProdAdmins] AUTHORIZATION [MyDomain\ProdDBAs]
GO


-- Set Default Schema for Windows Group "MyDomain\ProdDBAs"
ALTER USER [MyDomain\ProdDBAs] WITH DEFAULT_SCHEMA=[ProdAdmins]
GO

Audit Enhancements
Server and database audit specification objects found in SQL Server 2008 and SQL Server 2008 R2 are the most useful features of SQL Server and help the organization meet various regulatory compliance requirements. The problem with these auditing features is that they were only in the enterprise edition.

Fortunately, the server level audit specification features are now supported by all versions of SQL Server 2012. Audit specification features of SQL Server 2012 are more resilient to failures with writing to the audit log, and it is possible to limit the number of audit log files without rolling over. SQL Server 2012 audit specification features also support user-defined groups, which means we can now write audited events to the audit log by using sp_audit_write (Transact-SQL) procedure. Finally, SQL Server 2012 supports the ability to filter the audit events and include new audited groups to monitor contained database users.

User-Defined Server Roles
User-Defined Server Roles increase flexibility, manageability, and facilitates compliance towards better separation of duties.  It allows creation of new server roles to suit different organizations that separate multiple administrators according to roles.  Roles can also be nested to allow more flexibility in mapping to hierarchical structures in organizations.  It also helps prevent organizations from using sysadmin for database administration. We can use CREATE SERVER ROLE, ALTER SERVER ROLE and DROP SERVER ROLE Transact-SQL statements to create, alter and drop user-defined server roles. This is demonstrated as follows:

-- Creating user-defined roles
CREATE SERVER ROLE [JuniorDBA]


-- Granting server-wide permissions

GRANT CREATE ANY DATABASE TO [JuniorDBA]

-- Adding members to user-defined roles
ALTER SERVER ROLE [JuniorDBA]
ADD MEMBER [Domain\JuniorDBA_Group1]
ALTER SERVER ROLE [JuniorDBA]
ADD MEMBER [Domain\JuniorDBA_Group1]

-- Making user-defined role member of fixed server role ALTER SERVER ROLE [processadmin]
ADD MEMBER [JuniorDBA]


-- Dropping user-defined roles
DROP SERVER ROLE [JuniorDBA]