Entries by Andreas Wolter

SQL Server Row- and Cell-Level Security – Disclosure vulnerability

It’s time for another post on security matters. And through a forum-thread on data-driven security by the means of views using the IS_MEMBER(), USER_NAME(), SUSER_SNAME() – functions, I came up with the idea of giving a short example how such constructs can easily be circumvented and the protected/hidden data become disclosed, when not being secured […]

Security-Check-Script & Survey: SQL Server Security – Database-Owners, critical Permissions and role membership

In this survey, I would like to explore in a greater radius which accounts are typically used as database owners. I will subsequently publish the cumulated results here to share them with the community together with some recommendations for hardening security. In this instance, particular server-wide permissions both of the used account as well as, […]

Where are the scripts to the session „SQL Attacked/Hacking SQL Server“ ? ;-)

Subsequent to the lectures from my “Hacking SQL Server” series “Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)” which I have already given at the SQLSaturdays Rheinland, Istanbul, at the SQLRAlly Amsterdam and at many regional groups of PASS Germany, more often than not the question arises whether I make […]

Comparing Extended Events vs SQL Trace – or why SQL Trace & Profiler are just a thing of the past :-)

As a reminder: Extended Events have been integrated in SQL Server since SQL Server 2008. And since SQL Server 2012 SP1, all events existing in SQL Trace have been available. In addition, Extended Events have also been available for Analysis Services since SQL Server 2012 Tracing Analysis Services (SSAS) with Extended Events – Yes it […]