Separation of Duties (SoD) and role-based security conception in SQL Server

Introduction: With the upcoming implementation of the European General Data Protection Regulation (GDPR) in May 2018, having a security concept in place is essentially required by law. Microsoft SQL Server, just like other database systems, carries the main asset to protect: the data itself. Therefore, it is time for an article from a more strategic […]

DISABLE and DENY LOGIN, DENY USER & Effect on Impersonation and Permissions

A short article on the effects – or missing effects – of disabling Logins and denying Connect to Logins & Users on impersonation and permissions. Every once in a while one can observe that Logins or Users have been denied the Connect permission or a Login has been disabled. Therefore a correct expectation and understanding […]

Security-Session: “SQL Server under Attack” this November @ SQL Rally Amsterdam

Alright, this is going to be by far the most active year in terms of speaking at international conferences: After 6 conferences last year, including SQL Rally Nordic, which I really liked a lot, I had to decide between SQL Rally Nordic again or SQL Rally Amsterdam or even both.

CONTROL SERVER vs. sysadmin/sa: permissions, system procedures, DBCC, automatic schema creation and privilege escalation caveats

The server-wide permission CONTROL SERVER has existed since SQL Server 2005. In principle an alternative to sysadmin membership, it did not turn out to be much more than a shelf warmer: little known and even less used. One of the main reasons for this was the absence of an option to grant […]

Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)

At this year’s SQLSaturday in Germany I have shown one of my sessions again, in which I concentrate on “attack”. For me a great opportunity to dive deep into SQL Server Security and several penetration-test tools, and to explore SQL Server for pitfalls and security configuration. At the end I had a long list of possible […]