Posts

Full day PreCon Practical Performance Analysis in Melbourne at Asia & Australia Tour 2018

As has almost become a habit for me by now, I will be touring Asia this summer. This year not only Asia, but for the first time also Australia. (There, however, it is winter, which sometimes leads to funny confusion in agreements until you get used to it.) 1st stop: Singapore – Azure SQL Database […]

Separation of Duties (SoD) and role-based security conception in SQL Server

Introduction With the upcoming implementation of the European General Data Protection Regulation (GDPR) in May 2018, having a security concept in place is essentially required by law. Microsoft SQL Server, just like other database systems, carries the main asset to protect: the data itself. Therefore, it is time for an article from a more strategic […]

SQL Server Row- and Cell-Level Security – Disclosure vulnerability

It’s time for another post on security matters. Through a forum thread on data-driven security by means of views using the IS_MEMBER(), USER_NAME() and SUSER_SNAME() functions, I came up with the idea of giving a short example of how such constructs can easily be circumvented and the protected/hidden data disclosed when not being secured […]
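The following T-SQL is an added illustration of the view-based row filter the excerpt refers to; it is not code from the original post, and the table, view, role and user names are constructed for this demo. The two caveats shown at the end (identity switching and error-based side channels) are general weaknesses of predicate filters that key on the caller's identity; the post's own circumvention is cut off on this page, so they are not presented as its argument.

```sql
-- Added example (not from the original post): row filtering through a view that keys
-- on the caller's identity. Table, view, role and user names are constructed.
CREATE TABLE dbo.Salary (
    Employee sysname NOT NULL,
    Amount   money   NOT NULL
);
INSERT dbo.Salary (Employee, Amount) VALUES
    (N'Alice', 52000), (N'Bob', 61000), (N'Carol', 95000);
GO
-- A caller sees their own row, or every row if they belong to the HR role.
CREATE VIEW dbo.MySalary
AS
SELECT Employee, Amount
FROM dbo.Salary
WHERE Employee = USER_NAME()
   OR IS_MEMBER(N'HR') = 1;
GO
CREATE ROLE HR;
CREATE USER Alice WITHOUT LOGIN;
CREATE USER Carol WITHOUT LOGIN;
ALTER ROLE HR ADD MEMBER Carol;
-- The view must be the only path to the data: grant on the view, deny on the base table
-- (ownership chaining already hides the table, the DENY is belt and braces).
GRANT SELECT ON dbo.MySalary TO Alice, Carol;
DENY  SELECT ON dbo.Salary   TO Alice, Carol;
GO
EXECUTE AS USER = 'Alice';
SELECT * FROM dbo.MySalary;            -- one row: Alice, 52000
REVERT;
EXECUTE AS USER = 'Carol';
SELECT * FROM dbo.MySalary;            -- all three rows (HR member)
REVERT;
GO
-- Caveat 1 (identity): the filter trusts whatever USER_NAME()/IS_MEMBER() report, so anyone
-- who can switch context to an HR member reads everything. IMPERSONATE is such a right and
-- must never reach the filtered users. (Deliberate misconfiguration for demonstration.)
GRANT IMPERSONATE ON USER::Carol TO Alice;
EXECUTE AS USER = 'Alice';
    EXECUTE AS USER = 'Carol';
    SELECT * FROM dbo.MySalary;        -- all three rows, obtained by Alice
    REVERT;
REVERT;
REVOKE IMPERSONATE ON USER::Carol FROM Alice;
GO
-- Caveat 2 (side channel): the view predicate and the caller's own predicate are optimised
-- as one query, and SQL Server does not guarantee which is evaluated first. A probe such as
-- this one can raise a divide-by-zero error for a row the caller is not allowed to see,
-- disclosing that an Amount of 95000 exists; whether it fires depends on the chosen plan.
EXECUTE AS USER = 'Alice';
SELECT Employee FROM dbo.MySalary WHERE 1 / (Amount - 95000) = 0;
REVERT;
GO
-- Cleanup.
DROP VIEW dbo.MySalary;
DROP TABLE dbo.Salary;
DROP USER Alice;
DROP USER Carol;
DROP ROLE HR;
```

Run this in a scratch database; the first two SELECTs behave deterministically, the final probe only sometimes, which is exactly why filters of this kind should not be the sole control for genuinely sensitive columns.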

Security-Check-Script & Survey: SQL Server Security – Database-Owners, critical Permissions and role membership

In this survey, I would like to explore on a broader scale which accounts are typically used as database owners. I will subsequently publish the cumulative results here to share them with the community, together with some recommendations for hardening security. In this instance, particular server-wide permissions both of the account used as well as, […]

Where are the scripts for the session „SQL Attacked/Hacking SQL Server“? ;-)

Subsequent to the lectures from my “Hacking SQL Server” series “Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)”, which I have already given at SQLSaturday Rheinland, SQLSaturday Istanbul, SQL Rally Amsterdam and many regional groups of PASS Germany, more often than not the question arises whether I make […]

Security-Session: “SQL Server under Attack” this November @ SQL Rally Amsterdam

Alright, this is going to be by far the most active year in terms of speaking at international conferences: after six conferences last year, including SQL Rally Nordic, which I really liked a lot, I had to decide between SQL Rally Nordic again, SQL Rally Amsterdam, or even both.

CONTROL SERVER vs. sysadmin/sa: permissions, system procedures, DBCC, automatic schema creation and privilege escalation caveats

The server-wide permission CONTROL SERVER has existed since SQL Server 2005. In principle an alternative to sysadmin membership, it did not turn out to be much more than a shelf warmer: little known and even less used. One of the main reasons for this was the absence of an option to grant […]
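The T-SQL below is an added example, not code from the original post, showing the practical difference the post's title points at: CONTROL SERVER is an ordinary grantable permission, so an explicit DENY on a lower-level permission overrides it, whereas sysadmin membership bypasses permission checks altogether. It also shows the escalation path through impersonation. The login names and the password are constructed for this demo.

```sql
-- Added example (not from the original post): CONTROL SERVER versus sysadmin.
-- Login names and the password are constructed; run as a sysadmin in a test instance.
USE master;
GO
CREATE LOGIN OpsControl  WITH PASSWORD = N'Ex@mple-Pw-2018!', CHECK_POLICY = OFF;
CREATE LOGIN OpsSysadmin WITH PASSWORD = N'Ex@mple-Pw-2018!', CHECK_POLICY = OFF;
GRANT CONTROL SERVER TO OpsControl;
ALTER SERVER ROLE sysadmin ADD MEMBER OpsSysadmin;
GO
-- On paper both can do everything: CONTROL SERVER implies every server-level permission.
EXECUTE AS LOGIN = 'OpsControl';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS ControlCanAlterLogins;   -- 1
REVERT;
GO
-- Deny the same permission to both principals.
DENY ALTER ANY LOGIN TO OpsControl;
DENY ALTER ANY LOGIN TO OpsSysadmin;
GO
EXECUTE AS LOGIN = 'OpsControl';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS ControlCanAlterLogins;   -- 0: the DENY wins
REVERT;
EXECUTE AS LOGIN = 'OpsSysadmin';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS SysadminCanAlterLogins;  -- 1: no check is made
REVERT;
GO
-- Escalation caveat: CONTROL SERVER also implies IMPERSONATE on every login. Switching to a
-- sysadmin login makes the DENY irrelevant for the rest of the session.
EXECUTE AS LOGIN = 'OpsControl';
    EXECUTE AS LOGIN = 'OpsSysadmin';
    SELECT IS_SRVROLEMEMBER('sysadmin') AS NowSysadmin;   -- 1
    REVERT;
REVERT;
GO
-- Closing that particular door needs an explicit DENY per sensitive login.
DENY IMPERSONATE ON LOGIN::OpsSysadmin TO OpsControl;
GO
-- Cleanup.
DROP LOGIN OpsControl;
DROP LOGIN OpsSysadmin;
```

Bear in mind that a CONTROL SERVER holder has CONTROL on every server securable and can therefore revoke such a DENY again; for threat-modelling purposes CONTROL SERVER is sysadmin-equivalent, and the value of the DENY is in blocking accidents and in leaving an audit trail, not in containing a hostile holder.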

Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)

At this year’s SQLSaturday in Germany I gave one of my sessions again, in which I concentrate on “attack”. For me a great opportunity to dive deep into SQL Server security and several penetration-test tools, and to explore SQL Server for pitfalls and security configuration. At the end I had a long list of possible […]

Conferences 2013: Frankfurt Database Days and a couple of “Oracle-Moments”

I usually try to announce my conference participation in advance in order to give readers a chance to plan for it. Due to a severe lack of time, and because I jumped in spontaneously for an absent speaker only a week before the conference, I didn’t manage to give you a heads-up this time.

Sessions at the SQLCon 2011

This year, too, I am going to be present at SQLCon 2011 (26-29 September) in Mainz, with two sessions so far. Update (09/2011): I cancelled the presentation on “Reporting Services in SQL Server Denali” in favor of a topic I feel even more strongly about. (Besides, the Reporting Services themselves will hardly go […]