SQL Server Database Ownership: survey results & recommendations

/9 Comments/in , ,
You may remember the survey on database ownership which I launched several months ago. In the following, I am now presenting the results and giving my official recommendation for a best practice for security in terms of database ownership. First, if you still need the script:
Read more

New Permissions in SQL Server 2014: IMPERSONATE ANY LOGIN, SELECT ALL USER SECURABLES, CONNECT ANY DATABASE and the old CONTROL SERVER

/0 Comments/in ,
SQL Server 2014 brings altogether 5 new permissions. Two of those are on database level and only available in the Windows Azure SQL Database Edition – not in the box-version.
Read more

DISABLE and DENY LOGIN, DENY USER & Effect on Impersonation and Permissions

/0 Comments/in
A short article on the effects – or missing effects – regarding the disabling & denying connect of Logins & Users on impersonation and permission. Every once in a while one can observe that Logins or Users have been denied the Connect permission or a Login has been disabled. Therefore a correct expectation and understanding […]
Read more

SQL Server Row- and Cell-Level Security – Disclosure vulnerability

/1 Comment/in
It’s time for another post on security matters. And through a forum-thread on data-driven security by the means of views using the IS_MEMBER(), USER_NAME(), SUSER_SNAME() – functions, I came up with the idea of giving a short example how such constructs can easily be circumvented and the protected/hidden data become disclosed, when not being secured […]
Read more

Security-Check-Script & Survey: SQL Server Security – Database-Owners, critical Permissions and role membership

/1 Comment/in , ,
In this survey, I would like to explore in a greater radius which accounts are typically used as database owners. I will subsequently publish the cumulated results here to share them with the community together with some recommendations for hardening security. In this instance, particular server-wide permissions both of the used account as well as, […]
Read more

Where are the scripts to the session „SQL Attacked/Hacking SQL Server“ ? ;-)

/0 Comments/in ,
Subsequent to the lectures from my “Hacking SQL Server” series “Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)” which I have already given at the SQLSaturdays Rheinland, Istanbul, at the SQLRAlly Amsterdam and at many regional groups of PASS Germany, more often than not the question arises whether I make […]
Read more

Security-Session: “SQL Server under Attack” this November @ SQL Rally Amsterdam

/in , ,
Alright, this is going to be the by far most active year in terms of speaking at international conferences: After 6 conferences last year, including SQL Rally Nordic, which I really liked a lot, I had to decide between SQL Rally Nordic again or SQL Rally Amsterdam or even both.
Read more

CONTROL SERVER vs. sysadmin/sa: permissions, system procedures, DBCC, automatic schema creation and privilege escalation caveats

/4 Comments/in ,
Since SQL Server 2005, the server wide permission CONTROL SERVER has been existing. In principle being an alternative to sysadmin-membership, it did not turn out to be much more than a shelf warmer. – Little known and even less used. One of the main reasons for this was the absence of an option to grant […]
Read more

Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)

/in , , ,
At this year’s SQLSaturday in Germany I have shown one of my sessions again, in which I concentrate on “attack”. For me a great opportunity to dive deep into SQL Server Security and several penetration-test-tool, and to explore SQL Server for pitfalls and security configuration. At the end I had a long list of possible […]
Read more

Conferences 2013: Frankfurt Database Days and a couple of “Oracle-Moments”

/in , , , ,
I usually try to announce my conference participation in advance in order to give readers a chance to possibly plan them. Due to a severe lack of time and because I jumped in spontaneously for an absent speaker only a week before the conference, I didn’t manage to give you a heads-up this time.
Read more