Posts

Security-Fixes for SQL Server and why Security Best Practices Matter

/0 Comments/in ,
With 14 July 2015, quite precisely one year after the first security bugs in 5 years had to be fixed, we have been given a new reason to test one’s security patching policy. – Provided that you have such a policy for SQL Server.
Read more

SQL Server 2016 – the Security & Performance Release

/0 Comments/in , , ,
The news broke in early May: That’s when Satya Nadella presented SQL Server 2016 at the Microsoft Ignite-Conference in Chicago. I can already say that SQL Server 2016 will be one of the most exciting releases in recent years. And that’s because this time it’s clearly focused on security. Next to performance features, security features […]
Read more

Performance/ Management Data Warehouse Data Collector & AlwaysOn Availability Groups

/0 Comments/in ,
This time, we are dealing with the „MDW“, short for Management Data Warehouse,( http://msdn.microsoft.com/en-us/library/bb677306.aspx), which I like to recommend as a minimal performance logging-approach. From time to time, and most recently in the context of my PASS Essential „SQL Server Analysis tools & Techniques for Performance und general Monitoring“, the question arises as to whether […]
Read more

SQL Server Database Ownership: survey results & recommendations

/9 Comments/in , ,
You may remember the survey on database ownership which I launched several months ago. In the following, I am now presenting the results and giving my official recommendation for a best practice for security in terms of database ownership. First, if you still need the script:
Read more

New Permissions in SQL Server 2014: IMPERSONATE ANY LOGIN, SELECT ALL USER SECURABLES, CONNECT ANY DATABASE and the old CONTROL SERVER

/0 Comments/in ,
SQL Server 2014 brings altogether 5 new permissions. Two of those are on database level and only available in the Windows Azure SQL Database Edition – not in the box-version.
Read more

DISABLE and DENY LOGIN, DENY USER & Effect on Impersonation and Permissions

/0 Comments/in
A short article on the effects – or missing effects – regarding the disabling & denying connect of Logins & Users on impersonation and permission. Every once in a while one can observe that Logins or Users have been denied the Connect permission or a Login has been disabled. Therefore a correct expectation and understanding […]
Read more

SQL Server Row- and Cell-Level Security – Disclosure vulnerability

/1 Comment/in
It’s time for another post on security matters. And through a forum-thread on data-driven security by the means of views using the IS_MEMBER(), USER_NAME(), SUSER_SNAME() – functions, I came up with the idea of giving a short example how such constructs can easily be circumvented and the protected/hidden data become disclosed, when not being secured […]
Read more

Security-Check-Script & Survey: SQL Server Security – Database-Owners, critical Permissions and role membership

/1 Comment/in , ,
In this survey, I would like to explore in a greater radius which accounts are typically used as database owners. I will subsequently publish the cumulated results here to share them with the community together with some recommendations for hardening security. In this instance, particular server-wide permissions both of the used account as well as, […]
Read more

Where are the scripts to the session „SQL Attacked/Hacking SQL Server“ ? ;-)

/0 Comments/in ,
Subsequent to the lectures from my “Hacking SQL Server” series “Security Session „SQL Attack..ed“ – Attack scenarios on SQL Server (“Hacking SQL Server”)” which I have already given at the SQLSaturdays Rheinland, Istanbul, at the SQLRAlly Amsterdam and at many regional groups of PASS Germany, more often than not the question arises whether I make […]
Read more

Security-Session: “SQL Server under Attack” this November @ SQL Rally Amsterdam

/in , ,
Alright, this is going to be the by far most active year in terms of speaking at international conferences: After 6 conferences last year, including SQL Rally Nordic, which I really liked a lot, I had to decide between SQL Rally Nordic again or SQL Rally Amsterdam or even both.
Read more