This editorial was originally published on July 20, 2014. It is being republished as Steve is out of the office.
At SQL Bits this year I attended a security presentation from Andreas Wolter. The session examined some attack methodologies, showing the flow that an attacker might go through to gain information about your database instance with SQL Injection. It's a scary and eye-opening talk, and one that I might recommend to all DBAs and developers so that they can understand the dangers involved with poorly coded applications.
One of the scariest attacks was the elevation of privileges from a web user to a sysadmin on an instance, made possible mainly by the TRUSTWORTHY setting being enabled. I had never imagined this as an attack vector, and it was disconcerting to say the least. However, it got me wondering about instances I've managed.
Would I detect if a new sysadmin were added? Or an existing user added to the role? I'm not sure I would, though that's certainly something I plan to detect by setting up some sort of monitoring. I would guess that most DBAs, whether professional or accidental, might not catch this either, at least until some audit was performed. By then it might be too late to protect your data, and certainly too late to protect your reputation.
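As an added example (not from the editorial), here are two T-SQL checks aimed at the two worries above: an inventory of TRUSTWORTHY databases owned by sysadmin logins, and a server-level DDL trigger that records every server role membership change so a new sysadmin shows up right away. The DBAAdmin database and the audit table name are assumed placeholders.

```sql
-- 1) Inventory databases where TRUSTWORTHY is on and the owner is a sysadmin.
--    Code running inside such a database can impersonate the owner at server scope,
--    which is the escalation path from web user to sysadmin described in the talk.
SELECT d.name                                                  AS database_name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';   -- msdb is TRUSTWORTHY by design; review every other row
-- Fix for an unexpected row: ALTER DATABASE [name] SET TRUSTWORTHY OFF;

-- 2) Record every server role membership change (ALTER SERVER ROLE ... ADD/DROP MEMBER,
--    and sp_addsrvrolemember, which fires the same DDL event) in an audit table.
USE DBAAdmin;   -- placeholder admin database
GO
CREATE TABLE dbo.ServerRoleMemberAudit
(
    audit_id     INT IDENTITY(1,1) PRIMARY KEY,
    post_time    DATETIME2      NOT NULL,
    event_type   SYSNAME        NOT NULL,   -- ADD_SERVER_ROLE_MEMBER / DROP_SERVER_ROLE_MEMBER
    changed_by   SYSNAME        NOT NULL,   -- login that issued the command
    command_text NVARCHAR(MAX)  NOT NULL,   -- the statement as typed, names the role and member
    event_xml    XML            NOT NULL    -- full EVENTDATA() for later inspection
);
GO
CREATE TRIGGER trg_ServerRoleMemberAudit
ON ALL SERVER
FOR ADD_SERVER_ROLE_MEMBER, DROP_SERVER_ROLE_MEMBER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e XML = EVENTDATA();
    INSERT INTO DBAAdmin.dbo.ServerRoleMemberAudit
        (post_time, event_type, changed_by, command_text, event_xml)
    VALUES
        (@e.value('(/EVENT_INSTANCE/PostTime)[1]',  'DATETIME2'),
         @e.value('(/EVENT_INSTANCE/EventType)[1]', 'SYSNAME'),
         @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'SYSNAME'),
         @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'NVARCHAR(MAX)'),
         @e);
END;
GO
-- Daily review: any sysadmin change you did not make yourself is a red flag.
SELECT post_time, event_type, changed_by, command_text
FROM DBAAdmin.dbo.ServerRoleMemberAudit
WHERE command_text LIKE '%sysadmin%'
ORDER BY post_time DESC;
```

A sysadmin can disable or drop the trigger, so treat this as a detection aid rather than a control; for a trail that is harder to tamper with, send the same events to SQL Server Audit or to a log store outside the instance.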
Security is a tough topic, and it's an ongoing process to protect your systems. I hope to see more presentations like this at future events, and I'd encourage you to request them for any events you plan on attending. You can certainly do this for all SQL Saturday events (there's a "suggest a session" link on the schedule page).
Security requires vigilance and vigilance requires monitoring. Both of those also need knowledge, so be sure that you don't neglect the security of your SQL Servers and continue to educate yourself over time as well as implementing technical solutions.
NEW SQL Provision: Create, protect, & manage SQL Server database copies for compliant DevOps
Create and manage database copies effortlessly while keeping compliance central to the process. With SQL Provision's virtual cloning technology, databases can be created in seconds using just MB of storage, enabling businesses to move faster. Sensitive data can be anonymized or replaced with realistic data to ensure data is protected as it moves between environments. Download your free trial
The industry standard for comparing and deploying SQL Server database schemas
Trusted by 71% of Fortune 100 companies, SQL Compare is the fastest way to compare changes, and create and deploy error-free scripts in minutes. Plus you can easily find and fix errors caused by database differences. Download your free trial
Power BI Dashboards can be kept current using simple DAX formulas in your data models. Save yourself time and energy by understanding how dashboard tiles work on PowerBI.com and what can be done to set your dashboards to a current period. More »
This special edition of the PASS Marathon series will focus on the General Data Protection Regulation (GDPR). You’ll learn how the legislation impacts SQL Server data professionals around the globe and practical steps you can take to help ensure you’re ready for when GDPR enforcement takes effect on May 25th. More »
Ok, I’ll admit it. I like scripts that are handy and do things. Especially if the scripts make my life... More »
Question of the Day
Today's Question (by Steve Jones):
I've got some data that contains US postal codes. This data is stored in a numeric field. If I use the FORMAT() function, what format string should I use to ensure that any leading zeros are replaced with a real 0 and the rest of the numeric values are returned correctly? What string is the second parameter of the FORMAT() function?
This question is worth 1 point in this category: FORMAT().
Protect your data from attack by using SQL Server technologies to implement a defense-in-depth strategy, performing threat analysis, and encrypting sensitive data as a last line of defense against compromise. The multi-layered approach in this book helps ensure that a single breach doesn't lead to the loss or compromise of the confidential data that matters to the business. Get your copy from Amazon today.
Yesterday's Question of the Day (by Steve Jones):
I want to use the mathematical cosine function in a Python script inside of SQL Server. I know that this function isn't in the base Python interpreter, but is in the math module. What do I run to get access to this function in my script?
Answer: import math
In Python, to access code inside a module from your script, you use the import statement with the name of the module.
union with constant values
I'm doing this:
select 'EVY', 'Everyone', ...
where ... and @Grouping = 'false'
That @Grouping = false still returns the row if the value is true....
Splitting a Full Name
- I'm trying to split a full name column up into First / Middle / Last....but some of the names are like "Joe...
This newsletter was sent to you because you signed up at SQLServerCentral.com.
Feel free to forward this to any colleagues that you think might be interested.
If you have received this email from a colleague, you can register to receive it here.