Despite the major advances made with Profiler in SQL Server 2005, auditing changes isn't one of the strengths of the product. New author Sergey Pustovit brings us his technique that allows auditing of actions using shared accounts from an application. A few minor code changes, but overall this is a very interesting idea.   Read more...

Securing your SQL Server can be an arduous task, but very rewarding. This article covers 10 steps to properly protecting your data.   Read more...

The fear of having laptops stolen is a huge worry for all organizations. Maybe it’s even happened to you (I hope not!). The solution is simple, really -- don’t let your laptop get stolen. (I can hear you laughing now.) Keep the thing with you at all times, or leave it in your hotel room when you don’t want to carry it around. Yes, everyone has heard the warnings about hotel room theft, but I’ve never had something stolen from a hotel room and I spend well over 200 nights a year in hotels. (If you travel to a location where the general population has kleptomaniac tendencies, stay in hotels that offer safes in the room.) You’re far more likely to leave your laptop or PDA or smart phone or USB drive lying on the seat in a taxi or on the counter at a bar.  Read more...

Databases are being stolen. Customer data, credit card data, taxpayer data - they're all vulnerable. Scary? Yes - but wait, there's more. It's not just "their" data that's vulnerable - it's ours too!   Read more...

Creating an enterprise security plan is a complex endeavour. It involves evaluating multiple threats that gain access through many network paths to a hodgepodge of different applications and systems. With the focus on systems and paths, databases are frequently overlooked. Securing the database should be a fundamental tenet for any security practitioner when developing his or her security plan. The database is the source of data, the "crown jewels" in the information economy. Any security effort must start with this in mind and end with the strongest level of controls applied at the database layer.  Read more...

SQL Server Alerts provide a great way for the server to notify a DBA that some event has occurred, usually something bad that they need to fix. However alerts can also be used to drive business logic processes and enable some types of actions to be safely performed without requiring extraordinary rights by a user. Author Leo Peysakhovich brings us some ideas on how we can use alerts to implement business logic processing.   Read more...

Storing passwords in SQL Server for authentication by your application is a common practice. But not always a good one. Someone with access could easily see all passwords and perhaps cause mischief inside your application. Imagine the office gossip getting access to your HR application as the HR director! Not a good thing. Dinesh Asanka has written a short piece on how you can use a built in function in SQL Server to encrypt these passwords and use them with a minimum of effort.   Read more...

When transferring a database to a new server, you are bound to experience a user problem. In this article by Neil Boyle, he shows you how to transfer passwords and accounts seamlessly to a new server.   Read more...

This article covers four of the fixed database roles (db_datareader, db_datawriter, db_denydatareader, and db_denydatawriter). If you're new to SQL security (and maybe even if you're not) this article is worth reading.   Read more...

SecureWave forwarded us this link to some info about their product - they claim to be the only product capable of protecting SQL Server from buffer overflow attacks. You can download a free eval from their site. We have not reviewed this product.  Read more...

We've had a lot of coverage of dynamic sql (including another great one from Robert Marda later this week) but this one is a little different. Done in a question/answer format, Andy tries to explain to junior developers why dynamic sql is to be avoided, how to do so, what to do when you can't.   Read more...

Securing your SQL Server can be an arduous task, but very rewarding. This article covers 10 steps to properly protecting your data.   Read more...

In this follow up to one of our most popular articles, Andy responds to comments posted by readers and discusses how to manage SQL logins effectively in your applications.   Read more...

When transferring a database to a new server, you are bound to experience a user problem. In this article by Neil Boyle, he shows you how to transfer passwords and accounts seamlessly to a new server.   Read more...

Continuing with the Worst Practices Series: Steve Jones examines why encryption in the database is a bad idea.   Read more...

The major part of the article, however, is dedicated to a topic that often confuses people and leads to some of the strongest disagreements among IT professionals and developers: the benefits and drawbacks of enforcing security in the middle (or business) tier versus the data tier.   Read more...

One of the strengths of SQL Server is its ease of management and administration over other systems. Oracle, DB2, even early versions of SQL Server required command line mastery to make many types of changes. But should you really be using the GUI for most of your tasks?   Read more...

Continuing with Andy Warren's series on Worst Practices for a DBA, Steve Jones joins in this week with his worst practice.   Read more...

Microsoft has announced a new security program to help system administrators secure their sites. Worth a read.   Read more...

Learn how to secure your data by implementing SQL Server security best practices.   Read more...