﻿<?xml version="1.0" encoding="utf-8"?><rss xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="2.0"><channel><title>SQLServerCentral.com Content tagged Security, Strategies</title><link>http://www.sqlservercentral.com/</link><description>Content tagged Security, Strategies posted on SQLServerCentral.com</description><language>en-us</language><ttl>360</ttl><managingEditor>sjones@sqlservercentral.com (Steve Jones)</managingEditor><item><title>SQL Stored Procedure to Log Updates, Independent of Database Structure</title><description>How many DBAs need a solution to track those changes made for multiple systems? Auditing is becoming more and more prevalent in all systems and having a good solution can really make your DBA job interesting. New author Keren Ramot brings us his technique that works independent of the database structure.

</description><guid>http://www.sqlservercentral.com/articles/Security/2773/</guid><pubDate>2007/12/26</pubDate><link>http://www.sqlservercentral.com/articles/Security/2773/</link></item><item><title>SQL Server and SOX</title><description>The Sarbanes-Oxley act has changed many IT jobs, usually requiring more work and documentation. Johan Bijnens brings us a list of some things his team has had to do to comply with SOX regulations.
</description><guid>http://www.sqlservercentral.com/articles/Security/3203/</guid><pubDate>2007/10/02</pubDate><link>http://www.sqlservercentral.com/articles/Security/3203/</link></item><item><title>Stop SQL Injection Attacks Before They Stop You</title><description>This article discusses: How SQL injection attacks work, Testing for vulnerabilities, Validating user input, Using .NET features to prevent attacks, and Importance of handling exceptions</description><guid>http://www.sqlservercentral.com/redirect/articles/3239/</guid><pubDate>2007/09/19</pubDate><link>http://www.sqlservercentral.com/redirect/articles/3239/</link></item><item><title>SQL Server patch pros and cons</title><description>A patch to your SQL Server system can cause problems, but an unpatched SQL Server is unprotected. Learn the pros and cons of SQL Server patches.

</description><guid>http://www.sqlservercentral.com/redirect/articles/3195/</guid><pubDate>2007/09/04</pubDate><link>http://www.sqlservercentral.com/redirect/articles/3195/</link></item><item><title>An Auditing Solution with XML And XSL</title><description>Auditing is something that almost every DBA needs to tackle at some point in his or her career. David McKinney brings a new twist on the solution by using XML and XSL to help implement auditing in your SQL Server application.

</description><guid>http://www.sqlservercentral.com/articles/Security/3179/</guid><pubDate>2007/08/20</pubDate><link>http://www.sqlservercentral.com/articles/Security/3179/</link></item><item><title>Encryption: Not the End-All Fix for Data Privacy</title><description>Many state data-breach laws exempt encrypted data from PR-nightmare public-notice requirements, but don&amp;#39;t let that fool you into thinking it&amp;#39;s an easy answer to the data privacy challenge. Here&amp;#39;s the lowdown on loopholes, caveats and options to consider when applying encryption.</description><guid>http://www.sqlservercentral.com/redirect/articles/3080/</guid><pubDate>2007/07/17</pubDate><link>http://www.sqlservercentral.com/redirect/articles/3080/</link></item><item><title>Stop SQL Injection Attacks Before They Stop You</title><description>This article discusses: How SQL injection attacks work, Testing for vulnerabilities, Validating user input, and more.</description><guid>http://www.sqlservercentral.com/redirect/articles/3073/</guid><pubDate>2007/07/09</pubDate><link>http://www.sqlservercentral.com/redirect/articles/3073/</link></item><item><title>SQL 2000 DBA Toolkit Part 1</title><description>SQL Server 2005 builds some great encryption tools into the product, but what if you are stuck with SQL Server 2000? SQL Server expert Michael Coles brings us the first part of a series along with a free toolkit to manage encryption and keys.
</description><guid>http://www.sqlservercentral.com/articles/Security/sql2000dbatoolkitpart1/2361/</guid><pubDate>2007/06/22</pubDate><link>http://www.sqlservercentral.com/articles/Security/sql2000dbatoolkitpart1/2361/</link></item><item><title>Pop Rivett's SQL Server FAQ No.5: Pop on the Audit Trail</title><description>Pop provides a cunning, trigger-based technique for auditing the activity on SQL Server tables

</description><guid>http://www.sqlservercentral.com/redirect/articles/2725/</guid><pubDate>2007/01/09</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2725/</link></item><item><title>Tales of Corporate Espionage</title><description>All good detective stories have a femme fatale. In the case of corporate espionage scandals, Celia Goodson, a seasoned businesswoman and once a glossily groomed blonde, has been involved in investigating more business transgressions to hit the City in the last three decades than anyone else of her years.</description><guid>http://www.sqlservercentral.com/redirect/articles/2723/</guid><pubDate>2006/12/21</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2723/</link></item><item><title>Your Field Guide To Designing Security Into Networking Protocols</title><description>We&amp;#39;ll go over some examples of attacks against protocols and rules following, which will help you when designing and implementing protocols of your own.</description><guid>http://www.sqlservercentral.com/redirect/articles/2718/</guid><pubDate>2006/12/19</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2718/</link></item><item><title>New SQL Truncation Attacks And How To Avoid Them</title><description>In this article I will discuss some new ideas that can result in either modifying SQL statements or injecting SQL code even if the code has escaped the delimiting characters. 
I will start with some best practices for constructing delimited identifiers and SQL literals, and then I&amp;#39;ll show you new ways attackers can inject SQL code in order to help you protect your applications.</description><guid>http://www.sqlservercentral.com/redirect/articles/2720/</guid><pubDate>2006/12/14</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2720/</link></item><item><title>Forensic Tamper Detection in SQL Server</title><description>The suggested method illustrates how such tampering by an authorized user can be detected. This method doesn&amp;#39;t provide tamper-prevention measures, but as there is no such thing as ultimate security, detection of such tampering will greatly help in maintaining the integrity of information.
</description><guid>http://www.sqlservercentral.com/redirect/articles/2717/</guid><pubDate>2006/12/12</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2717/</link></item><item><title>Anticipate the worst when developing SQL Server databases</title><description>Arthur Fuller advises DBAs to try to break their software in order to make sure their SQL Server databases can withstand potential attacks. See if your code can hold up to his suggested tests.</description><guid>http://www.sqlservercentral.com/redirect/articles/2620/</guid><pubDate>2006/10/12</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2620/</link></item><item><title>Applying the Principle of Least Privilege to User Accounts on Windows </title><description>A defense-in-depth strategy, with overlapping layers of security, is the best way to counter these threats, and the least-privileged user account (LUA) approach is an important part of that defensive strategy. The LUA approach ensures that users follow the principle of least privilege and always log on with limited user accounts. This strategy also aims to limit the use of administrative credentials to administrators, and then only for administrative tasks.</description><guid>http://www.sqlservercentral.com/redirect/articles/2297/</guid><pubDate>2006/02/24</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2297/</link></item><item><title>Conducting a SQL Server Operational Audit</title><description>Auditing, analyzing and documenting your SQL Server installation is becoming more important all the time, especially as more and more attention is being paid to the security of your environment. Chad Miller brings us a look at a framework and a sample document you can use in your environment to conduct an audit.
</description><guid>http://www.sqlservercentral.com/articles/Administering/conductingasqlserveroperationalaudit/2079/</guid><pubDate>2005/10/24</pubDate><link>http://www.sqlservercentral.com/articles/Administering/conductingasqlserveroperationalaudit/2079/</link></item><item><title>Hacker's-eye view of SQL Server</title><description>If a hacker sets sights on your SQL Server, there are four primary methods he can use to take control and carry out unauthorized, malicious activity. I will look at each of these: Password compromise, Account compromise, SQL injection, Buffer overflows
</description><guid>http://www.sqlservercentral.com/redirect/articles/2102/</guid><pubDate>2005/10/07</pubDate><link>http://www.sqlservercentral.com/redirect/articles/2102/</link></item><item><title>Dynamic SQL or Stored Procedure</title><description>We&amp;#39;ve had a lot of coverage of dynamic sql (including another great one from Robert Marda later this week) but this one is a little different. Done in a question/answer format, Andy tries to explain to junior developers why dynamic sql is to be avoided, how to do so, what to do when you can&amp;#39;t.


</description><guid>http://www.sqlservercentral.com/articles/Performance+Tuning/dynamicsqlorstoredprocedure/969/</guid><pubDate>2005/08/26</pubDate><link>http://www.sqlservercentral.com/articles/Performance+Tuning/dynamicsqlorstoredprocedure/969/</link></item><item><title>Easy Auditing a Shared Account</title><description>Despite the major advances made with Profiler in SQL Server 2005, auditing changes isn&amp;#39;t one of the strengths of the product. New author Sergey Pustovit brings us his technique that allows auditing of actions using shared accounts from an application. A few minor code changes, but overall this is a very interesting idea.
</description><guid>http://www.sqlservercentral.com/articles/Security/easyauditingasharedaccount/1953/</guid><pubDate>2005/07/20</pubDate><link>http://www.sqlservercentral.com/articles/Security/easyauditingasharedaccount/1953/</link></item><item><title>10 Steps to Securing your SQL Server</title><description>Securing your SQL Server can be an arduous task, but very rewarding. This article covers 10 steps to properly protecting your data.
</description><guid>http://www.sqlservercentral.com/articles/Security/10securingyoursqlserver/701/</guid><pubDate>2005/05/27</pubDate><link>http://www.sqlservercentral.com/articles/Security/10securingyoursqlserver/701/</link></item><item><title>The Case of the Stolen Laptop: Mitigating the Threats of Equipment The</title><description>The fear of having laptops stolen is a huge worry for all organizations. Maybe it’s even happened to you (I hope not!). The solution is simple, really -- don’t let your laptop get stolen. (I can hear you laughing now.) Keep the thing with you at all times, or leave it in your hotel room when you don’t want to carry it around. Yes, everyone has heard the warnings about hotel room theft, but I’ve never had something stolen from a hotel room and I spend well over 200 nights a year in hotels. (If you travel to a location where the general population has kleptomaniac tendencies, stay in hotels that offer safes in the room.) You’re far more likely to leave your laptop or PDA or smart phone or USB drive lying on the seat in a taxi or on the counter at a bar.</description><guid>http://www.sqlservercentral.com/redirect/articles/1766/</guid><pubDate>2005/02/28</pubDate><link>http://www.sqlservercentral.com/redirect/articles/1766/</link></item><item><title>DATA PIRACY: THE THREAT FROM WITHIN</title><description>Databases are being stolen.  Customer data, credit card data, taxpayer data - they&amp;#39;re all vulnerable.  Scary?  Yes - but wait, there&amp;#39;s more.  It&amp;#39;s not just &amp;#34;their&amp;#34; data that&amp;#39;s vulnerable - it&amp;#39;s ours too!

</description><guid>http://www.sqlservercentral.com/redirect/articles/1669/</guid><pubDate>2005/01/21</pubDate><link>http://www.sqlservercentral.com/redirect/articles/1669/</link></item><item><title>Common Vulnerabilities in Database Security</title><description>Creating an enterprise security plan is a complex endeavour. It involves evaluating multiple threats that gain access through many network paths to a hodgepodge of different applications and systems. With the focus on systems and paths, databases are frequently overlooked. Securing the database should be a fundamental tenet for any security practitioner when developing his or her security plan. The database is the source of data, the &amp;#34;crown jewels&amp;#34; in the information economy. Any security effort must start with this in mind and end with the strongest level of controls applied at the database layer.</description><guid>http://www.sqlservercentral.com/redirect/articles/1590/</guid><pubDate>2004/11/26</pubDate><link>http://www.sqlservercentral.com/redirect/articles/1590/</link></item><item><title>SQL Server Alerts</title><description>SQL Server Alerts provide a great way for the server to notify a DBA that some event has occurred, usually something bad that they need to fix. However alerts can also be used to drive business logic processes and enable some types of actions to be safely performed without requiring extraordinary rights by a user. Author Leo Peysakhovich brings us some ideas on how we can use alerts to implement business logic processing.

</description><guid>http://www.sqlservercentral.com/articles/Administering/sqlserveralerts/1435/</guid><pubDate>2004/08/10</pubDate><link>http://www.sqlservercentral.com/articles/Administering/sqlserveralerts/1435/</link></item><item><title>Save Your Password</title><description>Storing passwords in SQL Server for authentication by your application is a common practice. But not always a good one. Someone with access could easily see all passwords and perhaps cause mischief inside your application. Imagine the office gossip getting access to your HR application as the HR director! Not a good thing. Dinesh Asanka has written a short piece on how you can use a built in function in SQL Server to encrypt these passwords and use them with a minimum of effort.
</description><guid>http://www.sqlservercentral.com/articles/Security/saveyourpassword/1420/</guid><pubDate>2004/07/12</pubDate><link>http://www.sqlservercentral.com/articles/Security/saveyourpassword/1420/</link></item><item><title>Fixing broken logins and transferring passwords</title><description>When transferring a database to a new server, you are bound to experience a user problem. In this article by Neil Boyle, he shows you how to transfer passwords and accounts seamlessly to a new server.
</description><guid>http://www.sqlservercentral.com/articles/Administering/fixingbrokenlogins/193/</guid><pubDate>2004/07/05</pubDate><link>http://www.sqlservercentral.com/articles/Administering/fixingbrokenlogins/193/</link></item><item><title>Fixed Database Roles</title><description>This article covers four of the fixed database roles (db_datareader, db_datawriter, db_denydatareader, and db_denydatawriter). If you&amp;#39;re new to SQL security (and maybe even if you&amp;#39;re not) this article is worth reading.


</description><guid>http://www.sqlservercentral.com/articles/Security/sqlpermissionsdatareaderwriter/110/</guid><pubDate>2003/10/10</pubDate><link>http://www.sqlservercentral.com/articles/Security/sqlpermissionsdatareaderwriter/110/</link></item><item><title>SecureWave's SecureStack 3.0 Release</title><description>SecureWave forwarded us this link to some info about their product - they claim to be the only product capable of protecting SQL Server from buffer overflow attacks. You can download a free eval from their site. We have not reviewed this product.</description><guid>http://www.sqlservercentral.com/redirect/articles/970/</guid><pubDate>2003/04/29</pubDate><link>http://www.sqlservercentral.com/redirect/articles/970/</link></item></channel></rss>