K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Archives: February 2009

First Impressions of the Kindle 2

As I blogged about previously, I had decided to go ahead and pre-order the Kindle 2. It was slated for delivery on Thursday, February 26, but came a day early. I've had it in my hands now for two days and here are some of the things I've noted:

The… Read more

A Security Control Inconsistently Applied Is Not a Control

Some things and readings today reminded me of this: a security control inconsistently applied is not a control. The whole point of a security control is to provide a check in order to catch malicious behavior. Some controls are preventative. Others are detective or compensating. An example of a… Read more

Excel Malformed File Vulnerability - Remote Code Execution

Today, Microsoft released a security advisory about a new vulnerability in Microsoft Excel. This one affects both PCs and Macs. The Microsoft Security Response Center blog has a post there as well. SecurityFocus has a bit more information, basically indicating Symantec is detecting files containing an exploit to… Read more

Determining if a Server Principal Owns Database Objects

This question comes up a lot in the forums: "How do I know if the login owns any objects?" Usually the reason this question is asked is to be able to find those objects and change the ownership so the login/server principal could be dropped. The first key is to map… Read more

1 comments, 3,445 reads

Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 24 February 2009

New Video Appearing on Front Page of JumpStart TV

All of the videos I've done are up under my profile. However, the video for The difference between GRANT, DENY and REVOKE in SQL Server should appear on the front page of JumpStart TV shortly.

Read more

Detecting When a Login Has Implicit Access to a Database

Yesterday I blogged about how to figure out what database principals corresponded to what server principals. The key is to match up the SIDs between sys.server_principals and sys.database_principals. But I also stated there were 3 cases where the logins had implicit access to a database and therefore we wouldn't… Read more

Mapping Database Principals to Server Principals

A question on the forum asked how to find all the database mappings for a particular login. If you're on SQL Server 2000 or below, the tables you want to use are syslogins in the master database and sysusers in each database. The key to tying the login to a user… Read more

6 comments, 2,893 reads

Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 22 February 2009

Looking Forward to Getting My Kindle 2

When the Kindle 2 was first announced, I debated about whether or not to get it. Then I realized I had the same sort of debate with myself over the Kindle, and that ultimately there were a couple of times I regretted not having gotten one. One of those times… Read more

You Must Trust Your DBAs

This is a follow-on post to You Must Trust Someone. My point in that post was to establish that being able to and actually trusting your account and server administrators is a necessity. I didn't go into the business aspect of that, but basically it boils down to… Read more

Adobe Acrobat/Reader 0day - Disable JavaScript

There is an active attack in the wild for the newly announced Adobe Acrobat and Adobe Reader vulnerability. While the attack isn't widespread, there is always the possibility of copycat attacks. One of the recommended suggestions is really easy to do, so I'm posting it here, and that's to… Read more

1 comments, 1,119 reads

Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 20 February 2009

You Must Trust Someone

After some recent talks with security folks and auditors, one of the things I have had a hard time getting across is that you must trust those folks responsible for account and server management when it comes to securing your data. Yes, you can put in a lot of deterrents, but… Read more

The Limited Usefulness of Encrypting File System (EFS) and Transparent Data Encryption (TDE)

This is something that hit me as I was presenting to the Charlotte SQL Server User Group last night.

Back in the Windows 2000 days I wrote an article on Encrypting File System and explaining how it could be used to protect the database files at rest. In my Fortress… Read more

3 comments, 1,422 reads

Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 18 February 2009

Another Reason to Avoid Cross-Database Ownership Chaining

This past weekend we were moving database files around because we added new LUNs to an existing production cluster. We went at the old tried and true way, we detached the databases, moved the files, and re-attached the databases. That seemed to work well and we thought everything was okay.… Read more

2 comments, 1,063 reads

Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 13 February 2009

Counterpoint: Against Specialization

Brent Ozar wrote his Things you know now and in it he says this under his first point, Pick one thing and get really good at it:

"I’m not saying you should stop learning, but you should focus your learning on a very small surface area, and dive deeply into…

Read more

New Security Bulletin for SQL Server 2000/2005 (MS09-004)

Affected Versions:

  • SQL Server 2000 SP4
  • SQL Server 2005 SP2

Unaffected Versions:

  • SQL Server 2005 SP3
  • SQL Server 2008

Original Vulnerability Report: http://www.securityfocus.com/archive/1/archive/1/499042/100/0/threaded

Microsoft Security Bulletin Link: http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx

Brief Analysis:

The extended stored procedure, sp_replwritetovarbin, has a buffer overflow vulnerability which can be exploited to perform a remote code exploit… Read more

Things you know now...

This was the brainchild of Mike Walsh, who asked, "What do you wish you knew when you were starting?" I was tagged by Michelle Ufford, so here are my answers.

"To Lead Is to Follow" - I've written about this before, but just understanding that at some… Read more

SQL Server 2008 Enterprise Edition install - use the "right" version of the Microsoft .NET 3.5 SP1 install

This is something that bit us over the weekend as we attempted to install two new SQL Server 2008 Enterprise Edition instances on a Windows Server 2003 failover cluster. The cluster already had existing SQL Server 2005 instances, but I don't think that matters. In any case, we went to… Read more

Professional Goals for 2009

Every time management / professional development book out there tells one to not only develop goals but actually write them down. That's the first real step to accomplishing them. One source I read suggested writing the goals as if you've already accomplished them. Because that puts you in the frame of… Read more

Speaking / Teaching Engagements

I should have put this out earlier, before going to the SQL Server Innovators Guild, but I got too busy. Here are my current speaking / teaching engagements for the first half of the year:

February:
  3  - SQL Server Innovators Guild – Greenville, SC - Fortress SQL… Read more

SQL Server security bulletin due on Tuesday

As part of its advance notification, Microsoft has released the list of security bulletins that should be coming our way Tuesday, February 10, 2009. Among them is a remote code exploit rated Important by Microsoft for SQL Server. The affected software list shows SQL Server 2000 and 2005. It… Read more