
K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Archives: May 2009

Security Basics: Applying the Principle of Least Privilege Properly

Whenever I do a security presentation, I make sure to cover the Principle of Least Privilege. And when I do I boil it down to this very simple definition:

Giving the rights to do the job. No more. No less.

If you don't give enough rights, the person can't do… Read more

Why I Say Something about Running as Administrator

On a couple of recent webcasts, I pointed out the folks were running with the local Administrator account. To start this out, I'm not a big fan of security by obfuscation. Security by obfuscation (not code obfuscation, but security by obscurity, if you prefer, I'm using the terms obfuscation/obscurity interchangeably in… Read more

Catalog view: sys.tcp_endpoints

I was playing around with the endpoint catalog views this afternoon just looking at ways to do poor man's configuration collection on SQL Server and the options available. The endpoints naturally represent the way in to SQL Server and since TCP is the default network protocol for SQL Server 2005… Read more

Speaking at Augusta Developer's Guild

Tomorrow night, May 28th, I'll be speaking at the Augusta Developer's Guild. This is a make-up from earlier in the year when I got sick. Feeling just fine and looking forward to talking about SQL Server and security. If you're in the area, please come on by. I'd love to meet… Read more

Sick? Stay home!

Yesterday I did something I wouldn't have thought of doing a year ago: I stayed home. When I woke up, my sinuses were pressing down so hard that it hurt to move my head. Sometimes, a nice hot shower will help open things up and I'll be fine. Combine that… Read more

SQL Injection - Why I Don't Think Parameterization is Enough

Note: Since there have been several comments on this, I'm using parameterization at the application layer in the security sense of using the CreateParameter method. I'm not talking about parameterized queries with respect to execution plans or the specific use of sp_executesql. I thought I made that clear with… Read more

Rant: Is It an Effective Control or Not?

This is spurred on by a comment a pen tester made. He was referring to a particular technology and said something to the effect of, "What do you expect? It's 30 year-old technology." I was stunned when the comment was relayed to me. My response was, "An armed guard with an… Read more

A Dead Zune and Choices

Shortly after the Zune debuted, I purchased one. And I've been happy with it. It's done everything I expected out of a music/video player and it's gone with me nearly everywhere. So I was a bit saddened to pull it out this morning and see that the screen had been cracked.… Read more

New Community Resource for IT Pros - Server Fault

Not too long ago the developer community got a fantastic resource called Stack Overflow. It's a question and answer site, so it's like forums, only it's not. The interface is well done, finding questions to answer is easy because of the tag system, and the site has in place… Read more