Whenever I do a security presentation, I make sure to cover the Principle of Least Privilege. And when I do I boil it down to this very simple definition:

Giving the rights to do the job. No more. No less.

If you don't give enough rights, the person can't do… Read more

On a couple of recent webcasts, I pointed out the folks were running with the local Administrator account. To start this out, I'm not a big fan of security by obfuscation. Security by obfuscation (not code obfuscation, but security by obscurity, if you prefer, I'm using the terms obfuscation/obscurity interchangeably in… Read more

 I was playing around with the endpoint catalog views this afternoon just looking at ways to do poor man's configuration collection on SQL Server and the options avaliable. The endpoints naturally represent the way in to SQL Server and since TCP is the default network protocol for SQL Server 2005… Read more

Tomorrow night, May 28th, I'll be speaking the Augusta Developer's Guild. This is a make-up from earlier in the year when I got sick. Feeling just fine and looking forward to talking about SQL Server and security. If you're in the area, please come on by. I'd love to meet… Read more

Yesterday I did something I wouldn't have thought of doing a year ago: I stayed home. When I woke up, my sinuses were pressing down so hard that it hurt to move my head. Sometimes, a nice hot shower will help open things up and I'll be fine. Combine that… Read more

Note: Since there have been several comments on this, I'm using parameterization at the application layer in the security sense of using the CreateParameter method. I'm not talking about parameterized queries with respect to execution plans or the specific use of sp_executesql. I thought I made that clear with… Read more

This is spurred on by a comment a pen tester made. He was referring to a particular technology and said something to the effect of, "What do you expect? It's 30 year-old technology." I was stunned when the comment was relayed to me. My response was, "An armed guard with an… Read more

Shortly after the Zune debuted, I purchased one. And I've been happy with it. It's done everything I expected out of a music/video player and it's gone with me nearly everywhere. So I was a bit saddened to pull it out this morning and see that the screen had been cracked.… Read more

Not too long ago the developer community got a fantastic resource called Stack Overflow. It's a question and answer site, so it's like forums, only it's not. The interface is well done, finding questions to answer is easy because of the tag system, and the site has in place… Read more