K. Brian Kelley - Databases, Infrastructure, and Security
Archives: May 2009
Security Basics: Applying the Principle of Least Privilege Properly
Whenever I do a security presentation, I make sure to cover the Principle of Least Privilege. And when I do I boil it down to this very simple definition:
Giving the rights to do the job. No more. No less.
If you don't give enough rights, the person can't do…
2 comments, 2,876 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 29 May 2009
Why I Say Something about Running as Administrator
On a couple of recent webcasts, I pointed out the folks were running with the local Administrator account. To start this out, I'm not a big fan of security by obfuscation. Security by obfuscation (not code obfuscation, but security by obscurity, if you prefer, I'm using the terms obfuscation/obscurity interchangeably in…
5 comments, 1,863 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 28 May 2009
Catalog view: sys.tcp_endpoints
I was playing around with the endpoint catalog views this afternoon just looking at ways to do poor man's configuration collection on SQL Server and the options available. The endpoints naturally represent the way in to SQL Server and since TCP is the default network protocol for SQL Server 2005…
0 comments, 2,284 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 27 May 2009
Speaking at Augusta Developer's Guild
Tomorrow night, May 28th, I'll be speaking at the Augusta Developer's Guild. This is a make-up from earlier in the year when I got sick. Feeling just fine and looking forward to talking about SQL Server and security. If you're in the area, please come on by. I'd love to meet…
0 comments, 1,198 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 27 May 2009
Sick? Stay home!
Yesterday I did something I wouldn't have thought of doing a year ago: I stayed home. When I woke up, my sinuses were pressing down so hard that it hurt to move my head. Sometimes, a nice hot shower will help open things up and I'll be fine. Combine that…
1 comment, 759 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 19 May 2009
SQL Injection - Why I Don't Think Parameterization is Enough
Note: Since there have been several comments on this, I'm using parameterization at the application layer in the security sense of using the CreateParameter method. I'm not talking about parameterized queries with respect to execution plans or the specific use of sp_executesql. I thought I made that clear with…
26 comments, 2,500 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 15 May 2009
Rant: Is It an Effective Control or Not?
This is spurred on by a comment a pen tester made. He was referring to a particular technology and said something to the effect of, "What do you expect? It's 30 year-old technology." I was stunned when the comment was relayed to me. My response was, "An armed guard with an…
12 comments, 1,120 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 5 May 2009
A Dead Zune and Choices
Shortly after the Zune debuted, I purchased one. And I've been happy with it. It's done everything I expected out of a music/video player and it's gone with me nearly everywhere. So I was a bit saddened to pull it out this morning and see that the screen had been cracked.…
0 comments, 769 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 4 May 2009
New Community Resource for IT Pros - Server Fault
Not too long ago the developer community got a fantastic resource called Stack Overflow. It's a question and answer site, so it's like forums, only it's not. The interface is well done, finding questions to answer is easy because of the tag system, and the site has in place…
2 comments, 967 reads
Posted in K. Brian Kelley - Databases, Infrastructure, and Security on 1 May 2009