
Databases – Infrastructure – Security

Brian Kelley is an author, columnist, and Microsoft SQL Server MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress), Professional SQL Server 2008 Administration (Wrox), and Introduction to SQL Server (Texas Publishing). Brian currently serves as an infrastructure and security architect. He has also served as a senior Microsoft SQL Server DBA, database architect, developer, and incident response team lead.

Speaking on ETL Security

I will be giving a presentation on ETL (Extract, Transform, Load) security at two user groups in the coming weeks.

Securing the ETL Pipeline

We’re going to look at typical ETL (Extract, Transform, Load) pipelines and consider the weak points an attacker might go after. Our goal in this isn’t… Read more

0 comments, 96 reads

Posted in Databases – Infrastructure – Security on 25 July 2014

Midlands PASS July Meeting – July 10

The Midlands PASS Chapter will hold its next meeting on July 10. We meet at MicroStaff IT in Cayce, SC. Here is the main presentation:

Statistics, Indexes, and their Impact

Speaker: Brian Kelley, SQL Server MVP

Statistics. Indexes. Clustered Indexes. Non-Clustered Indexes. Covering Indexes. Bookmark Lookups. Perhaps you’ve heard these… Read more

0 comments, 111 reads

Posted in Databases – Infrastructure – Security on 3 July 2014

PASS Summit Session Selection

Let’s make it democratic. Let’s ensure we get solid sessions from key people. And let’s save a ton of work in the process.

Spotlight Sessions:

There are certain folks that are extremely knowledgeable in their areas of expertise. They also happen to be excellent presenters. Have the spotlight sessions and… Read more

15 comments, 112 reads

Posted in Databases – Infrastructure – Security on 27 June 2014

What is an “operational” DBA?

On Facebook last night, I posted the following:

An operational DBA isn’t just a manager of a traditional RDBMS, transactional system. An operational DBA manages the data platform, whatever it is, when it hits production. Their goals are not traditionally the same as someone focused on development. They are looking…

Read more

2 comments, 129 reads

Posted in Databases – Infrastructure – Security on 27 June 2014

“A good DBA is a lazy DBA”

I’m borrowing from Andy Leonard (blog | twitter) who says all the time, “Good engineers are lazy.”

If you’re thinking, “Why would I want (to be) a lazy DBA?” let me explain. There’s a lot to be said for hard work. However, have you ever seen someone who… Read more

6 comments, 861 reads

Posted in Databases – Infrastructure – Security on 25 June 2014

Service Packs coming for SQL Server 2008/2008 R2

I’m not prophetic, I promise. However, some good news on the service pack front with regards to SQL Server 2008 and 2008 R2. There have been rumblings about a last service pack for these versions of SQL Server for a while, but nothing official had been said. However, an… Read more

0 comments, 1,725 reads

Posted in Databases – Infrastructure – Security on 30 May 2014

Do you apply SQL Server Cumulative Updates?

I think Steve Jones makes a great point here with respect to cumulative updates:

“This is one reason I’ve been hesitant to remain current with Cumulative Updates (CUs). Microsoft doesn’t stand behind them, with the text on each CU page that users should only apply the patch if they…

Read more

7 comments, 1,707 reads

Posted in Databases – Infrastructure – Security on 28 May 2014

Minimize permissions for file locations

When we talk about security, we often point to the Point of Least Privilege. I write a lot about applying this to SQL Server, but it’s important to handle this outside of SQL Server, especially at the file / share level. Why would we care about this as DBAs /… Read more

1 comments, 972 reads

Posted in Databases – Infrastructure – Security on 16 May 2014

The Scary DBA Comes to Columbia, SC

*sound of glass crashing* *cue theme music*

(in a wrestling announcer’s shocked voice) “It can’t be! He’s not supposed to be here! It’s the Scary DBA! What’s he doing here!”

That’s right, folks, SQL Server MVP Grant Fritchey (blog | twitter) will be coming to speak in Columbia,… Read more

0 comments, 121 reads

Posted in Databases – Infrastructure – Security on 9 May 2014

Understanding the Three A’s of Security for SQL Server

Do you know what the “Three A’s of Security” are and how they apply to Microsoft SQL Server? Let’s look at them as they are important for managing security properly on a given Microsoft SQL Server.

Authentication

Authentication is determining who a person/process is.

When a connection is made, it’s… Read more

0 comments, 2,136 reads

Posted in Databases – Infrastructure – Security on 22 April 2014

Encrypt usernames and passwords stored in files

I was looking at a product recently and came across a rather unpleasant surprise: the install instructions specified that I put the database connection in plaintext in web.config. I’ll explore this particular case and why it’s particularly egregious, but from a security perspective, this shouldn’t happen anymore, regardless of application.… Read more

0 comments, 1,421 reads

Posted in Databases – Infrastructure – Security on 2 April 2014

Speaking at Midlands PASS Chapter tonight

The Midlands PASS Chapter is an official PASS (Professional Association for SQL Server) chapter located in Columbia, SC. It’s free to attend our meetings, which are typically held the 2nd Thursday of each month.

Once a year we like to do an open forum on SQL Server security. It’s typically… Read more

0 comments, 113 reads

Posted in Databases – Infrastructure – Security on 13 March 2014

A summary of the SQL Server security #datachat is live

Recently I posted about participating in a #datachat about SQL Server security. As it turned out, we didn’t talk about SQL Server security, but data security. It was a good discussion with quite a few knowledgeable folks joining in. A summary of the discussion including some highlighted tweets can… Read more

0 comments, 151 reads

Posted in Databases – Infrastructure – Security on 12 March 2014

Auditing VMware vCenter Actions (on SQL Server)

When you’ve got a SIEM appliance or application, you want actions and events going into it as a central repository. That allows you to see patterns and hopefully track incidents across systems. As a result, if you want to track actions in VMware’s vCenter and you’ve got the database hosted… Read more

0 comments, 208 reads

Posted in Databases – Infrastructure – Security on 7 March 2014

The weakest link in database security

The weakest link in database security is the same as for most all IT security: people.

Because the weakest link is always people, we have adopted a principle called The Principle of Least Privilege to determine how we should assign security. If you’ve never heard of it, it’s a basic… Read more

1 comments, 189 reads

Posted in Databases – Infrastructure – Security on 6 March 2014

Security #Datachat on Twitter Tonight

Tonight, at 9 PM Eastern, I’ll be participating in a #datachat on SQL Server security. It’s sponsored by Confio (now part of Solarwinds).

You can find more details about the #datachat here.

How can you participate? Simply open up a search for #datachat and participate in the community Q… Read more

1 comments, 171 reads

Posted in Databases – Infrastructure – Security on 27 February 2014

Presenting on Top SQL Server Vulnerabilities

On February 19th, 2014, I’ll be giving a webinar from 3-4 PM Eastern on the Top SQL Server Vulnerabilities. You can register here for it.

It is being provided by MSSQLTips.com and GreenSQL. Here’s what I’m covering:

Your goal is to have a secure SQL Server installation. However,… Read more

0 comments, 1,361 reads

Posted in Databases – Infrastructure – Security on 12 February 2014

#TSQL2sDay – Data marts across a shaky WAN link

It sounded good in principle, especially given the requirements and the limitations:

  • We needed our various sites to be able to access the data on their customers.
  • Our line-of-business application that would be installed on the workstations will use this data.
  • Our sites resembled a snowflake schema with respect to…

Read more

2 comments, 141 reads

Posted in Databases – Infrastructure – Security on 11 February 2014

Presenting on Security at Midlands PASS

On Thursday, February 13, 2014, I’ll be at Midlands PASS in Columbia, SC. We’ll be meeting from 5:30 PM to about 7:30 PM. I’ll once again be giving an open-ended SQL Server security talk. Here’s the description:

Midlands PASS Chapter’s annual SQL Server security refresher! This is an open-ended…

Read more

0 comments, 105 reads

Posted in Databases – Infrastructure – Security on 10 February 2014

Free Online SQL Server Training for the Week of January 12, 2013

If you’re a training provider and I’ve missed you, please drop me a line at brian {dot} kelley {at} sqlpass {dot} org.

All times are Eastern (New York). To convert to your local time, use the converter at timeanddate.com.

 

Monday, Jan 13:

Read more

0 comments, 217 reads

Posted in Databases – Infrastructure – Security on 9 January 2014
