
Databases – Infrastructure – Security

Brian Kelley is an author, columnist, and Microsoft SQL Server MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress), Professional SQL Server 2008 Administration (Wrox), and Introduction to SQL Server (Texas Publishing). Brian currently serves as an infrastructure and security architect. He has also served as a senior Microsoft SQL Server DBA, database architect, developer, and incident response team lead.

Register for Red Gate’s SQL in the City

Aunt Kathi. Grant Fritchey. Steve Jones. They’re part of five hours of training on SQL Server performance and DevOps with the database in mind. And it’s free. And it’s on-line. I’m looking forward to this. If you’re not familiar with what I’m talking about, it’s Red Gate’s SQL in the… Read more

0 comments, 137 reads

Posted in Databases – Infrastructure – Security on 8 December 2017

Kalen Delaney’s Weekly Webinars

Anyone who has been working with SQL Server for any length of time should be aware of the name Kalen Delaney. She is one of the luminaries in our community. Therefore, the opportunity to learn from her is definitely one you should seize upon.

Back in September she began a… Read more

0 comments, 109 reads

Posted in Databases – Infrastructure – Security on 7 December 2017

Webinar: Understanding SQL Injection and Its Consequences

On Thursday, December 14, at 3 PM Eastern, I will be giving a presentation on SQL injection. Registration is required but otherwise the webinar is free:

Register for Webinar

This is put on by the MSSQLTips folks and we hope you’ll find it informative. If there’s anything specific you’d like… Read more

0 comments, 205 reads

Posted in Databases – Infrastructure – Security on 6 December 2017

More Beginner / Fundamentals Content

Not surprisingly, there are folks who want beginner / fundamentals presentations and blog posts.

I put up the poll based on a brief conversation on Twitter about some folks wanting more advanced content and complaining when beginner content was offered. I’ve heard the same comments when I ran a beginner… Read more

0 comments, 116 reads

Posted in Databases – Infrastructure – Security on 5 December 2017

Security Architecture: Knowing the Adversary

When I present or teach on a security topic, I take the time to cover the mindset of the adversary. There are a lot of maxims out there to “know thine enemy,” but here’s a good recent one that explains why:

“Unless you can think the way that an evil…

Read more

5 comments, 373 reads

Posted in Databases – Infrastructure – Security on 4 December 2017

Geek Sync Recording: Taking Control of Your SQL Server Sprawl

Back in July, I gave a webcast for Idera’s Geek Sync. They’ve published the recording. You can find it here:

Take Control of Your Organization’s SQL Server Sprawl

It’s about an hour long and it focuses on automation, setting up sized templates for servers, pushing and enforcing OS settings using… Read more

0 comments, 225 reads

Posted in Databases – Infrastructure – Security on 17 November 2017

Learning to Give Presentations Well (Part 2)

In Part 1, I gave some advice from Toastmasters. We’ll return to the Toastmasters advice in Part 3. In Part 2 we’re going to look at recommendations from Garr Reynolds. You can find this advice and more in Presentation Zen, which I found to… Read more

0 comments, 210 reads

Posted in Databases – Infrastructure – Security on 15 November 2017

Learning to Give Presentations Well (Part 1)

I’ve given technical presentations for years. I’ve also taught in churches and youth groups years before that. For me, speaking in public isn’t a big deal. However, I know that when someone is first starting out, it can be a challenging experience. Even though I felt comfortable speaking in public,… Read more

1 comment, 1,261 reads

Posted in Databases – Infrastructure – Security on 6 November 2017

If You’re Stuck at Home for the PASS Summit

Conferences are a great place to network, to see new technologies or to see existing technologies being used in new ways, or just to get away from the day-to-day work. You may love your job, but having a break to refresh and re-focus is certainly good, too. So what if you… Read more

1 comment, 358 reads

Posted in Databases – Infrastructure – Security on 30 October 2017

Don’t “Test” Against Production

A few months ago, I was participating in a threat hunting exercise on the security side. The gentleman leading the exercise was discussing some scans to run. However, before we did anything, he made sure to state that we should run against a non-production environment first. Apparently, some of his… Read more

0 comments, 1,788 reads

Posted in Databases – Infrastructure – Security on 18 October 2017

Automating Everything with PowerShell – Getting Started #tsql2sday

I try to automate everything I can with PowerShell. Whether we’re talking SQL Server, WSUS, Active Directory, or any other product with active support in PowerShell, I try to write scripts to do everything. I believe in the old proviso that good engineers are lazy engineers (thank you, Andy Leonard Read more

0 comments, 649 reads

Posted in Databases – Infrastructure – Security on 17 October 2017

Randomness in Security Configuration

We were deploying a new web service. Because of the nature of the service, we wanted it to listen on a non-standard port. Security by obscurity doesn’t work against a real attacker or well-written malware. However, if someone was just attempting to check for a web server by doing the… Read more

0 comments, 1,183 reads

Posted in Databases – Infrastructure – Security on 14 August 2017

Just Say No to Social Engineering Memes

These memes, from a security and privacy perspective, are nothing but trouble. Here’s an example I just saw a friend respond to:


The reason I say trouble is because if you play along, they reveal a tremendous amount of personal information about you. That information is often used to secure… Read more

1 comment, 417 reads

Posted in Databases – Infrastructure – Security on 11 August 2017

#TSQL2sday: Interviewing Patterns

This T-SQL Tuesday is hosted by Kendra Little.

I’ve been told interviewing is an art. Perhaps it is. I view it more as an information exchange. The organization you’re interviewing with is trying to obtain information on you. You should be trying to obtain information on the organization. The… Read more

3 comments, 158 reads

Posted in Databases – Infrastructure – Security on 8 August 2017

Geek Sync on Wednesday: Taking Control of Your Organization’s SQL Server Sprawl

This Wednesday, July 26th, at 12 PM EDT, I’ll be giving a presentation through Idera’s Geek Sync series. You will need to register for the session.

Registration Link for Geek Sync talk

Here’s what I’ll be covering:

You have SQL Server sprawl throughout your organization. There are SQL Servers installed… Read more

0 comments, 168 reads

Posted in Databases – Infrastructure – Security on 24 July 2017

Remember What It’s Like to Be a Rookie

File this under “soft skills.” Let me start with a recent experience.

Last week I was leading a team of youth working around their local community. My oldest son was one of my co-leaders and he had just come back from his first year at The Citadel as well as… Read more

1 comment, 1,520 reads

Posted in Databases – Infrastructure – Security on 20 July 2017

Security Basics: The Principle of Least Privilege

Whenever I’m asked about creating a security model for an application or database, I tell folks to follow the Principle of Least Privilege. There are several definitions out there, some wordier than others. Here’s mine:

Give the permissions necessary to do the job. No more. No less.

If this is… Read more

2 comments, 1,956 reads

Posted in Databases – Infrastructure – Security on 30 June 2017

Recording of PASS Security VC Webinar

If you were unable to attend this month’s PASS Security Virtual Chapter webinar, The Dirty Business of Auditing, it has been published to YouTube.

As requested, here are the slides: The Dirty Business of Auditing (278 KB).


Read more

0 comments, 239 reads

Posted in Databases – Infrastructure – Security on 29 June 2017

The Three A’s: Auditing

Authentication and Authorization, the first two of the three A’s of security, control who gets access to what. However, at some point we’ll need to know who is accessing that what and when it happened. That brings us to the third A: Auditing.

Auditing isn’t strictly required on all systems.… Read more

0 comments, 1,245 reads

Posted in Databases – Infrastructure – Security on 28 June 2017

The Three A’s: Authorization

Having covered authentication yesterday, let’s move on to the second A, authorization. Authentication was about proving identity. Now that we know that identity, we can determine permissions. Just because we have authentication doesn’t mean we have authorization. Let me give you an example.

A club only permits patrons who are 21… Read more

0 comments, 1,482 reads

Posted in Databases – Infrastructure – Security on 27 June 2017
