SQLServerCentral Editorial

Your Security Checkup


Recently I saw an article on Simple Talk, 15 Practical Tips for Securing SQL Server, and I thought that many of these are fairly simple things. Turn off unused features, disable sa, etc. These are things that a lot of people probably ensure are in their SQL Server builds.

Though, I'm sure a lot of people don't bother.

Often, I've found that different people might be responsible for setting up servers, or they might have rights to change things on existing servers. Over time, what we thought of as a standard often isn't standard on all instances. Exceptions creep in, perhaps because developers change things when they don't know better or aren't thinking of security. Vendor software might have some unexpected requirements for similar reasons that deviate from our standard. We also might change our own standards over time and forget to revisit existing servers.

I wonder how many of you have a security audit procedure in place to re-examine your existing servers. It's something that ought to be done periodically, like storage management. It isn't needed every day or week, but a few times a year you might want to ensure things are set appropriately and ready for the next few months.

I've been surprised at the number of people that really like the Redgate Monitor Configuration page to keep track of their servers and the deviations from their own standard config. It's also been interesting how many people upgrade to the Enterprise Edition to get the security features. Tracking these over time can be a pain, and DBAs want an easy way to do this. In fact, there are so many feature requests for enhancements to security tracking that the devs on RGMEE are very busy.

It's getting to be the end of the year, and that's a slower time for many of us. Unless your business is related to the holidays, a lot of people take vacation, we have code freezes, and there's a little more time for housekeeping. This might be a good time to conduct a little security audit and ensure that your servers aren't open for attack or making it easy for malicious actors, or naïve but well-intentioned coworkers, to get into systems.

dbatools is a great way to do some changing or enforcing of standards across lots of servers. Even if you can't change all the settings, you might ensure you have documentation on why that one instance has the sa account enabled. You might also ensure that your security people have signed off on any exceptions.

If nothing else, a good security checkup should include checking your versions and getting up to date on patches.
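As an added example (not code from the editorial or from the dbatools project), here is one way to run the checkup described above across many instances with dbatools: it flags an enabled sa login, surface-area features left on, and instances behind on patches, then drops anything that is on a signed-off exception list. It assumes dbatools is installed and you have sysadmin on the targets; the instance names and the exception table are constructed placeholders.

```powershell
# Added example: a small dbatools audit that reports deviations from a baseline
# across several instances. Instance names below are constructed placeholders.
Import-Module dbatools

$instances = 'SQL01', 'SQL02\INST1', 'SQL03'

# Exceptions that are documented and signed off by security (hypothetical table;
# in practice keep this in a file or a DBA database, not in the script).
$approvedExceptions = @{
    'SQL02\INST1' = @('SaEnabled')   # e.g. a vendor application that insists on sa
}

$findings = foreach ($instance in $instances) {
    # Baseline item 1: the sa login should be disabled
    $sa = Get-DbaLogin -SqlInstance $instance -Login 'sa'
    if (-not $sa.IsDisabled) {
        [pscustomobject]@{ Instance = $instance; Check = 'SaEnabled'; Detail = 'sa login is enabled' }
    }

    # Baseline item 2: unused features should stay off unless there is a documented need
    $features = Get-DbaSpConfigure -SqlInstance $instance -Name XPCmdShellEnabled, OleAutomationProceduresEnabled
    foreach ($f in $features) {
        if ($f.RunningValue -ne 0) {
            [pscustomobject]@{ Instance = $instance; Check = $f.Name; Detail = "running value $($f.RunningValue)" }
        }
    }

    # Baseline item 3: patch level, compared against the latest build dbatools knows about
    $build = Test-DbaBuild -SqlInstance $instance -Latest
    if (-not $build.Compliant) {
        [pscustomobject]@{ Instance = $instance; Check = 'Patching'; Detail = "build $($build.Build), latest is $($build.BuildTarget)" }
    }
}

# Anything that is not a signed-off exception needs a ticket or a fix
$findings |
    Where-Object { $approvedExceptions[$_.Instance] -notcontains $_.Check } |
    Format-Table -AutoSize
```

Run it a few times a year, as the editorial suggests, and keep the exception table under change control so that the list of deviations does not quietly grow.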
