Are the posted questions getting worse?

  • Thom A - Monday, December 11, 2017 8:49 AM

    I've raised my concerns with the Boss. We have Dev and UAT environments, so she should be using those. It's not her fault, she's doing what she'd been told; "replicate these scripts in the new automation tool and test them". What they didn't tell her was "WHATEVER YOU DO, DON'T TEST THIS ONE DURING WORKING HOURS!!!". Hopefully they'll move her to the other environments, as if she breaks them then we just restore them back; that's what they're designed for! ^_^

    This is where you'd love some "DevOps" and a one button "run this stuff" process that has gates around the hours where it runs and feedback for the user. Or spin up some new environment. We do have SQL Clone from Redgate here, though it could be expensive for some companies.

  • jasona.work - Monday, December 11, 2017 10:09 AM

    That might be an option, but half the fun of working someplace like that would be to be able to walk over to the shop floor and chat with the folks working on the rockets and such...
    Get hands-on with a Dragon capsule, stick your head in the bell of a Falcon rocket, that sort of thing...
    (Yes, I'm a space geek...)
    (/me hops on USAJobs to see if NASA is in the market for a DBA)

    My son would love that job. Keep it for a couple years and then he can take your place while you go on to bigger and better things.

  • I have an old Windows Home server for a file share at home. Usually move over pictures/video from other machines there.

    These days I'd be tempted to add a couple 6/8TB drives and R1 them from just some Win or Linux box, exposing shares from there.

  • My current NAS at home is a homebrew box, a 4U rack mount case with 8 drive bays, a mid-range workstation board, and right now 4x 2TB drives, running FreeNAS.

    Works like a champ, and eventually I'll add a drive to host iSCSI connections for the Hyper-V servers.  Probably set me back all in about $4-500 (guesstimate)

  • https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Thom A - Tuesday, December 12, 2017 7:09 AM

    https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    Nice.  I hadn't heard about it yet.  Like any assessment tool, I wonder what "knowledge base of rules" refers to and if it'll change as threats change, new ones emerge and new exploits are found.  Interesting, nonetheless, so thanks for posting it.

  • Ed Wagner - Tuesday, December 12, 2017 7:58 AM

    Thom A - Tuesday, December 12, 2017 7:09 AM

    https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    Nice.  I hadn't heard about it yet.  Like any assessment tool, I wonder what "knowledge base of rules" refers to and if it'll change as threats change, new ones emerge and new exploits are found.  Interesting, nonetheless, so thanks for posting it.

    Had a quick run. Some things it flags you can set baselines for, though, which seems interesting; Microsoft acknowledge that different places have different requirements! Others seem to be based on some guidelines they have somewhere, for example "CLR should be disabled", "Remote Access feature should be disabled".

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Thom A - Tuesday, December 12, 2017 8:18 AM

    Ed Wagner - Tuesday, December 12, 2017 7:58 AM

    Thom A - Tuesday, December 12, 2017 7:09 AM

    https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    Nice.  I hadn't heard about it yet.  Like any assessment tool, I wonder what "knowledge base of rules" refers to and if it'll change as threats change, new ones emerge and new exploits are found.  Interesting, nonetheless, so thanks for posting it.

    Had a quick run. Some things it flags you can set baselines for, though, which seems interesting; Microsoft acknowledge that different places have different requirements! Others seem to be based on some guidelines they have somewhere, for example "CLR should be disabled", "Remote Access feature should be disabled".

    Looking over the page you linked, and the page for the Vulnerability Assessment tool itself, I'm wondering if MS is using the DISA STIGs as the base for the recommendations...
    More likely, I suspect, MS provides input on the STIGs and is using that, rather than the other way around...
    Going to have to look at this and play with it on my lab and see...

  • jasona.work - Tuesday, December 12, 2017 9:30 AM

    Thom A - Tuesday, December 12, 2017 8:18 AM

    Ed Wagner - Tuesday, December 12, 2017 7:58 AM

    Thom A - Tuesday, December 12, 2017 7:09 AM

    https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    Nice.  I hadn't heard about it yet.  Like any assessment tool, I wonder what "knowledge base of rules" refers to and if it'll change as threats change, new ones emerge and new exploits are found.  Interesting, nonetheless, so thanks for posting it.

    Had a quick run. Some things it flags you can set baselines for, though, which seems interesting; Microsoft acknowledge that different places have different requirements! Others seem to be based on some guidelines they have somewhere, for example "CLR should be disabled", "Remote Access feature should be disabled".

    Looking over the page you linked, and the page for the Vulnerability Assessment tool itself, I'm wondering if MS is using the DISA STIGs as the base for the recommendations...
    More likely, I suspect, MS provides input on the STIGs and is using that, rather than the other way around...
    Going to have to look at this and play with it on my lab and see...

    My guess is that you're right.  I don't know the DOD STIG like you do, but I doubt it would audit to the whole thing.

  • They've released a Python based Command Line Tool now. Not sure we really needed another one of those. I understood the need for MSOS (at least while no equivalent to SSMS is on Linux), but sqlcmd works fine on both Windows and Bash. https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/12/try-mssql-cli-a-new-interactive-command-line-tool-for-sql-server/

    From the image, however, I don't like that it's using double quotes for quote blocks.

    I'm hoping that the new bits that Microsoft are bringing out are a sign of good things to come, rather than a loss of focus on other areas.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Thom A - Tuesday, December 12, 2017 7:09 AM

    https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/11/whats-new-in-ssms-17-4-sql-vulnerability-assessment/

    I'm actually a little concerned what our VA report is going to look like. Time to find out! 🙂

    "Permissions to select from system tables and views should be revoked from non-sys-admin" <-- from the screenshot on the blog

    Uh, wut? So I wouldn't be able to get to INFORMATION_SCHEMA? Why?

    -------------------------------------------------------------------------------------------------------------------------------------
    Please follow Best Practices For Posting On Forums to receive quicker and higher quality responses

  • So I loaded up 17.4 to give the VA a try.
    It's interesting what it reports, but it certainly doesn't come close to a STIG checklist.  That being said, I can see the utility of the tool as it will get a database in a relatively better security state than I suspect most tend to be.
    Basically, I'd look at it as a "quick-and-dirty I was made the DBA because my manager voluntold me I was going to be responsible for the SQL install we needed last week and what the HECK am I doing?" sort of tool.

    Not as heavily restrictive and PITA to implement sometimes as a STIG, but better than not looking at some rather basic things...

    And, to reference Jonathon above me's comment, I'd expect the intent is to treat any recommendations as a guideline, not a set-in-stone requirement.  After all, if you've got something that uses INFORMATION_SCHEMA that isn't a sysadmin, if it's for a darn good reason and there's no other way to do it, you accept the potential risk, do what you can to mitigate it, and move on.
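
An added example, not part of any post in this thread and not the Vulnerability Assessment tool's own rules: one way to check the two instance settings quoted above against a site baseline that also records accepted deviations, in the spirit of "treat it as a guideline, accept the risk where justified". The `@baseline` table, its expected values and the accepted-risk note are hypothetical and constructed for illustration.

```sql
-- Site baseline for the settings named in the thread.
-- Contents are constructed sample data, not values taken from the VA tool.
DECLARE @baseline TABLE (
    setting_name   nvarchar(35)  NOT NULL PRIMARY KEY,
    expected_value int           NOT NULL,
    accepted_risk  nvarchar(200) NULL  -- non-NULL = documented, approved deviation
);

INSERT INTO @baseline (setting_name, expected_value, accepted_risk)
VALUES (N'clr enabled',   0, NULL),
       (N'remote access', 0, N'Constructed example: legacy job needs it, reviewed quarterly');

SELECT  b.setting_name,
        b.expected_value,
        CONVERT(int, c.value)        AS configured_value,  -- set via sp_configure
        CONVERT(int, c.value_in_use) AS running_value,     -- what the instance uses now
        CASE
            WHEN c.name IS NULL
                THEN 'NOT FOUND'
            WHEN CONVERT(int, c.value_in_use) = b.expected_value
                THEN 'PASS'
            WHEN b.accepted_risk IS NOT NULL
                THEN 'ACCEPTED DEVIATION'
            ELSE 'FAIL'
        END AS result,
        -- A configured value that differs from the running value means a
        -- change is waiting on RECONFIGURE or a restart; report it separately
        -- so a "PASS" is not mistaken for a setting about to flip.
        CASE
            WHEN CONVERT(int, c.value) <> CONVERT(int, c.value_in_use) THEN 1
            ELSE 0
        END AS pending_change,
        b.accepted_risk
FROM    @baseline AS b
LEFT JOIN sys.configurations AS c
       ON c.name COLLATE DATABASE_DEFAULT = b.setting_name COLLATE DATABASE_DEFAULT
ORDER BY b.setting_name;
```

Rows marked ACCEPTED DEVIATION still appear in the output with their justification, so the exception stays visible at each review instead of being silently dropped from the report.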

  • So this article hits a little close to home (the references to poverty are so true).

    So how do we (the "Olds") fix this?

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Thom A - Wednesday, December 13, 2017 2:03 AM

    They've released a Python based Command Line Tool now. Not sure we really needed another one of those. I understood the need for MSOS (at least while no equivalent to SSMS is on Linux), but sqlcmd works fine on both Windows and Bash. https://blogs.technet.microsoft.com/dataplatforminsider/2017/12/12/try-mssql-cli-a-new-interactive-command-line-tool-for-sql-server/

    From the image, however, I don't like that it's using double quotes for quote blocks.

    I'm hoping that the new bits that Microsoft are bringing out are a sign of good things to come, rather than a loss of focus on other areas.

    Pretty neat. Though, I think most of us like using iPython (cmd line tool) or iPython Notebook (browser with local web server) with Pandas to query the DB live. Works out pretty well because you can query and then slam it into a visual all in one swing in both modes.

  • Request for the brain trust here on the thread. I'm researching an article on the plan at Heathrow airport for dealing with snow. I'm fairly certain it's published somewhere, but I can't find the specifics of it. The closest I've come is this PDF on their plan to improve the plan after the 2010 disaster (6 inches of snow when the plan only dealt with .8cm, yes, you read that correctly, less than 1 centimeter). Any help would be appreciated.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning
