Security
The SANS Internet Storm Center has a great handler post about working at the Abuse department for an ISP: Securing a Network - Lessons Learned The handler, Deborah Hale goes into detail about some of the issues faced. Things like end users not having...
The network scanner Nmap has a new version out, 4.68. The GUI interface (Zenmap) which comes with the Windows installer version is pretty sharp. A lot of changes in this version. I just did a test run and it correctly identified OS and services on the...
Every so often I see a post in the forums where someone has stated they've used a Domain Admin level account to run the SQL Server service. The implications are that anyone who is a member of the sysadmin fixed server role is effectively a domain...
The folks at attrition.org have been stalwarts in providing information to the security community for ages, it seems. I first discovered them via their defacement mirror, which they ceased maintaining long ago because site defacements became so common...
Andy Warren points to a TechNet article about Security by Obscurity and wanted me to post some notes. Let's start with the example they used. Rename the Administrator account: I agree with Roger's take. We intentionally rename the administrator...
I have a CTP of SSRS 2008 deployed to one of my servers. Today I built a couple of reports and from one of my systems, they all tested fine. However, this system, because it is a testing server, doesn't receive the Group Policy Object (GPO) controlling...
I ran across this a week or so ago. There were a couple of SQL Servers running named instances that we wanted to set up Kerberos authentication against (in the event we would use Kerberos delegation). Here is how the ports were set according to SQL Server...
I was able this Saturday to head down to Jacksonville and speak at the SQL Saturday there. There were a lot of folks, a lot of good presentations, and the area in and around Jacksonville was gorgeous. I gave two presentations, both of them security related...
Filed under: SQL Server 2000, SQL Server 2005, Security, Conferences/User Groups, Community, SQL Server, database security, SQL Server security, SQLSaturday, Presenting, SQL Saturday
The recent slate of attacks on IIS servers doesn't seem to be an attack directly against IIS or against SQL Server itself. In other words, they aren't going after vulnerabilities in the server product (either one). Rather, the attacks are targeting...
I logged into Safari today to download some chapters I want to be able to review when I'm offline. I saw in the new titles there's a forthcoming book called SQL Server Forensics Analysis and it's by one of my co-authors from How to Cheat at...
The SQLSaturday in Jacksonville, Florida, will be held May 3, 2008. I'm on track now to give two security-based presentations: Protecting Your SQL Server From Treasure Seekers: This presentation is geared for system administrators, DBAs, and developers...
I'm a little late on this one, but Cesar Cerrudo has announced he's going to demonstrate exploits against Windows Server 2008, IIS 7.0, and SQL Server at the Hack in the Box conference in Dubai: Windows Server 2008, Still not totally secure. The Windows...
SQL Server MVP Randy Dyess has a short webcast which provides the highlights of SQL Server 2008 security. He includes some demos which show the centralized management features inherent in SQL Server 2008. You can find it on the SQL Server Magazine's...
I've been dealing with a security product from a security company in recent days that breaks best practices with respect to the database configuration. This has reminded me of the list of issues I've seen over the past six months that have raised...
The new version of Metasploit is out. Included is a GUI interface. It's a complete re-write in Ruby (note to self, learn more about Ruby), whereas the previous versions were in Perl. The Metasploit Framework site. If you aren't familiar with Metasploit...