Browse by Tags

The First One

It's been a long time since I saw a vulnerability in SQL Server released. And to date, there haven't been any for SQL Server 2005, nearly 3 years after it's release in Nov 2005. That changed today I saw a note from Secunia just some in: Microsoft SQL Server and MSDE Multiple Vulnerabilities...

Posted to SQL Musings (Weblog) by Steve Jones on 07-08-2008
Avoid Domain Admin level accounts for SQL Server

Every so often I see a post in the forums where someone has stated they've used a Domain Admin level account to run the SQL Server service. The implications are that anyone who is a member of the sysadmin fixed server role is effectively a domain admin. That means if a developer is a member of this...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 06-12-2008
Security Issue with SQL Server Reporting Services 2008

I have a CTP of SSRS 2008 deployed to one of my servers. Today I built a couple of reports and from one of my systems, they all tested fine. However, this system, because it is a testing server, doesn't receive the Group Policy Object (GPO) controlling IE security settings that our standard systems...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-30-2008
Setting Static Ports when dealing with Named Instances and Kerberos

I ran across this a week or so ago. There were a couple of SQL Servers running named instances that we wanted to setup Kerberos authentication against (in the event we would use Kerberos delegation). Here is how the ports were set according to SQL Server Configuration Manager: The problem here is that...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-17-2008
Thoughts on SQL Saturday in Jacksonville

I was able this Saturday to head down to Jacksonville and speak at the SQL Saturday there. There were a lot of folks, a lot of good presentations, and the area in and around Jacksonville was gorgeous. I gave two presentations, both of them security related, and I was pleasantly surprised and encouraged...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-07-2008
Jacksonville SQLSaturday less than a month away!

The SQLSaturday in Jacksonville, Florida, will be held May 3, 2008. I'm on track now to give two security based presentations: Protecting Your SQL Server From Treasure Seekers : This presentation is geared for system administrators, DBAs, and developers and covers the "low-hanging fruit"...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 04-05-2008
Honeypots in the Database

As a follow up to my post about Cesar Cerrudo's new whitepaper , earlier this month David Litchfield talked about putting honeypots in the database in his blog post, Database tripwires... , to catch someone snooping around. The basic idea for non-Oracle databases is to create some sort of alerting function...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 11-23-2007
Whitepaper on Malware to Attack Databases

Cesar Cerrudo of Argeniss Information Security has put out a new whitepaper (.pdf format), Data0: Next generation malware for stealing databases , describing how malware could be crafted to steal information out of databases. For the most part, it stays at a high-level, however, Cesar does give a few...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 11-23-2007
Resources: SQL Server 2005 Security

Work responsibilities took up my time on Thursday and Friday, so I never got around to posting. Here's the resources I planned on covering on Friday: online sources for SQL Server security. Website: Center for Internet Security - SQL Server Benchmarks CIS is well known for producing quality benchmarks...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 11-11-2007
SQL Server: Showing permissions for a given database user

Building upon my post from last Tuesday , if you know all the roles for a given user, you'll probably want all the permissions as well. In prior versions of SQL Server, the way to go was the system stored procedure sp_helprotect . However, sp_helprotect is stuck in legacy SQL Server 2000 permissions...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 11-06-2007

Page 1 of 4 (37 items) 1 2 3 4 Next >