Browse by Tags

Avoid Domain Admin level accounts for SQL Server

Every so often I see a post in the forums where someone has stated they've used a Domain Admin level account to run the SQL Server service. The implications are that anyone who is a member of the sysadmin fixed server role is effectively a domain admin. That means if a developer is a member of this...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 06-12-2008
Data Loss Mailing List and Database

The folks at attrition.org have been stalwarts in providing information to the security community for ages, it seems. I first discovered them via their defacement mirror, which they ceased maintaining long ago because site defacements became so common there was no point. About three years ago they began...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 06-04-2008
Security by Obscurity?

Andy Warren points to a TechNet article about Security by Obscurity and wanted me to post some notes. Let's start with the example they used. Rename the Administrator account: I agree with Roger's take. We intentionally rename the administrator account because it does stop the malware and scripts...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 06-04-2008
Security by Obscurity?

If you're not familiar with the term it means to make something safe/secure by using a trick to hide the vulnerability rather than fixing it, or perhaps when "fixing" it is just isn't possible. Over the years I've seen the value of running SQL on a non-standard port, threats drop...

Posted to It Depends (Weblog) by Andy Warren on 06-01-2008
Security Issue with SQL Server Reporting Services 2008

I have a CTP of SSRS 2008 deployed to one of my servers. Today I built a couple of reports and from one of my systems, they all tested fine. However, this system, because it is a testing server, doesn't receive the Group Policy Object (GPO) controlling IE security settings that our standard systems...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-30-2008
Setting Static Ports when dealing with Named Instances and Kerberos

I ran across this a week or so ago. There were a couple of SQL Servers running named instances that we wanted to setup Kerberos authentication against (in the event we would use Kerberos delegation). Here is how the ports were set according to SQL Server Configuration Manager: The problem here is that...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-17-2008
Log Shipping with Security

Many DBA's struggle with maintaining their security infrastructure while providing the ability for dev to access the delivery environment. A common approach is to setup a NRT (Near Real Time) environment on a warm server. There are several approaches to this. If you're looking just to push data...

Posted to Ken Kaufman (Weblog) by Ken Kaufman on 05-13-2008
Thoughts on SQL Saturday in Jacksonville

I was able this Saturday to head down to Jacksonville and speak at the SQL Saturday there. There were a lot of folks, a lot of good presentations, and the area in and around Jacksonville was gorgeous. I gave two presentations, both of them security related, and I was pleasantly surprised and encouraged...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 05-07-2008
Recent slate of IIS attacks - more info

The recent slate of attacks on IIS servers don't seem to be an attack directly against IIS or against SQL Server itself. In other words, they aren't going after vulnerabilities in the server product (either one). Rather, the attacks are targeting weaknesses in the web application which permit...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 04-26-2008
SQL Server Forensics Book

I logged into Safari today to download some chapters I want to be able to review when I'm offline. I saw in the new titles there's a forthcoming book called SQL Server Forensics Analysis and it's by one of my co-authors from How to Cheat at Securing SQL Server 2005 , Kevvie Fowler. The book...

Posted to K. Brian Kelley - Databases, Infrastructure, and Security (Weblog) by bkelley on 04-05-2008

Page 1 of 7 (61 items) 1 2 3 4 5 Next > ... Last »