Welcome to Sign in | Join | Help

Browse by Tags

All Tags » SQL Server - security   (RSS)
This post is based on an old presentation I gave several years back. A video of the presentation used to be available here , but today I couldn't get it to work, so I am attempting to make available most of the information from the presentation within Read More...
If you ever needed to debug a permission related issue when using xp_cmdshell, you have probably realized that a crucial piece of information is about what particular account xp_cmdshell is executing under. If you are the administrator of the database, Read More...
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/ . It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
I realized today that while I have discussed earlier object permissions , I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
Exceptions are dangerous because people like to simplify their thinking process using rules, so exceptions always carry the risk of being overlooked. In security, exceptions are a bad thing because they make the model more complex and complex systems Read More...
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search Read More...
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx . It has good information and links. Read More...
In my series of new posts on old topics, I decided to gather today several pieces of information that I think will help in debugging SQL Server login failures. Although most information should remain useful for future versions as well, some of it may Read More...
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Read More...
First, I must say that I don't know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from Read More...
I am grouping here two topics (orphaned users and loginless users) that are actually very different, but I have often seen confusion between them, so I am covering them together in an attempt to dispel that confusion. In a previous discussion of logins Read More...
I have kept silent on this feature while it was being developed, but as it has now been publicly advertised in various ways (being mentioned here , here , here , and here , for example), I think it is probably time to write a bit about it. Given that Read More...
I have been watching the SQL Server Security forum for several years now and there is one question that gets spawned about once a month under different titles. It invariably begins with a request for guidance on how to secure access to a database, which Read More...
At some point during SQL Server's history, its designers must have confronted the following problem: how to give someone permission to see parts of a table without giving him any permission on the table? Slices of a table are easily defined using views, Read More...
In a previous post , I talked about the various types of principals in SQL Server. Let's have a further look in this post at permissions and at some of the hardcoded principals that ship with any installation of SQL Server. Permissions are what allow Read More...
More Posts Next page »