In SQL Server 2012, Server Audit can be created with a predicate expression (refer to MSDN ). This predicate expression is evaluated before audit events are written to the audit target. If the evaluation returns TRUE the event is written to the audit...

Copied from an internal email from a PM on the team, Jakub - I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302...

2 New Whitepapers: SQL Server 2012 Security Best Practice white paper (updated link: http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx) from operational...

Microsoft is working on a new Windows Azure service through SQL Azure Labs , called Trust Services. It is an application-level encryption framework that can be used to protect sensitive data stored on the Windows Azure Platform. By using Trust Services...

Last week, we released SQL Azure Security Services through SQL Azure Labs. In this initial version of our labs, you can Scan your SQL Azure server or individual databases for security issues - We look for design issues, elevation issues and etc...

PASS Summit 2011 is coming to Seattle this week starting October 11 th 2011. You'll have the opportunity to meet a lot of folks from the SQL Server team during the event, and a variety of speakers that will share their experiences and delight you with...

A common scenario in data warehousing applications is knowing what source system records to update, what data needs to be loaded and which data rows can be skipped as nothing has changed since they were last loaded. Another possible scenario is the need...

I am posting this on behalf of my colleague Rick Byham, a technical writer on the SQL Server Team. Database Engine permissions are managed at the server level through logins and fixed server roles, and at the database level through database users...

If PCI compliance with SQL Server is a concern for you, then you'll probably want to check out the Deploying SQL Server 2008 R2 Based on Payment Card Industry Data Security Standards (PCI DSS) Version 2.0 white paper published by Parente Beard LLC. The...

This article is a follow up to “Prevent Tampering of Encrypted Data Using @add_authenticator Argument for ENCRYPTBYKEY” . In the last article we described a scenario where the security risk of copying encrypted data from one row to another...

This article is one of several articles discussing some of the best practices for encrypting data. This article demonstrates how the @ add_authenticator argument of the ENCRYPTBYKEY function can help prevent tampering with encrypted data. Imagine the...

The implementation of RC4/RC4_128 in SQL Server does not salt the key and this severely weakens the security of data that is encrypted using the RC4/RC4_128 algorithm. In cryptography, an initialization vector (IV) is a fixed size input to a cryptographic...

Creating DB-specific users with password on a contained DB can provide a lot of mobility for applications since it enables the possibility of moving a DB from any particular instance to another one without the need to also manually move login information...

To connect with contained user credentials you have to specify contained database in the connection string. If no database is specified the connection will try to do traditional authentication as a login in master database. If the database does not support...

With the release of Microsoft SQL Server code-name “Denali” Community Technology Preview 1 (CTP1) and the introduction of Contained Database (CDB) ( http://msdn.microsoft.com/en-us/library/ff929071(SQL.110).aspx ), we also introduced the capability...

Enabling contained database authentication on an instance allows db owners (and other privileged db users) to create and manage users who can connect to the database on the instance. However, the instance administrator (or other privileged server principal...

In Microsoft SQL Server code-name “Denali” Community Technology Preview 1 (CTP1) we introduced the Contained Database (CDB) feature. As the name suggests, self-contained database have no external dependencies. Contained databases can therefore...

Andreas Wolter recently posted yet another reason to keep guest disabled on user databases in SQL Server. He also points out some reasons why developers shouldn’t have access to production systems, but I’d like to focus on the implications for guest....

Many applications need to generate random data, and in order to help in this task they typically rely on pseudorandom number generators (PRNG). Typical PRNGs are deterministic in nature and therefore they are not cryptographically suitable, this is the...

Rick Byham, our wonderful technical writer, just posted some checklists you may find useful on the TechNet Wiki . You can search the wiki for word checklist or use these links: Database Engine Security Checklist: Encrypting Sensitive Data Database...

In my previous post I talked about DEK management and how it is stored in the database. In this post I will try to give an overview of how the database log file is encrypted by TDE and what are the implicataions of key rotations (DEK or encryptor changes...

This post will talk about DEK, what it is and how it is securely stored and managed inside a database. Before enabling TDE a DEK must be created which is used to encrypt the contents of the database. It is a symmetric key and supported algorithms are...

Transparent Database Encryption ( TDE ) was introduced in SQL Server 2008 to allow users to encrypt databases without affecting any applications. Before reading this blog I would suggest reading Sung Hsueh’s whitepaper on TDE and MSDN as it covers...

SQL injection attacks have been on the rise in the last two years, mainly because of automated tools. We first witnessed these automated attacks in December 2007, and since then very little has changed in the way that these attacks work. Attackers use...

I am posting this article on behalf of my teammate Lyudmila. A new tool to help investigate ‘Login Failed’ errors in SQL Server has been recently implemented and published on CodePlex: http://ssat.codeplex.com/ The tool is implemented in C# and...