I've had several questions about how exactly the buffering and error handling works in SQL Audit and thought it would help to give some more detail. For starters, let's break down the event firing workflow into the following stages: 1. Permission...

Thought some readers of this blog might be interested in Data Protection Day , tomorrow, January 28. The Council of Europe established this day to raise awareness of data privacy and data protection issues and how we, as technology professionals, can...

In continuation to the post by Jack back in October, we've added Auditing in SQL Server 2008 to our list of security focused white papers ( http://msdn.microsoft.com/en-us/library/dd392015.aspx ). We'll let you know as more white papers are published...

Il-Sung Lee and Art Rask’s whitepaper, Auditing in SQL Server 2008 , just hit the web. Congratulations! I just wanted to add to what Il-Sung already has said about this paper that this is a great resource that will answer some of the big questions we...

We would like your feedback on the scenarios where you need to assign default schemas to Windows groups. We have a post in the forums , but there has only been one reply so far. Please, if you have an opinion or even just want to express your support...

I'm pretty sure that there are many of you who have to deal with regulatory compliance but how many of you are aware that we have a SQL Server Compliance web portal? Check out http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx . There's a lot...

We have received some feedback regarding the “SQL Server 2005 Encryption – Encryption and data length limitations” article, but unfortunately the owner of this blog is no longer a member of our team and we really don’t have access to it in order to answer...

Recently I have heard a few questions regarding the scope of the SYMMETRIC KEY key-ring, especially when using modules (i.e. stored procedures) to open a key. One particular topic that got my attention is the impression that the OPEN SYMMETRIC KEY call...

In SQL Server 2005 we introduced a new database property named TRUSTWORTHY bit (TW bit for short) at the database level in order to work as a safeguard to reduce the default surface area regarding some powerful new features: EXECUTE AS USER and CLR assemblies...

Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP which can analyze SQL injection vulnerabilities in Active Server Pages (ASP) code. In this blog, we will describe simple steps to help you start using the tool...

Today we have released an updated Community Technology Preview of Microsoft Source Code Analyzer for SQL Injection. We made the following improvements based on community feedback: Included a GUI to view warnings generated by the tool. Downgraded...

Aside from PCI, I probably hear more about HIPAA compliance (the Health Insurance Portability and Accountability Act ) from our customers than other regulations. Although there is no formal certification around HIPAA at this point, health care providers...

Since PCI Compliance seems to be popular subject for SQL Server users (by which I mean that a quite a few of you are forced to deal with it) here's something that may help. Parente Randolph is a PCI QSA (Qualified Security Assessor) and they recently...

With the increasing popularity of the EKM feature in SQL Server 2008, more vendors are adding their support for this great feature. I'm very happy to announce that Arx has just announced their releaese of their EKM provider dll: http://www.arx.com...

My teammate Lyudmila is maintaining her own TechNet blog where she writes articles related to SQL Server security. You can access her blog at http://blogs.technet.com/lyudmila_fokina . Her blog is written in Russian, but the samples she includes should...

Since the introduction of SQL Server 2008 extensible key management (EKM), new opportunities may arise to handle data encryption on the client while still making the plaintext data accessible to authorized users in SQL Server. One issue between SQL Server...

Regarding the DEK rotation in TDE, after a DEK has been rotated twice, a log backup must be performed before the DEK can be modified again, otherwise in the third time of rotation the following error message will be popped up: “ This command requires...

If anyone is planning to attend to the RSA Conference 2010 in San Francisco, please stop by and visit us at the Microsoft SQL Server booth and to the theater sessions we have prepared for the event: Title Schedule Speaker ...

We wanted to post and let everyone know that the Microsoft SQL Server Base and Infrastructure (SBIA) team is hiring for various test positions. This includes the Security team (or Core Security Infrastructure team) and several other teams who are working...

The SQL Security Team's Raul Garcia and Il- Sung Lee are presenting at 1 PM PST today on SQL Security in an online webcast. http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032444124&Culture=en-US . Good, 300 level discussion on how to...

I am posting this article on behalf of my teammate Lyudmila. A new tool to help investigate ‘Login Failed’ errors in SQL Server has been recently implemented and published on CodePlex: http://ssat.codeplex.com/ The tool is implemented in C# and...

Recently the Security Development Lifecycle (SDL) team announced the release of new type of security guidance papers called Quick security references (QSRs) . The first two papers focus on Cross-Site scripting and SQL Injection . I would strongly recommend...

SQL Server Extensible Key Management (EKM) requires the authentication information (user/password) to be stored in a credential mapped to the primary identity. This version of EKM cannot be used under an impersonated context; that is, you cannot access...

In many occasions, marking a module (i.e. SP, trigger, etc.) with execute as can be really useful as it allows a controlled impersonation during the module execution; but at the same time there are many cases that it is necessary to access information...

John Halamka , Harvard CIO, has blogged about the Caregroup Auditing project that was the basis for the Auditing portion of the Compliance SDK mentioned in my previous post . They did a lot of great work and we learned a lot from their feedback. And now...