Denny Lee and JC Cannon have been hard at work producing a Compliance Guide for SQL Server 2008 , including scripts and policy files. Great resource for anyone working on compliance with SQL Server.

I've had several questions about how exactly the buffering and error handling works in SQL Audit and thought it would help to give some more detail. For starters, let's break down the event firing workflow into the following stages: 1. Permission...

I just wanted to call attention to a few SQL Server 2008 related security papers written or reviewed by our team: Engine Separation of Duties for the Application Developer - discusses how to build applications that support role separation. Database...

In many occasions, marking a module (i.e. SP, trigger, etc.) with execute as can be really useful as it allows a controlled impersonation during the module execution; but at the same time there are many cases that it is necessary to access information...

Today we have released an updated Community Technology Preview of Microsoft Source Code Analyzer for SQL Injection. We made the following improvements based on community feedback: Included a GUI to view warnings generated by the tool. Downgraded...

We’ve long recommended that customers use the Windows Firewall to protect SQL Server installations. Starting with Windows XP/SP2, and continuing with Windows Vista, the firewall has been enabled by default on Windows client operating systems. Windows...

Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP which can analyze SQL injection vulnerabilities in Active Server Pages (ASP) code. In this blog, we will describe simple steps to help you start using the tool...

Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code. Three weeks ago Microsoft released guidance ( http://blogs.technet.com/swi/archive...

We have received some feedback regarding the “SQL Server 2005 Encryption – Encryption and data length limitations” article, but unfortunately the owner of this blog is no longer a member of our team and we really don’t have access to it in order to answer...

xp_cmdshell is essentially a mechanism to execute arbitrary calls into the system using either the SQL Server context (i.e. the Windows account used to start the service) or a proxy account that can be configured to execute xp_cmdshell using different...

In SQL Server 2005 we introduced a new database property named TRUSTWORTHY bit (TW bit for short) at the database level in order to work as a safeguard to reduce the default surface area regarding some powerful new features: EXECUTE AS USER and CLR assemblies...

Recently I have heard a few questions regarding the scope of the SYMMETRIC KEY key-ring, especially when using modules (i.e. stored procedures) to open a key. One particular topic that got my attention is the impression that the OPEN SYMMETRIC KEY call...