  • SQL Security

    Getting Started With Always Encrypted

    • 19 Comments
    The recently released SQL Server 2016 Community Technology Preview 2 introduced Always Encrypted, a new security feature that ensures sensitive data is never seen in plaintext in a SQL Server instance. Always Encrypted works by transparently encrypting...
  • SQL Security

    Announcing Transparent Data Encryption for Azure SQL Database

    • 16 Comments
    Available today, SQL Database Transparent Data Encryption (preview) protects your data and helps you meet compliance requirements by encrypting your database, associated backups, and transaction log files at rest without requiring changes to your application...
  • SQL Security

    Database Encryption Key (DEK) management

    • 13 Comments
    This post will talk about DEK, what it is and how it is securely stored and managed inside a database. Before enabling TDE a DEK must be created which is used to encrypt the contents of the database. It is a symmetric key and supported algorithms are...
  • SQL Security

    SQL Server 2012 Best Practices Analyzer

    • 11 Comments
    Copied from an internal email from a PM on the team, Jakub - I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302...
  • SQL Security

    SQL Server and the Windows Server 2008 Firewall

    • 10 Comments
    We’ve long recommended that customers use the Windows Firewall to protect SQL Server installations. Starting with Windows XP/SP2, and continuing with Windows Vista, the firewall has been enabled by default on Windows client operating systems. Windows...
  • SQL Security

    Enforce Windows Password Policy on SQL Server Logins

    • 8 Comments
    If users choose to use a SQL login to connect to SQL Server rather than NT authentication, it is worth remembering that SQL Server does provide the option of enforcing Windows password policy on SQL logins. When creating a SQL login you can specify...
  • SQL Security

    Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP

    • 7 Comments
    [UPDATE: The TechNet article and the scanning tool are no longer available.] Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code...
  • SQL Security

    Database Engine Permission Basics

    • 7 Comments
    I am posting this on behalf of my colleague Rick Byham, a technical writer on the SQL Server Team. Database Engine permissions are managed at the server level through logins and fixed server roles, and at the database level through database users...
  • SQL Security

    Data Hashing in SQL Server

    • 5 Comments
    A common scenario in data warehousing applications is knowing what source system records to update, what data needs to be loaded and which data rows can be skipped as nothing has changed since they were last loaded. Another possible scenario is the need...
  • SQL Security

    DEK and the Log

    • 5 Comments
    In my previous post I talked about DEK management and how it is stored in the database. In this post I will try to give an overview of how the database log file is encrypted by TDE and what are the implications of key rotations (DEK or encryptor changes...
  • SQL Security

    Blocking automated SQL injection attacks

    • 4 Comments
    SQL injection attacks have been on the rise in the last two years, mainly because of automated tools. We first witnessed these automated attacks in December 2007, and since then very little has changed in the way that these attacks work. Attackers use...
  • SQL Security

    Guest account in User Databases

    • 4 Comments
    Andreas Wolter recently posted yet another reason to keep guest disabled on user databases in SQL Server. He also points out some reasons why developers shouldn’t have access to production systems, but I’d like to focus on the implications for guest....
  • SQL Security

    Contained Database Authentication: How to control which databases are allowed to authenticate users using logon triggers

    • 4 Comments
    With the release of Microsoft SQL Server code-name “Denali” Community Technology Preview 1 (CTP1) and the introduction of Contained Database (CDB) (http://msdn.microsoft.com/en-us/library/ff929071(SQL.110).aspx), we also introduced the capability...
  • SQL Security

    Contained Database Authentication in depth

    • 4 Comments
    To connect with contained user credentials you have to specify contained database in the connection string. If no database is specified the connection will try to do traditional authentication as a login in master database. If the database does not support...
  • SQL Security

    Tips for using DB user with password

    • 4 Comments
    Creating DB-specific users with password on a contained DB can provide a lot of mobility for applications since it enables the possibility of moving a DB from any particular instance to another one without the need to also manually move login information...
  • SQL Security

    xp_cmdshell

    • 4 Comments
    xp_cmdshell is essentially a mechanism to execute arbitrary calls into the system using either the SQL Server context (i.e. the Windows account used to start the service) or a proxy account that can be configured to execute xp_cmdshell using different...
  • SQL Security

    How To Choose Audit Action Group When Using Auditing in SQL Server 2008

    • 4 Comments
    SQL Server 2008 introduces an auditing feature which can audit both server-level events and database-level events and several specific database actions. Please check http://msdn.microsoft.com/en-us/library/cc280386.aspx for more details. One difficulty...
  • SQL Security

    Security Best Practice and Label Security Whitepapers

    • 4 Comments
    2 New Whitepapers: SQL Server 2012 Security Best Practice white paper (updated link: http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx) from operational...
  • SQL Security

    First HSM for SQL Server 2008 released!

    • 3 Comments
    Today, January 15th 2009, Safenet announced its release of Luna SA HSM support for SQL Server 2008 and became the first EKM provider available in the market! SQL Server 2008 introduced Extensible Key Management (EKM) for managing keys outside of...
  • SQL Security

    OPEN SYMMETRIC KEY scope in SQL Server

    • 3 Comments
    Recently I have heard a few questions regarding the scope of the SYMMETRIC KEY key-ring, especially when using modules (i.e. stored procedures) to open a key. One particular topic that got my attention is the impression that the OPEN SYMMETRIC KEY call...
  • SQL Security

    Filter SQL Server Audit on action_id / class_type predicate

    • 3 Comments
    In SQL Server 2012, Server Audit can be created with a predicate expression (refer to MSDN). This predicate expression is evaluated before audit events are written to the audit target. If the evaluation returns TRUE the event is written to the audit...
  • SQL Security

    PVKConverter

    • 3 Comments
    I'm happy to inform you that if you were looking for a tool from Microsoft to convert PFX files to PVK files so you could import PFX certificates into SQL Server, we now have one. Big thank you to the devs that worked on this! Available now on the download...
  • SQL Security

    SQL Application Column Encryption Sample (Codeplex) available

    • 2 Comments
    To achieve many compliance guidelines on Azure SQL Database, the application needs to encrypt the data. The intent of this article is to provide some guidelines and an example library for encrypting data at rest for relational databases. We just published...
  • SQL Security

    How to: Scale out multi-tenant apps using RLS and Elastic Database Tools

    • 2 Comments
    In response to a common customer ask, we've published guidance for developing multi-tenant applications on Azure SQL Database using row-level security (RLS) for tenant isolation and elastic database tools (formerly "Elastic Scale") for sharding. These...
  • SQL Security

    Recommendations for using Cell Level Encryption in Azure SQL Database

    • 2 Comments
    When we introduced Transparent Data Encryption (TDE) to Azure SQL Database, we also introduced Cell-Level Encryption (CLE, also known as SQL Server key hierarchy). For more details on TDE on Azure SQL Database, I would recommend visiting the Channel9...