Browse by Tags

All Tags » SQL Server » computer security   (RSS)
SQL Injection watch blog
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/ . It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
Posted 14 August 09 02:34 by lcris | 0 Comments   
Filed under , ,
Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP
I realized today that while I have discussed earlier object permissions , I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
Posted 11 August 09 03:39 by lcris | 0 Comments   
Filed under , , ,
SQL Server undocumented password hashing builtins: pwdcompare and pwdencrypt
First, I must say that I don't know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from Read More...
Posted 31 October 07 11:08 by lcris | 0 Comments   
Filed under , ,
Basic SQL Server Security concepts: SIDs, orphaned users, and loginless users
I am grouping here two topics (orphaned users and loginless users) that are actually very different, but I have often seen confusion between them, so I am covering them together in an attempt to dispel that confusion. In a previous discussion of logins Read More...
Posted 25 October 07 05:42 by lcris | 0 Comments   
Filed under , , ,
SQL Server 2005: A note about the use of certificates
To avoid any confusion, this post is not about the use of certificates for securing the communication between a client machine and the server; instead, this refers to the use of certificates created via the CREATE CERTIFICATE DDL. I am prompted in writing Read More...
Posted 04 October 07 08:59 by lcris | 3 Comments   
Filed under , , ,
SQL Server 2008: Transparent data encryption feature - a quick overview
I have kept silent on this feature while it was being developed, but as it has now been publicly advertised in various ways (being mentioned here , here , here , and here , for example), I think it is probably time to write a bit about it. Given that Read More...
Posted 03 October 07 04:55 by lcris | 2 Comments   
Filed under , , ,
Security and copy protection
I have been watching the SQL Server Security forum for several years now and there is one question that gets spawned about once a month under different titles. It invariably begins with a request for guidance on how to secure access to a database, which Read More...
Posted 24 September 07 03:57 by lcris | 0 Comments   
Filed under , ,
Basic SQL Server Security concepts - ownership chaining: good and evil; schemas
At some point during SQL Server's history, its designers must have confronted the following problem: how to give someone permission to see parts of a table without giving him any permission on the table? Slices of a table are easily defined using views, Read More...
Posted 13 September 07 11:37 by lcris | 0 Comments   
Filed under , , ,
Basic SQL Server Security concepts - permissions and special principals: sa, dbo, guest
In a previous post , I talked about the various types of principals in SQL Server. Let's have a further look in this post at permissions and at some of the hardcoded principals that ship with any installation of SQL Server. Permissions are what allow Read More...
Posted 12 September 07 03:12 by lcris | 0 Comments   
Filed under , , ,
SQL Server 2005: About login password hashes
There seem to be a couple of misconceptions around the SQL Server handling of login passwords. Hopefully, by the end of this post, you will have a much clearer idea about what is going on under the covers. Note that this refers to the passwords of logins Read More...
Posted 30 April 07 09:22 by lcris | 1 Comments   
Filed under , , ,
SQL Server 2005 security presentations at PASS - Pre Conference
If you missed the PASS Pre Conference security presentations, you can now catch up by viewing them online: http://cmcgc.com/Media/WMP/261115/ . Read More...
Posted 08 December 06 08:49 by lcris | 0 Comments   
Filed under , , ,
Who needs encryption?
For those that read my previous posts, the question in the title may be startling. I want to reassure you from the start: this post is not about encryption being a useless technique; it is just about it not being a solution for certain problems and definitely Read More...
Posted 30 November 06 06:07 by lcris | 4 Comments   
Filed under , , , ,
SQL Server 2005: Demo for enabling database impersonation for cross database access
There is an excellent article on this topic in Books Online: Extending Database Impersonation by Using Execute As . I just wrote a small demo to illustrate the techniques described in that article. It can be used as a companion to that article, if you're Read More...
Posted 24 October 06 07:23 by lcris | 0 Comments   
Filed under , ,
SQL Server 2005: An example for how to use counter signatures
A while ago, I wrote a post showing how signatures can be used to allow users to perform operations without explicitly granting them the permissions required for that operation. In this post I'll present more details about the use of signatures. One important Read More...
Posted 19 October 06 06:27 by lcris | 0 Comments   
Filed under , , ,
SQL Server 2005: How to regenerate the same symmetric key in two different databases
In a previous post on using symmetric keys , I mentioned that keys can be recreated using the KEY_SOURCE and IDENTITY_VALUE clauses of CREATE SYMMETRIC KEY. In this post, I'd like to expand a little on this topic and present a small demo as well. Because Read More...
Posted 06 July 06 03:26 by lcris | 9 Comments   
Filed under , , ,
More Posts Next page »

Search

This Blog

These posts are provided "AS IS" with no warranties, and confer no rights.

Syndication

Page view tracker