Raul Garcia's blog
Browse by Tags
Dynamic SQL
General Security
sql injection
SQL Server Encryption
SQL Server Execution Context
SQL Server Signatures
SQL Server Security team is starting a new blog
First of all, I am really sorry for not writing anything for quite a long time. The SQL Server Security team is starting a new blog: SqlSecurity. Starting today I will be writing all the new SQL Server articles in the new SQL Server Security blog, and
Link to MSDN forum discussion: "Yet another question on Application security.... "
I am adding a link to one of the MSDN SQL Server Security forum discussions regarding application security (i.e. restricting access to database resources based on the application): Yet another question on Application security.... Please feel free to post
Disaster Recovery: What to do when the SA account password is lost in SQL Server 2005
You may have faced the issue of losing the SQL Server SA password. Perhaps you followed the security best-practice of removing the builtin\Administrators from the sysadmin server role, and no one you can find is in the sysadmin role. At this point you
Dynamic SQL and digital signatures in SQL Server 2005
As I already mentioned, dynamic SQL is quite powerful, but also quite dangerous. In SQL Server 2005 we introduced a new feature that is also quite powerful and, when used properly, can be quite useful; but it is important to learn and understand any such
After a long delay, I am ready to start posting again
I know it has been quite some time since I added any new content. I sincerely apologize for that, but I have the next article ready and I will be posting it quite soon. Please let me know if there is any topic you would like to discuss in more detail for
Dynamic SQL & SQL injection
I know there are a lot of papers that talk about dynamic SQL in more depth than what I am going to cover, but as SQL injection is still one of the biggest security problems in the relational database world, I decided to include this part as a quick
Let's talk about Dynamic SQL (preamble)
I want to talk about how dynamic SQL is affected by the execution context, but as this is a huge and broad topic I am going to divide it into multiple parts and write a different post for each one of them, focusing on one aspect of dynamic SQL
Using a digital signature as a secondary identity to replace Cross database ownership chaining
In SQL Server 2000, Cross database ownership chaining (CDOC) was a mechanism used to allow access (DML access) to resources in different databases without explicitly granting access to the resources (such as tables) directly. Unfortunately CDOC is a feature
Quick guide to DB users without logins in SQL Server 2005
SQL Server 2005 introduced a new SQL DB principal subtype that can be quite useful: a SQL user that is not mapped to any login. You may be asking yourself “Why is this feature interesting? After all, SQL Server already had the ability to create SQL users”. This article tries to describe this new feature and give some useful tips on how to use it.
How to distribute digitally signed SQL modules
Digital signatures on SQL Server 2005 modules can be used to extend the privileges of the caller for the duration of the call. This feature makes it possible to create an application that lets authorized callers access resources (such as tables, symmetric keys, etc.) that would otherwise require highly escalated privileges. While adding a signature when you have control of the certificate’s private key is really straightforward, it may not be so obvious how to distribute an application that uses this feature without giving away the private key.
SQL Server 2005 – Encrypting data on existing applications
SQL Server 2005 encryption requires the application to be aware of it: the application must decrypt the data before it can be consumed, and encrypt it (verifying that the encryption call succeeded) before storing it. When you are writing new schemas and new applications
Link to Laurentiu's blog
I am including a link to Laurentiu Cristofor's blog: http://blogs.msdn.com/lcris . Laurentiu is one of the most valuable contributors in the SQL Security forums, and his articles and demos are great resources for anyone interested in SQL Server security
Indexing encrypted data
Encrypted data and indexes. One thing I have been asked many times is how to create an index on top of encrypted data in SQL Server 2005. In SQL Server 2005 the encryption functions are nondeterministic, which means that every time a function is called,