Channel: SQL Security
Browsing all 71 articles

SQL Server Authentication Troubleshooter

I am posting this article on behalf of my teammate Lyudmila. A new tool to help investigate ‘Login Failed’ errors in SQL Server has been recently implemented and published on CodePlex:...

Blocking automated SQL injection attacks

SQL injection attacks have been on the rise in the last two years, mainly because of automated tools. We first witnessed these automated attacks in December 2007, and since then very little has changed...

TDE, DEK and the LOG

Transparent Database Encryption (TDE) was introduced in SQL Server 2008 to allow users to encrypt databases without affecting any applications. Before reading this blog I would suggest reading Sung...

Database Encryption Key (DEK) management

This post will talk about DEK, what it is and how it is securely stored and managed inside a database. Before enabling TDE a DEK must be created which is used to encrypt the contents of the database....

DEK and the Log

In my previous post I talked about DEK management and how it is stored in the database. In this post I will try to give an overview of how the database log file is encrypted by TDE and what are the...

Security Checklists on TechNet Wiki

Rick Byham, our wonderful technical writer, just posted some checklists you may find useful on the TechNet Wiki. You can search the wiki for the word checklist or use these links: Database Engine Security...

rand vs. crypt_gen_random

Many applications need to generate random data, and in order to help in this task they typically rely on pseudorandom number generators (PRNG). Typical PRNGs are deterministic in nature and therefore...

Guest account in User Databases

Andreas Wolter recently posted yet another reason to keep guest disabled on user databases in SQL Server. He also points out some reasons why developers shouldn’t have access to production systems, but...

Contained Database Authentication: Introduction

In Microsoft SQL Server code-name “Denali” Community Technology Preview 1 (CTP1) we introduced the Contained Database (CDB) feature. As the name suggests, self-contained databases have no external...

Contained Database Authentication: Monitoring and controlling contained users

Enabling contained database authentication on an instance allows db owners (and other privileged db users) to create and manage users who can connect to the database on the instance. However, the...

Contained Database Authentication: How to control which databases are allowed...

With the release of Microsoft SQL Server code-name “Denali” Community Technology Preview 1 (CTP1) and the introduction of Contained Database (CDB)...

Contained Database Authentication in depth

To connect with contained user credentials you have to specify contained database in the connection string. If no database is specified the connection will try to do traditional authentication as a...

Tips for using DB user with password

Creating DB-specific users with password on a contained DB can provide a lot of mobility for applications since it enables the possibility of moving a DB from any particular instance to another...

Revisiting the RC4 / RC4_128 Cipher

The implementation of RC4/RC4_128 in SQL Server does not salt the key and this severely weakens the security of data that is encrypted using the RC4/RC4_128 algorithm. In cryptography, an...

Prevent Tampering of Encrypting Data Using add_authenticator Argument of...

This article is one of several articles discussing some of the best practices for encrypting data. This article demonstrates how the @add_authenticator argument of the ENCRYPTBYKEY function can help...

Integrity checks with EncryptByKey

This article is a follow up to “Prevent Tampering of Encrypted Data Using @add_authenticator Argument for ENCRYPTBYKEY”. In the last article we described a scenario where the security risk of...

SQL Server 2008 PCI DSS v.2.0 Whitepaper

If PCI compliance with SQL Server is a concern for you, then you'll probably want to check out the Deploying SQL Server 2008 R2 Based on Payment Card Industry Data Security Standards (PCI DSS) Version...

Database Engine Permission Basics

I am posting this on behalf of my colleague Rick Byham, a technical writer on the SQL Server Team. Database Engine permissions are managed at the server level through logins and fixed server roles, and...

Data Hashing in SQL Server

A common scenario in data warehousing applications is knowing what source system records to update, what data needs to be loaded and which data rows can be skipped as nothing has changed since they...

Meet the team at SQL PASS Summit 2011

PASS Summit 2011 is coming to Seattle this week starting October 11th 2011. You'll have the opportunity to meet a lot of folks from the SQL Server team during the event, and a variety of speakers that...
