SQL Server: Windows Groups, default schemas, and other properties

Exceptions are dangerous because people like to simplify their thinking process using rules, so exceptions always carry the risk of being overlooked. In security, exceptions are a bad thing because they make the model more complex and complex systems can break in more ways than simple systems, thus being harder to analyze and secure. Windows Groups are…


A SQL Injection attack and search engines

A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here’s a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string “http://1.verynx.cn/w.js” (the quotes are part of the search string) shows that there are still sites infected today. So,…


A discussion of password authentication schemes

I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen people wondering which method they should use. First, what…


Security in a nutshell

Here’s an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than A. The security guy wants to implement a program P that allows users to perform action A and only…


An interesting book: Scott Rosenberg’s "Dreaming in Code"

If you are wondering why software is hard to make, or if you know why but would like to see how others deal with the issue, you may enjoy reading Scott Rosenberg’s book, “Dreaming in Code”. I picked it up this weekend and while I haven’t finished it yet, I enjoyed what I read so…


SQL Server 2005: How to debug login failures (18456, anyone?)

In my series of new posts on old topics, I decided to gather today several pieces of information that I think will help in debugging SQL Server login failures. Although most information should remain useful for future versions as well, some of it may become outdated, so I tagged this article as 2005 specific. Login…


SQL Server: Password policy FAQ

I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Q: What is the SQL Server password policy…


Can encryption make you more vulnerable?

A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I’d like to add a few comments on this topic. I think that the article makes a very good…


How to request features in Microsoft products

I want to address the topic of requesting feature changes in Microsoft products, to point to some tools that can help, and to describe ways to use those tools more effectively. This post is based on my experience working on customer requests while being a member of the Microsoft SQL Server team, but you may…
