SQL Server 2005: Execution Context

This post is based on an old presentation I gave several years back. A video of the presentation used to be available here, but today I couldn’t get it to work, so I am attempting to make available most of the information from the presentation within this post. Keep in mind that the demo associated with…


Finding information about which account xp_cmdshell is running as

If you ever needed to debug a permission related issue when using xp_cmdshell, you have probably realized that a crucial piece of information is about what particular account xp_cmdshell is executing under. If you are the administrator of the database, you already know the context used by xp_cmdshell, but otherwise you may not have that…


SQL Injection watch blog

I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/. It’s worth a look from time to time, to get an idea of what attacks are going on in the wild.


Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP

I realized today that while I have discussed earlier object permissions, I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL (introduced in SQL Server 2005). Ownership: This should be pretty clear – the owner of an object is…


SQL Server: Windows Groups, default schemas, and other properties

Exceptions are dangerous because people like to simplify their thinking process using rules, so exceptions always carry the risk of being overlooked. In security, exceptions are a bad thing because they make the model more complex and complex systems can break in more ways than simple systems, thus being harder to analyze and secure. Windows Groups are…


A SQL Injection attack and search engines

A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here’s a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string “http://1.verynx.cn/w.js” (the quotes are part of the search string) shows that there are still sites infected today. So,…


SQL Server 2005: How to debug login failures (18456, anyone?)

In my series of new posts on old topics, I decided to gather today several pieces of information that I think will help in debugging SQL Server login failures. Although most information should remain useful for future versions as well, some of it may become outdated, so I tagged this article as 2005 specific. Login…


SQL Server: Password policy FAQ

I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Q: What is the SQL Server password policy…


SQL Server undocumented password hashing builtins: pwdcompare and pwdencrypt

First, I must say that I don’t know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from one version of SQL Server to another, mainly because the…