Back to my personal blog

I am no longer part of the SQL Server team, but I still have a lot of passion for security and SQL Server, so I am reviving this blog. I cannot promise to write articles on a regular basis anymore, but if you are interested in any topic for SQL Server 2008 security,…


SQL Server Security team is starting a new blog

First of all, I am really sorry for not writing anything for quite a long time. The SQL Server Security team is starting a new blog: SqlSecurity. Starting today I will be writing all the new SQL Server articles in the new SQL Server Security blog, and I am keeping this blog for…


Link to MSDN forum discussion: "Yet another question on Application security…."

I am adding a link to one of the MSDN SQL Server Security forum discussions regarding application security (i.e. restricting access to database resources based on the application): Yet another question on Application security…. Please feel free to post any additional questions or feedback either on the forum or on this space.…


Disaster Recovery: What to do when the SA account password is lost in SQL Server 2005

You may have faced the issue of losing the SQL Server SA password. Perhaps you followed the security best practice of removing builtin\Administrators from the sysadmin server role, and no one you can find is in the sysadmin role. At this point you may think that your only options are to reinstall SQL Server and…


Dynamic SQL and digital signatures in SQL Server 2005

As I already mentioned, dynamic SQL is quite powerful, but also quite dangerous. In SQL Server 2005 we introduced a new feature that is also quite powerful and, when used properly, can be quite useful; but it is important to learn and understand any such feature in order to use it properly. In…


After a long delay, I am ready to start posting again

I know it has been quite some time since I added any new content. I sincerely apologize for that, but I have the next article ready and I will be posting it quite soon. Please let me know if there is any topic you would like to discuss in more detail for…


Dynamic SQL & SQL injection

I know there are a lot of papers that talk about dynamic SQL in more depth than what I am going to cover, but as SQL injection is still one of the biggest security problems in the relational database world, I decided to include this part as a quick (and hopefully helpful) reminder.…


Let’s talk about Dynamic SQL (preamble)

I want to talk about how dynamic SQL is affected by the execution context, but as this is a huge and broad topic I am going to divide it into multiple parts and write a different post for each one of them, focusing on one aspect of dynamic SQL at a time. Dynamic SQL…


Using a digital signature as a secondary identity to replace Cross database ownership chaining

In SQL Server 2000, Cross database ownership chaining (CDOC) was a mechanism used to allow access (DML access) to resources on different DBs without explicitly granting access to the resources (such as tables) directly. Unfortunately, CDOC is a feature that Microsoft does not recommend, as it has some serious security risks inherent…


Quick guide to DB users without logins in SQL Server 2005

SQL Server 2005 introduced a new SQL DB principal subtype that can be quite useful: a SQL user that is not mapped to any login. You may be asking yourself “Why is this feature interesting? After all, SQL Server already had the ability to create SQL users”; well, to answer this question I would…
