Meet the team at SQL PASS Summit 2011

PASS Summit 2011 is coming to Seattle this week, starting October 11th 2011. You’ll have the opportunity to meet a lot of folks from the SQL Server team during the event, along with a variety of speakers who will share their experiences and delight you with awesome SQL Server sessions. Lastly, the SQL Server Engine Security…

Data Hashing in SQL Server

A common scenario in data warehousing applications is knowing which source system records to update, which data needs to be loaded, and which data rows can be skipped because nothing has changed since they were last loaded. Another possible scenario is the need to facilitate searching data that is encrypted using cell-level encryption or…

Database Engine Permission Basics

I am posting this on behalf of my colleague Rick Byham, a technical writer on the SQL Server Team. Database Engine permissions are managed at the server level through logins and fixed server roles, and at the database level through database users and user-defined database roles. Logins: Logins are individual user accounts for logging on…

SQL Server 2008 PCI DSS v.2.0 Whitepaper

If PCI compliance with SQL Server is a concern for you, then you’ll probably want to check out the Deploying SQL Server 2008 R2 Based on Payment Card Industry Data Security Standards (PCI DSS) Version 2.0 white paper published by Parente Beard LLC. The paper is written by certified PCI auditors (QSAs) and is similar…

Integrity checks with EncryptByKey

This article is a follow-up to “Prevent Tampering of Encrypted Data Using @add_authenticator Argument for ENCRYPTBYKEY”. In the last article we described a scenario where the security risk of copying encrypted data from one row to another could be blocked, but there are other scenarios that can benefit from using the @add_authenticator…

Prevent Tampering of Encrypting Data Using add_authenticator Argument of EncryptByKey

This article is one of several articles discussing some of the best practices for encrypting data. This article demonstrates how the @add_authenticator argument of the ENCRYPTBYKEY function can help prevent tampering with encrypted data. Imagine the following scenario: the DBA is encrypting the salary column for all employees in such a way that…

Revisiting the RC4 / RC4_128 Cipher

The implementation of RC4/RC4_128 in SQL Server does not salt the key, and this severely weakens the security of data that is encrypted using the RC4/RC4_128 algorithm. In cryptography, an initialization vector (IV) is a fixed-size input to a cryptographic algorithm that is typically required to be random or pseudorandom. Salting of cipher keys…

Tips for using DB user with password

Creating DB-specific users with passwords on a contained DB can provide a lot of mobility for applications, since it makes it possible to move a DB from one instance to another without also having to manually move login information. This new capability presents a lot of benefits, but it also implies…