Consolidation Guidance for SQL Server

Sung Hsueh, a former SQL Engine Security team member, just published a whitepaper with co-authors Antony Zhong and Madhan Arumugam on Consolidation Guidance for SQL Server. Though it covers far more than just security considerations, it does outline the pros and cons of the different levels of consolidation (VM, instance, database) with regard to security and…

How To: Share a Single EKM Credential among Multiple Users

SQL Server Extensible Key Management (EKM) requires the authentication information (user/password) to be stored in a credential mapped to the primary identity. This version of EKM cannot be used under an impersonated context; that is, you cannot access the EKM while running a module with the EXECUTE AS clause. However, some customers want…

Filtering (obfuscating) Sensitive Text in SQL Server

A very common concern when dealing with sensitive data such as passwords is how to make sure that such data is not exposed through traces. SQL Server can detect and filter the SQL statements in traces that include the usage of DDL and built-ins (such as OPEN SYMMETRIC KEY and EncryptByKey) that are known…

Link to Lyudmila’s blog

My teammate Lyudmila is maintaining her own TechNet blog where she writes articles related to SQL Server security. You can access her blog at http://blogs.technet.com/lyudmila_fokina. Her blog is written in Russian, but the samples she includes should be easy to follow, and you can use an online translation tool for the rest of the text.…

Arx the latest vendor to support EKM

With the increasing popularity of the EKM feature in SQL Server 2008, more vendors are adding their support for this great feature. I’m very happy to announce that Arx has just announced the release of their EKM provider DLL: http://www.arx.com/about/PR/PR-PrivateServer-HSM-Secures-Sensitive-Information-for-Microsoft-SQL-Server-2008.php I’ll keep you up-to-date with future vendor support. Il-Sung…

How To Choose Audit Action Group When Using Auditing in SQL Server 2008

SQL Server 2008 introduces an auditing feature that can audit both server-level events and database-level events, as well as several specific database actions. Please check http://msdn.microsoft.com/en-us/library/cc280386.aspx for more details. One difficulty users may have is deciding which action group should be used when trying to audit the events of interest. For example, if the user wants to audit all…

Thales/nCipher announces EKM support for SQL Server 2008

I’m very pleased to announce that last week during the RSA Conference, Thales announced their support for SQL Server 2008 with their nCipher product line of hardware security modules (HSMs) (http://iss.thalesgroup.com/Press/Press%20Releases/2009/Thales%20Hardware%20Security%20Modules%20integrate%20with%20Microsoft%20SQL%20Server%202008.aspx). This will be of interest to those of you who are interested in leveraging the Extensible Key Management (EKM) feature of SQL Server 2008…

PCI DSS Compliance with SQL Server 2008

Since PCI compliance seems to be a popular subject for SQL Server users (by which I mean that quite a few of you are forced to deal with it), here’s something that may help. Parente Randolph is a PCI QSA (Qualified Security Assessor) and they recently released a whitepaper entitled Deploying SQL Server 2008 Based on Payment…

SQL Server EncryptByKey cryptographic message description

Since the introduction of SQL Server 2008 extensible key management (EKM), new opportunities may arise to handle data encryption on the client while still making the plaintext data accessible to authorized users in SQL Server. One issue between SQL Server and third-party clients has already been discussed in the SQL Server Security forum…

Enforce Windows Password Policy on SQL Server Logins

If users choose to use a SQL login to connect to SQL Server rather than Windows (NT) authentication, it is worth reminding them that SQL Server does provide the option of enforcing the Windows password policy on SQL logins. When creating a SQL login you can specify CHECK_POLICY=ON, which will enforce on this login the Windows…