Accessing the calling context in modules that use EXECUTE AS

  In many occasions, marking a module (i.e. SP, trigger, etc.) with execute as can be really useful as it allows a controlled impersonation during the module execution; but at the same time there are many cases that it is necessary to access information using the caller’s execution context (i.e. revert to the default behavior),… Read more

Microsoft ® Source Code Analyzer for SQL Injection – July 2008 CTP

Today we have released an updated Community Technology Preview of Microsoft Source Code Analyzer for SQL Injection.     We made the following improvements based on community feedback: Included a GUI to view warnings generated by the tool. Downgraded the requirements to Microsoft .NET Framework 2.0 from 3.0. Improved the ASP parser and analysis engine… Read more

SQL Server and the Windows Server 2008 Firewall

We’ve long recommended that customers use the Windows Firewall to protect SQL Server installations. Starting with Windows XP/SP2, and continuing with Windows Vista, the firewall has been enabled by default on Windows client operating systems. Windows Server 2008 marks the first time this protection has been extended to a Windows Server OS. For those of… Read more

Getting started with Microsoft ® Source Code Analyzer for SQL Injection

Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP which can analyze SQL injection vulnerabilities in Active Server Pages (ASP) code. In this blog, we will describe simple steps to help you start using the tool quickly.   1. Download the tool from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Msscasi_asp_pkg.exe is a self… Read more

Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP

Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code.   Three weeks ago Microsoft released guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took an action item to develop… Read more

SQL Server 2005 Encryption – Encryption and data length limitations (feedback page)

  We have received some feedback regarding the “SQL Server 2005 Encryption – Encryption and data length limitations” article, but unfortunately the owner of this blog is no longer a member of our team and we really don’t have access to it in order to answer to your feedback properly.     I would like… Read more

xp_cmdshell

xp_cmdshell is essentially a mechanism to execute arbitrary calls into the system using either the SQL Server context (i.e. the Windows account used to start the service) or a proxy account that can be configured to execute xp_cmdshell using different credentials. Because of its nature, xp_cmdshell is very flexible, actually I would say it is… Read more

The TRUSTWORHY bit database property in SQL Server 2005

  In SQL Server 2005 we introduced a new database property named TRUSTWORTHY bit (TW bit for short) at the database level in order to work as a safeguard to reduce the default surface area regarding some powerful new features: EXECUTE AS USER and CLR assemblies. These new features are really powerful, but without the… Read more

OPEN SYMMETRIC KEY scope in SQL Server

  Recently I have heard a few questions regarding the scope of the SYMMETRIC KEY key-ring, especially when using modules (i.e. stored procedures) to open a key. One particular topic that got my attention is the impression that the OPEN SYMMETRIC KEY call may “leak outside the module” (i.e. the key will remain opened) if… Read more