SQL Server 2008 Compliance Guide

Denny Lee and JC Cannon have been hard at work producing a Compliance Guide for SQL Server 2008, including scripts and policy files. Great resource for anyone working on compliance with SQL Server….

SQL Audit Buffering and Error Handling

I’ve had several questions about how exactly the buffering and error handling work in SQL Audit and thought it would help to give some more detail. For starters, let’s break down the event firing workflow into the following stages:
1. Permission Check/Audit Check
2. Filling out the event
3. Distribute event to Audit Extended Event…
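
The two audit options that actually control the buffering and the error handling the post breaks down are QUEUE_DELAY (how long an event may sit in the audit buffer before it must be flushed; 0 makes delivery synchronous, any other value must be at least 1000 ms) and ON_FAILURE (what the engine does when the target cannot be written: CONTINUE keeps the server running at the cost of possibly losing events, SHUTDOWN fails closed). The following script is an added example, not code from the original post; the audit names and the file path are assumptions, and ON_FAILURE = SHUTDOWN requires the SHUTDOWN permission on the login that creates the audit.

```sql
-- Added example (not from the original post). Names and path are assumptions.
USE master;
GO

-- The audit object owns the target and the two delivery settings.
CREATE SERVER AUDIT Audit_LoginFailures
TO FILE
(
    FILEPATH = 'C:\SQLAudit\',     -- directory must exist and be writable by the service account
    MAXSIZE = 100 MB,
    MAX_ROLLOVER_FILES = 10,
    RESERVE_DISK_SPACE = OFF
)
WITH
(
    QUEUE_DELAY = 0,        -- synchronous: the audited action does not complete until the event is written
    ON_FAILURE = SHUTDOWN   -- fail closed: if the target cannot be written, the instance shuts down
);
GO

-- What to record is chosen in a specification bound to the audit; here every failed login.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_LoginFailures
FOR SERVER AUDIT Audit_LoginFailures
ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO

-- The audit itself is created disabled and is switched on last.
ALTER SERVER AUDIT Audit_LoginFailures WITH (STATE = ON);
GO

-- Verify the effective settings: sys.server_audits exposes queue_delay and on_failure_desc,
-- sys.dm_server_audit_status shows whether the audit is really running (and why not, if it failed).
SELECT name, queue_delay, on_failure_desc
FROM sys.server_audits;

SELECT name, status_desc, status_time
FROM sys.dm_server_audit_status;
GO

-- Read back what was written. The wildcard covers rollover files; DEFAULT, DEFAULT means
-- "start at the first file and offset".
SELECT event_time, action_id, succeeded, server_principal_name, statement
FROM sys.fn_get_audit_file('C:\SQLAudit\Audit_LoginFailures*.sqlaudit', DEFAULT, DEFAULT);
GO
```

The trade-off to decide deliberately is the ON_FAILURE setting: CONTINUE means an attacker who can fill the audit disk or break the share can make their later actions unrecorded, while SHUTDOWN turns the same condition into an outage. QUEUE_DELAY = 0 removes the window in which an event has fired but not yet reached the target, at the cost of adding the write latency to every audited action.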

SQL Server 2008 Security Whitepapers

I just wanted to call attention to a few SQL Server 2008 related security papers written or reviewed by our team: Engine Separation of Duties for the Application Developer – discusses how to build applications that support role separation. Database Encryption in SQL Server 2008 Enterprise Edition – an in-depth treatise on Transparent Database Encryption. Cryptography in…

Accessing the calling context in modules that use EXECUTE AS

On many occasions, marking a module (i.e. a stored procedure, trigger, etc.) with EXECUTE AS can be really useful, as it allows controlled impersonation during the module’s execution; but at the same time there are many cases where it is necessary to access information using the caller’s execution context (i.e. revert to the default behavior),…
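
As an added example (not code from the original post), the script below shows the distinction the excerpt is drawing: a procedure marked WITH EXECUTE AS OWNER runs under the owner’s identity, and the stand-alone EXECUTE AS CALLER statement inside it temporarily switches back to the caller’s context (the default behaviour of a module with no EXECUTE AS clause) until REVERT. ORIGINAL_LOGIN() stays the same throughout, so it is the one piece of caller identity that is always available. The user, table and procedure names are assumptions, and the users are created WITHOUT LOGIN so the script runs in any test database.

```sql
-- Added example (not from the original post). Names are assumptions.
CREATE USER AppCaller WITHOUT LOGIN;
GO
CREATE TABLE dbo.Sensitive (Id int IDENTITY PRIMARY KEY, Payload nvarchar(100));
INSERT INTO dbo.Sensitive (Payload) VALUES (N'only the owner may read this');
GO

-- Runs as the owner (dbo), so it can read dbo.Sensitive although the caller cannot.
-- Inside, EXECUTE AS CALLER switches to the caller's context; REVERT returns to the module's.
CREATE PROCEDURE dbo.usp_ReadSensitive
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @Impersonated sysname = USER_NAME();   -- dbo
    DECLARE @Caller sysname;
    DECLARE @CallerCanRead bit;

    EXECUTE AS CALLER;
        SET @Caller = USER_NAME();                 -- AppCaller
        -- Make the decision with the caller's permissions, not the owner's.
        SET @CallerCanRead = HAS_PERMS_BY_NAME('dbo.Sensitive', 'OBJECT', 'SELECT');
    REVERT;

    SELECT @Impersonated AS impersonated_user,
           @Caller       AS calling_user,
           ORIGINAL_LOGIN() AS original_login,     -- login that opened the session; unaffected by impersonation
           @CallerCanRead AS caller_can_read_directly;

    -- Privileged work happens under the owner context again.
    SELECT Id, Payload FROM dbo.Sensitive;
END;
GO
GRANT EXECUTE ON dbo.usp_ReadSensitive TO AppCaller;
GO

-- Exercise it as the low-privilege user: impersonated_user = dbo, calling_user = AppCaller,
-- caller_can_read_directly = 0, yet the rows come back because the module owner can read them.
EXECUTE AS USER = 'AppCaller';
EXEC dbo.usp_ReadSensitive;
REVERT;
GO

-- Cleanup
DROP PROCEDURE dbo.usp_ReadSensitive;
DROP TABLE dbo.Sensitive;
DROP USER AppCaller;
GO
```

The security point is that any check you perform inside an EXECUTE AS OWNER module (row filtering on USER_NAME(), permission tests, audit columns) silently evaluates as the owner unless you switch context first; capturing the caller’s identity in the EXECUTE AS CALLER block and using only that value afterwards keeps the privileged section from trusting the wrong principal.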

Microsoft ® Source Code Analyzer for SQL Injection – July 2008 CTP

Today we have released an updated Community Technology Preview of Microsoft Source Code Analyzer for SQL Injection. We made the following improvements based on community feedback:
- Included a GUI to view warnings generated by the tool.
- Lowered the requirement from Microsoft .NET Framework 3.0 to 2.0.
- Improved the ASP parser and analysis engine…

SQL Server and the Windows Server 2008 Firewall

We’ve long recommended that customers use the Windows Firewall to protect SQL Server installations. Starting with Windows XP SP2, and continuing with Windows Vista, the firewall has been enabled by default on Windows client operating systems. Windows Server 2008 is the first Windows Server OS on which the firewall is enabled by default. For those of…

Getting started with Microsoft ® Source Code Analyzer for SQL Injection

Two days ago, we released Microsoft ® Source Code Analyzer for SQL Injection, June 2008 CTP, which can find SQL injection vulnerabilities in Active Server Pages (ASP) code. In this post, we describe simple steps to help you start using the tool quickly.
1. Download the tool from http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA. Msscasi_asp_pkg.exe is a self…

Microsoft ® Source Code Analyzer for SQL Injection – June 2008 CTP

Today Microsoft has released a Community Technology Preview of a new source code analyzer that can help ASP developers find SQL Injection vulnerabilities in their code. Three weeks ago Microsoft released guidance (http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx) on protecting ASP and ASP.NET web sites against SQL injection attacks. At the same time, Microsoft took an action item to develop…

SQL Server 2005 Encryption – Encryption and data length limitations (feedback page)

We have received some feedback regarding the “SQL Server 2005 Encryption – Encryption and data length limitations” article, but unfortunately the owner of this blog is no longer a member of our team and we really don’t have access to it in order to answer your feedback properly. I would like…


xp_cmdshell is essentially a mechanism to execute arbitrary commands on the host using either the SQL Server service context (i.e. the Windows account used to start the service) or a proxy account that can be configured so that xp_cmdshell runs under different credentials. Because of its nature, xp_cmdshell is very flexible; actually I would say it is…
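
The following script is an added example, not code from the original post. It shows the gates around xp_cmdshell that the excerpt alludes to: it is disabled by default and enabled through sp_configure; members of sysadmin run commands as the service account, while every other caller runs as the proxy account stored in the ##xp_cmdshell_proxy_account## credential and must additionally hold EXECUTE on the procedure in master. The login, the proxy Windows account and both passwords are assumptions; the proxy account must already exist on the host.

```sql
-- Added example (not from the original post). Login, proxy account, passwords are assumptions.
USE master;
GO

-- 1. Off by default; check before touching anything (value_in_use = 0 means disabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Enabling it is a two-step sp_configure change because it is an advanced option.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO

-- 3. Identity used for the command:
--    sysadmin members  -> the SQL Server service account (usually far more powerful than needed)
--    everyone else     -> the proxy account; without one their calls fail with an error
--                         about the ##xp_cmdshell_proxy_account## credential.
--    Give the proxy account only the rights the job needs.
EXEC sp_xp_cmdshell_proxy_account 'CONTOSO\sqlcmdshell_lowpriv', 'P@ssw0rd-assumed';
GO

-- 4. Grant the extended procedure to one specific login, never to public.
--    The user must exist in master, where xp_cmdshell lives.
CREATE LOGIN ReportRunner WITH PASSWORD = 'Rep0rt!Runner-assumed';
CREATE USER ReportRunner FOR LOGIN ReportRunner;
GRANT EXECUTE ON xp_cmdshell TO ReportRunner;
GO

-- 5. Verify which identity each kind of caller actually gets.
EXEC xp_cmdshell 'whoami';              -- run by a sysadmin: prints the service account
EXECUTE AS LOGIN = 'ReportRunner';
EXEC xp_cmdshell 'whoami';              -- run by ReportRunner: prints the proxy account
REVERT;
GO

-- 6. Close the gate again when the task is finished.
EXEC sp_xp_cmdshell_proxy_account NULL;  -- drops the proxy credential
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO
```

The check to carry out when reviewing an instance is step 1 together with the membership of sysadmin: if xp_cmdshell is on and the service account is a local administrator or a domain account with broad rights, every sysadmin login (and every injection into a sysadmin-owned connection) is a full host compromise, whereas a proxy account scoped to the one task limits the blast radius for non-sysadmin callers.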