SQL Server Security Articles

Protecting Against SQL Injection

Despite being so well understood, SQL Injection remains one of the most common vulnerabilities in web applications. What is SQL Injection? Any SQL that is built dynamically has the potential for malicious SQL to be injected into it. For example, the code below receives a querystring and appends it to a SQL SELECT string, which will […]

Understanding SQL Server 2008 R2 Fixed Database Level Roles

To simplify managing permissions in our databases, Microsoft provides several roles in SQL Server; these are security principals that group other principals, much like groups in the Microsoft Windows operating system. Database-level roles are database-wide in their permissions scope. The SQL Server fixed database roles are as follows: […]

Avoiding Parameter Sniffing in SQL Server

Parameter sniffing occurs when SQL Server compiles a stored procedure's execution plan using the first parameter value it is executed with and then reuses that plan for subsequent executions regardless of the parameters passed. First, let's look at a worked example. Assume we have a table as below. CREATE TABLE TblData (ID INT IDENTITY PRIMARY KEY, Name […]

ASP.NET MVC Security – Guarding Against Mass Assignment Vulnerability

In my previous article on Parameter Tampering in ASP.NET MVC I focused on the general techniques of parameter tampering and the defenses against it. In this article I will examine a specific type of parameter tampering often termed Mass Assignment. In most MVC web development frameworks (including ASP.NET MVC), model binding works by assigning […]

Protect Your ASP.NET App From SQL Parameter Injection

Securing your ASP.NET web app from SQL Injection attacks is paramount in the design of any ASP.NET app.

Pro SQL Server Disaster Recovery

Database servers can (and will) fail just like any other electronic device. Therefore it would be grossly negligent not to plan ahead for how to deal with such a situation. What the resulting plan looks like differs on a case-by-case basis, but at a bare minimum the databases that are hosted on the […]

SQL Server Security Audit (Part 3) – Operating System Level Audit

Operating system level audits: Typically, most DBAs have remote access privileges to the Windows machine hosting the database server. If you have administrator privileges on the Windows box (or VM), you can take some time to try the following. Windows security log: This should actually be part of the DBA's daily checks. However, as […]

SQL Server Security Audit (Part 1) – Server Level Audit

Although security is a major component of database administration, it is sometimes overlooked in favour of convenience. User accounts are given elevated permissions to save time, patches and hot-fixes are not applied in a timely manner, and best practices are often not followed. Over time, the server becomes vulnerable to potential security breaches. As the DBA, you […]

SQL Server Audit Articles (All)

Auditing with Microsoft Assessment and Planning (MAP) Toolkit 5.0 – Part 3
Auditing with Microsoft Assessment and Planning (MAP) Toolkit 5.0 – Part 2
Auditing with Microsoft Assessment and Planning (MAP) Toolkit 5.0 – Part 1
Retrieving Data from an Audit Table
Auditing in SQL Server 2008
SQL Server Security Audit (Part 3) – Operating […]