
Category: Security

Access Controls in PostgreSQL

Umair Shahid talks about access rights:

Access control is a fundamental aspect of database security, ensuring that only authorized users can perform specific actions on the data. Effective access control helps protect sensitive information from unauthorized access and prevents data breaches, which can have severe legal and financial repercussions for organizations.

PostgreSQL has a strong reputation for reliability, feature robustness, and performance. One of its notable strengths is its comprehensive support for various access control mechanisms, which allow database administrators to finely tune who can access what data and how.

It turns out that there’s a lot of overlap in how these work between SQL Server and Postgres, though the exact syntax may be a bit different for certain items.


SQL Server Security Series Wrap-Up

Mike Walsh puts a bow on it:

Thanks for tuning into our posts for the 30 SQL Server security checks in 30 days series this month. I want to recap the entire month of posts with a few homework assignments to get you started today.

Read on for those three assignments, including adopting a security mindset, remembering that humans tend to be the weak points of security, and trying out sp_CheckSecurity.


A Reason to Avoid Database Chaining in SQL Server

Jeff Iannucci gives us the details:

SQL Server database ownership may seem like an insignificant concern, but choosing the wrong owner for your database can be a main contributor to security disasters like ransomware. Let’s talk a bit about how to choose an owner that doesn’t create a huge security vulnerability for you and your SQL Server instance.

(Note: this isn’t the same as being in the db_owner role, although we will look at that later in this post.)

Click through for more information. This is one of the big reasons to avoid cross-database ownership chaining or setting TRUSTWORTHY on any database. Jeff has another way of resolving this particular problem that works, but the best solution is not to use either of those features.
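As an added check (example code, not from Jeff's post or this site), the T-SQL below reads sys.databases and sys.configurations to list each database's owner login, its TRUSTWORTHY bit and its per-database ownership-chaining bit, and flags the combinations worth reviewing; the finding text is my own wording.

```sql
-- Added audit query (not from the original post): which databases have an owner,
-- TRUSTWORTHY setting or ownership-chaining setting that warrants a review?
-- Run as a login that can see all databases (e.g. sysadmin).
SELECT
    d.name                         AS database_name,
    SUSER_SNAME(d.owner_sid)       AS owner_login,
    d.is_trustworthy_on,
    d.is_db_chaining_on,
    CASE
        -- Highest risk: a TRUSTWORTHY database whose owner login is a sysadmin.
        WHEN d.is_trustworthy_on = 1
         AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
            THEN 'REVIEW: TRUSTWORTHY ON and owner is sysadmin'
        WHEN d.is_trustworthy_on = 1
            THEN 'REVIEW: TRUSTWORTHY ON (prefer module signing instead)'
        WHEN d.is_db_chaining_on = 1
            THEN 'REVIEW: cross-database ownership chaining ON'
        WHEN d.owner_sid IS NULL OR SUSER_SNAME(d.owner_sid) IS NULL
            THEN 'REVIEW: owner login missing or orphaned'
        ELSE 'OK'
    END                            AS finding
FROM sys.databases AS d
WHERE d.database_id > 4           -- skip master, tempdb, model, msdb
ORDER BY d.name;

-- Instance-wide switch: a value of 1 allows chaining across every database,
-- regardless of the per-database is_db_chaining_on bit shown above.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'cross db ownership chaining';
```

A database flagged in the first result set is a candidate for changing its owner to a low-privilege dedicated login and turning TRUSTWORTHY off; the second query should return 0 on a hardened instance.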


Certificate Expiration Dates and TDE

Mike Lynn talks Transparent Data Encryption:

Transparent Data Encryption uses certificates in its architecture for protecting your data while at rest. One attribute of a certificate is that it has an expiration date. Certificates expire for a couple of reasons, but the main reason is to enforce security. When a website certificate expires, it forces the website owners to get a new certificate by proving they are who they say they are with a trusted third party.

SQL Server certificates that are used for TDE also have an expiration date, but these dates are only checked when you are creating a self-signed certificate using the “CREATE CERTIFICATE” T-SQL command. If you don’t supply an expiration date when creating your certificate, SQL Server will assign one that is 1 year into the future.

Read on to learn more about how it works with TDE. I will say that with encrypting backups, SQL Server does care about the expiration date when it comes to creating a new encrypted backup, but not when it comes to restoring a backup.


xp_cmdshell and Security

Jeff Iannucci talks xp_cmdshell:

That most likely means the hacker in the incident gained access to SQL Server, and then used xp_cmdshell to open a Windows command shell. With that shell opened, they could then pass DOS and/or PowerShell commands to collect information and download malware onto the server.

It sounds dangerous. It is. But whether or not xp_cmdshell is enabled is irrelevant.

Exactly. This is something Sean McCown has harped upon for years, and I’ve done my best to follow. You can do bad things with xp_cmdshell, but disabling it doesn’t actually help for reasons Jeff mentions. Instead, assuming you need xp_cmdshell for some work, don’t go beyond the pre-set limitations (where a user needs sysadmin or CONTROL SERVER) and it’s fine.


adutil Now Available for RHEL 9 and Ubuntu 22.04

Amit Khandelwal has good news for us:

We’re thrilled to share that adutil, the Active Directory Utility for SQL Server, is now officially supported on RHEL 9 and Ubuntu 22.04. If you’ve been waiting for this, your patience has paid off! Let’s dive into the details.

I had released a video on Active Directory in SQL Server on Linux that included a workaround to get adutil going on Ubuntu 22.04. I’m glad that part of the video is now obsolete.
