A Fine Slice Of SQL Server
Jon Russell clarifies the situation:
SQL Server administrators often encounter Microsoft updates labeled as “CU + GDR”, and understandably, this can cause confusion — especially when trying to stay on a consistent CU-based servicing path. This post clarifies what “CU + GDR” really means and why it’s not something to worry about.
Read on for an overview of the different security models, as well as the odd duck in SQL Server 2016.
Comments closedDavid Fitzjarrell takes a look at some settings:
Passwords expire, and, depending upon how various profiles are configured, accounts are either locked or provided a grace period during which the old password can be changed. In any recent enterprise password verification functions are provided to police new passwords to ensure a modicum of security. Let’s dig into what Oracle provides to assist in password security.
Basic elements of password security that Oracle provides start with the profile; listed below are the associated resources:
Read on for the available options you can set on a per-profile basis.
Comments closedKevin Wilkie does a bit of filtering:
Snowflake Dashboards can do a lot more than just show pretty numbers. Today, let’s focus on something that every data pro eventually has to deal with—filters that make navigating your dashboards less painful, especially when it comes to everyone’s favorite task: AUDITING.
Ah yes, auditing—because nothing says “data dream job” like tracing permissions. Whether it’s quarterly compliance checks or a sudden request from an overly curious auditor, somebody, at some point, will ask, “Who has access to what in Snowflake?” So let’s make that answer easy to deliver.
Click through for the process, using the development of a permissions auditing dashboard as the example.
Comments closedDesigning a reporting layer that protects sensitive data takes more than hiding tables behind a view. You must understand how schema permissions and ownership chaining interact, or a well‑meant deny can suddenly block your users—or worse, let them see columns you thought were private. The walk‑through below shows the entire life‑cycle of a common scenario:
- Build an HR table that holds confidential columns.
- Expose a summary view in a separate schema.
- Grant a reporting role access to the view but explicitly deny access to the HR schema.
- Break the ownership chain, observe the failure, diagnose the cause, and repair it by realigning ownership.
Read on to learn more. Note that this is all within a single database, so we aren’t talking about the cross-database ownership chaining setting. That setting being on immediately raises red flags for me.
Comments closedDavid Seis updates an instance or thirty:
Keeping your SQL Server instance up to date with the latest service packs and cumulative updates is one of the key components of SQL Server security. In this blog post, we will audit the dbatools command Update-DbaInstance, which can save you hours every month and help keep your environment more secure.
I will test, review, and evaluate the script based on a series of identical steps. Our goal is to provide insights, warnings, and recommendations to help you use this script effectively and safely. Update-DbaInstance is powerful tool to automate the update of one or many SQL server instances without needing to log in.
Click through for David’s thoughts on the cmdlet.
Comments closedDian Fay troubleshoots some row-level security slowness:
At my day job, we use row-level security extensively. Several different roles interact with Postgres through the same GraphQL API; each role has its own grants and policies on tables; whether a role can see record X in table Y can depend on its access to record A in table B, so these policies aren’t merely a function of the contents of the candidate row itself. There’s more complexity than that, even, but no need to get into it.
Read on for a dive into row-level security and several tips to make the operation faster.
Comments closedSteve Stedman breaks down some myths around Transparent Data Encryption in SQL Server:
Transparent Data Encryption (TDE) in SQL Server is a powerful feature designed to protect data at rest by encrypting database files. While TDE is an excellent tool for securing data stored on disk, it’s often misunderstood, leading to assumptions about its capabilities. In this blog post, we’ll clarify what TDE does not do to help you better understand its scope and limitations, ensuring you implement the right security measures for your SQL Server environment.
Click through for the list.
Comments closedMike Walsh explains why it’s important to keep up to date on patches:
At first, I was a bit shocked, but then I realized it actually makes sense and it matches a regret I hear far too often from folks who call us too late: “If we don’t change too much, we’re safe.”
Sadly, nothing can be further from the truth. When a software vendor releases a fix for a vulnerability, it certainly could be caused by a recent patch or update – but more often than not that fix is for a longstanding issue that has been until recently unknown to the world.
Read on for Mike’s argument. This also applies to people running versions of SQL Server no longer receiving patches (hint: 2016 SP3 and earlier). Just because there isn’t a patch doesn’t mean there isn’t a vulnerability.
Comments closedTim Radney enumerates the causes of an error:
Working with thousands of instances of Microsoft SQL Server, I often encounter users having issues. A common error is 18456 which indicates a login failure. Some common solutions are listed below.
Click through for the list.
Comments closedMike Walsh takes us through a recent CVE entry:
On patch Tuesday this week, Microsoft released an Important severity security update (a CVSS base score of 7.5)
The details of this 0-day exploit are available to read at the NIST site, and the Microsoft security update site.
In short, the exploit that Microsoft has discovered and subsequently fixed can allow information disclosure.
The NIST entry is kind of a joke right now, and the Microsoft security update info is basically what they submitted to NIST plus links to download the patches. Still, this is worth patching and it’s an issue that goes back at least to 2016—probably earlier, but 2016 is the last version of SQL Server that still gets security updates.
Comments closed