Security – Page 36 – Curated SQL

Creating a Trust between On-Prem AD and AWS Directory Service

Published 2022-03-16 by Kevin Feasel

Most SQL Servers use a large portion of the authentication as Windows Authentication – utilising Kerberos and NTLM protocols via Active Directory. So when it comes to considering moving on-prem SQL Server resources to Cloud Providers – Active Directory is a foundational question. There are other methods than Microsoft Directory – which I’ll discuss in future posts.
Utilising AWS RDS SQL Server with Windows Authentication methods is only possible using the AWS Directory Service. i.e The AWS RDS SQL Server is created and added as a resource to the AWS Directory Service . If on-prem users require access to the AWS RDS SQL Server via Kerberos , a forest trust is required between the AWS Directory Service and the on-prem AD.
For this post – the focus is on an existing on-premises SQL Server inventory using Microsoft Active Directory Services.

Read on to see what you’d need to do to implement this.

Comments closed

Working with SIDs in Powershell

Published 2022-03-15 by Kevin Feasel

Jeffery Hicks translates security identifiers:

As usually happens during my day, I get sidetracked to another issue, and before you know it, I have a new PowerShell tool. In this instance, I was looking at event logs using Get-WinEvent. One of the event record properties is a UserID.
That’s very nice, but who is this? In this particular instance, the UserID property is SecurityIdentifier object.

Read on to see how to translate a SecurityIdentifier into something human-understandable.

Comments closed

Stringing Azure Data Factory between VNets

Published 2022-03-08 by Kevin Feasel

Ahmed Mahmoud performs networking wizardry:

Customer wants to connect Azure Data Factory on one subscription to an Azure SQL Server on Virtual Machine (SQL VM) on another subscription. check out the architecture diagram below for more clarification.

Click through for that diagram as well as the process. And between VNet peering and Private Link, I believe (but could be wrong in saying) the traffic would never leave Azure-hosted machines even when it transits between subscriptions.

Comments closed

Database Offline Works but Online Permissions Failure

Published 2022-03-08 by Kevin Feasel

David Alcock unravels a mystery:

I was browsing the SQL Server subreddit earlier where someone had posted a problem where they’d been able to take a database offline but couldn’t bring the database back online via a script or the UI in SSMS (full thread here).
There’s a bit of a back story; all the DBA’s have left the business (facepalm) so a non-DBA has been left with the admin type tasks. Secondly the reason the database was being taken offline was to take physical backups of the databases mdf and ldf files (double facepalm).

That is its own issue but read on for the problem at hand.

Comments closed

Restoring a TDE-Enabled Database Backup to another SQL Server

Published 2022-03-03 by Kevin Feasel

Tom Collins has a backup to restore:

I have a SQL Server with TDE enabled and the user databases are TDE configured. I need to take a backup and restore the TDE enabled database to another SQL Server Instance . Could you take me through the steps including prerequisites?

The answer is yes. And Tom is so kind as to show the answer rather than giving a flippant response, which is my modus operandi.

Comments closed

Connecting to MySQL in RDS

Published 2022-02-25 by Kevin Feasel

Chad Callihan shows proof of authenticity:

We’ll use MySQL Workbench for this example. Feel free to grab the latest version from over here.
Let’s open up Workbench and click the plus sign next to MySQL Connections to create a new MySQL Connection:

Read on to see how it all works.

Comments closed

Authenticating with s5cmd

Published 2022-02-25 by Kevin Feasel

Anthony Nocentino has the need for speed. And authentication:

At work, I get to work with some fantastic tech that pushes the boundaries of performance. I needed to do some performance testing from a Windows server into a FlashBlade using s3. I reached out to a colleague of mine, Joshua Robinson, who told me about s5cmd. s5cmd is a very fast, parallel s3 compatible command-line client.
Check out Joshua’s post for some performance numbers. Here’s a direct quote from his post.

But it doesn’t matter how fast it is if you can’t connect, so Anthony shows us how to do just that.

Comments closed

Restarting SQL Server during TDE Encryption

Published 2022-02-24 by Kevin Feasel

Tom Collins takes a risk:

I am planning on TDE encrypting a bunch of large SQL Server databases. Due to potential IO contention issues during the work day , the plan is to encrypt these databases during the out of hrs period. If the encryption is triggered , but there is a SQL Server service restart during the encryption process , will the encryption process be impacted when the SQL Server service restarts?

Click through to see what happens.

Comments closed

Basics of Risk Management

Published 2022-02-21 by Kevin Feasel

Matthew Roche lays out some of the basics of risk management:

One simple and lightweight approach for risk management involves looking at two factors: risk likelihood, and risk impact.
Risk likelihood is just what it sounds like: how likely is the risk to occur. Once you’re aware that a risk exists, you can measure or estimate how likely that risk is to be realized. In many situations an educated guess is good enough. You don’t need to have a perfectly accurate number – you just need a number that no key stakeholders disagree with too much.^[3]Rather than assigning a percentage value I prefer to use a simple 1-10 scale. This helps make it clear that it’s just an approximation, and can help prevent unproductive discussions about whether a given risk is 25% likely or 26% likely.
Risk impact is also what it sounds like: how bad would it be if the risk did occur? I also like to use a simple 1-10 scale for measuring risk impact, which is more obviously subjective than the risk likelihood. So long as everyone who needs to agree agrees that the impact a given risk is 3 or 4 or whatever, that’s what matters.

Read on for a summary of the topic and a good leaving-off point to learn more.

Comments closed

Finding Public IP Addresses in Azure

Published 2022-02-15 by Kevin Feasel

Werner Rall is looking for public IPs:

Creating Resources in Azure is so simple for IT teams these days but finding all the public endpoints that could be visible to the internet can be challenging. Why do I need to understand which IP’s are exposed to the internet? Without a proper understanding of which Public IPs are available to the internet we cannot fully secure or protect our resources. In this article we will look at using the Azure Native Graph Explorer solution to query not only Virtual Machine Public IP Addresses but other resources containing IP addresses in our Azure Tenant.

Read on to see how.

Comments closed

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Category: Security