Category: Security

Tibor Karaszi warns us to be wary of the securityadmin role:

Over the last week, I’ve seen two discussions where the securityadmin server role was suggested.

The scenario is typically that we don’t want to make this person a sysadmin, but we want this to manage logins and stuff like that.

But Tibor explains why you should watch out—my rule of thumb is to treat securityadmin as just as important as sysadmin. It’s not the same, but someone with securityadmin can do a lot of damage to a server.

Randolph West gives us the low-down on some malware:

Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced.

According to the report it installs an application written in C# by the name of assm.exe which communicates with a command-and-control server to download a digital coin mining tool, which may be disguised as various Windows system services. The malware uses several techniques to ensure that it sticks around.

Randolph has some more advice on how to determine if it is on one of your servers.

One quick thing I’d like to point out is that this is not a flaw within SQL Server; it only infects a machine which has a username and password it can guess.

Raul Gonzalez walks us through some security tips and shows how to lock accounts after a certain number of failures:

SQL Server provides two different forms of authenticating the users that connect to the database server: Windows Authentication, which is the default and preferred method, and SQL Server Authentication, which needs to be explicitly enabled.

There are reasons you might need to enable SQL Server authentication and, although advertised as less secure than Windows Authentication, there are still a few things we can do to minimise the risks.

Read on for those tips.