A Fine Slice Of SQL Server
Tom Collins builds a time machine:
When recovering a certificate created during a CREATE CERTIFICATE I get a “Warning: The certificate you created is expired” message , although the certificate is added to the server. Is this an issue? how can I fix?
Read on for the answer.
Comments closedLee Markum takes a look at logins:
You know you need to be thinking about SQL Server security, but maybe you’re not sure where to start. Topics like firewalls and ports and port scanners and such may be dancing your mind. Those are good things to think about, but they are not under your sphere of influence as a data professional in charge of SQL Server. So, what can you do?
Your first place to start is by looking at the Logins, which as I’ve explained in a previous post, are at the level of the SQL Server instance level.
Read on for two approaches.
Comments closedRandolph West does a switcharoo:
Dave is referring to the Microsoft Docs page for
PWDENCRYPT(), which has been deprecated for some time. Unfortunately, although the recommended replacement isHASHBYTES(), there isn’t an example on either page of how to replicate the functionality ofPWDENCRYPT().So, borrowing from Sebastian Meine who wrote an article titled Hash Algorithms – How does SQL Server store Passwords?, this is how you can replicate the functionality of
PWDENCRYPT()to create a login, using theHASHBYTES()function instead:
If this is what you have, so be it…but an algorithm like bcrypt or scrypt would be so much better for this purpose than SHA2 or SHA3. That means using a third party library for it but there are plenty for React, .NET, Python, etc.
1 CommentReitse Eskens does some troubleshooting:
For those who are not familiar with Always Encrypted: it’s a built-in technique in SQL Server where data gets encrypted in a random or deterministic manner with a certificate and an algorithm. Long story short, without the certificate it’s gobbledygook. If you want to read more, check out this link.
As mentioned, the encryption was working perfectly, no-one could read the data in a usable way in the application. The point was that the application should be able to do that. And so we took up the challenge to see where things went wrong.
I’ve found that data is much more secure when nobody can ever see it again. That’s why I store all of my data in /dev/null. It’s also extremely fast.
Comments closedAlan La Pietra looks at all the Defenders you can get your hands on:
Microsoft Defender Antivirus is available in Windows 10 and Windows 11, and in versions of Windows Server
Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft “Defender for Endpoint”
Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your device and in the cloud
I see the hand of marketing in this. Which means they’ll probably all have different names nine months from now.
Comments closedJoey D’Antoni takes us through a process:
If this sounds scary, and it does to me, who is by far not an expert in all things security, but knows a little bit, you may ask, what are some alternative solutions? The answer to that question is Fido2, a different protocol for MFA and auth. Remember all of that stuff Microsoft talks about with passwordless login? That’s all based around Fido2. I configured this for DCAC’s Azure Active Directory yesterday, and I wanted to walk you through the steps.
Click through to learn how.
Comments closedPaul Harrison explains how homoglyphs can cause potential issues:
This article will walk through homoglyphs and a proposed type of attack that I have not yet seen in the wild, but I presume has occurred. Every programming language I’m aware of is impacted but I don’t know every programming language, so I’ll stick to PowerShell for the proofs of concepts below. I’ll also show code that I wrote to detect this vulnerability in PowerShell code which can be built upon to create scanners for other languages. The problems I present here can be detected if proper unit testing is in place. I don’t like writing unit tests either, but this is me Pestering you to consider adding unit testing to your pipeline.
Homoglyphs can definitely make it harder to perform code reviews and analyses, particularly when dealing with a malicious actor.
Comments closedSean Gallardy files events to the circular file:
Getting back on track instead of listening to me complain, many DBA’s and internal security folks like writing to the Windows Security Event Log because the word security is in the name and they have some tool like Splunk that automatically collects these details. I like automation, so that’s a nice win. However, you may be running into SQL Server error 33204 which is a failure to write an audit event to the security event log.
Read on to find one reason why this might happen.
Comments closedI was recently working on a client server and need to install the Az PowerShell module. I opened and administrator window and typed
Install-Module Azand received this error:
WARNING: Unable to find module repositories.
Turns out that was not the real answer. Click through to see what Frank ended up needing to do.
Comments closedTom Collins makes a connection:
Most SQL Servers use a large portion of the authentication as Windows Authentication – utilising Kerberos and NTLM protocols via Active Directory. So when it comes to considering moving on-prem SQL Server resources to Cloud Providers – Active Directory is a foundational question. There are other methods than Microsoft Directory – which I’ll discuss in future posts.
Utilising AWS RDS SQL Server with Windows Authentication methods is only possible using the AWS Directory Service. i.e The AWS RDS SQL Server is created and added as a resource to the AWS Directory Service . If on-prem users require access to the AWS RDS SQL Server via Kerberos , a forest trust is required between the AWS Directory Service and the on-prem AD.
For this post – the focus is on an existing on-premises SQL Server inventory using Microsoft Active Directory Services.
Read on to see what you’d need to do to implement this.
Comments closed