Infrastructure at your Service

Security Archives - Blog dbi services

Stéphane Savorgnano

Pass Summit 2017: how to bypass SQL Server security

By Stéphane Savorgnano | Database Administration & Monitoring | No Comments

Last Friday I saw a very interesting session at Pass Summit 2017 about how to bypass, or ensure, SQL Server security, by Matt Martin. Matt explained to us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs… so let’s have a look at how to take the power within a SQL Server instance. Start a job under the SQLAgentOperator role: SQLAgentOperator…

 
Nathan Courtine

PASS SUMMIT 2017 – SQL Server Security

By Nathan Courtine | Database Administration & Monitoring | No Comments

Today is the first day of the PASS SUMMIT 2017 in Seattle (WA). The weather is cloudy and we have only 11°C… but where is the problem? Everything happens inside! (at the Convention Center). In this blog, I will give a summary of the main attack vectors against MSSQL environments, based on Argenis Fernandez’s session called “Modern Security Attack Vectors Against SQL Server Environments”. METASPLOIT: Metasploit is a penetration testing framework for exploiting known security vulnerabilities….

 
Stéphane Haby

SQL Server 2016: patching CU with R Services

By Stéphane Haby | Database Administration & Monitoring, Database management | No Comments

As a good DBA, I am starting to be up to date with all Cumulative Updates (CU) at my customers. It is the first time that I have run an update for SQL Server 2016 with CU 3. I download the CU from the Microsoft website and begin my patching campaign on all SQL Server 2016 instances. The first one is quick & successful. The second one, with R Services, is a little bit different. After,…

 
Stéphane Haby

SQL Server 2016: Does Dynamic Data Masking work with INSERT INTO and SELECT INTO commands?

By Stéphane Haby | Database Administration & Monitoring | No Comments

I wonder how Dynamic Data Masking (DDM) works with these two commands, INSERT INTO and SELECT INTO. First, I create a table and add some “sensitive data”:

USE [DDM_TEST]
GO
CREATE TABLE [dbo].[Confidential](
    [ID] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,
    [Name] [nvarchar](70) NULL,
    [CreditCard] [nvarchar](16) NULL,
    [Salary] [int] NULL,
    [Email] [nvarchar](60) NULL)
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Stephane',N'3546748598467584',113459,N'sts@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'David',N'3546746598450989',143576,'dab@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Nathan',N'3890098321457893',118900,'nac@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Olivier',N'3564890234785612',98000,'olt@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Alain',N'9897436900989342',85900,'ala@dbi-services.com')
…

 
Stéphane Haby

SQL Server 2016: Does Dynamic Data Masking work with Temporal Table?

By Stéphane Haby | Database Administration & Monitoring | No Comments

At the last IT Tagen 2016, I presented Dynamic Data Masking (DDM) and how it worked. To add a little fun, I applied DDM to a temporal table to see whether the history table also inherits DDM’s rules. In this blog, I explain all the different steps to reproduce my last demo.

Step 1: Create the table and the temporal table in the database DDM_TEST

USE [DDM_TEST]
GO
CREATE TABLE [dbo].[Confidential](
    [ID]…

 
Stéphane Savorgnano

SQL Server 2016: Dynamic Data Masking and database role

By Stéphane Savorgnano | Database Administration & Monitoring, Technology Survey | 4 Comments

Last week, dbi services organized an event named “SQL Server 2016: what’s new?” in Lausanne, Basel and Zurich. I would like to take the opportunity to say again a big thank you to everyone who joined us. During my session, some questions concerning the new Dynamic Data Masking functionality were asked. In fact, data are masked for some roles and not for others. Let’s try to clarify that. I will use the same script I used…

 
Daniel Westermann

Securing your connections to PostgreSQL by using SSL

By Daniel Westermann | Database Administration & Monitoring | 5 Comments

Security is a big topic today and in the news almost every day. As the database usually holds sensitive data, this data must be well protected. In most cases this is done by encrypting critical data inside the database and decrypting it only when requested. But this is not all: when a client reads the data, it is decrypted inside the database and then sent back over the network unencrypted. What do you win with such…

 
Stéphane Savorgnano

SQL Server 2016: Always Encrypted – part 2

By Stéphane Savorgnano | Database Administration & Monitoring, Technology Survey | No Comments

In my last blog post about SQL Server 2016 Always Encrypted, here, I showed how to use this new functionality, but also that you have to separate the different execution contexts with an application server, a database server and a security server, so that the certificate is not available to all users, which would break the segregation. Let’s see how to build those environments. In my security server named SQL2016-2, I first create a self-signed certificate…

 
Stéphane Savorgnano

SQL Server 2016: Always Encrypted

By Stéphane Savorgnano | Database Administration & Monitoring, Technology Survey | One Comment

One of the top new features of SQL Server 2016 is the Always Encrypted functionality. Always Encrypted ensures that data stored in a database remain encrypted at all times while they are in the database. There is a complete separation between the people who own the data and the people who manage it. Only the people who own the data can see plaintext data; people like DBAs, sysadmins or privileged logins cannot have access to the…

 