Infrastructure at your Service

Security Archives - Blog dbi services

Transparent Data Encryption – Certificate in master database: is it really a good practice?

By Nathan Courtine | Database Administration & Monitoring | No Comments

As an encryption solution in SQL Server, Transparent Data Encryption (TDE) is simple and quick to set up. That is why it is a common encryption mechanism. TDE encrypts data with a certificate at the page level, before SQL Server writes it to disk. It is supposed to protect your environment in scenarios where SQL Server files (backups or data) are stolen. By default, the certificate used for encryption is stored in the master database. But…

SQL Server security pre-conference @ SQL PASS Summit 2018 in Seattle

By Stéphane Haby | Database Administration & Monitoring, SQL Server, Technology Survey | No Comments

After long hours of flights, Christophe Cosme and I finally arrived in Seattle at the SQL PASS Summit 2018. We picked up our badges and bags, and now we are ready to begin… My first day started with the pre-conference on SQL Server security with Denny Cherry. Many topics were discussed, such as: network designs (public IP vs. private IP), firewall configurations (such as network design between public network, internal network and…

Masking Data With PostgreSQL

By Mouhamadou Diaw | Database Administration & Monitoring, Database management, Postgres | 4 Comments

I was looking for a tool to anonymize data in a PostgreSQL database and tested the extension pg_anonymizer. PostgreSQL_anonymizer is a set of SQL functions that remove personally identifiable values from a PostgreSQL table and replace them with random-but-plausible values. The goal is to avoid any identification from the data record while remaining suitable for testing, data analysis and data processing. In this blog I show how this extension can be used. I…

SQL Server Tips: Drop a database-user attached to a service…

By Stéphane Haby | Database Administration & Monitoring, Database management, SQL Server | No Comments

A few weeks ago, I had a little issue when trying to drop a database user without login. Unfortunately, I made a little mistake at the beginning… Every morning I receive a report, generated with the useful command sp_validatelogins, on whether all AD logins (computers, groups, users) registered on the SQL Server instances still exist in the AD. This report indicated that the computer name dbi\server_name$ was no longer in the AD. I dropped the login without problem and…

SQL Server Security: Are your databases ready for the GDPR?

By Stéphane Haby | Database Administration & Monitoring, SQL Server, Technology Survey | No Comments

The GDPR (General Data Protection Regulation), voted in 2016, will be applied in the European Union soon (May 25, 2018). We have heard a lot about this new directive. The goal is to improve the protection and confidentiality of personally identifiable information for every European citizen. What about Switzerland? Read Gregory's article here. Personal data is information that identifies a natural person, directly or indirectly. It can be a name, a photograph, an…

Keep your orapw password file secure

By Oracle Team | Oracle | 2 Comments

By Franck Pachot. This is a small demo I did when I found a database password file (orapw) lying around in /tmp with -rw-rw-rw- permissions, to show why this is a bad idea. People think that the orapw file only contains hashes to validate a given password, and forget that it can be used to connect to a remote database without a password.

Pass Summit 2017: how to bypass SQL Server security

By Stéphane Savorgnano | Database Administration & Monitoring | No Comments

Last Friday I saw a very interesting session at PASS Summit 2017 about how to bypass, or ensure, SQL Server security, by Matt Martin. Matt explained to us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs… so let's have a look at how to take power within a SQL Server instance. Start a job under the SQLAgentOperator role. SQLAgentOperator…

PASS SUMMIT 2017 – SQL Server Security

By Nathan Courtine | Database Administration & Monitoring | No Comments

Today is the first day of the PASS SUMMIT 2017 in Seattle (WA). The weather is cloudy and we have only 11°C… but where is the problem? Everything happens inside (at the Convention Center)! In this blog, I will summarize the main attack vectors against MSSQL environments, based on Argenis Fernandez's session called “Modern Security Attack Vectors Against SQL Server Environments”. METASPLOIT: Metasploit is a penetration testing framework used to exploit known security vulnerabilities…

SQL Server 2016: patching CU with R Services

By Stéphane Haby | Database Administration & Monitoring, Database management | No Comments

As a good DBA, I keep all my customers up to date with the Cumulative Updates (CUs). It was the first time that I ran an update for SQL Server 2016, with CU 3. I downloaded the CU from the Microsoft website and began my patching campaign on all SQL Server 2016 instances. The first one was quick and successful. The second one, with R Services, was a little bit different. After,…

SQL Server 2016: Does Dynamic Data Masking work with INSERT INTO and SELECT INTO commands?

By Stéphane Haby | Database Administration & Monitoring | No Comments

I wondered how Dynamic Data Masking (DDM) works with these two commands, INSERT INTO and SELECT INTO. First, I create a table and add some “sensitive data”:

USE [DDM_TEST]
GO
CREATE TABLE [dbo].[Confidential](
    [ID] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY CLUSTERED,
    [Name] [nvarchar](70) NULL,
    [CreditCard] [nvarchar](16) NULL,
    [Salary] [int] NULL,
    [Email] [nvarchar](60) NULL)
GO
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Stephane',N'3546748598467584',113459,N'sts@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'David',N'3546746598450989',143576,N'dab@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Nathan',N'3890098321457893',118900,N'nac@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Olivier',N'3564890234785612',98000,N'olt@dbi-services.com')
insert into [dbo].[Confidential]([Name],[CreditCard],[Salary],[Email]) values (N'Alain',N'9897436900989342',85900,N'ala@dbi-services.com')
…
