In my last post in this series , I talked about ''blind SQL Server installs'' and some of the potential consequences of making uninformed choices during setup (or of just accepting all of the defaults). Today I wanted to touch on security a bit. I frequently...(read more)

This blog is not about avoiding logging in using the sa login. Hopefully we all know about this, and work towards avoidning this practice. Instead I want to talk about using sa, but not to login (authenticate), but as owner for jobs and databases. I want...(read more)

As I have mentioned in all of the previous posts, basic functionality is the foundation of any system. So it goes without saying that if you have just implemented a payroll system, everyone is getting paid.  To meet the basic bar that EVERYONE agrees...(read more)

In what user context does a job run? I recently found myself in a forum discussion and gave my stock reply, later realizing that I haven't actually tested this for a long time (I used to demo this in class during 6.5 courses - when we actually had time...(read more)

I really enjoyed speaking at the Portland SQL Server User Group meeting last night about SQL Server security...and I have an update. We were talking about the supposed inability of auditing to audit usage of sys.fn_get_audit_file, the system function that reads an audit log. Raul Garcia of the SQL Server team had the answer. "For ...

In a shared SQL Server hosting environment, there are several problems that can arise when you let your customers use Management Studio to connect and administer their databases. In the typical case, you give them a single SQL Authentication username...(read more)

I missed last week because I was having fun up in Canada... mostly without any kind of computer access at all. It was a nice break, but now I'm back in the thick of things again. So this week, I am going to try to beef it up a bit to compensate for last...(read more)

This month I'll be presenting a session for the Portland SQL Server User Group. I'll be discussing and demonstrating the new security features in SQL Server 2008 with a post-talk Q&A about SQL Server security in general. I've also got some swag to raffle off. See you on the fourth Thursday!

I've always been concerned with security and I've always stressed the importance of auditing the REAL user context not just the current user (see this post on EXECUTE AS and auditing). So, I generally try to avoid using dynamic string execution and if necessary create well tested/protected parameters (fyi - using QUOTENAME can be a ...

Sorry I'm a day late on this one; yesterday I was fully engulfed by Resource Governor stuff and a filter refreshing problem at work, and then last night I spent the entire evening away from a computer (for the first time in what seems like ages).  Anyway, without further ado, here are the items I noticed this week that I think could use some ...