Patch your SQL Server instance today
On 14 February 2023, Microsoft released updates for all supported versions of SQL Server in the form of a General Distribution Release (GDR). A GDR is an out-of-band update that usually includes bug fixes and/or…
I wrote a post a couple weeks ago about not changing port 1433 for security reasons. I received this comment, which is not visible on that page because it warrants a lengthy response. I have…
Since we’re on a recent theme of revising long-held best practices that are not, here’s a timely one for you: Don’t change your default SQL Server port for security reasons. In SQL Server Configuration Manager,…
This is the third post in the series about system-versioned ledger tables, a new feature introduced in Azure SQL Database. You can read Part 1 and Part 2 if you haven’t already. Every choice we…
In the first post of this series, we learned about a new type of system-versioned table that also works at the database level and introduces a mechanism that demonstrates whether your database has been tampered…
As long-time readers of this blog know, I’m a big fan of temporal tables, also known as system-versioned temporal tables. Until recently, temporal tables were synonymous with system-versioned tables, but all that changed a short…
Right off the top here, I must note that the term “dead man’s switch” is archaic, so for the rest of this post I’ll refer to it as “operator presence control,” or OPC. The concept…
Microsoft announced updates today for all supported versions of SQL Server, for a privilege escalation vulnerability that leverages Extended Events. For security reasons no further details have been provided, but you can expect more information in…
Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced. According to the report…
WARNING: This post contains information that can get you fired if you use it without express written permission. In some jurisdictions it might get you jail time as well. Let’s assume you are a consultant,…
Background Fellow Microsoft MVP Troy Hunt (blog | Twitter) has been operating the website Have I Been Pwned (HIBP) for a number of years now. For the record, “pwned” is pronounced like “owned” but with a…
With the release of SQL Server 2019, I wanted to highlight in a single place some things that I’m excited about. Drawing on sessions I presented this year at SQLBits and SQL Saturday Edmonton respectively,…
Behold! There’s a scary monster called skip‑2.0, announced by ESET: This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while…
In a previous post I wrote about storing password hashes in a database, which raises the question of how to convert an existing legacy password storage system to use hashes (or even no passwords!) without annoying the…
Recently I wrote: Don’t store passwords in a database. I stand by this statement. I expected a lot of flak because I didn’t explain myself. This post goes into a bit of an explanation of…