Installing SQL Server 2008 Services in a High-Security Domain

If you need to install the SQL Server 2008 Database Engine (SS08) or the SQL Server Reporting Services (SSRS) in a domain where some of the administrative privileges of the local administrator account have been removed, you may want to check 3 particular permissions, listed just below. Unfortunately, these permissions don’t get checked by the RTM (release-to-manufacturing)…


Documenting Full-Text Indexes

Top-notch security requires a complete set of documentation to help DBAs remain aware of what they’re responsible for, and help a new DBA become aware. Recently, I was asked how to determine the complete list of full-text indexes on an instance, and couldn’t find a simple report, so I wrote the attached script to produce a list….


Project Oslo, a.k.a. SQL Server Modeling Services

Interesting. Project Oslo has an official name now, “SQL Server Modeling Services.” It’s interesting because Oslo seems strongly oriented toward developers, not SQL Server. For example, Oslo was absent from SQL PASS 2009, the leading SQL Server professional conference, which was only 3 weeks ago, and was instead announced at PDC09, which is the leading Microsoft conference for software developers….


SQL Server vs. Oracle Security Vulnerabilities

Think Oracle’s “Unbreakable” advertising implies it has the fewest vulnerabilities? Think again. This graphic is an excerpt from “OracleEdisonResponse.docx”. You can download the full document here: http://download.microsoft.com/download/A/F/1/AF1CC0A9-05B0-46FB-ACE3-2E4B11F8D182/OracleEdisonResponse.docx. Here’s the caption: “As seen in the chart, Oracle database consistently has more security vulnerabilities than Microsoft SQL Server. In fact, Microsoft SQL Server has very low vulnerability from…


Custom Auditing

If auditing had no cost, we’d always audit everything, but it can have major performance costs, so the principle is: Audit only what you have to audit for each system, depending on how much protection is necessary for the data in each system.  SQL Server Profiler can be great to use for a little while to capture data for troubleshooting, but…


SQL Server 2005, List of Events Captured by the Default Trace

Looking for a quick list of the events monitored/captured by SQL Server 2005’s default trace? Here ya go:
Database: Data File Auto Grow
Database: Data File Auto Shrink
Database: Database Mirroring State Change
Database: Log File Auto Grow
Database: Log File Auto Shrink
Errors and Warnings: ErrorLog
Errors and Warnings: Hash Warning
Errors and Warnings: Missing Column Statistics
Errors and Warnings: Missing Join…


Making STIG Compliance Much Easier, Part II

Securing a system requires efforts that can be dropped into 3 buckets: Configuration, Alerting, and Auditing. (Am I missing any? Post a comment if you think of any others…) Securing a system’s configuration means its run-time configuration. Design-time is irrelevant except in how it impacts the run-time configuration, as it is only the actual run-time…


Mission Assurance Category

This is old news to all of you who have memorized the Department of Defense Instruction (DoDI) Number 8500.2, which is one of the source documents that the Database STIG is based on, but for the rest of you… Not all databases are created equal. A database with corporate strategies and payrolls is probably a…


Making STIG Compliance Much Easier

Tired of struggling to implement the Database STIG on a server, only to have to repeat the process on another server, then another…? When you upgrade to SQL Server 2008, you can use policy-based management to dramatically reduce the workload. Define a policy once and apply it to all your servers at one time. Sweet! Download the SQL…


Changing the Domain of SQL Server

The following are areas of concern you should consider when changing the domain of a SQL Server or restoring a database to a SQL Server in a different domain. If you think of anything I missed, please let me know and I’ll update this list.
Account Names and Permissions
Application accounts
Credentials (for Agent proxies)
Database…