Webcast: How to Secure SQL Server – End to End Security

On April 16, 2024, I will be giving another webcast; this one will be on SQL Server security.

Sign up link

As always, the registration is free. Here’s the abstract:

Data is the lifeblood for almost every organization. As a result, platforms like Microsoft SQL Server are high-value targets for attackers. However, knowing what to do and not do can be daunting.

In this webinar, we’ll walk through a framework to secure your SQL Servers from end to end. Starting with the install and walking through surface area, permissions, backups, encryption, and concluding with decommissioning, we’ll cover every area you’ll need to consider for your SQL Server environment. Where they are applicable, we’ll also point out industry good practices and where to find the documentation on them.

By the end of the webinar, you should leave with a plan for where to start, what’s most important, and where to go for more information to ensure you can properly harden and secure the SQL Servers in your organization.

Webinar: How to Harden SQL Server

On November 29, 2023, at 11 AM Eastern Standard Time, I’m presenting a webinar on how to harden SQL Server.

Link to Register (free): GoTo Webinar – How to harden SQL Server – registration

Here’s the abstract:

Microsoft SQL Server has been a target of threat actors for over 20 years. The first world-wide exploit of SQL Server was known as SQL Slammer, and it caused significant changes to Microsoft’s software development lifecycle and led to the institution of the Trustworthy Computing initiative. Now, a fresh attack against SQL Server has made the news: DB#Jammer. DB#Jammer and attacks like it exploit poor security configurations in both SQL Server and the surrounding technology.

Beyond the abstract, here’s what I’m going to go into detail about:

  • Understanding surface area, zero trust, and network security.
  • Assuming an already breached mentality.
  • The importance of basics such as password strength and account lockout.
  • The need for a layered approach when it comes to security – network, OS, and SQL Server.
  • Proper auditing and reporting to detect breaches.

Basic SQL Server Configuration Help for Involuntary DBAs

After my presentation at the Techno Security and Digital Forensics conference, I had an information security professional stop by to ask a few questions. He’s in the position where he supports other clients, since he works in a third-party security operations center (SOC). The reason most of these clients pay for a SOC instead of developing one of their own is cost. Since they don’t have the money to splurge on a lot of IT positions, another one that’s usually missing is the DBA.

Oftentimes, as a SOC provider, when they interact with clients they can tell fairly quickly that the SQL Servers aren’t configured well. However, they don’t have the knowledge to go in and help their clients in a quick and easy way. He asked for advice. I pointed him to something that we have in our community: sp_Blitz. It’s part of the First Responder Toolkit from Brent Ozar.

Why did I recommend that particular tool? There are several reasons:

  1. It’s designed to provide a quick health check of your SQL Server.
  2. It’s a free tool (yes, you have to register), meaning budget isn’t an issue.
  3. The community has worked on and contributed to it.
  4. It provides explanations and recommendations on how to fix what’s wrong.

For someone such as an involuntary DBA or a consultant trying to assist a client when that’s not your primary skill set, it lets you make solid recommendations immediately that will improve the SQL Server setup. And it’s not hard to set up and run.

If you haven’t looked at this tool before, grab it, put it into a non-prod environment, and see if it can help you.
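As an added example (not part of the original post, and not the toolkit’s own documentation), here is how an involuntary DBA might run sp_Blitz, keep the results in a table, and pull out just the security findings from the latest run. The parameter and column names are those of the First Responder Kit’s sp_Blitz as I know them; check the toolkit’s documentation for your version. The DBAtools database and BlitzResults table names are assumptions.

```sql
-- Added example, not from the original post. Assumes sp_Blitz.sql from the
-- First Responder Kit has already been installed (by default into master).
-- The output database/schema/table names below are assumptions; sp_Blitz
-- creates the output table itself if it does not already exist.
EXEC dbo.sp_Blitz
    @CheckServerInfo    = 1,             -- include server-level configuration rows
    @OutputDatabaseName = 'DBAtools',    -- assumed: an existing utility database
    @OutputSchemaName   = 'dbo',
    @OutputTableName    = 'BlitzResults';

-- Security findings only, from the most recent run, most urgent first
-- (a lower Priority value means a more important finding). sp_Blitz groups
-- its findings (e.g. 'Security', 'Backup', 'Reliability') in FindingsGroup.
SELECT  Priority,
        Finding,
        DatabaseName,
        Details,
        URL             -- link to the explanation and remediation guidance
FROM    DBAtools.dbo.BlitzResults
WHERE   FindingsGroup = 'Security'
  AND   CheckDate = (SELECT MAX(CheckDate) FROM DBAtools.dbo.BlitzResults)
ORDER BY Priority, Finding;
```

Keeping each run in the table lets you compare runs over time and show a client which security findings were closed and which are still open.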

Speaking at Charlotte BI Group Tomorrow

Tomorrow, Tuesday, April 7, 2015, I’ll be speaking at the Charlotte BI user group. The meeting starts at 5:30 PM.

Here’s the info:

RSVP Link

Topic: Securing the ETL Pipeline

We’re going to look at typical ETL (Extract, Transform, Load) pipelines and consider the weak points an attacker might go after. Our goal in this isn’t to cause FUD (Fear, Uncertainty, and Doubt), but to discuss risks at each point, options for protecting the vulnerability, and what we’ve seen typically done (if anything). While this talk primarily focuses on Microsoft SQL Server, especially the database engine and SSIS, many of the points covered will be applicable to any solution set.

Location: 8055 Microsoft Way, Charlotte NC 28273

Speaking on ETL Security

I will be giving a presentation on ETL (Extract, Transform, Load) security at two user groups in the coming weeks.

Securing the ETL Pipeline

We’re going to look at typical ETL (Extract, Transform, Load) pipelines and consider the weak points an attacker might go after. Our goal in this isn’t to cause FUD (Fear, Uncertainty, and Doubt), but to discuss risks at each point, options for protecting the vulnerability, and what we’ve seen typically done (if anything). While this talk primarily focuses on Microsoft SQL Server, especially the database engine and SSIS, many of the points covered will be applicable to any solution set.

If you’re in or near the Midlands or Upstate of SC, I’d love for you to come out so we can meet and discuss this topic, professional development, and SQL Server in general:

August 5, 2014 – SQL Server Innovators Guild – Greenville, SC

August 14, 2014 – Midlands PASS Chapter – Columbia, SC

Midlands PASS July Meeting – July 10

The Midlands PASS Chapter will hold its next meeting on July 10. We meet at MicroStaff IT in Cayce, SC. Here is the main presentation:

Statistics, Indexes, and their Impact

Speaker: Brian Kelley, SQL Server MVP

Statistics. Indexes. Clustered Indexes. Non-Clustered Indexes. Covering Indexes. Bookmark Lookups. Perhaps you’ve heard these terms. They determine how well or poorly your queries run. In this session, we’ll look at what these things are, how they impact your queries, what to do to maximize their use, and when you should consider making changes.

This is a 100-200 level presentation.

You can RSVP for the meeting (it helps us plan for food) at the EventBrite Event Page for this meeting.


Security #Datachat on Twitter Tonight

Tonight, at 9 PM Eastern, I’ll be participating in a #datachat on SQL Server security. It’s sponsored by Confio (now part of Solarwinds).

You can find more details about the #datachat here.

How can you participate? Simply open up a search for #datachat and participate in the community Q and A. The more, the merrier!

I hope to see you online.

Presenting on Security at Midlands PASS

On Thursday, February 13, 2014, I’ll be at Midlands PASS in Columbia, SC. We’ll be meeting from 5:30 PM to about 7:30 PM. I’ll once again be giving an open-ended SQL Server security talk. Here’s the description:

Midlands PASS Chapter’s annual SQL Server security refresher! This is an open-ended discussion hosted by SQL Server MVP and resident SQL Server security expert, Brian Kelley. Bring your scenarios and questions and we’ll work through the best ways to build security solutions for and using Microsoft SQL Server.

We meet at Microstaff IT in Cayce, SC. They are a great host and we enjoy the accommodations. If you’re in the area, please stop on by!

We do ask that you RSVP so we know how much food to bring.

Free Online SQL Server Training for the Week of November 17, 2013

If you’re a training provider and I’ve missed you, please drop me a line at brian {dot} kelley {at} sqlpass {dot} org.

All times are Eastern (New York). To convert to your local time, use the converter at timeanddate.com.

Tuesday, Nov 19:

Wednesday, Nov 20:

Thursday, Nov 21:

Training Providers I Regularly Review:

Free Online SQL Server Training for the Week of November 10, 2013

If you’re a training provider and I’ve missed you, please drop me a line at brian {dot} kelley {at} sqlpass {dot} org.

All times are Eastern (New York). To convert to your local time, use the converter at timeanddate.com.

Tuesday, Nov 12:

Wednesday, Nov 13:

Thursday, Nov 14:

Training Providers I Regularly Review:
