Are my SQL logins weak?

Security is a vital component of protecting data, and recent high-profile data thefts show why it cannot be an afterthought. This is a very simple script that finds any SQL Server authenticated login with either a blank password or a password that matches the login name, so that you can take action to remove the threat immediately.

Is Resource Monitor (resmon) all I need to troubleshoot storage?

I was recently doing some work on my Windows 10 desktop and placed a drive on one of the slower internal disks. It’s old. It’s 7200 RPM. It’s just plain slow. All that’s fine and good as I’m not doing any production workloads from this development machine.

I thought that until one query was taking exceptionally long to complete. I pulled up Resource Monitor to check CPU and storage pressure. Everything looked just fine. In fact, the D: drive wasn’t even listed as having any IO latency.

SQL Server Security Series, part 1

In the first entry in this SQL Server security series, we will demonstrate a brute force attack against SQL Server and discuss various techniques to protect against one. Brute force attacks are nothing new. They have been around for a long time and are very simplistic by design. The recent coverage of Apple vs FBI has brought up the topic again, as many news sources claim that the FBI is requesting a tool to “brute force” the pin of a locked phone.

Brute force attacks are named as such due to their design. This type of attack has no real “brains”, unlike social engineering techniques. A password file is fed into a login tool and away it goes, hammering and hammering until it either runs out of candidate passwords or succeeds. Against SQL Server the attack is only possible where SQL Server authentication (mixed mode) is enabled, and it is noisy: with the default login auditing setting, every failed attempt is written to the SQL Server error log as a “Login failed for user” message, which is exactly what a defender should be watching for.

In June of 2015, I added two tools to the Microsoft Technet Gallery which can be used to help achieve better SQL Server security. The first tool is a T-SQL script designed to reveal any SQL Server authenticated logins that have either a blank password or a password matching the login name. The second is a console application designed to demonstrate a brute force attack.
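The check the script performs can be reproduced with the built-in PWDCOMPARE function, which compares a clear-text candidate against the stored hash in sys.sql_logins. The following is an added example written for this post, not the author's TechNet Gallery script; it goes slightly beyond the description above by also trying the lower- and upper-case forms of the login name, and it flags sysadmin members so that the worst hits are fixed first. It assumes you run it as a member of sysadmin (reading password_hash requires CONTROL SERVER), and the login name reports_user in the remediation comments is hypothetical.

```sql
-- Added example, not the original TechNet Gallery script.
-- Requires CONTROL SERVER (or sysadmin) to read sys.sql_logins.password_hash.

-- 1. If the instance is Windows-authentication only, SQL logins cannot be
--    used to connect at all, so the findings below are a lower priority.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode: SQL logins are usable'
       END AS auth_mode;

-- 2. Find SQL-authenticated logins whose password is blank or equal to the
--    login name (including its lower- and upper-case forms, since SQL
--    login passwords are case-sensitive but attackers try those first).
SELECT  l.name,
        CASE
            WHEN PWDCOMPARE(N'', l.password_hash) = 1              THEN 'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1          THEN 'password = login name'
            WHEN PWDCOMPARE(LOWER(l.name), l.password_hash) = 1   THEN 'password = lower(login name)'
            WHEN PWDCOMPARE(UPPER(l.name), l.password_hash) = 1   THEN 'password = upper(login name)'
        END                                          AS weakness,
        l.is_disabled,
        l.is_policy_checked,                -- 0 means Windows password policy is not enforced
        l.is_expiration_checked,            -- 0 means the password never expires
        IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin   -- fix these first
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(N'', l.password_hash) = 1
     OR PWDCOMPARE(l.name, l.password_hash) = 1
     OR PWDCOMPARE(LOWER(l.name), l.password_hash) = 1
     OR PWDCOMPARE(UPPER(l.name), l.password_hash) = 1
ORDER BY is_sysadmin DESC, l.name;

-- 3. Remediation for each hit (hypothetical login name). Turn policy
--    enforcement back on first, because MUST_CHANGE requires
--    CHECK_EXPIRATION = ON, which in turn requires CHECK_POLICY = ON.
-- ALTER LOGIN [reports_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- ALTER LOGIN [reports_user] WITH PASSWORD = N'<new strong password>' MUST_CHANGE;
--
--    If nobody owns the login, disable it instead until that is established:
-- ALTER LOGIN [reports_user] DISABLE;
```

The remediation statements are left commented out on purpose: resetting or disabling a login breaks any application still using it, so each hit needs an owner before it is changed. Running the detection query on a schedule and alerting on any row is a cheap control; a login that reappears with a weak password after a reset points at a deployment script that creates it that way.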
