New SQL Server community tool

For those of us in the US, it’s our day of independence. A day that stands for FREEDOM and happiness. Fireworks will light up the sky tonight! For the rest of the world it’s another random day in July. But don’t worry everyone can celebrate “Free”dom with this new community tool.

I’ve spent the last couple years writing, improving, and using this tool at my customers. This health check now has more than 300 data points and even pulls out bad practice and concerns from your procs. As of today, I gift it to the community. #SQLFAMILY


Are my SQL logins weak?

Login security is a vital component of data security. In today’s day and age it is imperative to think about security. Recently there have been many high-profile examples of data theft. This is a very simple script which allows you to find any SQL Server authenticated accounts that have either a blank password or a password that matches the user name, and allows you to take action to remove the threat immediately.

SQL Server Security Series, part 1

In the first entry in this SQL Server security series, we will demonstrate a brute force attack against SQL Server and discuss various techniques to protect against one. Brute force attacks are nothing new. They have been around for a long time and are very simplistic by design. The recent coverage of Apple vs. FBI has brought up the topic again, as many news sources claim that the FBI is requesting a tool to “brute force” the PIN of a locked phone.

Brute force attacks are named as such due to their design. This type of attack has no real “brains”, unlike what you see with social engineering techniques. A password file is fed into a login tool and away it goes, hammering and hammering until it is out of potential passwords or is successful.

In June of 2015, I added two tools to the Microsoft TechNet Gallery which can be used to help achieve better SQL Server security. The first tool is a T-SQL script designed to reveal any SQL Server authenticated logins that have either a blank password or a password matching the login name. The second is a console application designed to demonstrate a brute force attack.
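The weak-login check described in “Are my SQL logins weak?” and again above can be expressed with the built-in PWDCOMPARE() function, which hashes a candidate string and compares it with the stored hash so that no password is ever read back. The query below is an added example, not the script published on the TechNet Gallery; it goes slightly beyond the text by also testing the lower-cased login name. It assumes you are running it as a sysadmin or with CONTROL SERVER, since password_hash in sys.sql_logins reads as NULL otherwise, and the login name in the remediation comment is a placeholder.

```sql
-- Added example (not the post's own script): find SQL-authenticated logins whose
-- password is blank, equals the login name, or equals the lower-cased login name.
-- PWDCOMPARE(candidate, stored_hash) returns 1 when the candidate matches the hash.
-- Requires sysadmin or CONTROL SERVER; otherwise password_hash is NULL and nothing matches.
SELECT
    l.name                      AS login_name,
    l.is_disabled,
    l.is_policy_checked,
    l.is_expiration_checked,
    CASE
        WHEN PWDCOMPARE(N'', l.password_hash) = 1            THEN 'blank password'
        WHEN PWDCOMPARE(l.name, l.password_hash) = 1         THEN 'password equals login name'
        WHEN PWDCOMPARE(LOWER(l.name), l.password_hash) = 1  THEN 'password equals lower-cased login name'
    END                         AS weakness
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'', l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
   OR PWDCOMPARE(LOWER(l.name), l.password_hash) = 1
ORDER BY l.name;

-- Remediation for each finding, after confirming with the login's owner
-- ([weak_login] is a placeholder for the name returned above):
-- ALTER LOGIN [weak_login]
--     WITH PASSWORD = N'<new strong password>' MUST_CHANGE,
--          CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- or, if the login is no longer used:
-- ALTER LOGIN [weak_login] DISABLE;
```

Run it on each instance as part of a periodic review; the is_policy_checked and is_expiration_checked columns show whether Windows password policy is being enforced for the login, which is the setting that stops blank or trivial passwords from being set in the first place.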
