Mat Stephen's SQL Server WebLog : SQL Server Security

Letter from America 3 - Mischievous reports and feeding the 5000

Mat_Stephen — Thu, 04 Aug 2005 05:08:00 GMT

After all my messing around yesterday, I've decided to create this post in pocket word.

I attended a securty session yesterday and was reminded of an issue that can send DBAs scuttling from the room when they learn of it's presence, the 'trojan report'.

Reporting Services (RS) reports can use Windows security to access it's source database, that's to say it can use the securty credentials of the report user. This is what you'd expect we'd recommend since we so often bang on about the advantages of this securty model..

The trojan report is written by a ner do well, who includes some dodgy code in a report query, maybe via a stored procedure. The dodgy code might be malevolant or just pure naughty, but it won’t work using the insufficient security credentials of the report writer. However, the code will work when run by a CXO, or anyone with the necessary credentials, someone who runs the report to merely return a bunch of sales data. The good news, if you are a DBA with blood rapidly draining from your head, is there is a new EnableIntegratedSecurity system property that was introduced in SP1 and documented clearly in the readme for sp2. With this property you can disable any trojan report.

I'm always amazed when I come to events like Techready or TechEd, events that require feeding 5000+ attendees at meal times. These big feeding sessions are positively biblical in proportion. It takes a small army of people to: efficiently herd delegates passed the numerous long tables laden with food, to set the tables, to ferry the food in and out and to finally clear it all up. The whole thing is a logistical marvel.

When I learned that Jesus fed 5000 people, equiped with only a few loaves of bread and a bag of fish, I was taught that this was an extraordinary achievement. Well, as the son of God I think this was probably a bit of a no brainer - turning a small quantity of food into a vast feast. However, looking back on it now, what is truly amazing is how he managed to distribute all the food with only twelve deciples at his disposal.

My battery is running low so I better get on and submit this now, before I have another disaster like yesterday.

SQL Server 2000 Analysis Services Cube Security

Mat_Stephen — Wed, 20 Jul 2005 16:26:00 GMT

If you were given an opportunity to create a “cubed” solution for 50,000 different users, would you create one cube with 50,000 roles? Would you create 50,000 cubes – one for each customer? What would you do?

This is what Mosha Pasumansky and Dave Wickert from the product team suggest for SQL Server 2000 - of course it all changes in SQL Server 2005. The problem in SQL2000, if you use the native method of using roles to implement security, with a large number of user roles, the cubes just grow and grow - which is not good. But there is another way and thats:

Dimension Security

Dynamic Dimension Security in Analysis Services 2000 presentation - by Dave Wickert
http://www.mosha.com/msolap/ppt/131%20Dynamic%20Security.ppt
Dynamic Dimension Security in Analysis Services 2000 (presentation notes, project, info, ppt etc) - by Dave Wickert
http://www.mosha.com/msolap/samples/Dynamic%20security.zip
Customizing dimension security - by Russ Whitney
http://www.windowsitpro.com/SQLServer/Article/ArticleID/27305
Use UDFs in the definitions of dimension security
http://support.microsoft.com/?id=816480

Yankee Group identified a sharp rise in companies' assessment of Microsoft's security level

Mat_Stephen — Wed, 27 Apr 2005 06:30:00 GMT

For 3 or 4 years I’ve been telling people how Microsoft has made security and privacy the number one priority. From this Yankee Group article (excerpt below) – it’s good to see perception change and that change based on customer experience.

"In terms of security, The Yankee Group identified a sharp rise in companies' assessment of Microsoft's security level. On a scale of 1 to 10, companies rated Microsoft's security at 7.6, double the rating in a similar survey conducted last year. Yankee Group analyst Laura DiDio said that Microsoft's shift to a monthly security update cycle and increased efforts to combat security issues were the main drivers behind its new ratings. In addition, Survey respondents said that Windows servers recover 30 percent more quickly from security attacks than Linux servers.”

Source: Yankee Group, Laura DiDio

Link to article: http://news.com.com/Study+shows+Microsoft%2C+Linux+costs+neck-and-neck/2100-7344_3-5654036.html

SQL Server Security – you can’t do without it

Mat_Stephen — Wed, 15 Dec 2004 22:12:00 GMT

Security – I find it very hard to get enthusiastic about security, after all it doesn’t visibly do anything; I’d far rather solve the world’s problems than avoid them. However this is such an important topic I thought I should blog on the topic sooner rather than later.

The aim of this blog is to take some of the pain out of the subject by pointing you to a few resources that I think should give you, the SQL DBA, all you need to sleep peacefully at night; and without too much effort, give you more time to get on and help your business make money.

There are two essential things you should do:

Firstly, read this article “10 Steps to Help Secure SQL Server 2000” found at:
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

Follow this article and you won’t make any basic mistakes.

Secondly, run the “Microsoft Baseline Security Analyzer v1.2.1 (for IT Professionals)” found at:

http://www.microsoft.com/downloads/details.aspx?familyid=b13ebd6b-e258-4625-b0a3-64a4879f7798&displaylang=en

There’s a handy Q&A for this here: http://www.microsoft.com/technet/security/tools/mbsaqa.mspx

So if you do these two things I doubt if your boss will ever have grounds to sack you over a failure to implement a secure SQL Server installation – assuming you follow all the good advice.

Beyond this there’s a jolly good website that you should have bookmarked known as the “SQL Server Security Center”, found at: http://www.microsoft.com/technet/security/prodtech/dbsql/default.mspx

This provides everything you need to know - particularly on how to stay secure and headline topics. Have a look at it now!