TechNet Magazine: feature article on Common SQL Server Security Issues and Solutions

The May 2009 TechNet Magazine is now available online, and it's the annual security issue. In there is an article I wrote highlighting 10 common security issues (and solutions) you should worry about if you're not a security-savvy DBA. It covers:

  • Physical security
  • Network security
  • Attach surface minimzation
  • Service accounts
  • Restricting use of administrator privileges
  • Authentication
  • Authorization
  • SQL injection
  • Disaster recovery
  • Auditing

There are also two screencasts of me demonstrating Transparent Data Encryption and SQL Server Audit, both in SQL Server 2008. 

To quote myself from the end of the article:

As far as takeaways from this article are concerned, I want you to realize that there are some steps you need to go through to ensure the data you are storing in SQL Server is as secure as you need it to be. This is especially important when you inherit a SQL Server instance that someone else has been managing. It's just like buying a house from someone—you need to ask if the alarm works, if the yard is fenced in, and who has copies of the keys. Running through the list I've given in this article is a good start, but make sure you dig deeper in areas that are relevant to you.

Check it out at http://technet.microsoft.com/en-us/magazine/2009.05.sql.aspx.

Enjoy!

SQL Server 2008: Does my database contain Enterprise-only features?

Moving databases around is pretty common, as is moving databases between servers running different Editions of SQL Server, especially during a disaster recovery situation. You may not know this, but in SQL Server 2005, if you had partitioning anywhere in a database, you could only attach/restore that database using an Enterprise or Developer instance. I say ‘you may not know this’ because partitioning isn’t really widely used (from what I can gather from talking to customers). The upshot of this is that SQL Server 2005 will refuse to attach/restore a database with partitioning in – even if you’re in a disaster recovery situation and the only server you have available has Standard Edition.

In SQL Server 2008, a lot more people are going to bump into this issue. The list of features that are Enterprise only, and will prevent attach/restore using a lower edition has expanded to include 3 new features that WILL be much more commonly used than partitioning. The four features that are in this category are:

  • Data compression (in all editions from 2016 SP1)
  • Partitioning (in all editions from 2016 SP1)
  • Transparent data encryption
  • Change data capture

All of these require elevated permissions to enable EXCEPT data compression, which only requires ALTER permission on a table. This means someone with table-owner privileges could enable compression without the DBA knowing, and suddenly the database can’t be attached/restored to, say, Standard Edition.

If you’re a DBA and have just taken over a database, there’s now an easy way to tell whether the database contains these features. A new DMV has been added – sys.dm_db_persisted_sku_features – that will report which of these four features are present in a database. Let’s check it out.

Using a 2008 Enterprise instance:

CREATE DATABASE EnterpriseOnly;
GO
USE EnterpriseOnly;
GO

CREATE TABLE compressed (c1 INT) WITH (DATA_COMPRESSION = ROW);
GO

SELECT * FROM sys.dm_db_persisted_sku_features;
GO

feature_name    feature_id
————–  ———–
Compression     100

Now let’s try backing up and restoring the database on a different edition:

BACKUP DATABASE EnterpriseOnly TO DISK = ‘C:\SQLskills\EnterpriseOnly.bck’;
GO

And on a 2008 Express instance:

RESTORE DATABASE EnterpriseOnly FROM DISK = ‘C:\SQLskills\EnterpriseOnly.bck’
WITH MOVE ‘EnterpriseOnly’ TO ‘C:\SQLskills\EnterpriseOnly.mdf’,
MOVE ‘EnterpriseOnly_log’ TO ‘C:\SQLskills\EnterpriseOnly_log.ldf’
GO

Processed 160 pages for database ‘EnterpriseOnly’, file ‘EnterpriseOnly’ on file 1.
Processed 5 pages for database ‘EnterpriseOnly’, file ‘EnterpriseOnly_log’ on file 1.
Msg 3167, Level 16, State 1, Line 1
RESTORE could not start database ‘EnterpriseOnly’.
Msg 3013, Level 16, State 1, Line 1
RESTORE DATABASE is terminating abnormally.
Msg 909, Level 21, State 1, Line 1
Database ‘EnterpriseOnly’ cannot be started in this edition of SQL Server because part or all of object ‘compressed’ is enabled with data compression or vardecimal storage format. Data compression and vardecimal storage format are only supported on SQL Server Enterprise Edition.
Msg 933, Level 21, State 1, Line 1
Database ‘EnterpriseOnly’ cannot be started because some of the database functionality is not available in the current edition of SQL Server.

Now, it’s cool that it tells you exactly why the database couldn’t be restored, but did you notice the first two lines of output? The database is fully restored BEFORE the operation fails! This makes perfect sense, as the database needs to be fully recovered before the server can tell whether any of the four features are still enabled or not. However, in a disaster recovery situation, waiting many hours for a database to restore only to be told that it can’t be restored on this instance would be even more disastrous.

To summarize, you should always know what’s happening in databases you manage. If portability of your databases to a lower Edition is important, make sure that none of these features can be enabled without you knowing about it.

Available for download: Our High-Availability hands-on labs and SQL Server 2008 JumpStart materials


A couple of weeks ago I blogged about the three tracks of the SQL Server 2008 JumpStart course that SQLskills.com taught internally for Microsoft and some MVPs – see here for details. Well, the content is now available to download! Note that this was based on CTP-5 (November 2007 CTP) and there have been *lots* of behavioral changes since then (with more planned for CTP-6 Refresh and RTM), but if you want a high-level overview of a bunch of the features (albeit in bullet-point summaries on slides) then this is a good place to start.


For me, what’s *REALLY* cool is that the site also has a downloadable VPC plus lab manuals for all of the AlwaysOn High-Availability hands-on labs that SQLskills.com wrote. We originally wrote these labs for SQL Server 2005 and I updated them all for CTP-5. The VPC has a long lab on each of the following:



  • Database Snapshots
  • Data Recovery and Preventative Techniques
  • Instant Initialization
  • Peer-to-Peer Replication (including the new Topology Wizard I blogged about here)
  • Table and Index Partitioning
  • Snapshot Isolation
  • Online Operations
  • Database Mirroring (including a demo I wrote of Automatic Page Repair, described here)
  • Service Oriented Database Architecture

There is some great depth in each of these – Kimberly blogged more info about the exercises in each lab here. There’s also another VPC image with some higher-level labs on a variety of 2008 features and written by a number of different people- including some labs on Policy-Based Management and Performance Data Collection that Kimberly wrote.


So – where can you get these from? Go to http://sqlserver2008jumpstart.microsofttraining.com/ and hit the Download link on the right-hand side. Register and then you can get to the materials. The AlwaysOn VPC image is Collection 2 at the bottom of the page, and you’ll see all the slide decks as you scroll down the page.


Enjoy!