Jeff Prom's SQL Server Blog

Sharing knowledge and tips on SQL Server, Business Intelligence and Data Management.

Archive for the ‘Security’ Category

SQL Saturday #611 – Orange County 2017

Posted by jeffprom on February 22, 2017

SQL Saturday Orange County is coming up fast! The event will be on April 1st, 2017 at Golden West College, 15744 Goldenwest St, Orange County, California, 92647.

Reserve your spot today by going here: http://www.sqlsaturday.com/611/EventHome.aspx

I’ll be presenting two sessions:

  • SQL Injections and How To Stop Them
  • Mastering Master Data Services (Lots of changes in SQL Server 2016!)

Posted in MDS, Security

SQL Saturday #497 – Huntington Beach 2016

Posted by jeffprom on March 14, 2016

April is shaping up to be a fun, yet busy month. I have also been selected to present two topics at SQL Saturday #497 in Huntington Beach on April 2nd! I will be presenting on SQL Injections and Master Data Services. Here are descriptions of my presentations.

SQL Injections and How to Stop Them

Right now, there are hackers all around the world trying to get into your web applications. How safe are you? By using a technique called SQL injections, hackers can wreak havoc with web applications by compromising security, manipulating data, hoarding system resources, retrieving sensitive information, and manipulating database objects, such as dropping databases!

During the demo, we will take on a couple of different roles. As a hacker we will walk through steps a hacker might take to compromise a web application in order to retrieve sensitive data such as credit card information, usernames, passwords, and social security numbers. Assuming the role of a developer, we will then show various prevention techniques and their effectiveness in preventing SQL injections.

Attend this session to learn how SQL injections work, how to identify if you are being attacked, and how to stop them.

Update: Thank you to everyone who attended my session. We had a full room! 🙂

As requested, you can download the presentation and scripts here.

Mastering Master Data Services

As your organization grows, one challenge will be the management of data between systems and organizational units. With MDS, Microsoft provides the ability to have one accurate source of non-transactional data. This data can then be used within applications, other databases, and ETL processes. By leveraging data stewards to help manage the data repository, you can ensure that your MDS data is always up-to-date and accurate.

In this presentation we will cover MDS from start to finish including installation, creating models/entities, working with data, using the Excel add-in, security, hierarchies, views, versions, and business rules. After this presentation, you will have a good understanding of what master data management is, what MDS does, how to use it, and how to get started with your own MDS project.

To register for this event and to find additional information, you can visit the SQL Saturday Huntington Beach page here:
http://www.sqlsaturday.com/497/EventHome.aspx

Posted in Events, MDS, Security

SQL Saturday #350 – Winnipeg

Posted by jeffprom on October 28, 2014

On Saturday, November 22nd I will be at the Winnipeg SQL Saturday #350 event and will be giving a presentation on SQL Injections. The event will be held at the Red River Community College – downtown, 160 Princess St., Winnipeg, MB R3B 1K9, Canada. This is a great opportunity to learn more about SQL Server and I highly encourage everyone to attend.

Here is the topic I will be presenting on:

SQL Injections and How To Stop Them

SQL injections are a technique where malicious users can inject SQL commands into a SQL statement, through web page input. If left unprotected, SQL injections can cause havoc with web applications by compromising security, manipulating data, hoarding system resources, retrieving sensitive data, removing databases and database objects, or taking databases offline! This session will show how SQL injections work, identify if you are being attacked, and cover various prevention techniques and their effectiveness.

To register for this event and to find additional information, you can visit the SQL Saturday Winnipeg page here:

https://www.sqlsaturday.com/350/eventhome.aspx

Posted in Events, Security

SQL Saturday #332 – Minnesota 2014

Posted by jeffprom on September 5, 2014

This year I have been selected to present at SQL Saturday #332 Minnesota on what I consider to be a very fascinating topic: SQL Injections. If left unprotected, your web applications can be severely compromised by SQL Injection attacks. To learn more about SQL Injections, I invite you to attend my session on October 25th, 2014.

SQL Injections and How To Stop Them

SQL injections are a technique where malicious users can inject SQL commands into a SQL statement, through web page input. If left unprotected, SQL injections can cause havoc with web applications by compromising security, manipulating database data, hoarding system resources, retrieving sensitive data, and even removing database objects like the database itself! This session will show how SQL injections work, identify if you are being attacked, and cover various prevention techniques and their effectiveness.

There is a fantastic list of presenters at this event! Secure your spot today by signing up on the SQL Saturday website.

http://sqlsaturday.com/332/eventhome.aspx

Posted in Events, Security

Encrypting SQL Server Connections

Posted by jeffprom on September 5, 2013

If you use SQL Server in the cloud you may not always have a secure connection. Thankfully there is support in several areas within SQL Server to help secure connections. Let’s take a look at a couple.

SQL Server Management Studio
1. In SSMS, go to Object Explorer
2. Click the Connect drop-down, and select Database Engine
3. Enter the Server name and login credentials (don’t click Connect yet!)
4. Click on the ‘Options >>’ button
5. On the ‘Connection Properties’ tab, check the box for ‘Encrypt Connection’

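6. If you have an untrusted certificate on your server (see below), click on the ‘Additional Connection Parameters’ tab. Enter ‘TrustServerCertificate=True’. With this parameter the connection is still encrypted, but the client skips validation of the server’s certificate, so it does not verify which server it is talking to.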

7. Click the ‘Connect’ button.
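The same two connection settings can be applied from a script, and the result checked on the server side. The following is an added example, not part of the original post: it opens an encrypted connection and reads `encrypt_option` from `sys.dm_exec_connections` for the current session. The function name, the server name `sqlhost.example.com` and the use of Windows authentication are assumptions, and the login needs VIEW SERVER STATE permission to read the view.

```powershell
# Added example. Function name, server name and Windows authentication are assumptions.
function Test-SqlConnectionEncryption {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $Database = 'master',
        # Use only when the server presents an untrusted (self-signed) certificate.
        [switch] $TrustServerCertificate
    )

    # The builder escapes values, so $Server cannot add extra keywords.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']            = $Server
    $b['Initial Catalog']        = $Database
    $b['Integrated Security']    = $true
    $b['Encrypt']                = $true
    $b['TrustServerCertificate'] = $TrustServerCertificate.IsPresent
    $connStr = $b.ToString()

    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
    try {
        # With TrustServerCertificate=False, Open() throws when the certificate
        # is self-signed, expired, or does not match the server name.
        $conn.Open()

        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT session_id, encrypt_option, net_transport ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server        = $Server
                SessionId     = $reader['session_id']
                EncryptOption = $reader['encrypt_option']   # 'TRUE' when encrypted
                NetTransport  = $reader['net_transport']
                CertValidated = -not $TrustServerCertificate.IsPresent
            }
        }
        $reader.Close()
    }
    finally {
        $conn.Dispose()
    }
}

# Validated, encrypted connection (placeholder server name):
Test-SqlConnectionEncryption -Server 'sqlhost.example.com'
# Encrypted but unvalidated, for a server with a self-signed certificate:
Test-SqlConnectionEncryption -Server 'sqlhost.example.com' -TrustServerCertificate
```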

PowerPivot
1. Open Excel
2. Click on the PowerPivot tab
3. Click on the Manage button
4. Select the drop down under ‘From Database’
5. Select ‘From SQL Server’
6. Enter the Server name, login credentials, and Database name
7. Click the ‘Advanced’ button

8. Scroll down to the bottom and set the following:
Trust Server Certificate = True (see certificates below)
Use Encryption for Data = True

9. Click Ok
10. Select the data sources (tables)

Certificates
Digital certificates can come from various sources. There are several ‘trusted’ 3rd party sources such as Thawte and VeriSign that are called Certificate Authorities (CA). To get a certificate from a trusted source you will most likely need to pay an annual fee. If you have a trusted certificate, you shouldn’t have to tell SQL Server that you want to trust the certificate.

On the other hand, if you don’t have a trusted certificate, you should already have a self-signed certificate that Windows created.

To see a list of certificates installed on your computer, do the following:
1. Click on Start, Run, MMC
2. File, Add/Remove Snap-in…
3. Certificates, Add
4. Select Computer Account, Next
5. Local Computer, Finish
6. Ok
7. Expand Certificates, Personal, and click on Certificates

This shows a list of certificates currently installed. From here you can import and export certificates by right clicking and going under the ‘All Tasks’ menu.
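The same store can be listed from PowerShell. The following is an added example, not part of the original post: it reads the Local Computer Personal store that the MMC steps open and reports, for each certificate, whether it is self-signed, expired, has a private key, and allows the Server Authentication purpose. The output column names are assumptions chosen for this example.

```powershell
# Added example: lists Certificates (Local Computer) > Personal, the store opened
# by the MMC steps above. Run from an elevated Windows PowerShell session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication purpose
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the Enhanced Key Usage OIDs, if the extension is present.
    $oids = @()
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        # Issuer equal to Subject is the usual sign of a self-signed certificate.
        SelfSigned    = $cert.Subject -eq $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        # No EKU extension means the certificate is not restricted by purpose.
        ServerAuth    = ($oids.Count -eq 0) -or ($oids -contains $serverAuthOid)
    }
} | Sort-Object NotAfter | Format-Table -AutoSize
```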

Securing connections in SQL Server is a great way to keep your data private over unsecured lines. SQL Server uses certificates to establish secure connections. Be sure to use these techniques to create secure connections from SSMS or PowerPivot when venturing out into the open cloud.

Posted in Security