
Live from @LearningTree London - Security Day - Day 2

This week I’m teaching Learning Tree’s course 2108 SQL Server Database Administration in the LEC in London. Following on from last week's success live blogging from the back of the room whilst producing the 294 influence skills course, this week I’m in the process of trying this from the front of the class.

Day 1 yesterday went well. You can read the live blog from day 1 here.

Today on day 2 of 2108 SQL Server Database Administration, and our second day as Tree Tech's DBA, we'll be focusing on security and building a robust security model for our databases. We have a little bit to discuss around moving and migrating databases first though. Last night's session ended with an exercise where the attendees migrated a couple of databases to our new SQL Server 2014 instance using detach and attach. This morning we'll look at backup and restore.

16:30 Drinks....

16:15 Finished up with the security exercise, and then it's time for after-class drinks.

15:55 In the last exercise of the day we are putting the final touches to our security model.

14:50 Lots of good discussion around object level permissions and how best to implement them. I'm a fan of database roles and using Windows groups personally.

14:35 - Afternoon Coffee Break

14:35 Exercise complete and we've got to the end of chapter 3. Our security model is taking shape. We have all the necessary roles created in both databases... After break we'll look at managing permissions.

14:10 Second exercise this afternoon: we are creating some database roles to be used in implementing the new security model on our orders database.

13:35 Discussion around orphaned logins and fixing them using sp_change_users_login and sp_help_revlogin.

13:15 Exercise creating some logins, both Windows Authentication and SQL Server Authentication logins.

12:16 Lunch, a few phone calls and a walk around the Euston area, and we'll be starting back at 13:15.

12:15 Went to lunch with a discussion around the dedicated admin account and how it could be useful in getting yourself out of a hole when everything else around you server-wise is hung up.

11:45 Exercise on creating user-defined server roles.

11:30 Discussion about user-defined server roles next up...and a short exercise on creating them.

11:20 Good discussion around the SQL Server security model. Looked at the different scopes of permissions. Talked about the dangers of server-scoped permissions and giving those out unnecessarily. We are starting to fix the Tree Tech security model.

10:25 Morning Coffee Break

10:20 Interesting discussion around database migration and monitoring data file space.

09:00 We are going to start with a brief recap on yesterday, then we'll look at the alternatives to detach and attach as a method of moving databases.

08:45 - The breaking SQL Server news overnight was that SQL Server 2014 Service Pack 2 has been released. You can download it here.

08:30 Class setup and people are starting to arrive.

