Inspecting SQL Server TLS Certificates Without Credentials
If you’ve ever needed to check the TLS certificate on a SQL Server instance — whether it’s expired, misconfigured, missing SANs, or just plain self-signed — you’ve probably had to connect with SSMS, run some…
Detecting Locked or Expired Logins
SQL Server logins can be configured to use password policies enforced by Windows. These policies include determining when passwords expire, how many invalid passwords can be entered before lock-out, etc. The T-SQL code in this…
Auditing Login Events with Service Broker
Perhaps one of the most important aspects of running a secure SQL Server is auditing login events – essentially capturing who’s logging in, and who’s attempting to log in. Being aware of who’s logging in, and…
dbo – Database Owner
In SQL Server, the dbo or Database Owner is a server-level principal that has full access to the owned database. Microsoft’s best practices recommend creating a discrete user, either an Active Directory domain user or…
Filesystem security for TDE Keys and Certificates
What is TDE, and why is filesystem security important? Transparent Database Encryption, or TDE, is used to encrypt an entire database. The encryption is “transparent” since once the database is loaded by SQL Server, anyone…
Cannot use Certificate because its Private Key is not Present
Introduction: Transparent Database Encryption, or TDE as it’s colloquially known, is a great solution for data security “at rest”. That is, data is encrypted on-disk, preventing someone with a copy of the database files from…