Author Archives: DBA Master

About DBA Master

Carlos Robles is a Solutions Architect at AWS, a former Microsoft Data Platform MVP, a Friend of Redgate, but more than anything a technology lover. He has worked in the database management field on multiple platforms for over ten years in various industries. He has diverse experience as a Consultant, DBA and DBA Manager. He is currently working as a Solution Architect, helping customers to solve software/infrastructure problems in their on-premise or cloud environments. Speaker, author, blogger, mentor, Guatemala SQL User group leader. If you don’t find him chatting with friends about geek stuff, he will be enjoying life with his family.

SQL Vulnerability Assessment

3 Replies

Vulnerability assessment is probably one of the most underrated new security features in SSMS 17. This feature is not new to SQL Server though, it already exists on Azure SQL DB but it was finally introduced in SSMS with the version 17.

If you are supporting a SQL Server environment where you have to face an exhaust external or internal IT audit process every quarter or perhaps monthly basis, I think this tool is great helping you to being proactive making you aware of all the security changes or threats you must remediate before auditors arrive to your desk asking for questions.

The only requirement for this new SSMS feature, is to have the 17.4 or latest SSMS version installed on your client machine, and a valid path to store the vulnerability scan result:

According to Microsoft, the VA (let’s use the short name from now on) runs lightweight scan directly to your SQL Server instance or a specific database, looking for security vulnerabilities and deviations from best practices, such as misconfigurations, excessive permissions, and exposed sensitive data. It also checks for security best practices to be in place in order to make your database environment safe.

The VA results contains all the security checks (passed or failed) , organized in three categories: high, medium and low risk.

Report header:

Security checks detail:

If we take a look at the example above, we can see how the Vulnerability assessments provides guidance on how to resolve the failed checks, in case the security check doesn’t apply to your environment you can dismiss such security check and it will no longer appear on future checks.

Let’s dig a little bit more about the security check ID VA1287 – Sensitive data columns should be classified:

As you noticed, the screenshot has a highlighted section where the scan result shows a couple of table columns not in compliance with GDPR. As you may know GDPR is s a regulation in EU law on data protection and privacy, which goes active on 05/25; so this is one major reason why you should  consider using the VA tool.

If you scroll down to the bottom of the AV1287 check, the report provides a detailed description and the impact of having this vulnerability active in your environment:

So, at this point you have your scan results with the description and impact of each one. Now let’s take a look what the tool recommends as remediation:

As you can see there is no rocket science here, the vulnerability scan recommends to implement security measures as Always encrypted or Dynamic Data Masking (SQL Server 16 +) to protect the sensitive information in your environment, and the most important part it helps you to stay away from trouble with your internal or external IT audit.

Let’s not forget about the baseline option:
This is very useful option to avoid false positives, let’s say you determined one of the scan results does not apply in your environment and you don’t want to have it in this report. The solution is click on the “Approve as baseline”, so the next scan will show the same result marked as passed.

Thanks for reading!

Reviewing the SQL Server ERROR log

Leave a reply

 

The SQL Server ERROR log is the best source to understand what’s wrong with your SQL Server instance, think this log is like your flight recorder.

In case you are not too familiar with the SQL Server ERROR log, the xp_readerrorlog extended stored procedure is your friend; and as a good friend you must get to know him. In this post, you will find some examples of how to take advantage of this undocumented stored procedure and maximize your time avoiding the utilization of slow and painful tools like Event Viewer from Windows.

First thing first, let’s understand what are the parameters we need to provide to the stored procedure and the most important how we have to use them.

Archive ID:
The first parameter is is about picking the order of the log we want to query:

  • Current log = 0
  • Archived error log #1 = 1
  • Archived error log #2 = 2

Log type:
Then, the second parameter is the SQL Server component we are focusing in:

  • SQL Server Instance Log = 1
  • SQL Agent Log = 0

So, combining these two parameter we can check the current log (0 in the first parameter) for a SQL Server instance (1 in the second parameter) or the SQL Server Agent (2 in the second parameter)

Here is how it looks like in T-SQL code:

-- Checking the current SQL Server instance and SQL Agent logs:
xp_readerrorlog 0,1 -- Remember 1 for SQL Server instance
xp_readerrorlog 0,2 -- Remember 2 fro SQL Server Agent

We also have an optional parameter we can include, it’s a simple search string. This parameter it’s really handy when you are looking for a specific event.

Here are some T-SQL examples how we can combine the first two parameters with a specific search string:

-- Checking for failed logins in our SQL Server instance:
xp_readerrorlog 0,1,'Login failed' --For SQL Server 2012 and below
xp_readerrorlog 0,1,"Login failed" --For SQL Server 2014 onwards

-- Checking for TempDB related entries in our SQL Server instance:
xp_readerrorlog 0,1,'TempDB' --For SQL Server 2012 and below
xp_readerrorlog 0,1,"TempDB" --For SQL Server 2014 onwards

Hopefully this tip could help you to save some time when looking at your SQL Server instance for recent errors or some events from the past that you might need to collect for further analysis.

Stay tuned for more DBA mastery tips.

ITIL certification for DBAs – Part 2

Leave a reply

 

In my previous post I did my best explain a little bit what ITIL is and how important is for DBAs to understand better about this framework.

Now let’s talk about how to get prepared to pass the ITIL foundations certification test. After spending quite some time researching about what was the best training path to take I figured out there was a few options.

The most common approach:
If you are lucky enough to get sponsorship from your current employer, there are multiple ITIL training providers that offers all-inclusive training packages in a formal classrooms.

In some cases these training packages includes the certification exam to be taken on the 4th day; which in my opinion is a really great because you will have all the information still fresh in your mind.

My approach:
In case you autodidact, like me, you will find a great amount of free\paid resources you can use to best the ITIL certification test.

Based on my research and personal experience I can recommend to use the following resources:

Books:

  • ITIL Foundation Exam Study Guide by Liz Gallacher & Helen Morris (1st edition):
    This is an excellent book you case use to establish a base knowledge of ITIL for the foundation tests but be careful it does not cover all the areas evaluated in the exam.

  • Passing Your ITIL Foundation Exam: 2011 by Axelos:
    This is the official exam reference book and updated in line with the 2011 syllabus, this i s by far the best study aid you will find, it contains every single area (and more) evaluated on the exam. It also include some mockup exams you can use to get an idea of the difficulty of this exam.

Online IT training (videos)
I have no question about how great these online trainings from Pluralsight and CBT nuggets are and how much they can help you to understand better all the concepts and scenarios described on the books.

If I have to choose, in my opinion the two courses from Chris Ward are the best in any aspect, the scenarios are really easy to understand and the way he walk through all the topics is just great.

ITIL Foundations by Lowell Amos
ITIL Foundation: Lifecycle Phases and Processes by Chris Ward

ITIL Foundation (November 2016) with Keith Barker
ITIL Foundation (June 2015) with Chris Ward

Practice Exams:

  • AXELOS’ ITIL Foundation app (Android and iOS):
    This mobile\table application is the perfect complement to AXELOS’ book, it helps to identify any subject areas where you are still weak and focus study time and practice in those areas specifically. Once you see your results from the practice exams , you can select the area of the lifecycle you need more practice on.

iOS
Android

  • Simply Learn exam preparation test:
    This is a free online source you can use to get an idea how you are progressing while studying for the certification exam. The questions are not that difficult but it will definitively helps you to practice. Go ahead a give it a try here.

Hopefully this post will guide you to choose the best option to pass the ITIL certification exam.
Stay tuned for more DBA mastery tips.