Wise man or Wise guy? You Decide


Archive for the ‘Security’ Category

Windows 7, UAC, and SQL Server

Posted by sqlwiseguy on September 8, 2009

This is just a quick note, almost a continuation of my Access Denied, Not Possible post.  I have been working on some queries for a Default Trace presentation that I am preparing for the Space Coast User Group and SQLSaturday #21 – Orlando, and one of the queries has to do with trying to find logins that have gained access through a Windows Group.  Since I am working on my laptop (no domain), I decided to add the Builtin\Administrators group, delete my explicit login, and get access via the group.  Interestingly enough, in order to get access to SQL Server via Builtin\Administrators you need to run SSMS as Administrator.  Here’s the error I get when not running SSMS as administrator:

[Image: SSMSLoginFail]

When I did run SSMS as administrator, I was able to successfully log in to my local SQL Server.

No, I do not leave Builtin\Administrators as sysadmin on my servers, and with SQL Server 2008, I do not have it at all.
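The two checks this note touches on, written as T-SQL against the server catalog views. This is an added example, not code from the original post or the presentation it mentions; it assumes SQL Server 2005 or later and a login with permission to view server principals.

```sql
-- Added example (not from the original post).

-- 1. Windows groups that hold a server login, with any fixed server role
--    they are members of. A row showing BUILTIN\Administrators in sysadmin
--    is the configuration the post says it does not keep.
SELECT sp.name                  AS group_login,
       sp.is_disabled,
       ISNULL(r.name, '(none)') AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE sp.type = 'G'             -- G = Windows group
ORDER BY sp.name, r.name;

-- 2. Windows group tokens on the current connection, and whether each one
--    maps to a group login on this server. usage = 'DENY ONLY' means the
--    token cannot grant access; a non-elevated process under UAC carries
--    the Administrators SID as deny-only, which is why SSMS had to be run
--    as administrator to get in through the group.
SELECT SUSER_SNAME()            AS connected_as,
       lt.name                  AS group_token,
       lt.usage,
       CASE WHEN sp.principal_id IS NULL
            THEN 'no server login'
            ELSE 'has server login'
       END                      AS login_status
FROM sys.login_token AS lt
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = lt.sid
      AND sp.type = 'G'
WHERE lt.type = 'WINDOWS GROUP'
ORDER BY lt.name;

-- 3. Effective result for the current connection (1 = sysadmin).
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
```

Run query 2 from an elevated and a non-elevated session under a login that can connect either way to compare the usage column.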

Posted in Security, SQL Server, UAC, Win7

Citibank Online Payment Rant

Posted by sqlwiseguy on February 13, 2009

While we were in New Hampshire my wife used my AT&T Universal Mastercard (provided by Citibank) to make a purchase, but she didn’t mean to use this card. Now the only reason we have this card is because we get 30 free calling card minutes a month, and we have not used it for anything but the free calling card minutes in at least 3 years.

My payment is due so I went on-line and logged into my account (remember this for later) to make my payment. Well, it turns out I don’t have a bank account set up to make the payment from. Hey, no big deal, right? Just get the routing and account numbers out of the checkbook and away we go! NOT! After I entered the routing and account numbers I had to make it past the verification step which consists of entering the 3-digit code on the back of the card and entering the security word you chose when you set up the account. Remember I have already logged into the account and am trying to set up a payment account, I’m not trying to get money, I’m trying to pay THEM! Of course I have no idea what my security word is, so I click on the “need help remembering your security word” link expecting to get a question like, “What’s your mother’s maiden name?”. Of course this is not what happens at all, nope, just a list of “You may have chosen your mother’s maiden name, the last 4 digits of your or a friend’s phone number, etc…”. Great! This is like Super Genius Jeopardy. Not only do you need to come up with the question, but you need to come up with the question AND the answer. Now I am ready to throw everything out the window. Why do they need to verify who I am when I am ALREADY LOGGED IN? Shouldn’t they be asking this when I log in? I just want to set up an account to send them money, not take money. Hey if someone hacks into my on-line credit card account and wants to pay the balance, I’m all for it! As a matter of fact I wish they would choose to do it to the credit card I do use. Fortunately I made this attempt 5 days before the payment is due, so I may actually get it done before the payment is late.

Don’t get me wrong, I’m all for keeping my credit card data secure, but that should be done by not letting me log in, not AFTER I’m logged in.

Thanks for reading, I had to get this out of my system.

Posted in Rants, Security

Kerberos Authentication and SQL Server

Posted by sqlwiseguy on December 11, 2008

Great article by K. Brian Kelley on SQLServerCentral today on Configuring Kerberos Authentication. If, like me, this was something you do not really understand, this is a very good explanation that is easier to understand than most other resources I have found.

As always, it is a good idea to check out the discussion as well, as questions you may have are probably in there and answered.

Posted in Security, SQL Server, SqlServerCentral