Skip to main content

Training on the T's - SQL Server Security Easy Button Q&A

On October 7, 2014, I spoke for Pragmatic Works' Training on the T's webinar series. 
Here's the rest of the questions I didn't get to answer. 

Q: Where can I get the slide deck and presentation?
A: Orlando SQL Saturday , Tampa SQL Saturday , Jacksonville SQL Saturday

Q: All of our database tables are under the dbo schema. How can I set up programmers to be able to modify stored procedures but not give them the dbo schema permission with which they can modify tables?
A: I think the only possible way to do this is to split the stored procedures and tables into different schema. I do not see a way in the permission models to grant permission to modify stored procedures without also granting the same permission to modify tables.  Granting ALTER ON OBJECT gives access to multiple object types in the database. See longtime SQL Server MVP Erland Sommarskog's comment here on this question. See the next question for additional information. 

Q: Where i can get the SQL Server permissions PDF?
A. Google "sql server permissions poster" or go to this link.

Q: Good morning, Where I can find the current session recording? I missed half of the beginning part.
A: Consider yourself lucky. You missed most of my 'ums' in the first half. ;-)
You can find it here.

Q: Would you recommend using this security script along with C2 auditing?
A: Yes, but I would recommend using the Common Criteria Compliance option instead. C2 audit mode is deprecated and will be removed from a future version of SQL Server.

Q: The password vault you keep referring to is the windows credential manager found under user accounts in control panel?
A. No, it's called the Cyber-Ark Enterprise Password Vault

Q:You mentioned a couple of names of people we should know and I missed the name of the first guy.

Q: How does the DBA sign out a user id with sysadmin rights?
A: In our environment, they log in to Cyber-Ark and provide a valid change or incident ticket.

I apologize for too many 'ums' and completely forgetting to use Zoomit while reviewing the script.
Thank you for attending! 

Comments

Popular posts from this blog

Modifying Endpoint URLs on Availability Group Replicas

I recently had to modify the Endpoint URLs on our SQL Server Availability Group replicas.  The reason for this blog post is that I could not answer the following questions: Do I need to suspend data movement prior to making this change?  Would this change require a restart of the database instance? I spent enough time searching on my own to no avail that I tossed the question to the #sqlhelp hashtag on Twitter and Slack but didn't get an answer prior to executing the change request. After reading the relevant documentation, I think it's probably a good idea to suspend data movement for this change. The T-SQL is straightforward.  USE MASTER GO ALTER AVAILABILITY GROUP [AG1]  MODIFY REPLICA ON 'SQL2012-1' WITH (ENDPOINT_URL = 'TCP://10.10.10.1:5022'); ALTER AVAILABILITY GROUP [AG1]  MODIFY REPLICA ON 'SQL2012-2' WITH (ENDPOINT_URL = 'TCP://10.10.10.2:5022'); ALTER AVAILABILITY GROUP [AG2]  MODIFY REPLICA ON 'SQL2012-1

Set Azure App Service Platform Configuration to 64 bit.

If you need to update several Azure App Services' Configuration to change the Platform setting from 32 bit to 64 bit under Configuration | General settings, this script will save you about six clicks per service and you won't forget to press the SAVE button. Ask me I know. 🙄 Login-AzureRmAccount Set-AzureRmContext  -SubscriptionName  "Your Subscription" $ResourceGroupName  =  'RG1' ,  'RG2', 'RG3' foreach  ( $g   in   $ResourceGroupName ) {       # Set PROD slot to use 64 bit Platform Setting      Get-AzureRmWebApp  -ResourceGroupName  $g  | Select Name |  %  {  Set-AzureRmWebApp  -ResourceGroupName  $g  -Name  $_ .Name  -Use32BitWorkerProcess  $false  }       # Set staging slot to use 64 bit Platform setting      Get-AzureRmWebApp  -ResourceGroupName  $g  | Select Name |  %  {  Set-AzureRmWebAppSlot  -ResourceGroupName  $g  -Name  $_ .Name  -Slot  "staging"  -Use32BitWorkerProcess  $false  }  }

Convincing DBAs to Learn PowerShell

Currently, I am the sole DBA at my employer to dive deep into Microsoft Windows PowerShell. It has become my most important tool for discovering the state of our database server inventory as we work towards our standardization goals. It is also the main tool I use to answer questions about the inventory that require querying multiple servers. As I have learned how to use PowerShell, I have shared scripts and one-liners with my co-workers for the past year or more in an effort to convince them it is worthwhile to learn. I've written a couple of articles at Simple Talk describing some of my scripting experience. I've shared links to blog posts, articles, and tips on how to use PowerShell. It got me thinking about what is the best way to get someone started with PowerShell. In my efforts to learn PowerShell, I was always looking for examples. In my opinion, this is the best way to start after some initial readings on the PowerShell basics. So, my latest recommendat