The mission of the Security Virtual Chapter is to provide guidance and education, and to foster open discussion on security topics as they pertain to SQL Server and its environment.
2015 Presentations
May 2015
Real World SQL Server Database Administration with just a bit of sysadmin
Presenter: Ronald Dameron

Description: If you are interested in minimizing or possibly preventing the type of breach that happened at Anthem Inc, you will likely find my session "Real World SQL Server Database Administration with just a bit of sysadmin" very interesting.

It is becoming increasingly difficult to allow SQL Server database administrators to retain perpetual sysadmin access on production servers due to IT Security, Audit, and Compliance concerns.

I will review the fundamentals needed to define a configurable permission model currently in use at a large insurance company that allows database administrators to do routine work without having unfettered access to business data. Several demonstrations will show that many DBA tasks can be done without sysadmin access. Attendees will also learn how to deploy a set of permissions that allows DBAs to do routine work, elevate DBA permissions quickly to respond to production emergencies and how to grant sysadmin permissions during disaster recovery scenarios. Scripts will be reviewed and demonstrated that secure the database server, undo the permission model in case of unforeseen circumstances and discover which servers remain to be locked down. Attendees will leave this session with the realization that DBAs need to be sysadmin only when required.

Session slide deck: SQLServerAdminWithAbitOfSysadmin.pdf (5.6 KB)
Session recording: RealWorldSQLServerDatabaseAdministrationwithjustabitofsysadminwithRonaldDameron.zip (7 KB)
Session scripts: Scripts.zip (5.6 KB)


April 2015
Analysis Services Security
Presenter: Stacia Misner

Description: Because an Analysis Services multidimensional database is secure by default, security must be configured before users can query cubes. In this session, we review how to configure roles for user access and how to restrict what users see. In addition, we will explore techniques for advanced security scenarios, including data-driven security on standard and parent-child dimensions and permissions for writeback of cell and dimension data. Last, we will cover administrator security to control access to Analysis Services at the database and server level.

Session slide deck: AnalysisServicesSecurityWithStaciaMisner.pdf (370.5 KB)
Session recording: AnalysisServicesSecurityWithStaciaMisner..zip (29.1 MB)


March 2015
SOX and ISO 27001 Audits for Databases
Presenter: Megha Thakkar

Description: Are you a public company? Are you implementing the ISO 27001 security standard, or planning to implement it in the near future? If so, you will be excited to learn about the SOX 404 and ISO 27001 compliance requirements and audit process.

The session will cover audit requirements, best practices, remediation efforts and, most important, “what does it mean for you and your organization?” We will talk about SOX topics: Segregation of Duties, Access Management, Policies and related controls. We will also talk about ISO 27001: what it is, Annex A controls related to databases, the certification process, risk assessment and other related topics.

Audit is not that fun, but I will try to make it fun in less than 1 hour.

Please feel free to reach out to Megha via email if you have follow up questions.

Session slide deck: SOXandISO27001AuditsforDatabaseswithMeghaThakkar.pptx (488 KB)
Session recording: SOXandISO27001AuditsforDatabaseswithMeghaThakkar.zip (17.05 MB)


2014 Presentations
April 2014
Understanding and Eliminating SQL Injection
Presenter: Kevin Feasel

Description: Over the past several years, hacktivists, criminals, and people just "out for lulz" have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. Army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.
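As an added example (not Kevin Feasel's session material): the same lookup written two ways in T-SQL against a constructed temp table, fed the classic `' OR 1=1 --` input. The first form pastes the value into the statement text; the hardened form passes it through sp_executesql as a typed parameter. The tail shows the one thing parameters cannot carry, an identifier chosen by the caller, which is handled with an allow-list plus QUOTENAME. Table, rows and the column allow-list are invented for the demo.

```sql
-- Added example, not from the session. #Customers and its rows are constructed here.
SET NOCOUNT ON;
CREATE TABLE #Customers (CustomerId int, Name nvarchar(50), CardLast4 char(4));
INSERT #Customers VALUES (1, N'Alice', '1111'), (2, N'Bob', '2222'), (3, N'Carol', '3333');

DECLARE @input nvarchar(100) = N''' OR 1=1 --';   -- what the attacker types into the form

-- VULNERABLE: the input becomes part of the statement text. The text executed is
--   SELECT ... WHERE Name = '' OR 1=1 --'
-- so every row comes back, card digits included.
DECLARE @bad nvarchar(max) =
    N'SELECT CustomerId, Name, CardLast4 FROM #Customers WHERE Name = ''' + @input + N'''';
EXEC (@bad);

-- HARDENED: the input travels as a parameter value. The parser never sees the quote or
-- the comment marker as syntax; it looks for a customer literally named ' OR 1=1 --
-- and returns no rows.
EXEC sys.sp_executesql
    N'SELECT CustomerId, Name, CardLast4 FROM #Customers WHERE Name = @name;',
    N'@name nvarchar(100)',
    @name = @input;

-- Identifiers cannot be parameters. When the caller chooses a column, check it against
-- an allow-list and wrap it in QUOTENAME so a crafted name cannot close the bracket.
DECLARE @col sysname = N'Name';
IF @col NOT IN (N'Name', N'CustomerId') THROW 50000, N'Unexpected column', 1;
DECLARE @safe nvarchar(max) =
    N'SELECT ' + QUOTENAME(@col) + N' FROM #Customers WHERE Name = @name;';
EXEC sys.sp_executesql @safe, N'@name nvarchar(100)', @name = @input;

DROP TABLE #Customers;
```

Run the batch in SSMS or sqlcmd against SQL Server 2012 or later: the first SELECT returns three rows, the parameterized ones return none. The application side follows the same rule, SqlCommand with SqlParameter objects rather than string concatenation, and the login the site connects with should not hold SELECT on a card table in the first place, so that a missed injection point leaks less.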


March 2014
Microsoft SQL Server 2014 Countdown: Buffer Pool Extension and Resource Governor for IO
Presenter: Microsoft

Description:
Buffer Pool Extension can potentially increase the performance of OLTP applications by allowing the SQL Server buffer pool to be extended to non-volatile storage, such as solid-state drives (SSDs). In addition, the Resource Governor enhancement for IO in SQL Server 2014 allows much better control of physical IO in SQL Server resource pools.

See the full Microsoft SQL Server 2014 Countdown Webinar Schedule at: http://www.sqlpass.org/SS2014Launch

Session recording: Streaming video


February 2014
Configuring SQL Access for the Web Developer
Presenter: Kendal Van Dyke

Description:
This session will demonstrate the ways that ASP & ASP.NET applications can be configured to make connections to SQL Server from different versions of IIS so that we can keep our servers secure and our DBAs happy. Session Goals:
1) Learn when to use SQL logins and when to use Windows Authentication
2) Understand the concept of impersonation
3) Learn how ASP and ASP.NET applications can be configured to use impersonation to make secure connections to SQL Server
4) Learn how to configure IIS and Windows to support impersonation.

Session slides and code: Configuring SQL Access for the Web Developer.zip (679.9 KB)
Session recording: .zip ( MB)
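As an added example (not Kendal Van Dyke's session code): the SQL Server side of the two connection styles in the session goals, a Windows login for the application identity and a Windows group login for impersonated end users, each granted only what the application calls, plus the check that tells you whether an impersonated connection actually arrived over Kerberos. The names (IIS APPPOOL\ShopSite, CORP\ShopUsers, ShopDb, the web schema) are hypothetical.

```sql
-- Added example, not from the session. All names are placeholders.
USE master;
GO
-- Option A: the application pool identity connects. No password in web.config.
-- The IIS APPPOOL\ name only exists when IIS and SQL Server share a machine; across
-- machines use a domain account (e.g. [CORP\svc_shopsite]) as the pool identity.
CREATE LOGIN [IIS APPPOOL\ShopSite] FROM WINDOWS;
GO
USE ShopDb;
GO
CREATE USER [IIS APPPOOL\ShopSite] FOR LOGIN [IIS APPPOOL\ShopSite];
-- Grant what the site calls, not db_owner. With data access behind stored procedures,
-- EXECUTE on the application's schema is the whole grant.
GRANT EXECUTE ON SCHEMA::web TO [IIS APPPOOL\ShopSite];
GO
-- Option B: impersonation (<identity impersonate="true"/> in web.config), so each
-- connection arrives as the end user. Map a Windows group, never individual users.
USE master;
CREATE LOGIN [CORP\ShopUsers] FROM WINDOWS;
GO
USE ShopDb;
CREATE USER [CORP\ShopUsers] FOR LOGIN [CORP\ShopUsers];
GRANT EXECUTE ON SCHEMA::web TO [CORP\ShopUsers];
GO
-- Check from the DBA side: with IIS and SQL Server on different hosts, an impersonated
-- user's credential can only be forwarded by Kerberos (constrained delegation).
-- auth_scheme must read KERBEROS for those sessions; NTLM cannot be delegated, and a
-- failed double hop shows up as a login failure for ANONYMOUS LOGON instead.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_name;
```

The last query is the quickest way to settle the "it works on my machine" argument about impersonation: when the site and the database are on the same box there is no second hop, so NTLM works fine in development and the delegation problem only appears in production.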

January 2014
Code-Less Securing of SQL Server
Presenter: Argenis Fernandez

Description:
Learn from a Microsoft Certified Master how to secure your SQL Server infrastructure and your Windows installations to enhance resiliency and minimize exposure to attacks—all without touching any of your code!

Session recording: 2014-01-23 10.00 Code-Less Securing of SQL Server.wmv (46.9 MB)

2013 Presentations
December 2013
SQL Security Best Practices & Shrinking Your Attack Surface
Presenter: Matthew Brimer

Description:
SQL Security is a very broad and scary topic, one to which many days of speaking could be dedicated. In this session Matt will give a high-level overview of what Database Security is, what tools Microsoft gives you to accomplish it and some simple things that you can do to shrink your attack surface.

Slide deck and other session files: Database Security.pptx (1499 KB)
Session recording: ShrinkingYourAttackSurface.zip (331.7 MB)

November 2013
PCI For The SQLDBA
Presenter: Andy Warren (blog|@sqlandy)

Description:
Are you storing or planning to store credit card numbers? If so, you need to learn all you can about the requirements for PCI compliance. We'll cover how PCI works from the requirements to the final audit, and everything in between that you'll need to know something about. We'll talk about encryption, key management, logging, alerting, administration access, granular permissions, tokenization, and as much more as we can fit into an hour. It's a complex topic, but that just makes it more interesting!

Slide deck and other session files: PCI for the SQL DBA.zip (2.1 MB)
Session recording: PCI For The SQL DBA recording.zip (50.4 MB)



Implementing a HIPAA Compliance Strategy with SQL Server
Presenter: Brandon Leach (@SQLServerNerd)

Description:
HIPAA puts a lot of responsibility on our companies and compliance can be hard to maintain. Today medical data is more valuable on the black market than a social security number or a credit card. As DBAs we're charged with the security of our data and thus act as front-line defense. In this hour-long session we'll delve into the Health Insurance Portability and Accountability Act (HIPAA) and what implications it has for us as data professionals. We'll discuss SQL Server best practices that can help protect ourselves, our company, and the people whom we serve. We'll also dive into features in SQL Server that can help in this endeavor.

Slide deck: ImplementingAHIPAAComplianceStrategy.pptx (1341 KB)
Session recording: ImplementingAHIPAAComplianceStrategy.zip (35.64 MB)



August 2013
Cure your sysadmin addiction
Presenter: Ronald Dameron

Description:
Learn how to use the Separation of Duties Framework and a Privileged Identity Management suite to minimize the permissions needed by DBAs to do routine work. I'll review the Separation of Duties Framework and an easy-to-implement, low-hassle solution that provides DBAs the minimum necessary access required to maintain the server but not be able to view user data. I will prove that sysadmin is not always required more often than most DBAs think. Also, attendees will learn how to define a permission set with a single script that allows your company’s DBAs to do routine work and how to elevate DBA permissions quickly to respond to production emergencies.
Slides and demos: CureYourSysadminAddiction.zip (668 KB)
Session recording: Not available due to technical difficulties.
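As an added example covering both this session and Ronald Dameron's May 2015 session above (these are not his scripts): a T-SQL permission set that lets a DBA do routine work from outside sysadmin, a query that shows which instances still carry unexpected sysadmin members, and a break-glass elevation that a server audit records on the way in and on the way out. The role, logins, database and audit names are hypothetical, and CORP\oncall_dba is assumed to be an existing login.

```sql
-- Added example, not the presenter's scripts. dba_routine, CORP\dba_team, CORP\oncall_dba,
-- AppDb and ElevationAudit are placeholders. Requires SQL Server 2012 or later.
USE master;
GO
-- 1. Server level: a user-defined server role holding operational rights only.
--    None of these grants SELECT on user data. VIEW SERVER STATE does expose query text
--    in the plan cache, which can contain literal values, so treat that output as sensitive.
CREATE SERVER ROLE dba_routine;
GRANT VIEW SERVER STATE       TO dba_routine;  -- DMVs: sessions, waits, plans
GRANT VIEW ANY DEFINITION     TO dba_routine;  -- object metadata, not rows
GRANT ALTER ANY DATABASE      TO dba_routine;  -- files and options; TRUSTWORTHY still needs sysadmin
GRANT ALTER SERVER STATE      TO dba_routine;  -- DBCC FREEPROCCACHE and similar
GRANT ALTER ANY CONNECTION    TO dba_routine;  -- KILL a runaway session
GRANT ALTER ANY EVENT SESSION TO dba_routine;  -- Extended Events for troubleshooting
ALTER SERVER ROLE dba_routine ADD MEMBER [CORP\dba_team];
GO
-- 2. Database level, repeated per user database: backups without db_owner.
--    DBCC CHECKDB and index rebuilds need db_owner or ALTER on the objects; run those
--    from Agent jobs under a service account, or through the break-glass path below.
USE AppDb;
GO
CREATE USER [CORP\dba_team] FOR LOGIN [CORP\dba_team];
ALTER ROLE db_backupoperator ADD MEMBER [CORP\dba_team];
GO
-- 3. Verification, run on every instance: a sysadmin member outside the allow-list is
--    either a server not yet locked down or an elevation nobody revoked.
USE master;
GO
SELECT m.name AS sysadmin_member, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.name NOT IN (N'sa', N'NT SERVICE\MSSQLSERVER', N'NT SERVICE\SQLSERVERAGENT');
GO
-- 4. Break-glass: elevation is two statements, and a server audit captures both the
--    grant and the revoke. The credential that runs them comes from a privileged-identity
--    vault checkout for the incident, not from a shared sa password.
CREATE SERVER AUDIT ElevationAudit TO APPLICATION_LOG WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION ElevationAuditSpec FOR SERVER AUDIT ElevationAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT ElevationAudit WITH (STATE = ON);
GO
ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\oncall_dba];   -- start of the emergency
-- ... production emergency or disaster recovery work ...
ALTER SERVER ROLE sysadmin DROP MEMBER [CORP\oncall_dba];  -- end of the emergency
GO
-- Undo the model if it has to be rolled back: members first, then the role.
-- ALTER SERVER ROLE dba_routine DROP MEMBER [CORP\dba_team];
-- DROP SERVER ROLE dba_routine;
```

Two things the grants above deliberately do not cover: RESTORE of an existing database (dbcreator, sysadmin or the database owner) and anything that ends with the DBA owning a database, since dbo reads everything. Both are exactly the "sysadmin only when required" cases, and the audit trail from step 4 is what the auditors in the March 2015 session will ask to see.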




July 2013
SQL Server Encryption Decrypted
Presenter: K. Brian Kelley (blog|@kbriankelley)

Description:
In this session we'll look at Microsoft SQL Server's built-in encryption options and how best to use them. We'll discuss best practices with respect to speed and security in the options available to us. Also, we'll briefly cover Transparent Data Encryption, a new feature in SQL Server 2008 Enterprise Edition, which encrypts the whole database at rest.

Slides and demos: July2013EncryptionDecrypted.zip (248 KB)
Session recording: 2013-07-18 10.02 SQL Server Encryption Decrypted.zip (22 MB)
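As an added example (not the session demo): the statements that switch Transparent Data Encryption on for one database, in the order that matters, followed by the state check. ClaimsDb, TdeCert, the file paths and the passwords are placeholders.

```sql
-- Added example, not from the session. Database, certificate, paths and passwords
-- are placeholders; replace every one of them.
USE master;
GO
-- 1. A database master key in master, and a server certificate that will protect the
--    database encryption key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Example-only-master-key-passphrase-1!';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for ClaimsDb';
GO
-- 2. Back the certificate up NOW, to storage that is not the data disk. Every backup
--    of the encrypted database can only be restored on an instance that has this
--    certificate and its private key.
BACKUP CERTIFICATE TdeCert TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Example-only-private-key-password-2!');
GO
-- 3. The database encryption key, then encryption on. The background scan that
--    encrypts existing pages starts immediately and the database stays online.
USE ClaimsDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE ClaimsDb SET ENCRYPTION ON;
GO
-- 4. Verify. encryption_state 2 = scan in progress, 3 = encrypted. tempdb is listed as
--    well: it is encrypted as soon as any user database on the instance is.
SELECT DB_NAME(database_id) AS database_name, encryption_state, percent_complete,
       key_algorithm, key_length, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

The certificate backup in step 2 is the step people skip. TDE covers the data and log files and their backups at rest, and nothing else: a login that already holds SELECT on the table, or sysadmin, reads the encrypted database as plain text, which is why the least-privilege sessions on this page matter alongside it. Test the backup by restoring the certificate and a database backup onto a second instance, and note that TDE was Enterprise-only until SQL Server 2019, which added it to Standard.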

For updates on future meetings and events, follow us on Twitter at @PASS_SecurityVC.