Category Archives: SQL Server

The thing that makes Encryption work

2 Replies

For this months TSQL Tuesday Matthew McGiffen asks us some broad questions around Encryption and Data Protection. His timing is great, because that’s exactly what I gave a talk about last month at SQL Saturday South Island. My timing is not so great. It’s Thursday. I could tell you about Tuesday, but I’m not sure you would believe me. So apologies for being late Matthew, thanks for the great topic which I keep telling everyone who will listen we all need to keep front of mind.

I’m going to start off in the past, where Encryption was a big scary thing for me. I didn’t get it. It was complicated and seemed like some hidden voodoo science that I just wasn’t smart enough to understand. One thing I’ve learnt though is that not understanding the intricacies of how something works is actually not that bigger deal so long as you understand what it is used for, when it’s appropriate to use and how to go about implementing it. Embracing my inability to know everything about everything is something I actually recognize as a big career turning point for me, and if it hasn’t been for you yet then I’ve got a thing called AI that we need to have a chat about.

At any rate, a little less distantly in the past I presented at SQL Saturday SOuth Island and did demo’s inside an hour on how to do the following forms of ‘encryption’.

  • WITH ENCRYPTION object ‘encryption’
  • Connection Encryption
  • Transparent Data Encryption
  • Backup Encryption
  • Always Encrypted Column Encryption

5 forms of encryption in an hour. When to do it, why to do it, and how to do it – take my code. But that wasn’t the point of the talk. Hopefully what people took away from the talk was that there is no technical barrier to them going away and implementing encryption in their environment straight away. The features are available in all paid editions of SQL Server, the process is really well documented, and they had just witnessed someone implement them all in a handful of minutes.

The stuff that really matter is the bits around the protection. What is the impact of encryption on your database size…your backup size…your ability to use third party dedupe products…your developers process…your compliance…your security. Each one of those things is a blog post in itself (oh good…no more wondering what to blog about next month…) but the one I want to focus in on is a human element and it’s something I have had to deal with directly in the past week (See reference to Tuesday above).

As employees we are often tasked with figuring out how to get something done quickly. We have an incredible ability to figure out the ‘how’ to a problem, and we live in a glorious age where the ‘how’ knowledge is readily and generously shared by a multitude of online genius types. So when someone says ‘encrypt this column’ it’s quite possible that a moderately competent IT professional can figure out the how, make that column encrypted and tick whatever compliance box their boss was worried about that week.

What we are often not so good about is documentation and knowledge transfer, particularly of an ad hoc task that took us a couple of hours several years ago. The biggest problem I have with encryption is that people change roles, and change jobs, and fall out of trees. When any form of encryption is in place, we run the risk of ending up in a state where data is irreversibly encrypted because the certificate is lost – or we have a backup, but not a private key or a decryption password. I don’t want to make people afraid of encryption, but I do want people to be very aware that the technical implementation of encryption is not the hard part. The hard part is agreeing and documenting all the things that go round encryption.

So my call to action to you – person with TDE in your environment, and you – person with Always Encrypted implemented on a server near the end of it’s life – is to make sure more than just you know how to access the backups or certificates and know where your process is documented.

You won’t thank me for this, it will be one more long boring task to work your way through, but if you don’t do it – you, or whoever inherits your environment, may well curse the name of whoever introduced encryption into your workplace. And that would be a shame.

SQL Saturday South Island – Wrap Up

Leave a reply

What an amazing weekend.

Sometimes you can go to a free training event and take a few notes of things to go look up and that’s a win. And some days the stars align, you pick the right sessions and you walk away with solutions to problems you are working on right now.

I was lucky enough to attend Craig Ryans session on reducing your SQL spend. This is something I focus on in most of my client engagements so generally I think we have the bases covered. Not even close! Craig had a handful of different considerations that I need to work into our own offerings including comparing pricing in different regions and dusting off the cobwebs from the Web Edition of SQL Server – which to be quite honest I haven’t considered in my calculations for years. Then add in changing operating system and we saw an example of how to actieve the same levels of performance on the same hardware(or often better hardware) for half the price. Great session well worth the price of admission(which was free, but to be honest I would have paid twice that.)

My own session went okay. We went through the 5 types of Encryption that are available within SQL Server and demo’d each, making it clear that technical know-how is not a reason to not start the process of implementing Encryption in your environments. And a great thing happened after that session. I had fumbled a couple of times with the technical setup and switching between slide decks and Management Studio and one of the audience came up to me afterwards with a recommendation on using colour coding for session connections. This is something I often do when I am connecting to prod or non-prod client environments, but I think it would be a great addition to a session where I’m demo’ing in multiple different environments – both for me and the audience. So thank you anonymous random guy.

The next session I started going to was Warwick Rudds session on Azure Data Studio, but Warwick hit a technical snag when the presentation room monitor decided it had had enough and went to sleep. Warwick always presents great content, but I also know he distrubtes it really well so I promised to catch it on online and took the opportunity to grab a Lime scooter back to the hotel and drop off my laptop so I was set for a big night after the event without having to lug it around.

I got back in time for Heidi Hasting to talk about some of the processes she has automated and the tools she uses. I picked a couple of key words out of her presentation abstract and thought it may just help with an issue that a colleague is currently working on. Heidi had flown in late and had the last session of the day and presented on 2 hours sleep. But man did she deliver just what I was after with some pieces being perfect to solve a Powershell\PowerBI analytics\MS Licensing issues that have been on my periphery over the last week or two.

And as always the real value in these sessions is that if you don’t get the exact piece of information you are after in a session, you can go out afterwards, buy someone a drink and chat about the technologies we are working with and chew over the problems we are faced with in our day jobs. I literally got thousands of dollars of value out of the event and had an amazing time doing it. Thanks to Hamish and the team for another successful and enjoyable event.

Come to SQL Saturday South Island

Leave a reply

Hi all – a quick note telling you to come along and support SQL Saturday South Island.

Once again Hamish has pulled together a great group of speakers from New Zealand, Australia and even the USA. As always it is a free day of training, and you even get a free lunch thrown in, so if not for bettering your professional career and learning lots of cool new stuff – come along and grab a free lunch – cause it turns out there IS such a thing as that.

SQL Saturday South Island 2023 (#1061)

Managed Instance duplicate system databases in file_stats

Leave a reply

Suppose you use sys.dm_io_virtual_file_stats to get performance metrics on your server. Further suppose you then drop that into the table using the database name and the collection time as your primary key. If you do this on a managed instance, and you group by database_ID for your datacollection you are going to hit a problem.

Why?

Because this:

        select 
            database_id,
            db_name(database_id) database_name
            ,cast(sum(num_of_bytes_read + num_of_bytes_written) / 1048576 as decimal(18, 2)) io_total_mb
            ,case when convert(decimal(18,2), (sum(num_of_bytes_read ) / 1048576)) = 0 then 0.001 else convert(decimal(18,2), (sum(num_of_bytes_read ) / 1048576)) end io_read_mb
            ,case when convert(decimal(18,2), (sum(num_of_bytes_written) / 1048576)) = 0 then 0.001 else convert(decimal(18,2), (sum(num_of_bytes_written) / 1048576)) end io_write_mb
        from 
            sys.dm_io_virtual_file_stats(null, null) dm_io_stats
        group by 
            database_id

Will give you a result like this:

This stuffed me up quite a bit but once you know that you are looking at stats for invisible magic Azure Managed Instance databases messing up your results there are several options:

  • Filter out the stupid high database_id’s
  • Be consistent in whether you use name or id for your grouping and primary keys.

SQL Agent Account failing to log in

Leave a reply

A quick one today caused by an interesting error I received. A client dropped me a message that they were running a stored procedure fine as themselves but when they dropped it into a SQL Agent Job it started to fail. The message was pretty clear:

“Executed as user: Domain\SQLAgent. Login failed for user ‘ Domain\SQLAgent ‘. [SQLSTATE 28000] (Error 18456). The step failed.”

I like problems that are easy to solve, just check the Domain\SQLAgent account on the SQL Instance and find it’s….enabled…and has all the permissions required to run this stored procedure? Hmmm.

Then I noted that despite getting a login failure message there was no corresponding login failure message in the SQL Error Logs. Time to dig into the code and I was able to identify that the stored procedure references a linked server. That linked server was (Hooray) set up to log in to the remote server in the context of the executing account. So the login wasn’t failing locally, it was failing on the remote server. Sure enough I could see login failure messages on the remote server that matched the times the job had tried to run.

Resolving the remote login failure allowed the job to run successfully. Hopefully this post will point you to your potential error and save some time banging your head against a wall!

TSQL Tuesday – IT is about serving people

Leave a reply

This months TSQL Tuesday invitation is hosted by Gethyn Ellis who asks about the best career advice you ever got. For me it was more of a career realization, although it’s undoubtably been said to me multiple times I’m just a bit slow registering stuff. Some would probably say I still haven’t ‘got it’ when it comes to this particular idea.

TSQL Tuesday

I’m an IT guy, and probably somewhat stereotypical in that I got into this line of work because the power of computers in general, and data in particular have always been so interesting to me. Finally, here in 2023, with the advent of AI coming into the mainstream the general population is starting to understand some of the ‘coolness’ I saw in IT back when I started my career. The idea that a computer could be programmed to do the sets of tasks for me and increase the amount of stuff I could know and achieve so drastically has always been a wonder. IT is a fascinating and challenging field to be in.

But also fascinating, and definitely challenging, are people. When I look back on my career none of the milestones have been technical, they are all off the back of forming and evolving relationships with people. Whether that be walking into an IT company off the street and telling them I was available to work, the first beer with people who have kept an eye on my career, helping revive and grow a user group, speaking at a SQL event for the first time or running a SQL event for the first time – the key points have always been more about people than technology.

We have to do it when we first convince someone to give us a job in IT. Any given project is likely to be as much a series of political and scheduling challenges more so than purely technical ones. As we move up the pecking order we need to manage expectations and relationships with both those in a position to move us to the next rung, and those who may resent us moving off the rung we’re on. The technical stuff is important, for sure, but it’s not the thing that will define your career – your ability to form and nurture relationships with people is.

When it comes to consulting and management your technical skills may allow you to get a job done, but it is your people skills, your ability to express the technical requirements to non-technical people and how you present a solution that will win you that job in the first place. It’s how you turn up and deal with those around you that will dictate how a customer feels about coming back to you for assistance next time. And when you decide that paid employment is not getting you the financial results you want and decide to move into contract consulting or start your own business – you had better believe that how you present yourself to people and handle relationships is at least as important as how you perform the technical aspects of the projects themselves.

Now I’m not encouraging you to neglect the technical side of the job – you’ve still got to be able to do the thing – but understand that the success of the thing is not just defined by whether your output window is red or black – it’s defined by understanding why you are doing the job and who it effects, and engaging with those people to ensure they are getting the outcome they are after.

Choosing a SQL Authentication Mode

Leave a reply

SQL Server Authentication Modes: Windows vs. Mixed Mode Security

When configuring SQL Server, one of the first decisions you’ll face is choosing the authentication mode. SQL Server offers two primary modes of authentication: Windows Authentication Mode and Mixed Mode Authentication. In general you are going to want to leave that in Windows Authentication Mode unless you have a compelling reason not to. In reality, most shared SQL instance will need Mixed Mode at some point.

Windows Authentication Mode

Windows Authentication is the default and recommended option for securing SQL Server. It leverages Active Directory (AD) to authenticate users, allowing for centralized management of credentials and permissions.

Advantages of Windows Authentication:

  1. Centralized Management: Administrators can manage user accounts, passwords, and permissions directly through AD.
  2. Kerberos Support: Windows Authentication uses the Kerberos protocol for secure authentication, providing enhanced security and performance.
  3. Password Management: SQL Server doesn’t store or manage passwords in this mode, reducing the risk of credential theft. An often forgotten benefit of this is the ease of migrating logins and databases between instances. There is no chance of a mismatched SID when using Windows Authentication
  4. Group Management: The ability to have a group and create a single login for all members of that group is often forgotten. This takes the centralized Management component in point one to another level allowing you to bring real role based management capabilities to your SQL environment.

Limitations of Windows Authentication:

  1. Dependency on Active Directory: This mode requires a robust AD setup, making it less ideal for standalone servers or environments without AD integration.
  2. Limited Flexibility: Non-Windows users or external applications may face challenges accessing the server. Scratch that – even SQL Server itself may have problems using Windows logins. For example using Windows authentication between linked servers will very quickly run you into a double-hop credential error unless you plan for it in advance.

Mixed Mode Authentication

Mixed Mode Authentication supports both Windows Authentication and SQL Server Authentication. In addition to using AD accounts, it allows SQL Server to manage its own user accounts, often referred to as SQL logins.

Advantages of Mixed Mode Authentication:

  1. Supports Non-Windows Clients: This mode is ideal for applications or users outside the AD ecosystem.
  2. Greater Flexibility: Mixed Mode provides more options for authenticating users and systems.

Limitations of Mixed Mode Authentication:

  1. Password Management Burden: SQL Server accounts require manual password policies and management, increasing administrative overhead. However from about SQL 2005 this is less of an issue. When creating a login the “Enforce Password Policy” box allows you to enforce those policies, while leaving the “Enforce Password Expiry” box unchecked removes the necessity of continually updating the passwords used in connection strings.
  2. Security Risks: SQL logins can be more vulnerable to brute-force attacks if strong password policies aren’t enforced. Additionally, it’s not uncommon to find that SQL logins are exposed in plain text in configuration files or connection strings.
  3. Shared Credentials: People are people…and inevitably someone is going to use that SQL login they found in a connection string to login to the database directly. Or an authorised user may share that login with another user while they are “waiting for their access to be authorised”. There’s a mountain of scenarios where people will begin using a SQL login, and the truth is that it is very hard to track even if you are looking for it.

Key Considerations for Choosing the Right Mode

  1. Environment Type:
    • For corporate environments with AD infrastructure, Windows Authentication is typically the better choice.
    • For standalone servers or systems requiring third-party integrations, Mixed Mode might be necessary.
  2. Security Requirements:
    • Windows Authentication reduces the attack surface by avoiding local SQL Server accounts.
    • Mixed Mode requires careful configuration to minimize risks, such as enforcing strong password policies and auditing login attempts.
  3. Application Needs:
    • Mixed mode authentication often ends up becoming a practical necessity if your applications or services don’t support Windows Authentication.

Securing Your Chosen Mode

Regardless of the chosen mode, here are a number of best practices to follow:

  • Enable Auditing: Monitor login attempts to detect and respond to suspicious activity.
  • Use Encryption: Protect data in transit by enabling SSL/TLS for client connections.
  • Enforce Password Policies: Implement strong, complex passwords for SQL logins in Mixed Mode. When these are stored in password vaults they should include the intended purpose and preferably the servers\ip addresses they will be used on. If you do this you can monitor for activity outside these locations to determine when the password is being shared\abused.
  • Limit Privileged Accounts: Restrict sysadmin access to only those who truly need it. And revisit that group on a regular basis to ensure they still need it.