The mission of the Security Virtual Group is to provide guidance and education, and to foster open discussion on security topics as they pertain to SQL Server and its environment.

2017 Presentations
November 2017
SQL Injection Attacks: Is Your Data Secure?
Presenter: Bert Wagner

SQL injection is one of the most common ways that attackers gain access to your SQL Server. Do you know how to protect your data from malicious users? This session will provide an overview of how SQL injection works as well as T-SQL examples and techniques to protect against it. We’ll also take a look at why some commonly used techniques aren’t as secure as many people think. If you ever write or maintain dynamic SQL queries, then this session is for you.

Level: 200

Session recording: (44.4 MB)
Slide deck:
Demo code: Download from
Watch on Youtube:
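As an added illustration of the point this session makes (this is editor-supplied code, not the session's demo code; the dbo.Customers table and the procedure names are assumed), here is the same lookup written three ways: concatenated, "escaped" by doubling quotes, and parameterized with sp_executesql. The middle one is the common technique that is weaker than it looks:

```sql
-- Added example (not the session's demo code): the same lookup written three
-- ways. The dbo.Customers table and procedure names are assumed for illustration.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL);
INSERT INTO dbo.Customers (Name, Email)
VALUES (N'Alice', N'alice@example.com'), (N'Bob', N'bob@example.com');
GO

-- 1. Vulnerable: the caller's text is pasted straight into the statement.
--    @Name = ' OR 1=1 --  returns every row; '; DELETE dbo.Customers -- does worse.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- 2. The popular "fix": double every single quote. It is fragile: the escaped
--    string is longer than the input, and assigning it to a variable of the
--    original size silently truncates it, which can turn the closing quote
--    into part of the string literal (a 100-character name ending in a quote
--    becomes 101 characters here and loses its last character).
CREATE PROCEDURE dbo.FindCustomer_Escaped @Name nvarchar(100)
AS
BEGIN
    DECLARE @escaped nvarchar(100) = REPLACE(@Name, N'''', N'''''');   -- truncation point
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = ''' + @escaped + N'''';
    EXEC (@sql);
END
GO

-- 3. Safe: the value travels as a parameter and is never part of the statement
--    text. An identifier that has to be dynamic is checked against the catalog
--    and wrapped with QUOTENAME, which escapes it as a name, not as a string.
CREATE PROCEDURE dbo.FindCustomer_Parameterized
    @Name  nvarchar(100),
    @Table sysname = N'Customers'
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables
                   WHERE name = @Table AND schema_id = SCHEMA_ID(N'dbo'))
        THROW 50000, N'Unknown table', 1;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.' + QUOTENAME(@Table) + N' WHERE Name = @p;';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Name;
END
GO

EXEC dbo.FindCustomer_Vulnerable    @Name = N''' OR 1=1 --';   -- both rows come back
EXEC dbo.FindCustomer_Parameterized @Name = N''' OR 1=1 --';   -- no rows: the quote is just data
```

The rule the third procedure follows is the one worth remembering: values are parameters, identifiers are validated against the catalog and then QUOTENAMEd, and nothing the caller supplied is ever concatenated as statement text.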

June 2017
The Dirty Business of Auditing
Presenter: Brian Kelley

Auditing is often a dirty word among DBAs because it equates to more work with little perceived business value. However, auditing is a necessary evil for most businesses and it usually falls to the DBA to ensure SQL Server is properly audited. In this session we'll look at what the operating system and SQL Server provide for us in order to meet the requirements of internal and external auditors, regulatory legislation, and even overbearing system owners who want to know everything about what's going on in their application. We'll consider what tools to use to quickly implement the proper level of auditing to meet the need.

Level: 200

Session recording: (21 MB)
Slide deck: TheDirtyBusinessofAuditingByKBrianKelley.pptx (274.3 KB)
Watch on Youtube:
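The built-in tool the session refers to is SQL Server Audit. The following is an added example (editor-supplied, not the presenter's material; the file path, database name and dbo.Patients table are assumed) showing a minimal but useful configuration: a file target, a server specification for logins and privilege changes, a database specification for access to one sensitive table, and the query that reads the log back:

```sql
-- Added example (assumed path, database and table names): SQL Server Audit
-- configured for the questions auditors usually ask first.
USE master;
GO
CREATE SERVER AUDIT Audit_Security
    TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000,
          ON_FAILURE = CONTINUE);   -- FAIL_OPERATION or SHUTDOWN where policy requires it
ALTER SERVER AUDIT Audit_Security WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
    FOR SERVER AUDIT Audit_Security
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),      -- who was added to sysadmin, and by whom
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),        -- logins created, dropped, enabled
    ADD (AUDIT_CHANGE_GROUP)                    -- tampering with the audit itself is recorded
    WITH (STATE = ON);
GO
USE AppDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_AppDb
    FOR SERVER AUDIT Audit_Security
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Patients BY public)   -- every reader of the PHI table
    WITH (STATE = ON);
GO
-- Reading it back: failed logins in the last day, plus any statement touching sysadmin.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE (action_id = 'LGIF' AND event_time > DATEADD(DAY, -1, SYSUTCDATETIME()))
   OR statement LIKE N'%sysadmin%'
ORDER BY event_time DESC;
```

The AUDIT_CHANGE_GROUP entry is the one that satisfies the "who watches the watcher" question: disabling or altering the audit leaves a record in the same log, so the DBA cannot quietly switch it off during a window of interest.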

Kerberos Delegation for SSRS Made Simple
Presenter: Kathi Kellenberger

Is Kerberos delegation something you avoid like a vicious three-headed guard dog? Once you hear a clear explanation, it will all make sense and no longer be scary! Attend this session to learn what needs to be done to get SSRS working with Kerberos delegation.

Session (27 MB)
Slide deck and demo code: KerberosDelegationForSSRSMadeSimpleByKathiKellenberger (1 MB)
Watch on Youtube:

April 2017
Hacking SQL Server for Fun and Profit
Presenter: Argenis Fernandez

In this session we'll explore several methods of hacking into SQL Server instances. Some methods assume you have Windows Administrator privileges on the box; others only require access to your physical network. We'll cover SQL injection, memory dumps, man-in-the-middle, pass-the-hash, and other attack vectors. Armed with this knowledge, you should be able to go back to your job and make a difference in your network security.

Session (95.4 MB)
Slide deck: HackingSQLServerforFunandProfitByArgenisFernandez.ppt (1.5 MB)
Demo (2 KB)
Watch on Youtube:

VMware, SQL Server, and Encrypting Private Data
Presenter: Patrick Townsend

Encryption has traditionally been the hardest part of data security, with key management being the hardest part of encryption. Join Patrick Townsend, Founder & CEO of Townsend Security, as he discusses these technologies and how they no longer deserve the reputation they have earned for being difficult and expensive.

Session (17.1 MB)
Slide deck: VMwareSQLServerAndEncryptingPrivateDataByPatrickTownsend_SlideDeck.pdf (4.1 MB)
Watch on Youtube:

March 2017
SQL Server Security Mistakes Everyone Makes
Presenter: Robert L Davis

If you got audited tomorrow, do you know what security mistakes could be uncovered?

The fact is, there are common security mistakes that everyone makes, often without realizing that their security is compromised. This session will cover things people do every day that weaken their security, demonstrate why each is a potential vulnerability, and show you how to fix it.

Level: 100

Session (28 MB)
Slide deck: SQLServerSecurityMistakesEveryoneMakes.pptx (718 KB)
Demo (3 KB)
Watch on Youtube:

2016 Presentations
November 2016
SQL Server Encryption Basics
Presenter: Bob Pusateri

High-profile attacks by hackers have made the news more and more the past few years, and your database is a prized target! Fortunately SQL Server offers many possible layers of protection, one of which is encryption. This session will cover SQL Server's encryption capabilities, how they work, and what they have to offer. Topics discussed will include certificates, encryption algorithms, backup encryption, transparent database encryption, and column-level encryption. Attend this session and learn how SQL Server can help you hide your data in plain sight!

Level: 100

Session (26 MB)
Slide (665 KB)
Demo (1 KB)
Watch on Youtube:

June 2016
Securing SQL Server with TLS 1.2
Presenter: MSSQL Tiger Team

Recent changes in security compliance requirements are driving initiatives in many IT environments to disable all security protocols apart from TLS 1.2. This has wide-ranging impact on SQL Server installations, from startup failures to connectivity issues. In this session we will talk about the changes available in SQL Server 2008 and above to support TLS 1.2, and the changes required on the server and in the SQL Server configuration to support TLS 1.2.

Level: 200

Session (30.4 MB)
Slide deck:
Demo code:
Watch on Youtube:

Your Sensitive Data Warriors: AlwaysOn Encryption and Data Masking in SQL Server 2016
Presenter: Virginia Mushkatblat

In an hour-long presentation we will discover how to prevent the most popular type of fraud... and it is not a financial one! We will cover use cases of stolen data and present new and improved ways to use two of the most important, just-introduced features in the Microsoft security and privacy framework, Always Encrypted and Dynamic Data Masking, along with their pros and cons. We will also cover other cases that call for custom solutions in Security and Privacy by Design implementations.

Level: 300

Session (32 MB)
Watch on Youtube:
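Dynamic Data Masking is the easier of the two features to show in plain T-SQL, and its main "con" is easy to demonstrate as well. The following is an added example (editor-supplied, not the session's material; table, column and user names are assumed) showing masked output for a user without UNMASK, and then the inference that masking does not prevent because predicates are evaluated against the unmasked data:

```sql
-- Added example (assumed table and user names, SQL Server 2016+ / Azure SQL DB):
-- masking hides values in result sets, but WHERE clauses still see the real data.
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    FullName  nvarchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NOT NULL,
    Email     nvarchar(200) MASKED WITH (FUNCTION = 'email()')                NOT NULL,
    SSN       char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    Salary    money         MASKED WITH (FUNCTION = 'default()')              NOT NULL);
INSERT INTO dbo.Patients (FullName, Email, SSN, Salary) VALUES      -- constructed test rows
    (N'Alice Smith', N'alice@example.com', '123-45-6789', 150000),
    (N'Bob Jones',   N'bob@example.com',   '987-65-4321',  60000);
CREATE USER analyst WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO analyst;        -- SELECT only; no UNMASK
GO

EXECUTE AS USER = N'analyst';
-- Pro: values come back masked, roughly 'AXXXXXXX', 'aXXX@XXXX.com', 'XXX-XX-6789', 0.00
SELECT PatientId, FullName, Email, SSN, Salary FROM dbo.Patients;

-- Con: filtering, sorting and joining operate on plaintext, so the same user can
-- learn who earns more than 100k and can brute-force an SSN a few digits at a time.
SELECT PatientId FROM dbo.Patients WHERE Salary > 100000;        -- returns PatientId 1
SELECT PatientId FROM dbo.Patients WHERE SSN LIKE '123-45-%';    -- returns PatientId 1
REVERT;
GO

-- Masking is a display control, not an access control. Restrict SELECT to the
-- columns a role really needs, encrypt the columns that matter (Always Encrypted),
-- and hand out UNMASK only to roles that must see plaintext.
GRANT UNMASK TO analyst;          -- from here on analyst sees real values
REVOKE UNMASK FROM analyst;       -- and now it is masked again
```

Always Encrypted closes the gap this example shows because the server never holds the plaintext or the key: the predicate in the second SELECT could not be evaluated at all on a randomized-encrypted column, and only on exact equality for a deterministic one.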

March 2016
SQL Server Security Basics
Presenter: Kenneth Fisher

In the modern age, data is a company's most valuable resource and, unfortunately, data crimes are common. Because of this, everyone that works with SQL Server should have a basic understanding of database security. Attend this session to learn the what, how, and why of database security. Learn what permissions, securables, and principals are. Learn how to manage database security. Most importantly, learn what the best practices are and why they are important. Your company's data is your responsibility, and after attending this session you can step up and keep it safe.

Session recording: SQLServerSecurityBasics_KennethFisher (31 MB)
Slide deck: SQLServerSecurityBasics_KennethFisher.pptx (905 KB)
Watch on Youtube:

2015 Presentations
December 2015
Row Level Security (RLS)
Presenter: Geri Reshef

Row Level Security (RLS) is a built-in feature that was added to Azure SQL Database at the beginning of 2015, and later to the SQL Server 2016 CTPs. It lets the administrator control which rows a user can read and modify in a table, in addition to controlling access to the table itself. The presentation will show a possible workaround for earlier versions that do not support RLS, several scenarios for implementing the new feature, performance considerations, and a critical review.

Session recording: 2015-12-03 10.04 Row Level Security (RLS) by Geri (66 MB)
Slide deck: GeriReshef_RLS.pptx
TSQL: RLS.sql.txt
Watch on Youtube: Pending...

October 2015
Where Should I Be Encrypting My Data?
Presenter: Joseph D'Antoni

In this session, we'll look at all the various places within the application stack where data can be encrypted or hashed. These places and encryption technologies include the application layer, the middle tier, the database layer, encryption over the wire, transparent data encryption, encryption in the MPIO driver, and offloading encryption to the HBAs. With this information in hand, you'll be able to make the best decisions about where in the application stack to do this work. You will also get information about using Always Encrypted in SQL Server 2016.


Keeping SQL Server and SQL Database Secure and Compliant
Presenter: Jack Richins

As part of operating the Azure SQL DB service, the SQL Server Team has gone through several audits such as PCI, FedRAMP, SOC, etc. as documented on Microsoft Azure Trust Center. I’ll be sharing some of the things we’ve learned that will help SQL Server and Azure SQL DB admins achieve compliance. I’ll also be taking questions and hope to hear from you what frustrations you face trying to become compliant with SQL Server and SQL DB.

Session (14.85 MB)
Slide deck: KeepingSQLServerandSQLDatabaseSecureandCompliantbyJackRichins.pptx (56 KB)
Watch on Youtube:

September 2015
Azure AD authentication for SQL Database V12
Presenter: Mirek Sztajno

Azure SQL Database V12 supports a preview release of Azure Active Directory authentication, a mechanism for connecting to SQL Database by using identities in Azure Active Directory (Azure AD) for managed and federated domains. With Azure Active Directory authentication, you can manage the identities of database users and other Microsoft services centrally, which gives you a single place to manage SQL Database users and simplifies permission management.

Session (39.19 MB)
Slide deck: AzureAD.Authentication.Overview.PASS.SecurityVC.PPTX (281 KB)
Watch on Youtube:

Deep Dive on Encryption in SQL Server/SQL Database
Presenter: Raul Garcia

This talk is a deep dive on protecting sensitive data at rest on SQL Server. We will cover several technologies that are available on SQL Server and on Azure SQL Database: Transparent Data Encryption, Cell-Level Encryption, and a new feature that encrypts data on the client, Always Encrypted.

Session (42.44 MB)
Demo (6 KB)
Watch on Youtube:

August 2015
SQL Server Security
Presenter: Mattias Lind

SQL Server supports Windows Authentication and SQL Server login authentication, as well as partially contained databases. This session discusses how to use each of these methods successfully, with tips and tricks from the field.

Session (57.7 MB)
Slide deck: SQLServerSecuritywithMattiasLind.pptx (2.3 MB)
Watch on Youtube:

July 2015
Row-Level Security in SQL Server and SQL Database
Presenter: Tommy Mullaney

Description: This talk is a deep dive on Row-Level Security (RLS), a new security programmability feature on SQL Server and SQL Database that allows you to filter which rows users can access in a shared table. We’ll cover how to use RLS in common scenarios with demos and best practices.

Session (35.2 MB)
Watch on Youtube:
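Both RLS sessions on this page (this one and Geri Reshef's December 2015 talk, which also covers the pre-2016 workaround) are served by one added example. It is editor-supplied, not either presenter's demo; the dbo.Orders table, the tenant users and the Security schema are assumed. It shows a schema-bound predicate function attached to the table as both a filter and a block predicate, what a tenant sees and is refused, and the view-based emulation that older versions are limited to:

```sql
-- Added example (assumed schema and user names, not either session's demo): a
-- shared Orders table where each tenant user sees and changes only its own rows.
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    TenantUser sysname NOT NULL,       -- database user that owns the row
    Amount     money   NOT NULL);
INSERT INTO dbo.Orders (TenantUser, Amount)          -- constructed test rows
VALUES (N'tenant_a', 10), (N'tenant_a', 20), (N'tenant_b', 30);
CREATE USER tenant_a WITHOUT LOGIN;
CREATE USER tenant_b WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO tenant_a, tenant_b;
GO

-- SQL Server 2016 / Azure SQL Database: an inline table-valued predicate bound
-- to the table by a security policy. The function must be schema-bound.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_TenantPredicate (@TenantUser sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantUser = USER_NAME()        -- row belongs to the caller
              OR IS_MEMBER(N'db_owner') = 1;      -- owners see everything
GO
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantUser) ON dbo.Orders,  -- hides other rows
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantUser) ON dbo.Orders   -- rejects writes to them
    WITH (STATE = ON);
GO

EXECUTE AS USER = N'tenant_a';
SELECT OrderId, Amount FROM dbo.Orders;            -- two rows, both tenant_a's
BEGIN TRY
    INSERT INTO dbo.Orders (TenantUser, Amount) VALUES (N'tenant_b', 99);
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;   -- rejected by the BLOCK predicate
END CATCH;
REVERT;
GO

-- Before 2016 the usual substitute is a view that filters on the caller and
-- refuses writes outside the filter, with direct table access taken away.
-- Caveat: any path that still reaches dbo.Orders directly bypasses it.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM tenant_a, tenant_b;
GO
CREATE VIEW dbo.MyOrders
AS
    SELECT OrderId, TenantUser, Amount
    FROM dbo.Orders
    WHERE TenantUser = USER_NAME() OR IS_MEMBER(N'db_owner') = 1
    WITH CHECK OPTION;                 -- the view's own "block predicate"
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.MyOrders TO tenant_a, tenant_b;
```

The filter predicate alone is not enough for a write path: without the block predicate, tenant_a could insert a row tagged tenant_b and simply never see it again. That asymmetry is the first thing to check when reviewing an RLS policy.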

June 2015
SQL Server and Application Security for Developers
Presenter: Mladen Prajdic

Description: A lot of companies have a philosophy of "ship early with as many features as possible.” Security is an afterthought since it isn't fun to do and no one will attack them anyway. However, the dark side never sleeps, and security breaches have always happened, often leaving companies severely exposed or even bankrupt.

In this session we'll look at a few attack vectors that can be used against your company, and what you as a developer can and should do to protect against them. It will involve a good mix of security conscious SQL Server and application development, because you care about your work and nobody messes with you.

Session (80.39 MB)
Slide deck: SQLAndAppSecurityForDevs.pptx (771 KB)
Demo (254 KB)

May 2015
Always Encrypted in SQL Server 2016 and Azure SQL Database
Presenter: Jakub Szymaszek

Description: This talk provides an overview of Always Encrypted, the new encryption technology in SQL Server and Azure SQL Database. Quite different from Transparent Data Encryption, Always Encrypted protects data not only at rest but also in use and in transit. With Always Encrypted, encryption and decryption happen transparently on the application side, in the client driver, using keys stored in a trusted location outside of SQL Server, so even DBAs cannot look at plaintext data. The talk will include a demo showing how to develop applications using Always Encrypted and will explain how the technology works.

Session (28.2 MB)

Real World SQL Server Database Administration with just a bit of sysadmin
Presenter: Ronald Dameron

Description: If you are interested in minimizing or possibly preventing the type of breach that happened at Anthem Inc, you will likely find my session "Real World SQL Server Database Administration with just a bit of sysadmin" very interesting.

It is becoming increasingly difficult to allow SQL Server database administrators to retain perpetual sysadmin access on production servers due to IT Security, Audit, and Compliance concerns.

I will review the fundamentals needed to define a configurable permission model currently in use at a large insurance company that allows database administrators to do routine work without having unfettered access to business data. Several demonstrations will show that many DBA tasks can be done without sysadmin access. Attendees will also learn how to deploy a set of permissions that allows DBAs to do routine work, elevate DBA permissions quickly to respond to production emergencies and how to grant sysadmin permissions during disaster recovery scenarios. Scripts will be reviewed and demonstrated that secure the database server, undo the permission model in case of unforeseen circumstances and discover which servers remain to be locked down. Attendees will leave this session with the realization that DBAs need to be sysadmin only when required.

Session slide deck: SQLServerAdminWithAbitOfSysadmin.pdf (5.6 KB)
Session (32.1 MB)
Session scripts: (7 KB)

April 2015
Analysis Services Security
Presenter: Stacia Misner

Description: Because an Analysis Services multidimensional database is secure by default, security must be configured before users can query cubes. In this session, we review how to configure roles for user access and how to restrict what users see. In addition, we will explore techniques for advanced security scenarios, including data-driven security on standard and parent-child dimensions and permissions for writeback of cell and dimension data. Last, we will cover administrator security to control access to Analysis Services at the database and server level.

Session slide deck: AnalysisServicesSecurityWithStaciaMisner.pdf (370.5 KB)
Session (29.1 MB)

March 2015
SOX and ISO 27001 Audits for Databases
Presenter: Megha Thakkar

Description: Are you a public company? Are you implementing the ISO 27001 security standard, or planning to implement it in the near future? If so, you will want to learn about SOX 404 and ISO 27001 compliance requirements and the audit process.

The session will cover the audit requirements, best practices, remediation efforts and, most importantly, “what does it mean for you and your organization”. We will talk about SOX topics: Segregation of Duties, Access Management, Policies and related controls. We will also talk about ISO 27001: what it is, Annex A controls related to databases, the certification process, risk assessment and other related topics.

Audit is not that fun, but I will try to make it fun in less than 1 hour.

Please feel free to reach out to Megha via email if you have follow up questions.

Session slide deck: SOXandISO27001AuditsforDatabaseswithMeghaThakkar.pptx (488 KB)
Session (17.05 MB)

2014 Presentations
April 2014
Understanding and Eliminating SQL Injection
Presenter: Kevin Feasel

Description: Over the past several years, hacktivists, criminals, and people just "out for lulz" have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. Army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.

March 2014
Microsoft SQL Server 2014 Countdown: Buffer Pool Extension and Resource Governor for IO
Presenter: Microsoft

Buffer Pool Extension can potentially increase the performance of OLTP applications by extending the SQL Server buffer pool onto non-volatile storage such as Solid State Drives (SSDs). In addition, the Resource Governor enhancements for IO in SQL Server 2014 allow much better control of physical IO in SQL Server resource pools.

See the full Microsoft SQL Server 2014 Countdown Webinar Schedule at:

Session recording: Streaming video

February 2014
Configuring SQL Access for the Web Developer
Presenter: Kendal Van Dyke

This session will demonstrate the ways that ASP & ASP.NET applications can be configured to make connections to SQL Server from different versions of IIS so that we can keep our servers secure and our DBAs happy. Session Goals:
1) Learn when to use SQL logins and when to use Windows Authentication
2) Understand the concept of impersonation
3) Learn how ASP and ASP.NET applications can be configured to use impersonation to make secure connections to SQL Server
4) Learn how to configure IIS and Windows to support impersonation.

Session slides and code: Configuring SQL Access for the Web (679.9 KB)
Session ( MB)
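The IIS side of this session is configuration; the SQL side, and the check a DBA runs to see which identity actually arrived, are shown in the following added example (editor-supplied, not the session's files; the service account, database and role names are assumed). The same query answers the Kerberos question from Kathi Kellenberger's SSRS session above: auth_scheme tells you whether the hop used Kerberos or silently fell back to NTLM, which is why delegation breaks.

```sql
-- Added example (assumed account, database and role names): the SQL side of an
-- ASP.NET application that connects as its application pool identity, plus the
-- query that shows which identity and authentication scheme each session used.
USE master;
GO
-- Windows authentication: no password in web.config, rotation handled by AD.
CREATE LOGIN [CORP\svc-webapp] FROM WINDOWS;          -- the app pool's domain account (assumed)
GO
USE AppDb;
GO
CREATE USER [CORP\svc-webapp] FOR LOGIN [CORP\svc-webapp];
CREATE ROLE app_exec;
GRANT EXECUTE ON SCHEMA::dbo TO app_exec;             -- procedures only: no table rights, no db_owner
ALTER ROLE app_exec ADD MEMBER [CORP\svc-webapp];
GO
-- When Windows authentication is not possible (cross-domain, non-Windows client),
-- a SQL login scoped the same way is the fallback; keep the policy checks on and
-- never give it a default database it could do damage in.
CREATE LOGIN webapp_sql WITH PASSWORD = N'<generated secret kept in the config vault>',
    CHECK_POLICY = ON, CHECK_EXPIRATION = ON, DEFAULT_DATABASE = AppDb;
CREATE USER webapp_sql FOR LOGIN webapp_sql;
ALTER ROLE app_exec ADD MEMBER webapp_sql;
GO
-- With impersonation turned on in IIS the connection arrives as the end user
-- instead of the pool identity. This shows which one you actually got, whether
-- the hop used Kerberos (needed for delegation) or fell back to NTLM, and
-- whether the connection is encrypted.
SELECT s.session_id,
       s.login_name,                 -- identity SQL Server authenticated
       s.original_login_name,        -- differs only if EXECUTE AS changed context afterwards
       s.host_name, s.program_name,
       c.auth_scheme,                -- SQL, NTLM or KERBEROS
       c.encrypt_option,             -- TRUE when TLS protects this connection
       c.client_net_address
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_name;
```

If a web server that should be delegating shows auth_scheme = NTLM, the usual causes are a missing or duplicate SPN for the SQL Server service account or delegation not enabled on the web server's account; the query will not fix that, but it tells you where to look.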

January 2014
Code-Less Securing of SQL Server
Presenter: Argenis Fernandez

Learn from a Microsoft Certified Master how to secure your SQL Server infrastructure and your Windows installations to enhance resiliency and minimize exposure to attacks—all without touching any of your code!

Session recording: 2014-01-23 10.00 Code-Less Securing of SQL Server.wmv (46.9 MB)

2013 Presentations
December 2013
SQL Security Best Practices & Shrinking Your Attack Surface
Presenter: Matthew Brimer

SQL Security is a very broad and scary topic, one to which many days could be dedicated. In this session Matt will give a high-level overview of what database security is, what tools Microsoft gives you to accomplish it, and some simple things you can do to shrink your attack surface.

Slide deck and other session files: Database Security.pptx (1499 KB)
Session (331.7 MB)

November 2013
PCI for the SQL DBA
Presenter: Andy Warren (blog | @sqlandy)

Are you storing or planning to store credit card numbers? If so, you need to learn all you can about the requirements for PCI compliance. We'll cover how PCI works, from the requirements to the final audit and everything in between that you'll need to know something about. We'll talk about encryption, key management, logging, alerting, administrative access, granular permissions, tokenization, and as much more as we can fit into an hour. It's a complex topic, but that just makes it more interesting!

Slide deck and other session files: PCI for the SQL (2.1 MB)
Session recording: PCI For The SQL DBA (50.4 MB)

Implementing a HIPAA Compliance Strategy with SQL Server
Presenter: Brandon Leach (@SQLServerNerd)

HIPAA puts a lot of responsibility on our companies, and compliance can be hard to maintain. Today medical data is more valuable on the black market than a social security number or a credit card. As DBAs we're charged with the security of our data and thus act as the front line of defense. In this hour-long session we'll delve into the Health Insurance Portability and Accountability Act (HIPAA) and what implications it has for us as data professionals. We'll discuss SQL Server best practices that can help protect ourselves, our company, and the people whom we serve. We'll also dive into features in SQL Server that can help in this endeavor.

Slide deck: ImplementingAHIPAAComplianceStrategy.pptx (1341 KB)
Session (35.64 MB)

August 2013
Cure your sysadmin addiction
Presenter: Ronald Dameron

Learn how to use the Separation of Duties Framework and a Privileged Identity Management suite to minimize the permissions needed by DBAs to do routine work. I'll review the Separation of Duties Framework and an easy-to-implement, low-hassle solution that provides DBAs the minimum access required to maintain the server without being able to view user data. I will prove that sysadmin is not required as often as most DBAs think. Also, attendees will learn how to define a permission set with a single script that allows your company’s DBAs to do routine work, and how to elevate DBA permissions quickly to respond to production emergencies.
Slides and (668 KB)
Session recording: Not available due to technical difficulties.
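Both of Ronald Dameron's sessions on this page (this one and "Real World SQL Server Database Administration with just a bit of sysadmin", May 2015) describe the same permission model: a routine-work role without sysadmin, quick elevation for emergencies, and a way to find servers not yet locked down. The following is an added example of that shape, editor-supplied rather than the presenter's scripts; the Windows group, login, table and procedure names are assumed, and the break-glass procedure depends on living in master, as its comment explains:

```sql
-- Added example (assumed group, login, table and procedure names; not the
-- presenter's scripts): a routine-work server role that carries no right to
-- read user data, a logged and time-boxed sysadmin elevation, and a check
-- for who still holds sysadmin.
USE master;
GO
CREATE SERVER ROLE DBA_Routine AUTHORIZATION sa;          -- user-defined server roles: SQL Server 2012+
GRANT VIEW SERVER STATE, ALTER SERVER STATE,               -- DMVs, DBCC, plan cache, sessions
      VIEW ANY DEFINITION, VIEW ANY DATABASE,              -- metadata, not rows
      ALTER TRACE, ALTER ANY EVENT SESSION,                -- tracing and Extended Events
      CREATE ANY DATABASE, CONNECT ANY DATABASE            -- CONNECT ANY DATABASE: 2014+
    TO DBA_Routine;
-- Not granted on purpose: CONTROL SERVER, IMPERSONATE ANY LOGIN, ALTER ANY LOGIN,
-- UNSAFE ASSEMBLY, securityadmin. Each of these can be turned into data access.
ALTER SERVER ROLE DBA_Routine ADD MEMBER [CORP\DBA-Team];  -- assumed Windows group
ALTER SERVER ROLE sysadmin    DROP MEMBER [CORP\DBA-Team]; -- the lock-down itself
GO
CREATE TABLE dbo.DbaElevations (
    Id        int IDENTITY PRIMARY KEY,
    LoginName sysname      NOT NULL,
    TicketId  varchar(50)  NOT NULL,
    GrantedBy sysname      NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ExpiresAt datetime2(0) NOT NULL,
    RevokedAt datetime2(0) NULL);
GO
-- Break glass. This procedure lives in master, whose owner is sa and which is
-- TRUSTWORTHY by default, so EXECUTE AS OWNER performs the role change as sa.
-- In any other database, sign the procedure with a certificate instead.
CREATE PROCEDURE dbo.usp_ElevateDBA
    @Login    sysname,
    @TicketId varchar(50),
    @Minutes  int = 120
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @until datetime2(0) = DATEADD(MINUTE, @Minutes, SYSDATETIME());
    DECLARE @msg nvarchar(400) = CONCAT(N'sysadmin granted to ', @Login, N' for ticket ', @TicketId,
                                        N' by ', ORIGINAL_LOGIN(), N' until ', CONVERT(nvarchar(30), @until, 120));
    RAISERROR(@msg, 10, 1) WITH LOG;                       -- SQL error log and Windows event log
    INSERT INTO dbo.DbaElevations (LoginName, TicketId, ExpiresAt) VALUES (@Login, @TicketId, @until);
    DECLARE @sql nvarchar(max) = N'ALTER SERVER ROLE sysadmin ADD MEMBER ' + QUOTENAME(@Login) + N';';
    EXEC sys.sp_executesql @sql;
END
GO
GRANT EXECUTE ON dbo.usp_ElevateDBA TO DBA_Routine;        -- fast to use, impossible to do quietly
GO
-- Scheduled revert (SQL Agent job every few minutes): drop every elevation whose window closed.
CREATE PROCEDURE dbo.usp_RevertExpiredDBA
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @login sysname, @sql nvarchar(max);
    DECLARE c CURSOR LOCAL FAST_FORWARD FOR
        SELECT DISTINCT LoginName FROM dbo.DbaElevations
        WHERE ExpiresAt <= SYSDATETIME() AND RevokedAt IS NULL;
    OPEN c; FETCH NEXT FROM c INTO @login;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        SET @sql = N'ALTER SERVER ROLE sysadmin DROP MEMBER ' + QUOTENAME(@login) + N';';
        EXEC sys.sp_executesql @sql;
        UPDATE dbo.DbaElevations SET RevokedAt = SYSDATETIME()
        WHERE LoginName = @login AND RevokedAt IS NULL;
        FETCH NEXT FROM c INTO @login;
    END
    CLOSE c; DEALLOCATE c;
END
GO
-- Discovery: run against every instance to find servers not yet locked down.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND sp.name <> N'sa';
```

Undoing the model is the reverse of the first batch (add the group back to sysadmin, drop it from DBA_Routine, drop the role), which is what makes it safe to roll out one server at a time.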

July 2013
SQL Server Encryption Decrypted
Presenter: K. Brian Kelley (blog|@kbriankelley)

In this session we'll look at Microsoft SQL Server's built-in encryption options and how best to use them. We'll discuss best practices with respect to speed and security in the options available to us. Also, we'll briefly cover Transparent Data Encryption, a feature introduced in SQL Server 2008 Enterprise Edition, which encrypts the whole database at rest.

Slides and (248 KB)
Session recording: 2013-07-18 10.02 SQL Server Encryption (22 MB)
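The built-in options this session, Bob Pusateri's "SQL Server Encryption Basics" and Raul Garcia's deep dive all cover are shown together in the following added example (editor-supplied, not any presenter's demo; the database name, key paths and passwords are placeholders). It sets up TDE, backs up the certificate TDE depends on, encrypts a backup, and then contrasts cell-level encryption, which protects one column from anyone who cannot open the key:

```sql
-- Added example (assumed database name, paths and placeholder passwords): TDE,
-- certificate backup, backup encryption, and cell-level encryption side by side.
-- TDE and backup encryption need Enterprise Edition before SQL Server 2019.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master DMK password>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE and backup encryption certificate';
-- Back the certificate up now and store it off the box: without it the database
-- and every backup made under it are unrecoverable after a restore or rebuild.
BACKUP CERTIFICATE TdeCert TO FILE = N'C:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = N'C:\Keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
USE AppDb;
GO
-- Transparent Data Encryption: the data and log files are encrypted, but any
-- principal with SELECT still reads plaintext. It defends against stolen files,
-- not against a curious DBA. tempdb is encrypted too once any database is.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE AppDb SET ENCRYPTION ON;
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;            -- encryption_state 3 = fully encrypted
GO
-- Backup encryption (SQL Server 2014+) is independent of TDE and protects the
-- backup file itself with the same server certificate.
BACKUP DATABASE AppDb TO DISK = N'C:\Backups\AppDb.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TdeCert), COMPRESSION;
GO
-- Cell-level encryption: only the column is protected, and only principals who
-- can open the symmetric key (CONTROL on the certificate) get plaintext back.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong AppDb DMK password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = N'Protects the card-number key';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE CardCert;
CREATE TABLE dbo.Cards (
    CardId        int PRIMARY KEY,
    Last4         char(4) NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL);
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
-- The authenticator (here the row key) binds the ciphertext to its row so a value
-- cannot be copied from one row to another; 4111... is a constructed test number.
INSERT INTO dbo.Cards (CardId, Last4, CardNumberEnc)
VALUES (1, '1111', EncryptByKey(Key_GUID(N'CardKey'), N'4111111111111111', 1, CONVERT(varbinary(4), 1)));
SELECT CardId, Last4,
       CONVERT(nvarchar(19), DecryptByKey(CardNumberEnc, 1, CONVERT(varbinary(4), CardId))) AS CardNumber
FROM dbo.Cards;                                   -- NULL for anyone who could not open the key
CLOSE SYMMETRIC KEY CardKey;
```

The speed-versus-security trade-off the session mentions is visible here: TDE is free to query because decryption happens at the page level, while a cell-encrypted column cannot be indexed or searched on its plaintext and costs a function call per row.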

For updates on future meetings and events, follow us on Twitter at @PASS_SecurityVC.