Guide to protect SQL Server against speculative execution side-channel vulnerabilities





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







0















I am going through this link. My question is regarding Scenario 1 under recommendation as most of our SQL Servers run on physical machine




SQL Server runs on "bare metal" (no virtual machines)



AND no other untrusted application logic (application tier) is run on
the same machine



AND no untrusted SQL Server extensibility interfaces are being used
(see below for list).




What does it mean by untrusted application logic?



Does a webserver running on the same server with internally developed site constitute untrusted application logic?



What about a third party services that monitors the server?






sql-server sql-server-2014







share|improve this question














bumped to the homepage by Community 3 hours ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

    – Tony Hinkle
    Jan 8 '18 at 18:12











  • Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

    – sercurity
    Jan 8 '18 at 19:59











  • @security - now you know, in programming, trusted not secure has no meaning at all :)

    – kakaz
    Jan 10 '18 at 7:56













  • This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

    – kakaz
    Jan 10 '18 at 8:05


















0















I am going through this link. My question is regarding Scenario 1 under recommendation as most of our SQL Servers run on physical machine




SQL Server runs on "bare metal" (no virtual machines)



AND no other untrusted application logic (application tier) is run on
the same machine



AND no untrusted SQL Server extensibility interfaces are being used
(see below for list).




What does it mean by untrusted application logic?



Does a webserver running on the same server with internally developed site constitute untrusted application logic?



What about a third party services that monitors the server?






sql-server sql-server-2014







share|improve this question














bumped to the homepage by Community 3 hours ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

    – Tony Hinkle
    Jan 8 '18 at 18:12











  • Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

    – sercurity
    Jan 8 '18 at 19:59











  • @security - now you know, in programming, trusted not secure has no meaning at all :)

    – kakaz
    Jan 10 '18 at 7:56













  • This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

    – kakaz
    Jan 10 '18 at 8:05














0












0








0








I am going through this link. My question is regarding Scenario 1 under recommendation as most of our SQL Servers run on physical machine




SQL Server runs on "bare metal" (no virtual machines)



AND no other untrusted application logic (application tier) is run on
the same machine



AND no untrusted SQL Server extensibility interfaces are being used
(see below for list).




What does it mean by untrusted application logic?



Does a webserver running on the same server with internally developed site constitute untrusted application logic?



What about a third party services that monitors the server?






sql-server sql-server-2014







share|improve this question














I am going through this link. My question is regarding Scenario 1 under recommendation as most of our SQL Servers run on physical machine




SQL Server runs on "bare metal" (no virtual machines)



AND no other untrusted application logic (application tier) is run on
the same machine



AND no untrusted SQL Server extensibility interfaces are being used
(see below for list).




What does it mean by untrusted application logic?



Does a webserver running on the same server with internally developed site constitute untrusted application logic?



What about a third party services that monitors the server?






sql-server sql-server-2014




sql-server sql-server-2014






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 8 '18 at 4:16









sercuritysercurity

434




434





bumped to the homepage by Community 3 hours ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 3 hours ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

    – Tony Hinkle
    Jan 8 '18 at 18:12











  • Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

    – sercurity
    Jan 8 '18 at 19:59











  • @security - now you know, in programming, trusted not secure has no meaning at all :)

    – kakaz
    Jan 10 '18 at 7:56













  • This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

    – kakaz
    Jan 10 '18 at 8:05



















  • The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

    – Tony Hinkle
    Jan 8 '18 at 18:12











  • Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

    – sercurity
    Jan 8 '18 at 19:59











  • @security - now you know, in programming, trusted not secure has no meaning at all :)

    – kakaz
    Jan 10 '18 at 7:56













  • This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

    – kakaz
    Jan 10 '18 at 8:05

















The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

– Tony Hinkle
Jan 8 '18 at 18:12





The definition of "untrusted" is simply up to your judgement. Assuming you trust Microsoft's software, if you trust your web developers and the website is using IIS, then the website is not untrusted. Again, for the monitoring software--do you trust the developer? If it's freeware that you downloaded from www.bobsmalware.com, then probably not, but if it's a major, reputable software developer, then probably.

– Tony Hinkle
Jan 8 '18 at 18:12













Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

– sercurity
Jan 8 '18 at 19:59





Thanks @TonyHinkle, i was under the impression that the word "Trust" had some technical meaning in programming. Something like the executionpolicy setting in powershell or clr secury.

– sercurity
Jan 8 '18 at 19:59













@security - now you know, in programming, trusted not secure has no meaning at all :)

– kakaz
Jan 10 '18 at 7:56







@security - now you know, in programming, trusted not secure has no meaning at all :)

– kakaz
Jan 10 '18 at 7:56















This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

– kakaz
Jan 10 '18 at 8:05





This is probably the most disturbing example of untrusted application logic: en.m.wikipedia.org/wiki/… Notice that antivirus companies was involved in this scam, and AFAIK Symantec was paid for lack of detection. Another example: latest Kaspersky scam.

– kakaz
Jan 10 '18 at 8:05










1 Answer
1






active

oldest

votes


















0














Untrusted application logic means any application or service running any logic that you(r organization) does not trust.



For your purpose, if you want to be lenient (potentially less secure) you can substitute "unauthorized" for "untrusted" - if the server is running any unauthorized code, it falls under that category.



If you want to be conservative (potentially more secure), assume all your servers run untrusted application logic and move on with that as a founding security assumption, applying the more secure recommendations to them.






share|improve this answer
























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "182"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f194855%2fguide-to-protect-sql-server-against-speculative-execution-side-channel-vulnerabi%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Untrusted application logic means any application or service running any logic that you(r organization) does not trust.



    For your purpose, if you want to be lenient (potentially less secure) you can substitute "unauthorized" for "untrusted" - if the server is running any unauthorized code, it falls under that category.



    If you want to be conservative (potentially more secure), assume all your servers run untrusted application logic and move on with that as a founding security assumption, applying the more secure recommendations to them.






    share|improve this answer




























      0














      Untrusted application logic means any application or service running any logic that you(r organization) does not trust.



      For your purpose, if you want to be lenient (potentially less secure) you can substitute "unauthorized" for "untrusted" - if the server is running any unauthorized code, it falls under that category.



      If you want to be conservative (potentially more secure), assume all your servers run untrusted application logic and move on with that as a founding security assumption, applying the more secure recommendations to them.






      share|improve this answer


























        0












        0








        0







        Untrusted application logic means any application or service running any logic that you(r organization) does not trust.



        For your purpose, if you want to be lenient (potentially less secure) you can substitute "unauthorized" for "untrusted" - if the server is running any unauthorized code, it falls under that category.



        If you want to be conservative (potentially more secure), assume all your servers run untrusted application logic and move on with that as a founding security assumption, applying the more secure recommendations to them.






        share|improve this answer













        Untrusted application logic means any application or service running any logic that you(r organization) does not trust.



        For your purpose, if you want to be lenient (potentially less secure) you can substitute "unauthorized" for "untrusted" - if the server is running any unauthorized code, it falls under that category.



        If you want to be conservative (potentially more secure), assume all your servers run untrusted application logic and move on with that as a founding security assumption, applying the more secure recommendations to them.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jan 10 '18 at 2:56









        Anti-weakpasswordsAnti-weakpasswords

        1,464712




        1,464712






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Database Administrators Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f194855%2fguide-to-protect-sql-server-against-speculative-execution-side-channel-vulnerabi%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            ف. موراي أبراهام

            Image
            ف. موراي أبراهام F. Murray Abraham ف. موراي أبراهام في 2008 معلومات شخصية الاسم عند الولادة فريد مراد إبراهيم Fahrid Murray Abraham الميلاد 24 أكتوبر 1939 (العمر 79 سنة) شاكبيتسبرغ، بنسيلفانيا مواطنة الولايات المتحدة  أسماء أخرى فرانك موراي أبراهام Frank Murray Abraham الحياة العملية المدرسة الأم جامعة تكساس في أوستن  التلامذة المشهورين جون كيل [1]   المهنة ممثل تلفزيوني،  وممثل أفلام،  وممثل تعبيري،  وممثل مسرحي  سنوات النشاط 1971–الآن موظف في كلية بروكلين  الجوائز جائزة الأوسكار لأفضل ممثل  (عن عمل:أماديوس)   المواقع IMDB صفحته على IMDB  السينما.كوم صفحته على السينما.كوم  تعديل   ف. موراي أبراهام (بالإنجليزية: F. Murray Abraham ) ، ممثل أمريكي من اصل سوري أرثوذكسي من ناحية الاب وإيطالي من ناحية الام وهو ممثل أمريكي من مواليد 24 أكتوبر 1939، حاصل على جائزة الأوسكار 1984 كأفضل ممثل عن دوره في فيلم أماديوس كما حصل بنفس الدور على جائزة الغولدن غلوب 1985 كأفضل ممثل في فيلم د...
            Read more

            صرب

            Image
            صرب التعداد الكلي 11.5–12.5 مليون [a] مناطق الوجود المميزة يبلغ عدد سكانها أكثر 100,000 في يوغوسلافيا السابقة   صربيا (excl. كوسوفو) 5,988,150 (2011)   البوسنة والهرسك 1,086,733 (2013) [1]   الجبل الأسود b 178,110 (2011) [2]   كوسوفو 90–120,000 (2012 قالب:Estimation) a   سلوفينيا 38,964 (2002) [3]   جمهورية مقدونيا 35,939 (2002) [4] بقية أوروبا · ·   ألمانيا بحدود 500,000 (2014 قالب:Estimation)   النمسا بحدود 300,000 (2010 قالب:Estimation) [5]   سويسرا بحدود 71,260 (2015 قالب:Estimation) [6]   فرنسا بحدود 120,000 (2002 قالب:Estimation) [7]   السويد بحدود 110–120,000 (قالب:Estimation)   المملكة المتحدة بحدود 70,000 (2001 قالب:Estimation) [8]   رومانيا 18,076 (2011) [9] أمريكا الشمالية ·   الولايات المتحدة c 199,080 (2012) [10]   كندا c 80,320 (2011) [11] بقية العالم ·   أستراليا c 69,544 (2011) [12] ...
            Read more

            كأس إنترتوتو

            Image
            كأس إنترتوتو شعار كأس إنترتوتو معلومات عامة الرياضة كرة القدم انطلقت 1968 (1995 من قبل اليويفا) انتهت 2008 المنظم الاتحاد الأوروبي لكرة القدم عدد الطبعات 35 نسخة رسمية تواترها سنوية عدد المشاركين 50 فريق الموقع الرسمي الموقع الرسمي الأكثر تتويجا هامبورغ شتوتغارت شالكه 04 نادي فياريال (لقبين) التسلسل الزمني للمنافسة تعديل   كأس إنترتوتو (بالإنجليزية: UEFA Intertoto Cup ) هي مسابقة كرة قدم صيفية لأندية كرة القدم الأوروبية التي لم تأهل للبطولات الكبرى المختلفة التي تقام سنوياً تحت رعاية الاتحاد الأوروبي لكرة القدم؛ مثل دوري أبطال أوروبا وكأس الاتحاد الأوروبي سابقاً. وقد أنشئت المسابقة في موسم 1961–62 كبطولة ودية تضم عدة أندية كرة قدم أوروبية، قبل أن يقوم الاتحاد الأوروبي لكرة القدم بإضافتها لقائمة البطولات المعترفة بها في عام 1995. وفي عام 2008 قام الاتحاد الأوروبي لكرة القدم بدمج بطولة كأس إنترتوتو مع بطولة كأس الاتحاد الأوروبي، [1] وبهذا أصبحت كل من بطولة كأس الاتحاد الأوروبي و كأس إنترتوتو وكأس الكؤوس الأوروبية مدموج...
            Read more