Are the posted questions getting worse?

  • Congratulations on passing the STIg audit

  • I thought that this was the Stig:

    -- Gianluca Sartori

  • This is the DBA Stig

  • Hahaha. Brent is always a star!

    -- Gianluca Sartori

  • jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand (no login should have the "CONNECT SQL" privilege directly granted, or no privileges with "GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    I'm glad someone else is dealing with the exact same problems I am. I suspect few people are discussing it because they aren't sure if it's allowed.

    I find it interesting that we aren't supplied with jobs or policies that can be loaded per instance so that every DECC has the same method/settings. That's assuming someone is creating the STIGs who actually knows how SQL functions, though. Based on the Fix Text syntax supplied, it's someone who hasn't written T-SQL since SQL 2000.
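    As an added example (not from any poster in this thread), here is a read-only T-SQL audit that lists the two STIG items named above: permissions granted WITH GRANT OPTION, at server and database level, and explicit CONNECT SQL grants to individual logins. It uses only the standard catalog views; the output depends on whatever principals exist on the instance it is run against.

```sql
-- Added example: audit queries for the two STIG items mentioned in the post.
-- Read-only; uses only catalog views.

-- 1. Server-level permissions granted WITH GRANT OPTION (state 'W').
SELECT  grantee.name        AS grantee,
        grantee.type_desc   AS grantee_type,
        sp.permission_name,
        sp.class_desc,
        grantor.name        AS grantor
FROM    sys.server_permissions sp
JOIN    sys.server_principals grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN    sys.server_principals grantor ON grantor.principal_id = sp.grantor_principal_id
WHERE   sp.state = 'W'                       -- GRANT_WITH_GRANT_OPTION
ORDER BY grantee.name, sp.permission_name;

-- 2. The same check inside the current database (run once per database).
SELECT  DB_NAME()           AS database_name,
        grantee.name        AS grantee,
        dp.permission_name,
        dp.class_desc,
        grantor.name        AS grantor
FROM    sys.database_permissions dp
JOIN    sys.database_principals grantee ON grantee.principal_id = dp.grantee_principal_id
JOIN    sys.database_principals grantor ON grantor.principal_id = dp.grantor_principal_id
WHERE   dp.state = 'W'                       -- GRANT_WITH_GRANT_OPTION
ORDER BY grantee.name, dp.permission_name;

-- 3. CONNECT SQL granted directly to a login rather than inherited through a role.
--    Note: CREATE LOGIN itself records an explicit CONNECT SQL grant for each login,
--    so this list is the raw input to the interpretation the post complains about,
--    not a finding by itself. is_disabled lets disabled logins be triaged separately.
SELECT  l.name,
        l.type_desc,
        l.is_disabled,
        sp.state_desc
FROM    sys.server_permissions sp
JOIN    sys.server_principals l ON l.principal_id = sp.grantee_principal_id
WHERE   sp.permission_name = 'CONNECT SQL'
  AND   l.type IN ('S', 'U', 'C', 'K')       -- SQL, Windows, certificate- and key-mapped logins
ORDER BY l.name;
```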

  • SqlSanctum (5/6/2015)


    jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand (no login should have the "CONNECT SQL" privilege directly granted, or no privileges with "GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    I'm glad someone else is dealing with the exact same problems I am. I suspect few people are discussing it because they aren't sure if it's allowed.

    I find it interesting that we aren't supplied with jobs or policies that can be loaded per instance so that every DECC has the same method/settings. That's assuming someone is creating the STIGs who actually knows how SQL functions, though. Based on the Fix Text syntax supplied, it's someone who hasn't written T-SQL since SQL 2000.

    I've figured that the STIG writers are probably someone whose idea of high technology is their Motorola StarTac flip phone from the '90s, who has been provided a copy of the best practices guide, a whip, and a team of 100 trained monkeys with typewriters...

    It's interesting that people would wonder if they can or can't discuss the STIGs, seeing as they are freely and publicly available...

    Kind of indicates to me, go ahead and discuss them, as long as you don't give out details of your workplace / environment.

  • I'm so confused on what's going on right now. I started looking on Google and bumped into the NSA and now I'm back to The Stig. 😀

  • jasona.work (5/6/2015)


    SqlSanctum (5/6/2015)


    jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand (no login should have the "CONNECT SQL" privilege directly granted, or no privileges with "GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    I'm glad someone else is dealing with the exact same problems I am. I suspect few people are discussing it because they aren't sure if it's allowed.

    I find it interesting that we aren't supplied with jobs or policies that can be loaded per instance so that every DECC has the same method/settings. That's assuming someone is creating the STIGs who actually knows how SQL functions, though. Based on the Fix Text syntax supplied, it's someone who hasn't written T-SQL since SQL 2000.

    I've figured that the STIG writers are probably someone whose idea of high technology is their Motorola StarTac flip phone from the '90s, who has been provided a copy of the best practices guide, a whip, and a team of 100 trained monkeys with typewriters...

    It's interesting that people would wonder if they can or can't discuss the STIGs, seeing as they are freely and publicly available...

    Kind of indicates to me, go ahead and discuss them, as long as you don't give out details of your workplace / environment.

    Your assessment of the STIG writers is probably too close to the truth for comfort >_<

    I was a bit surprised the day I realized they were publicly available, so I assume others would be too. At least where I am at, there's not much of a mentality to look for help outside the building for STIG related issues.

    I've been creating policies almost non-stop for the past week, so hopefully we can breeze through audits, at least until the next STIG comes out...

  • Steve, great picture. I managed not to take any pictures of Rob or Brent that night. Although, to be fair, I didn't think The Stig was Brent, but a paid actor :-O

    But how I missed Rob I just don't know. Must try harder next year!

    Rodders...

  • SqlSanctum (5/6/2015)


    jasona.work (5/6/2015)


    SqlSanctum (5/6/2015)


    jasona.work (5/5/2015)


    Bloody heck I hate dealing with DISA STIGs!

    I'm also surprised that (in my quick Googling) there aren't more discussions / blog posts / articles around the web on applying and interpreting them. And frankly, that's what it comes down to: the interpretation of the wording of the STIG.

    Some are fairly straightforward to understand (no login should have the "CONNECT SQL" privilege directly granted, or no privileges with "GRANT WITH GRANT"); others, well, not so clear.

    Making it worse, of course, is you have multiple, competing interpretations:

    1. The DBA trying to apply the STIG

    2. The security team's interpretation

    3. DISA's interpretation

    Quite often with #2 and #3 being done by non-technical people.

    Anyone want to see if we can get Steve to spin up a sub-forum just for discussing SQL STIGs?

    😉

    I'm glad someone else is dealing with the exact same problems I am. I suspect few people are discussing it because they aren't sure if it's allowed.

    I find it interesting that we aren't supplied with jobs or policies that can be loaded per instance so that every DECC has the same method/settings. That's assuming someone is creating the STIGs who actually knows how SQL functions, though. Based on the Fix Text syntax supplied, it's someone who hasn't written T-SQL since SQL 2000.

    I've figured that the STIG writers are probably someone whose idea of high technology is their Motorola StarTac flip phone from the '90s, who has been provided a copy of the best practices guide, a whip, and a team of 100 trained monkeys with typewriters...

    It's interesting that people would wonder if they can or can't discuss the STIGs, seeing as they are freely and publicly available...

    Kind of indicates to me, go ahead and discuss them, as long as you don't give out details of your workplace / environment.

    Your assessment of the STIG writers is probably too close to the truth for comfort >_<

    I was a bit surprised the day I realized they were publicly available, so I assume others would be too. At least where I am at, there's not much of a mentality to look for help outside the building for STIG related issues.

    I've been creating policies almost non-stop for the past week, so hopefully we can breeze through audits, at least until the next STIG comes out...

    I've moved from doing T-SQL and other programming into Cyber Security at a Nuclear Plant in the US. What was said above is the regulations for Cyber Security by the NRC. And Nuclear is doing the same... not looking outside the building. Our regs come, largely, from NIST 800-53 which is designed for server/workstation environments... not industrial plants that haven't upgraded much since 1985.

  • Catch the comment in this post: http://www.sqlservercentral.com/Forums/FindPost1683559.aspx

  • Lynn Pettis (5/7/2015)


    Catch the comment in this post: http://www.sqlservercentral.com/Forums/FindPost1683559.aspx

    The problem is that this newborn isn't really a newborn, but keeps asking questions and making comments that show that he hasn't learned a thing or has just learned misconceptions.

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • Luis Cazares (5/7/2015)


    Lynn Pettis (5/7/2015)


    Catch the comment in this post: http://www.sqlservercentral.com/Forums/FindPost1683559.aspx

    The problem is that this newborn isn't really a newborn, but keeps asking questions and making comments that show that he hasn't learned a thing or has just learned misconceptions.

    True, but I think the real question lies in asking which one is better? On one side we have the statement itself and on the other side, we have poor Lynn spitting soda out his nose. I've been there and I assure you it is not comfortable.

  • Ed Wagner (5/7/2015)


    Luis Cazares (5/7/2015)


    Lynn Pettis (5/7/2015)


    Catch the comment in this post: http://www.sqlservercentral.com/Forums/FindPost1683559.aspx

    The problem is that this newborn isn't really a newborn, but keeps asking questions and making comments that show that he hasn't learned a thing or has just learned misconceptions.

    True, but I think the real question lies in asking which one is better? On one side we have the statement itself and on the other side, we have poor Lynn spitting soda out his nose. I've been there and I assure you it is not comfortable.

    That's serious: not only is his health compromised, but also the integrity of his computer or any other electronic device near him.

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • Ok, I need to write something.

    Article requests?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
