SQL Server 2008R2 Security Best Practices

SQL Server 2008 R2 Security Best Practices – Operational and Administrative Tasks

SQL Server White Paper

Author: Bob Beauchemin, SQLskills

Technical Reviewers: Raul Garcia, Lara Rubbelke, Darmadi Komo

Published: December 2010

Applies to: SQL Server 2008 R2 and SQL Server 2008

Summary:

Security is a crucial part of any mission-critical application. This paper describes best practices for setting up and maintaining security in SQL Server 2008 R2.

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, <plus, in alphabetical order, all Microsoft trademarks used in your white paper> are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Introduction
Compliance
  Surface Area Reduction
  Policy-Based Management
  Service Account Selection and Management
  SQL Server Best Practices Analyzer and other analysis utilities
  Patching and Automatic Windows Update
  Industry Compliance
Encryption
  Data and Database Encryption
  SSL Encryption
Access Control
  Administrator Privileges
  Database Ownership and Trust
  Lockdown of System Stored Procedures
  Schemas
  Authorization
  Catalog Security
  Execution Context
  Remote Data Source Execution
Authentication
  Authentication Modes and Logins
  Password Policy
Network Security
Auditing
Conclusion

Introduction

This white paper covers some of the operational and administrative tasks associated with Microsoft® SQL Server™ 2008 R2 security and enumerates best practices and operational and administrative tasks that will result in a more secure SQL Server system. Each topic describes a feature and its best practices. For additional information on the specifics of utilities, features, and DDL statements referenced in this white paper, see SQL Server 2008 R2 Books Online. Features and options that are new, or defaults that have changed, in SQL Server 2008 and SQL Server 2008 R2 are identified. The target audience for this white paper is the operational DBA, that is, the administrator responsible for SQL Server setup and day-to-day operations; the paper provides prescriptive guidance on a task-by-task basis. Coding examples for operational tasks use Transact-SQL, so understanding Transact-SQL is required for you to get the most out of this paper.

Compliance

Surface Area Reduction

SQL Server 2008 R2 installation minimizes the “attack surface” because by default, optional features are not installed. During installation the administrator can choose to install:

  • Database Engine
  • Analysis Services Engine
  • Reporting Services
  • Integration Services
  • Tools
  • Documentation

It is a best practice to review which product features you actually need and install only those features. Later, install additional features only as needed. SQL Server 2008 R2 does not install any samples or sample databases; the official SQL Server samples are now available on the CodePlex website. Each item of official sample code has undergone a review to ensure that the code follows best practices for security. Each sample uses Microsoft Windows® security principals and illustrates the principle of least privilege.

SQL Server has always been a feature-rich database and the number of new features in SQL Server 2008 R2 can be overwhelming. One way to make a system more secure is to limit the number of optional features that are installed and enabled by default. It is easier to enable features when they are needed than it is to enable everything by default and then turn off features that you do not need. This is the installation policy of SQL Server 2008 R2, known as “off by default, enable when needed.” One way to ensure that security policies are followed is to make secure settings the default and make them easy to use.

SQL Server 2008 contains a new Policy-Based Management feature that makes it possible to define, deploy, and validate policy, and thereby enforce best practices. This feature subsumes and extends the SQL Server Surface Area Configuration tool that was introduced in SQL Server 2005. Although the Surface Area Configuration tool does not ship with SQL Server 2008, Microsoft provides some predefined policies that correspond to the settings that were managed with the Surface Area Configuration tool. These policies are available as XML files and include:

  • Surface Area Configuration for Database Engine 2005 and 2000 Features
  • Surface Area Configuration for Database Engine 2008 Features
  • Surface Area Configuration for Service Broker Endpoints
  • Surface Area Configuration for SOAP Endpoints
  • Surface Area Configuration for Analysis Services Features
  • Surface Area Configuration for Reporting Services 2005 Features
  • Surface Area Configuration for Reporting Services 2008 Features

Although there are other utilities (such as Services in Control Panel), server configuration commands (such as sp_configure), and APIs such as WMI (Windows Management Instrumentation) that you can use, the SQL Server Policy-Based Management combines this functionality into a single feature for ease-of-use. Policy-Based Management is usually configured through the graphic user interface, but can also be configured through system stored procedures or by using PowerShell scripts.

SQL Server Policy Based Management’s Surface Area Configuration policies divide configuration into two subsets: endpoints and features. The database engine features included in the predefined policy are:

  • CLR Integration
  • Remote use of a dedicated administrator connection
  • OLE Automation system procedures
  • System procedures for Database Mail and SQL Mail
  • Ad hoc remote queries (the OPENROWSET and OPENDATASOURCE functions)
  • xp_cmdshell availability
  • SQL Server Web Assistant (this was removed in SQL Server 2008)

You can use the SQL Server Configuration Manager tool to view the installed components of SQL Server and the client network interfaces for each engine component. The startup type for each service (Automatic, Manual, or Disabled) and the client network interfaces that are available can be configured on a per-instance basis.

As of SQL Server 2005, SQL Server Browser functionality was factored into its own service and is no longer part of the core database engine. Additional functions are also factored into separate services. Services that are not a part of the core database engine and can be enabled or disabled separately include:

  • SQL Server Active Directory Helper
  • SQL Server Agent
  • SQL Server Full-text Filter Daemon Launcher
  • SQL Server Browser
  • SQL Server VSS Writer

The SQL Server Browser service needs to be running only to support connections to named SQL Server instances that use TCP/IP dynamic port assignments. It is not needed for connections to default instances of SQL Server 2008 R2 or to named instances that use static TCP/IP ports. For a more secure configuration, always use static TCP/IP port assignments and disable the SQL Server Browser service. The VSS Writer allows backup and restore using the Volume Shadow Copy framework. This service is disabled by default. If you do not use Volume Shadow Copy, disable this service. If you are running SQL Server outside of an Active Directory® directory service, disable the Active Directory Helper.

Best practices for surface area reduction

  • Install only those components that you will immediately use. Additional components can always be installed as needed.
  • Enable only the optional features that you will immediately use.
  • Review optional feature usage before doing an in-place upgrade and disable unneeded features either before or after the upgrade.
  • Develop a policy with respect to permitted network connectivity choices. Use SQL Server Policy-Based Management to standardize this policy.
  • Develop a policy for the usage of optional features. Use SQL Server Policy-Based Management to standardize optional feature enabling. Document any exceptions to the policy on a per-instance basis.
  • Turn off unneeded services by setting the service to either Manual startup or Disabled.

Policy-Based Management

Policy-Based Management can not only be used to manage and configure the Surface Area, but can also be used to detect out-of-compliance conditions, although there is no strong guarantee that it can stop any behavior that would put you out of compliance with the policy. In addition to the Surface Area Configuration policies mentioned previously, SQL Server 2008 includes a set of security best practices policies. These policies include:

  • Asymmetric Key Encryption Algorithm
  • CmdExec Rights Secured
  • Guest Permissions
  • Public Not Granted Server Permissions
  • SQL Server Login Mode
  • SQL Server Password Expiration
  • SQL Server Password Policy
  • Symmetric Key Encryption for User Databases
  • Symmetric Key for master Database
  • Symmetric Key for System Databases
  • Trustworthy Database

You can implement these policies as-is, or customize them to enforce and ensure compliance with your shop standards. Some sample policies to assist in monitoring compliance are provided as part of the SQL Server 2008 Compliance Guide and also in the white paper “Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS)” by John Bastow.

SQL Server Policy-Based Management allows you to export and import policies using XML files and includes a PowerShell cmdlet that accomplishes the policy evaluation and can be used to script policy evaluation on a custom schedule.

SQL Server 2008 introduced a feature called Central Management Server to make it easier to manage groups of SQL Server instances. Using a Central Management Server you can evaluate a set of policies against a set of SQL Server instances. This enables you to standardize the configuration of a group of SQL Server 2008 instances. Note that, using a Central Management Server, you can evaluate policies against SQL Server 2000 and 2005 instances as well as SQL Server 2008.

As an adjunct and extension to the Policy-Based Management feature, the Enterprise Policy Management Framework CodePlex project allows management, history storage, and reporting on a set of SQL Server instances using a Central Management Server, PowerShell scripts, a history database, and SQL Server Reporting Services.

Best practices for policy-based management

  • Develop a policy for network connectivity, usage of optional features, and the implementation of SQL Server security best practices. Use SQL Server Policy-Based Management to standardize this policy.
  • Use Central Management Servers to standardize and enforce security policies across sets of servers in the enterprise.
  • Use Enterprise Policy Management Framework to consolidate history and reporting of sets of enterprise-wide policies.

Service Account Selection and Management

SQL Server 2008 R2 executes as a set of Windows services. Each service can be configured to use its own service account. This facility is exposed at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage these accounts. In addition, these accounts can be set programmatically through the SQL Server WMI Provider for Configuration. When you select a Windows account to be a SQL Server service account, you have a choice of:

  • Domain user that is not a Windows administrator
  • Local user that is not a Windows administrator
  • Network Service account
  • Local System account
  • Local user that is a Windows administrator
  • Domain user that is a Windows administrator

When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Only the first two account types in the list above (and Network Service account when running on Windows Server 2008 operating system) have both of these properties. Making the SQL Server service account an administrator, at either a server level or a domain level, or using Local System, bestows too many unneeded privileges and should never be done. The Local System account is the worst choice; it is not only an account with too many privileges, but it is a shared account on pre-Windows 2008 operating systems, and might be used by other services on the same server.

If you install SQL Server on an operating system older than Windows Server 2008, any other service that uses this account has the same set of privileges as the SQL Server service that uses the account. Although Network Service has network access and is not a Windows super-user account, it is a shareable account. This account is usable as a SQL Server service account only if you can ensure that no other services that use this account are installed on the server.

Windows Server 2008 introduced per-service security identifiers (known as per-service SIDs) to address this behavior. A per-service SID creates, in essence, an identity for each service, which enables access control using the existing Windows access control model. Services can now apply explicit access control lists (ACLs) to resources that are private to the service – preventing other services as well as the user from accessing that resource.

Using a local user or domain user that is not a Windows administrator is the best choice. With the introduction of service SIDs in Windows Server 2008, Network Service is as good a choice, and it also alleviates the need to change service passwords. If the server that is running SQL Server is part of a domain and must access domain resources such as file shares, or uses linked server connections to other computers running SQL Server, a domain account is the best choice. If the server is not part of a domain (for example, a server running in the perimeter network (also known as the DMZ) in a Web application) or does not need to access domain resources, a local user that is not a Windows administrator is preferred.

Creating the user account that will be used as a SQL Server service account is easier in SQL Server 2005 or later than in previous versions. When SQL Server 2005 or later is installed, a Windows group is created for each SQL Server service, and the service account is placed in the appropriate group. To create a user that will serve as a SQL Server service account, simply create an “ordinary” account that is either a member of the Users group (non-domain user) or Domain Users group (domain user). During installation, the user is automatically placed in the SQL Server service group and the group is granted exactly the privileges that are needed.

If the service account needs additional privileges, the privilege should be granted to the appropriate Windows group, rather than granted directly to the service user account. This is consistent with the way access control lists are best managed in Windows in general. For example, the ability to use the SQL Server Instant File Initialization feature requires that the Perform Volume Maintenance Tasks user rights be set in the Group Policy Administration tool. This privilege should be granted to SQLServerMSSQLUser$MachineName$MSSQLSERVER group for the default instance of SQL Server on server “MachineName.”

SQL Server service accounts should be changed only by using SQL Server Configuration Manager, or by using the equivalent functionality in the WMI APIs. Using Configuration Manager ensures that the new service account is placed in the appropriate Windows group and is thus granted exactly the correct privileges to run the service. SQL Server Configuration Manager also re-encrypts the service master key with the new account. (If the service account is instead changed through the Windows Service Control Manager, this re-encryption still happens automatically when SQL Server starts, thanks to a redundant copy of the service master key that is protected by DPAPI with the machine key.) For more information on the service master key, see Encryption later in this paper. Because SQL Server service accounts also abide by Windows password expiration policies, it is necessary to change the service account passwords at regular intervals. In SQL Server 2005 and later, it is easier to abide by password expiration policies because changing the password of the service account does not require restarting SQL Server.

The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with. In SQL Server 2005 and above, SQL Server Agent job steps can be configured to use proxies that encapsulate alternate credentials. A CREDENTIAL is simply a database object that is a symbolic name for a Windows user and password. A single CREDENTIAL can be used with multiple SQL Server Agent proxies. To accommodate the principle of least privilege, do not give excessive privileges to the SQL Server Agent service account. Instead, use a proxy that corresponds to a CREDENTIAL that has just enough privilege to perform the required task. A CREDENTIAL can also be used to reduce the privilege for a specific task if the SQL Server Agent service account has been configured with more privileges than needed for the task. Proxies can be used for:

  • ActiveX scripting
  • Operating system (CmdExec)
  • Replication agents
  • Analysis Services commands and queries
  • SSIS package execution (including maintenance plans)
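As an added example (not from the white paper), this script creates a CREDENTIAL for a low-privilege Windows account, wraps it in a SQL Server Agent proxy that is limited to the CmdExec subsystem, lets a single login use that proxy, and references the proxy from a job step; CONTOSO\svc_etl_runner, ETLOperator, the job name, the command and the password are all assumptions.

```sql
-- Added example, not from the white paper. CONTOSO\svc_etl_runner is a
-- hypothetical low-privilege Windows account, ETLOperator a hypothetical
-- SQL Server login, and 'Nightly ETL' a hypothetical existing Agent job.
USE master;
GO
-- 1. A CREDENTIAL stores the Windows account and its password under a symbolic name.
CREATE CREDENTIAL ETL_Runner_Cred
    WITH IDENTITY = N'CONTOSO\svc_etl_runner',
         SECRET   = N'<placeholder-password>';
GO
USE msdb;
GO
-- 2. A proxy makes the credential usable by SQL Server Agent job steps.
EXEC dbo.sp_add_proxy
    @proxy_name      = N'ETL_Runner_Proxy',
    @credential_name = N'ETL_Runner_Cred',
    @enabled         = 1;

-- 3. Restrict the proxy to the one subsystem the task needs (here CmdExec),
--    rather than every subsystem the Agent service account could reach.
EXEC dbo.sp_grant_proxy_to_subsystem
    @proxy_name     = N'ETL_Runner_Proxy',
    @subsystem_name = N'CmdExec';

-- 4. Allow only the specific login that owns the job to use the proxy.
EXEC dbo.sp_grant_login_to_proxy
    @login_name = N'ETLOperator',
    @proxy_name = N'ETL_Runner_Proxy';

-- 5. The job step runs as the proxy's Windows account, so the Agent service
--    account itself never needs file-share rights.
EXEC dbo.sp_add_jobstep
    @job_name   = N'Nightly ETL',
    @step_name  = N'Copy extract files',
    @subsystem  = N'CmdExec',
    @command    = N'robocopy \\fileserver\extracts D:\Staging /MIR',
    @proxy_name = N'ETL_Runner_Proxy';

-- Verification: which Windows identity, subsystems and logins the proxy ties together.
SELECT p.name AS proxy_name, c.credential_identity, s.subsystem, l.name AS login_name
FROM dbo.sysproxies AS p
JOIN sys.credentials AS c         ON c.credential_id = p.credential_id
JOIN dbo.sysproxysubsystem AS ps  ON ps.proxy_id     = p.proxy_id
JOIN dbo.syssubsystems AS s       ON s.subsystem_id  = ps.subsystem_id
LEFT JOIN dbo.sysproxylogin AS pl ON pl.proxy_id     = p.proxy_id
LEFT JOIN sys.server_principals AS l ON l.sid = pl.sid
WHERE p.name = N'ETL_Runner_Proxy';
```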

Best practices for SQL Server service accounts

  • Use a specific user account or domain account rather than a shared account for SQL Server services. The Network Service account can also be used if SQL Server is running on Windows Server 2008 and later operating systems.
  • Use a separate account for each service.
  • Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.
  • Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.
  • Always use SQL Server Configuration Manager to change service accounts.
  • Change the service account password at regular intervals.
  • Use CREDENTIALs to execute job steps that require specific privileges rather than adjusting the privilege to the SQL Server Agent service account.
  • If a user needs to execute a job that requires different Windows credentials, assign them a proxy account that has just enough permissions to get the task done.

SQL Server Best Practices Analyzer and other analysis utilities

SQL Server 2008 R2 Best Practices Analyzer has been released, and you can download it from the SQL Server 2008 R2 Best Practices Analyzer page on the Microsoft Download Center. SQL Server 2008 R2 Best Practices Analyzer (BPA) gathers data from Microsoft Windows and SQL Server configuration settings. Best Practices Analyzer uses a predefined list of SQL Server 2008/2008 R2 recommendations and best practices to determine if there are potential security issues in the database environment.

Microsoft Baseline Security Analyzer (MBSA) is a utility that scans for common insecurities in a SQL Server configuration. Run MBSA on a regularly scheduled basis, either locally or across the network. MBSA 2.2 scans for Windows operating system, security principal, network, and file system insecurities and tests for SQL Server 2000 and 2005 patch levels, but does not incorporate SQL Server 2008-specific checks yet. It will check to see if SQL Server 2005 is patched to the latest Service Pack version.

You can also use Microsoft Security Compliance Manager to manage security in general on machines running SQL Server. Part of Trustworthy Computing, this tool provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to efficiently manage the security and compliance process.

Best practice analysis utilities recommendations

  • Run SQL Server Best Practices Analyzer against SQL Server 2008/2008 R2.
  • Regularly run MBSA 2.2 to ensure the latest SQL Server 2005 patch level.
  • Use Microsoft Security Compliance Manager to provide centralized security baseline management.

Patching and Automatic Windows Update

The best way to ensure the security of the server software and of SQL Server 2008 R2 is to install security hotfixes and service packs as soon as possible. Apply updates manually at the operating system level by using Windows Update or Microsoft Update. You can enable automatic updates using Windows Update or Microsoft Update as well, but updates should be tested before they are applied to production systems. SQL Server 2005 and above incorporate SQL Server hotfixes and service packs into Windows Update. All hotfixes should be installed immediately, and service packs should be tested and installed as soon as possible. This requirement cannot be emphasized enough. For suggestions on minimizing downtime when installing hotfixes and service packs, see Preventing Reboots, Installing Multiple Updates, and More on Microsoft TechNet.

Best practices for patching SQL Server

  • Always stay as current as possible.
  • Enable automatic updates whenever feasible but test them before applying to production systems.

Industry Compliance

SQL Server 2008 R2 has achieved Common Criteria compliance and allows C2 auditing, helping administrators achieve compliance with industry standards such as PCI, HIPAA, and FIPS 140-2. For general information, refer to the Common Criteria Portal. For more information about C2 and Common Criteria auditing, refer to the Auditing section of this white paper. For more information about complying with specific industry standards, refer to white papers such as SQL Server 2008 in FIPS 140-2-compliance mode, PCI Compliance with SQL Server 2008 (and the associated webcast), and HIPAA Compliance with SQL Server 2008 (and the associated webcast).

The Common Criteria represents the outcome of efforts to develop criteria for evaluation of IT security that are widely useful within the international community. It stems from a number of source criteria: the existing European, US, and Canadian criteria (ITSEC, TCSEC, and CTCPEC respectively). The Common Criteria resolves the conceptual and technical differences between the source criteria. Both SQL Server 2005 SP2 and SQL Server 2008 have been certified to conform to the Common Criteria Specification. At the time of this writing, SQL Server 2005 SP2 conforms at EAL Level 4+ and SQL Server 2008 has been certified at EAL Level 1. The Common Criteria certification includes a required audit configuration (supplied as a trace setup DDL file), a product integrity check procedure, and a Guidance Addendum / Installation / Startup document.

SQL Server 2005 SP2 and above allow configuring an option that provides three elements required for Common Criteria compliance. These elements are enabled by a single instance configuration option:

  • Residual Information Protection, which overwrites memory with a known bit pattern before it is reallocated to a new resource.
  • The ability to view login statistics.
  • A column-level GRANT does not override table-level DENY.

You can configure an instance to provide these three elements for Common Criteria compliance by setting the configuration option common criteria compliance enabled, as shown in the following code.

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'common criteria compliance enabled', 1;
GO
RECONFIGURE;
GO

In addition to enabling the Common Criteria options in a SQL Server instance, you can use login triggers in SQL Server 2005 SP2 and above to limit logins based upon time of day or based on an excessive number of existing connections. The ability to limit logins based on these criteria is required for Common Criteria compliance.
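The following logon trigger, added here as an example (it is not from the white paper), applies both kinds of restriction to a hypothetical login named ReportingApp: it denies new sessions between 20:00 and 06:00 and caps the login at five concurrent sessions. The login name, the time window and the limit are assumptions.

```sql
-- Added example, not from the white paper. ReportingApp is a hypothetical
-- login; the 20:00-06:00 window and the five-session limit are assumptions.
USE master;
GO
CREATE TRIGGER trg_LimitReportingAppLogins
ON ALL SERVER
WITH EXECUTE AS 'sa'      -- querying sys.dm_exec_sessions needs VIEW SERVER STATE
FOR LOGON
AS
BEGIN
    -- Only the application login is constrained; administrators are unaffected.
    IF ORIGINAL_LOGIN() = N'ReportingApp'
    BEGIN
        DECLARE @hour int = DATEPART(hour, GETDATE());
        DECLARE @sessions int =
            (SELECT COUNT(*)
             FROM sys.dm_exec_sessions
             WHERE is_user_process = 1
               AND original_login_name = N'ReportingApp'); -- includes the logon in progress

        -- ROLLBACK in a logon trigger denies the connection: outside the
        -- permitted hours, or when five sessions already exist for the login.
        IF (@hour >= 20 OR @hour < 6) OR @sessions > 5
            ROLLBACK;
    END
END;
GO
-- Recovery: the dedicated administrator connection is not subject to logon
-- triggers, and the trigger is removed with
--   DROP TRIGGER trg_LimitReportingAppLogins ON ALL SERVER;
```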

SQL Server can be configured to support auditing that is compliant with C2 certification under the Trusted Database Interpretation (TDI) of the Trusted Computer System Evaluation Criteria (TCSEC) of the United States National Security Agency. For more information about C2 auditing, refer to the Auditing section of this white paper.

Best practices for compliance with industry standards

  • Use the guides provided at the SQL Server Compliance portal as adjuncts to achieving compliance with specific standards.
  • Enable C2 auditing or Common Criteria compliance only if required.

Encryption

Data and Database Encryption

SQL Server 2008 R2 has built-in data encryption, both at the cell level and for an entire database. Data encryption at the cell level is accomplished by means of built-in system procedures. Database-level data encryption (known as transparent data encryption or TDE) is accomplished by using DDL statements. TDE is an Enterprise version-only feature that is new in SQL Server 2008; cell-level encryption has been available since SQL Server 2005.

Encrypting data requires secure encryption keys and key management. A key management hierarchy is built into SQL Server. Each instance of SQL Server has a built-in service master key that is generated at installation; specifically, the first time that SQL Server is started after installation. The service master key is encrypted by using both the SQL Server Service account key and also the machine key. Both encryptions use the DPAPI (Data Protection API). A database administrator can define a database master key by using the following DDL.

 

CREATE MASTER KEY
ENCRYPTION BY PASSWORD = '87(HyfdlkRM?_764#GRtj*(NS£"_+^$(';

 

This key is actually encrypted and stored twice by default. The copy encrypted by the password and stored in the database is required. The copy encrypted by the service master key and stored in the master database is optional; it makes it possible to open the database master key automatically without specifying the password. The service master key and database master keys can be backed up and restored separately from the rest of the database.

SQL Server 2008 can use DDL to define certificates, asymmetric keys, and symmetric keys on a per-database basis. Certificates and asymmetric keys consist of a private key/public key pair. The public key can be used to encrypt data that can be decrypted only by using the private key. Or, for the sake of performance, the public key can be used to encrypt a hash that can be decrypted only by using the private key. Integrity check generation to ensure non-repudiation is known as signing. Alternatively, the private key can be used to encrypt data that can be decrypted by the receiver by using the public key.

A symmetric key consists of a single key that is used for encryption and decryption. Symmetric keys are generally used for data encryption because they are orders of magnitude faster than asymmetric keys for encryption and decryption. However, distributing symmetric keys can be difficult because both parties must have the same copy of the key. In addition, it is not possible with symmetric key encryption to determine which user encrypted the data. Asymmetric keys can be used to encrypt and decrypt data but ordinarily they are used to encrypt and decrypt symmetric keys; the symmetric keys are used for the data encryption. This is the preferred way to encrypt data for the best security and performance. Symmetric keys can also be protected by individual passwords.

SQL Server 2008 R2 makes use of, and can also generate, X.509 certificates. A certificate is simply an asymmetric key pair with additional metadata, including a subject (the person the key is intended for), a root certificate authority (who vouches for the certificate’s authenticity), and an expiration date. SQL Server generates self-signed certificates (SQL Server itself is the root certificate authority) with a default expiration date of one year. The expiration date and subject can be specified in the DDL statement. SQL Server does not use certificate “negative lists” or the expiration date with data encryption. A certificate can be backed up and restored separately from the database; certificates, asymmetric keys, and symmetric keys are also backed up with the database. A variety of block cipher encryption algorithms are supported, including DES, Triple DES, and AES (Rijndael) for symmetric keys and RSA for asymmetric keys. A variety of key strengths are supported for each algorithm. Stream cipher algorithms, such as RC4, are also supported but should NOT be used for data encryption. Support for RC4 is deprecated in SQL Server 2008 and will be removed in subsequent versions of SQL Server. Some algorithms (such as AES) are not supported by all operating systems that can host SQL Server. User-defined algorithms are not supported. The choice of key algorithm and key length should be predicated on the sensitivity of the data.

The master database in SQL Server contains some built-in certificates with names that begin with “##MS_”. These certificates are used for system functionality and should not be deleted.

As an alternative for some parts of the key management built into SQL Server, SQL Server 2008 introduces support for Extensible Key Management. Using Extensible Key Management (EKM) means that keys can be managed by an external source, such as a hardware security module. The external source is referred to in SQL Server as a cryptographic provider. TDE supports asymmetric keys that are provisioned by EKM. No other form of asymmetric key is supported by TDE and database certificates cannot currently be provisioned through EKM. EKM is supported for cell-level encryption through symmetric and asymmetric keys. It is highly recommended that you use EKM with both database- and cell-level encryption for more comprehensive key management and hardware-based cryptography. Extensible Key Management is an Enterprise-version only feature.

SQL Server can encrypt data on a cell level—data is specifically encrypted before it is stored into a column value, and each row can use a different encryption key for a specific column. To use data encryption, a column must use the VARBINARY data type. The length of the column depends on the encryption algorithm used and the length of the data to be encrypted (see Choosing an Encryption Algorithm in SQL Server Books Online). The KEY_GUID of the key that is used for encryption is stored with the column value. When the data is decrypted, this KEY_GUID is checked against all open keys in the session. The encryption uses random initialization vectors (which play a role analogous to a salt). Because of this, it is not possible to determine whether two values are identical by looking at the encrypted values. This means, for example, that you cannot determine all of the patients who have a diagnosis of Flu if you know that Patient A has a diagnosis of Flu. Although this means that the data is more secure, it also means that you cannot use a column that is encrypted by using the data encryption routines in indexes, because the encrypted values are not comparable.
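The cell-level behavior described above (the certificate-protected symmetric key, the VARBINARY column, the KEY_GUID stored with each value, and the effect of the initialization vector on comparisons), as an added example that is not part of the white paper; the database, table and key names and the master key password are assumptions.

```sql
-- Added example, not from the white paper. ClinicDemo, dbo.Patient,
-- PatientDataCert, PatientDataKey and the password are assumed names.
CREATE DATABASE ClinicDemo;
GO
USE ClinicDemo;
GO
-- Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-placeholder-password>';
CREATE CERTIFICATE PatientDataCert WITH SUBJECT = N'Patient data encryption';
CREATE SYMMETRIC KEY PatientDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PatientDataCert;
GO
-- The encrypted column is VARBINARY, sized for ciphertext plus IV and KEY_GUID.
CREATE TABLE dbo.Patient (
    PatientId int IDENTITY PRIMARY KEY,
    Name      nvarchar(100)  NOT NULL,
    Diagnosis varbinary(256) NOT NULL
);
GO
-- The key must be open in the session for EncryptByKey to use it.
OPEN SYMMETRIC KEY PatientDataKey DECRYPTION BY CERTIFICATE PatientDataCert;
INSERT INTO dbo.Patient (Name, Diagnosis) VALUES
    (N'Patient A', EncryptByKey(Key_GUID('PatientDataKey'), N'Flu')),
    (N'Patient B', EncryptByKey(Key_GUID('PatientDataKey'), N'Flu')),
    (N'Patient C', EncryptByKey(Key_GUID('PatientDataKey'), N'Asthma'));
CLOSE SYMMETRIC KEY PatientDataKey;
GO
-- 1. Because each value carries its own random IV, Patient B's ciphertext
--    differs from Patient A's even though both plaintexts are 'Flu', so an
--    equality search on the encrypted column cannot find matching diagnoses.
SELECT Name
FROM dbo.Patient
WHERE Diagnosis = (SELECT Diagnosis FROM dbo.Patient WHERE Name = N'Patient A')
  AND Name <> N'Patient A';

-- 2. DecryptByKey reads the KEY_GUID stored in the value and looks for that
--    key among the session's open keys; with no key open it yields NULL.
SELECT Name, CAST(DecryptByKey(Diagnosis) AS nvarchar(100)) AS Diagnosis
FROM dbo.Patient;

-- 3. With the key open (which requires permission on the certificate), the
--    same query returns the plaintext diagnoses.
OPEN SYMMETRIC KEY PatientDataKey DECRYPTION BY CERTIFICATE PatientDataCert;
SELECT Name, CAST(DecryptByKey(Diagnosis) AS nvarchar(100)) AS Diagnosis
FROM dbo.Patient;
CLOSE SYMMETRIC KEY PatientDataKey;
GO
```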

SQL Server 2008 introduces database-level encryption as an adjunct and alternative to cell-level encryption. In addition, recent versions of the Microsoft Windows operating system (Windows Server 2008 and beyond and some versions of Windows Vista and Windows 7) provide disk volume encryption using BitLocker. Both TDE and BitLocker encrypt data as it is written to disk and decrypt data as it is read from disk. Either one can be added to the disk storage media without any change to the database. Access to the encrypted data in SQL Server is controlled through normal SQL Server permissions.

Transparent Data Encryption encrypts data files, log files, tempdb, and database backups, but does not encrypt data stored using SQL Server 2008’s new FILESTREAM storage feature. BitLocker encrypts the entire volume, which would include FILESTREAM storage and non-SQL Server database files. As a general rule, it probably makes more sense to use BitLocker on portable computers (even those without SQL Server) as it protects the entire volume. If laptop data is compromised, presumably this happens due to physical access to the media, and BitLocker protects against this. On a server, however, it probably makes more sense to use SQL Server TDE. If a server storage volume is compromised, it is typically through network access, and BitLocker does not protect against this: once the volume is mounted, files read or copied from it are in cleartext. With TDE, the encryption is bound to the database files, not to the disk, so even if the database files are copied to another drive or tape they remain encrypted. BitLocker is volume-bound, so copying a file to another disk effectively produces a cleartext copy.

Note that you can also perform encrypted backups on all SQL Server databases using Data Protection Manager (DPM). Part of System Center, DPM provides seamless and continuous protection of multiple SQL Server backups to integrated disk, tape, and cloud. For more information, download the SQL Server-specific whitepapers from the Microsoft System Center website.

Enabling TDE on a database requires two keys: a database encryption key, a symmetric key that performs the encryption of the database, and a certificate in the master database that protects the database encryption key. Because the certificate in the master database is needed to restore the database, care should be taken to back this certificate up.
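As an added example of the two keys described above (not code from the white paper), the script below enables TDE on a database named SecurityDemo. The database and certificate names, the backup paths and the passwords are constructed; TDE itself is an Enterprise Edition feature.

```sql
-- Added example (not from the white paper): enabling TDE on SecurityDemo.
-- TdeCert, the D:\keybackup paths and all passwords are constructed values.
USE master;
GO
-- 1. The master database needs a database master key (skip this step if master
--    already has one); it protects the certificate that will protect the DEK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'MasterDmk-Pa55w0rd!example';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SecurityDemo';
GO
-- 2. Back the certificate and its private key up immediately and store the
--    backup off the server: without it, neither the database nor any backup
--    taken from it can be restored anywhere else.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'PvkBackup-Pa55w0rd!example');
GO
-- 3. Create the symmetric database encryption key inside the user database,
--    protected by the server certificate from master.
USE SecurityDemo;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 4. Turn encryption on; a background scan encrypts the existing pages and the
--    log, and all subsequent backups of the database are encrypted as well.
ALTER DATABASE SecurityDemo SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 3 = encrypted, 2 = encryption scan in progress.
--    tempdb shows up too: it is encrypted as soon as any database on the
--    instance is encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
```

Step 2 is the one the paragraph above stresses: the certificate backup, and the password that protects the exported private key, belong in the same disaster recovery plan as the database backups themselves.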

Data encryption is becoming more commonplace with some vendors and industries (for example, the payment card industry). Use data encryption only when it is required or for very high-value sensitive data. In some cases, encrypting the network channel or using SQL Server permissions is a better choice because of the complexity involved in managing keys and invoking encryption/decryption routines.

Because unencrypted data must be stored in memory buffers before being transmitted to clients, it is impossible to keep data away from an administrator who has the ability to debug the process or to patch the server. Memory dumps can also be a source of unintended data leakage. If symmetric keys are protected by asymmetric keys and the asymmetric keys are encrypted by using the database master key, a database administrator could impersonate a user of encrypted data and access the data through the keys. If protection from the database administrator is preferred, Extensible Key Management is the first choice, followed by encryption keys secured by passwords if EKM is not available, rather than by the database master key. To guard against data loss, encryption keys that are secured by passwords must have an associated disaster recovery policy (offsite storage, for example) in case of key loss. You can also require users to specify the database master key by dropping encryption of the database master key by the instance master key. Remember to back up the database in order to back up the symmetric and asymmetric keys: unlike certificates, the database master key, and the service master key, which have their own backup DDL statements, symmetric and asymmetric keys have no specific DDL statement to back them up.

For more information about SQL Server encryption, see the whitepaper Database Encryption in SQL Server 2008.

Best practices for data encryption

  • Encrypt high-value and sensitive data.
  • Use symmetric keys to encrypt data, and asymmetric keys or certificates to protect the symmetric keys.
  • Password-protect keys and remove master key encryption for the most secure configuration.
  • Do not delete pre-provisioned system certificates in the master database.
  • Always back up the service master key, database master keys, and certificates by using the key-specific DDL statements.
  • Always back up your database to back up your symmetric and asymmetric keys.
  • TDE is recommended for encrypting existing applications or for performance-sensitive applications.
  • Cell-level encryption can be used for defense in depth both for a database encrypted by TDE and for limited access control through the use of passwords.
  • Use EKM with both database-level and cell-level encryption for more comprehensive key management and hardware-based cryptography.

SSL Encryption

SQL Server 2008 R2 can use an encrypted channel for two reasons: to encrypt credentials for SQL logins, and to provide end-to-end encryption of entire sessions. Using encrypted sessions requires a client API that supports them; the Microsoft OLE DB, ODBC, JDBC 1.2, and ADO.NET clients all support encrypted sessions. The other reason for using SSL is to encrypt credentials during the login process for SQL logins, when a password is passed across the network. If an SSL certificate is installed in a SQL Server instance, that certificate is used for credential encryption. If an SSL certificate is not installed, SQL Server 2008 R2 can generate a self-signed certificate and use this certificate instead. Using the self-signed certificate prevents passive man-in-the-middle attacks, in which the man-in-the-middle only intercepts and reads network traffic, but does not provide mutual authentication. Using an SSL certificate issued by a trusted root certificate authority prevents active man-in-the-middle attacks and provides mutual authentication.

Bear in mind that the TDS protocol version that SQL Server uses is negotiable. Using an older version of TDS (e.g. older versions of FreeTDS) to connect to SQL Server may result in the encrypted channel for login not being used. Therefore, it is a best practice to always use modern drivers/providers with SQL Server.

Best practices for SSL channel encryption

  • If you must support SQL logins, install an SSL certificate from a trusted certificate authority rather than using SQL Server 2008 self-signed certificates.
  • Use “allow only encrypted connections” only if needed for end-to-end encryption of sensitive sessions.
  • Do not use older TDS protocol versions; this ensures that SQL login information is always encrypted.
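An added check, not part of the white paper, that a DBA can run to see which current sessions actually negotiated an encrypted channel and which SQL-login sessions are relying only on the login-time credential encryption. It uses the documented sys.dm_exec_connections and sys.dm_exec_sessions views and requires VIEW SERVER STATE.

```sql
-- Added example (not from the white paper): which sessions are encrypted?
-- encrypt_option is 'TRUE' for a session whose whole TDS stream is SSL-encrypted.
SELECT c.session_id, s.login_name, s.program_name,
       c.net_transport, c.auth_scheme, c.encrypt_option, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name;

-- Sessions that authenticated with a SQL login (auth_scheme = 'SQL') over an
-- unencrypted channel: only the login packet was encrypted, not the session.
-- If the paragraph above applies to them (sensitive data, untrusted network),
-- these are the clients to move to Encrypt=yes in their connection settings.
SELECT s.login_name, s.program_name, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.auth_scheme = 'SQL'
  AND c.encrypt_option = 'FALSE';
```

Whether the instance is using an installed certificate or the self-signed one is recorded in the SQL Server error log at startup, so that log is the place to confirm the first best-practice bullet after installing a CA-issued certificate.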

Access Control

Administrator Privileges

SQL Server 2008 makes all permissions grantable and also makes grantable permissions more granular than in previous versions. Principals with elevated permissions now include:

  • Members of the sysadmin server role.
  • The sa built-in login, if it is enabled.
  • Any login with CONTROL SERVER permission.

CONTROL SERVER permission was introduced in SQL Server 2005. If you are upgrading from SQL Server 2000, be sure to change your auditing procedures to include any login with CONTROL SERVER permission.

Beginning in SQL Server 2008, SQL Server does not automatically grant the server’s Administrators group (BUILTIN\administrators) the sysadmin server role. When installing SQL Server 2008, you are required to add at least one Windows login to the sysadmin role. This is true for SQL Server Analysis Services as well as the database engine.

When running SQL Server Express, setup incorporates the specification of a specific principal to act as administrator. SQL Server Express setup also allows command-line options to turn user instances on or off (ENABLERANU) and to add the current setup user to the SQL Server administrator role (ADDCURRENTUSERASSQLADMIN). For more detailed information, see How to: Install SQL Server 2008 R2 from the Command Prompt in SQL Server 2008 R2 Books Online.

For accountability in the database, avoid relying on the Administrators group and add only specific database administrators to the sysadmin role. Another option is to have a specific DatabaseAdministrators role at the operating system level. Minimizing the number of administrators who have sysadmin or CONTROL SERVER privilege also makes it easier to resolve problems; fewer logins with administrator privilege means fewer people to check with if things go wrong. The permission VIEW SERVER STATE is useful for allowing administrators and troubleshooters to view server information (dynamic management views) without granting full sysadmin or CONTROL SERVER permission.
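The following added audit script (not from the white paper) enumerates the elevated principals listed above, including the CONTROL SERVER grantees that a SQL Server 2000-era audit would miss, and checks whether a BUILTIN\Administrators login is still present. The login name in the final GRANT is a constructed placeholder.

```sql
-- Added example (not from the white paper): who holds instance-wide administrative
-- power on this instance? Run as a member of sysadmin or with VIEW DEFINITION
-- on the server.

-- 1. Members of the sysadmin fixed server role (sa appears here when enabled).
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Logins granted CONTROL SERVER directly. Introduced in SQL Server 2005, so an
--    audit procedure written for SQL Server 2000 does not look for it.
SELECT p.name, p.type_desc, sp.state_desc, sp.permission_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'CONTROL SERVER';

-- 3. SQL Server 2008 setup no longer creates this login; if it is present the
--    instance was upgraded and every local Administrator is a sysadmin.
SELECT name, is_disabled
FROM sys.server_principals
WHERE name = 'BUILTIN\Administrators';

-- 4. Least-privilege alternative for troubleshooters who only need the dynamic
--    management views. [CORP\monitoring_svc] is a placeholder login name.
GRANT VIEW SERVER STATE TO [CORP\monitoring_svc];
```

Keeping the output of queries 1 and 2 under change control, and comparing it on a schedule, is a practical way to notice an administrator being added outside the normal process.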

Best practices for administrator privileges

  • Use administrator privileges only when needed.
  • Minimize the number of administrators.
  • Have multiple distinct administrators if more than one is needed.
  • Avoid dependency on the builtin\administrators Windows group.

Database Ownership and Trust

A SQL Server instance can contain multiple user databases. Each user database has a specific owner; the owner defaults to the database creator. By definition, members of the sysadmin server role (including system administrators if they have access to SQL Server through their default group account) are database owners (DBOs) in every user database. In addition, there is a database role, db_owner, in every user database. Members of the db_owner role have approximately the same privileges as the dbo user.

SQL Server can be thought of as running in two distinct modes, which can be referred to as IT department mode and ISV mode. These are not database settings but simply different ways to manage SQL Server. In an IT department, the sysadmin of the instance manages all user databases. In an Internet service provider environment (say, a Web-hosting service), each customer is permitted to manage their own database and is restricted from accessing system databases or other user databases. For example, the databases of two competing companies could be hosted by the same Internet service provider (ISV) and exist in the same SQL Server instance. Dangerous code could be added to a user database when attached to its original instance, and the code would be enabled on the ISV instance when deployed. This situation makes controlling cross-database access crucial.

If each database is owned and managed by the same general entity, it is still not a good practice to establish a “trust relationship” with a database unless an application-specific feature, such as cross-database Service Broker communication, is required. A trust relationship between databases can be established by allowing cross-database ownership chaining or by marking a database as trusted by the instance by using the TRUSTWORTHY property. An example of setting the TRUSTWORTHY property follows:

ALTER DATABASE pubs SET TRUSTWORTHY OFF

Enabling the TRUSTWORTHY property may open an Elevation of Privilege path from DBO to sysadmin (depending on the permissions of the DBO for that database), therefore it is highly recommended to not enable the TRUSTWORTHY property on any user-defined database that is owned by a sysadmin.
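An added check and remediation script (not from the white paper) for the elevation path just described: it lists databases that are marked TRUSTWORTHY or that have cross-database chaining on, flags the ones owned by a sysadmin member, and shows how to take the trust settings off. SecurityDemo and SecurityDemo_owner are constructed names.

```sql
-- Added example (not from the white paper): find and fix risky trust settings.

-- 1. Databases marked TRUSTWORTHY (or with DB_CHAINING on) and whether their
--    owner is a sysadmin. msdb is TRUSTWORTHY by design, so it is excluded.
--    A TRUSTWORTHY database owned by a sysadmin is the combination the
--    paragraph above warns about: its db_owner can reach the owner's
--    server-level rights.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_trustworthy_on,
       d.is_db_chaining_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.name <> 'msdb'
  AND (d.is_trustworthy_on = 1 OR d.is_db_chaining_on = 1)
ORDER BY owner_is_sysadmin DESC, d.name;

-- 2. The instance-wide cross-database ownership chaining option should stay 0;
--    when it is 1, every database chains regardless of its DB_CHAINING setting.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';

-- 3. Remediation for one database. Reassign ownership to a dedicated
--    low-privilege login first (the owner must exist as a login), then
--    remove the trust flags.
ALTER AUTHORIZATION ON DATABASE::SecurityDemo TO [SecurityDemo_owner];
ALTER DATABASE SecurityDemo SET TRUSTWORTHY OFF;
ALTER DATABASE SecurityDemo SET DB_CHAINING OFF;
```

Note that restoring or attaching a database always resets TRUSTWORTHY to OFF, so an application that genuinely needs it must document that requirement in its deployment steps rather than rely on the flag surviving a move.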


Best practices for database ownership and trust

  • Have distinct owners for databases; not all databases should be owned by sa.
  • Minimize the number of owners for each database.
  • Confer trust selectively.
  • Leave the Cross-Database Ownership Chaining setting off unless multiple databases are deployed as a single unit.
  • Migrate usage to selective trust instead of using the TRUSTWORTHY property.

Lockdown of System Stored Procedures

SQL Server uses system stored procedures to accomplish some administrative tasks. These procedures almost always begin with the prefix xp_ or sp_. Even with the introduction of standard DDL for some tasks (for example, creating logins and users), system procedures remain the only way to accomplish tasks such as sending mail or invoking COM components. System extended stored procedures in particular are used to access resources outside the SQL Server instance. Most system stored procedures contain the relevant security checks as part of the procedure and also perform impersonation so that they run as the Windows login that invoked the procedure. An example of this is sp_reserve_http_namespace, which impersonates the current login and then attempts to reserve part of the HTTP namespace (HTTP.SYS) by using a low-level operating system function.

Because some system procedures interact with the operating system or execute code outside of the normal SQL Server permissions, they can constitute a security risk. System stored procedures such as xp_cmdshell or sp_send_dbmail are off by default and should remain disabled unless there is a reason to use them. In SQL Server 2005 and above, you no longer need to use stored procedures that access the underlying operating system or network outside of the SQL Server permission space. SQLCLR procedures executing in EXTERNAL_ACCESS mode are subject to SQL Server permissions, and SQLCLR procedures executing in UNSAFE mode are subject to some, but not all, security checks. For example, to catalog a SQLCLR assembly categorized as EXTERNAL_ACCESS or UNSAFE, either the database must be marked as TRUSTWORTHY (see Database Ownership and Trust) or the assembly must be signed with a certificate or asymmetric key that is cataloged to the master database. SQLCLR procedures should replace user-written extended stored procedures in the future.

Some categories of system stored procedures can be managed by using SQL Server Policy-Based Management. These include:

  • xp_cmdshell – executes a command in the underlying operating system
  • Database Mail procedures
  • SQL Mail procedures
  • COM component procedures (e.g. sp_OACreate)

Enable these procedures only if necessary.
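The corresponding surface-area configuration options, shown here as an added example rather than code from the white paper, can be audited and switched off with sp_configure. The option names are the documented ones for SQL Server 2008; Database Mail is left on in this script purely to illustrate keeping one sanctioned mail mechanism.

```sql
-- Added example (not from the white paper): audit and disable the options behind
-- xp_cmdshell, the mail procedures and the COM (OLE Automation) procedures.
-- These are advanced options, so they are only visible and settable while
-- 'show advanced options' is on.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 1. Current state: value_in_use = 1 means the feature is enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Database Mail XPs',
               'SQL Mail XPs',
               'Ole Automation Procedures')
ORDER BY name;

-- 2. Disable everything that has no documented business need.
--    (If SQL Server never sends mail, set 'Database Mail XPs' to 0 as well.)
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. Hide the advanced options again so casual sp_configure output stays short.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-running the SELECT in step 1 after RECONFIGURE confirms the change took effect; the same SELECT is what a Policy-Based Management condition on the Server Configuration facet evaluates when it enforces this standard across instances.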

The system stored procedures should not be dropped from the database; dropping these can cause problems when applying service packs. Removing the system stored procedures results in an unsupported configuration. It is usually unnecessary to completely DENY all users access to the system stored procedures, as these stored procedures have the appropriate permission checks internal to the procedure as well as external.

Best practices for system stored procedures

  • Disable xp_cmdshell unless it is absolutely needed.
  • Disable COM components once all COM components have been converted to SQLCLR.
  • Disable both mail procedures (Database Mail and SQL Mail) unless you need to send mail from SQL Server. Prefer Database Mail as soon as you can convert to it.
  • Use Policy-Based Management to enforce a standard policy for extended procedure usage.
  • Document each exception to the standard policy.
  • Do not remove the system stored procedures by dropping them.
  • Do not modify the default permissions on system objects.
  • Do not DENY all users/administrators access to the extended procedures.

Schemas

SQL Server 2005 introduced schemas to the database. A schema is simply a named container for database objects. Each schema is a scope that fits into the hierarchy between database level and object level, and each schema has a specific owner. The owner of a schema can be a user, a database role, or an application role. The schema name takes the place of the owner name in the SQL Server multi-part object naming scheme. In SQL Server 2000 and previous versions, a table named Employee that was part of a database named Payroll and was owned by a user named Bob would be payroll.bob.employee. In SQL Server 2008, the table would have to be part of a schema. If payroll_app is the name of the SQL Server 2008 schema, the table name in SQL Server 2005 and later is payroll.payroll_app.employee.

Schemas solve an administration problem that occurs when each database object is named after the user who creates it. In SQL Server versions prior to 2005, if a user named Bob (who is not dbo) creates a series of tables, the tables would be named after Bob. If Bob leaves the company or changes job assignments, these tables would have to be manually transferred to another user. If this transfer were not performed, a security problem could ensue. Because of this, prior to SQL Server 2005, DBAs were unlikely to allow individual users to create database objects such as tables. Each table would be created by someone acting as the special dbo user and would have a user name of dbo. Because, in SQL Server 2008, schemas can be owned by roles, special roles can be created to own schemas if needed—every database object need not be owned by dbo. Not having every object owned by dbo makes for more granular object management and makes it possible for users (or applications) that need to dynamically create tables to do so without dbo permission.

Having schemas that are role-based does not mean that it’s a good practice to have every user be a schema owner. Only users who need to create database objects should be permitted to do so. The ability to create objects does not imply schema ownership; GRANTing Bob ALTER SCHEMA permission in the payroll_app schema can be accomplished without making Bob a schema owner. In addition, granting CREATE TABLE to a user does not allow that user to create tables; the user must also have ALTER SCHEMA permission on some schema in order to have a schema in which to create the table. Objects created in a schema are owned by the schema owner by default, not by the creator of the object. This makes it possible for a user to create tables in a known schema without the administrative problems that ensue when that user leaves the company or switches job assignments.

Each user has a default schema. If an object is created or referenced in a SQL statement by using a one-part name, SQL Server first looks in the user’s default schema. If the object isn’t found there, SQL Server looks in the dbo schema. The user’s default schema is assigned by using the CREATE USER or ALTER USER DDL statements. If no default schema is specified, the default is dbo. Using named schemas for like groups of database objects and assigning each user’s default schema to dbo is a way to mandate using two-part object names in SQL statements. This is because objects that are not in the dbo schema will not be found when a one-part object name is specified. Migrating groups of user objects out of the dbo schema is also a good way to allow users to create and manage objects if needed (for example, to install an application package) without making the installing user dbo.
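The three preceding paragraphs are put together in the added example below (not code from the white paper): a schema owned by a role, a user who may create objects in it without owning it, ownership of the created table resting with the schema owner, and a default schema of dbo forcing two-part names. The user bob is created without a login so the script runs in any test database; payroll_app and payroll_owners follow the names used in the text.

```sql
-- Added example (not from the white paper): role-owned schema, object creation
-- without schema ownership, and dbo as the default schema.
CREATE ROLE payroll_owners;
GO
-- CREATE SCHEMA must be the first statement in its batch.
CREATE SCHEMA payroll_app AUTHORIZATION payroll_owners;
GO
-- bob is a user without a login; his default schema is explicitly dbo.
CREATE USER bob WITHOUT LOGIN WITH DEFAULT_SCHEMA = dbo;
-- CREATE TABLE alone is not enough: bob also needs a schema he may alter.
GRANT CREATE TABLE TO bob;
GRANT ALTER ON SCHEMA::payroll_app TO bob;
GRANT SELECT ON SCHEMA::payroll_app TO bob;
GO
-- bob creates a table using a two-part name.
EXECUTE AS USER = 'bob';
CREATE TABLE payroll_app.employee (emp_id INT PRIMARY KEY, name NVARCHAR(50));
REVERT;
GO
-- The table is owned by the schema owner, not by bob: sys.objects.principal_id
-- is NULL for objects whose owner is inherited from the schema. Nothing has to
-- be transferred when bob leaves.
SELECT s.name AS schema_name,
       o.name AS object_name,
       USER_NAME(COALESCE(o.principal_id, s.principal_id)) AS owner_name
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.name = 'employee';
GO
-- Name resolution as bob: the one-part name is looked up in bob's default schema
-- (dbo) and finds nothing, because the table lives in payroll_app; the two-part
-- name resolves. This is the mechanism that mandates two-part names.
EXECUTE AS USER = 'bob';
SELECT OBJECT_ID('employee')             AS one_part_lookup,
       OBJECT_ID('payroll_app.employee') AS two_part_lookup;
REVERT;
```

Granting ALTER on the schema instead of making bob its owner is the point of the third paragraph: bob can create, alter and drop objects in payroll_app, yet owns none of them.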

Users that are mapped to Windows groups cannot have default schemas. When a user that is mapped to a Windows group creates a database object (for example, a table) with a one-part name, the following occurs:

  • A database user named after the actual user is created.
  • A schema named after the actual user is created.
  • The table is created in the schema named after the user.

This can circumvent the strategy of database users not having their own schemas.

For more information on using schemas, see the white paper SQL Server 2008 Database Object Schemas Best Practice.

Best practices for using schemas

  • Group like objects together into the same schema.
  • Manage database object security by using ownership and permissions at the schema level.
  • Have distinct owners for schemas or use a user without a login as a schema owner.
  • Not all schemas should be owned by dbo.
  • Minimize the number of owners for each schema.
  • Use two-part names for database object creation, especially when users mapped to Windows groups are involved.

Authorization

Authorization is the process of granting permissions on securables to users. At an operating system level, securables might be files, directories, registry keys, or shared printers. In SQL Server, securables are database objects. SQL Server principals include both instance-level principals, such as Windows logins, Windows group logins, SQL Server logins, and server roles and database-level principals, such as users, database roles, and application roles. Except for a few objects that are instance-scoped, most database objects, such as tables, views, and procedures are schema-scoped. This means that authorization is usually granted to database-level principals.

In SQL Server, authorization is accomplished via Data Access Language (DAL) rather than DDL or DML. In addition to the two DAL verbs, GRANT and REVOKE, mandated by the ISO-ANSI standard, SQL Server also contains a DENY DAL verb. DENY differs from REVOKE when a user is a member of more than one database principal. If a user Fred is a member of three database roles A, B, and C and roles A and B are GRANTed permission to a securable, if the permission is REVOKEd from role C, Fred still can access the securable. If the securable is DENYed to role C, Fred cannot access the securable. This makes managing SQL Server similar to managing other parts of the Windows family of operating systems.
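The Fred/A/B/C scenario above, as an added example that is not part of the white paper. It uses a user without a login (a concept the Authorization section returns to below) so that it runs in any test database; the table and role names are constructed, and HAS_PERMS_BY_NAME is used to report the effective permission without having to trap an error.

```sql
-- Added example (not from the white paper): REVOKE versus DENY across roles.
CREATE TABLE dbo.payroll_rates (emp_id INT PRIMARY KEY, rate MONEY);
CREATE USER fred WITHOUT LOGIN;
CREATE ROLE role_a;
CREATE ROLE role_b;
CREATE ROLE role_c;
EXEC sp_addrolemember 'role_a', 'fred';
EXEC sp_addrolemember 'role_b', 'fred';
EXEC sp_addrolemember 'role_c', 'fred';
GRANT SELECT ON dbo.payroll_rates TO role_a;
GRANT SELECT ON dbo.payroll_rates TO role_b;
GO
-- REVOKE from role_c removes only a grant made to role_c (there was none);
-- fred's access through role_a and role_b is untouched, so the check reports 1.
REVOKE SELECT ON dbo.payroll_rates FROM role_c;
EXECUTE AS USER = 'fred';
SELECT HAS_PERMS_BY_NAME('dbo.payroll_rates', 'OBJECT', 'SELECT') AS can_select_after_revoke;
REVERT;
GO
-- DENY on any one of fred's roles overrides the grants he holds through the
-- others, so the same check now reports 0.
DENY SELECT ON dbo.payroll_rates TO role_c;
EXECUTE AS USER = 'fred';
SELECT HAS_PERMS_BY_NAME('dbo.payroll_rates', 'OBJECT', 'SELECT') AS can_select_after_deny;
REVERT;
GO
-- Where the effective permission comes from is visible in the catalog: one row
-- per grant or deny, keyed by the role that received it.
SELECT dp.state_desc, dp.permission_name, USER_NAME(dp.grantee_principal_id) AS grantee
FROM sys.database_permissions AS dp
WHERE dp.major_id = OBJECT_ID('dbo.payroll_rates');
```

The practical consequence for administrators: to take access away from someone who belongs to several roles, REVOKE must be applied to every role that granted it, whereas a single DENY (or removing the user from the roles) is decisive.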

SQL Server 2005 makes each securable available by using DAL statements and makes permissions more granular than in previous versions. For example, in SQL Server 2000 and earlier versions, certain functions were available only if a login was part of the sysadmin role. Now sysadmin role permissions are defined in terms of GRANTs. Equivalent access to securables can be achieved by GRANTing a login the CONTROL SERVER permission. However, in rare cases (e.g. permissions granted to use DBCC subcommands), role permissions are still used.

An example of better granularity is the ability to use SQL Server Profiler to trace events in a particular database. In SQL Server 2000, this ability was limited to the special dbo user. The new granular permissions are also arranged in a hierarchy; some permissions imply other permissions. For example, CONTROL permission on a database object type implies ALTER permission on that object as well as all other object-level permissions. SQL Server 2005 also introduces the concept of granting permissions on all of the objects in a schema. ALTER permission on a SCHEMA includes the ability to CREATE, ALTER, or DROP objects in that SCHEMA. The DAL statement that grants access to all securables in the payroll schema is:

GRANT SELECT ON schema::payroll TO fred

The advantage of granting permissions at the schema level is that the user automatically has permissions on all new objects created in the schema; explicit grant after object creation is not needed. For more information on the permission hierarchy, see the Permission Hierarchy section of SQL Server Books Online.

A best practice for authorization is to encapsulate access through modules such as stored procedures and user-defined functions. Hiding access behind procedural code means that users can only access objects in the way the developer and database administrator (DBA) intend; ad hoc changes to objects are disallowed. An example of this technique would be permitting access to the employee pay rate table only through a stored procedure “UpdatePayRate.” Users that need to update pay rates would be granted EXECUTE access to the procedure, rather than UPDATE access to the table itself. In SQL Server 2000 and earlier versions, encapsulating access was dependent on a SQL Server feature known as ownership chains. In an ownership chain, if the owner of stored procedure A and the owner of table B that the stored procedure accesses are the same, no permission check is done. Although this works well most of the time, even with multiple levels of stored procedures, ownership chains do not work when:

  • The database objects are in two different databases (unless cross-database ownership chaining is enabled).
  • The procedure uses dynamic SQL.
  • The procedure is a SQLCLR procedure.

SQL Server 2005 and above contain features to address these shortcomings, including signing of procedural code, alternate execution context, and a TRUSTWORTHY database property if ownership chaining is desirable because a single application encompasses multiple databases. All of these features are discussed in this white paper.

A login can only be granted authorization to objects in a database if a database user has been mapped to the login. A special user, guest, exists to permit access to a database for logins that are not mapped to a specific database user. Because any login can use the database through the guest user, it is suggested that the guest user not be enabled except in the MSDB database. In order for some SQL Server features to work, the guest user must be enabled in MSDB.

SQL Server 2005 introduced a new type of user, a user that is not mapped to a login. Users that are not mapped to logins provide an alternative to using application roles. You can invoke selective impersonation by using the EXECUTE AS statement (see Execution Context later in this paper) and allow that user only the privileges needed to perform a specific task. Using users without logins makes it easier to move the application to a new instance and limits the connectivity requirements for the function. You create a user without a login using DDL:

CREATE USER mynewuser WITHOUT LOGIN

For more information about database object authorization strategies, reference the technical article SQL Server 2008 Separation of Duties for Application Developer.


Best practices for database object authorization

  • Encapsulate access within modules.
  • Manage permissions via database roles or Windows groups.
  • Use permission granularity to implement the principle of least privilege.
  • Do not enable guest access in any database except MSDB.
  • Use users without logins instead of application roles.

Catalog Security

Information about databases, tables, and other database objects is kept in the system catalog. The system metadata exists in tables in the master database and in user databases. These metadata tables are exposed through metadata views. In SQL Server 2000, the system catalog was publicly readable, and the instance could be configured to make the system tables writeable as well. In SQL Server 2005 and later, the system metadata tables are read-only and their structure has changed considerably. The only way that the system metadata tables are readable at all is in single-user mode. As of SQL Server 2005, the system metadata views were refactored and made part of a special schema, the sys schema. So as not to break existing applications, a set of compatibility metadata views are exposed. The compatibility views may be removed in a future release of SQL Server.

SQL Server 2005 and above makes all metadata views secured by default. This includes:

  • The new metadata views (for example, sys.tables, sys.procedures).
  • The compatibility metadata views (for example, sysindexes, sysobjects).
  • The INFORMATION_SCHEMA views (provided for SQL-92 compliance).

The information in the system metadata views is secured on a per-row basis. In order to be able to see system metadata for an object, a user must have some permission on the object. For example, to see metadata about the dbo.authors table, SELECT permission on the table is sufficient. This prohibits browsing the system catalog by users who do not have appropriate object access. Discovery is often the first level of prevention. There are two exceptions to this rule: sys.databases and sys.schemas are public-readable. These metadata views may be secured with the DENY verb if required.

Some applications present lists of database objects to the user through a graphic user interface. It may be necessary to keep the user interface the same by permitting users to view information about database objects while giving them no other explicit permission on the object. A special permission, VIEW DEFINITION, exists for this purpose. Note that VIEW DEFINITION will also allow the caller to see the definition of objects such as stored procedures.
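An added example (not code from the white paper) of the per-row metadata visibility described above and of what VIEW DEFINITION does and does not confer. The table, procedure and user names are constructed; the user is created without a login so that the script runs in any test database.

```sql
-- Added example (not from the white paper): catalog visibility and VIEW DEFINITION.
CREATE TABLE dbo.authors (au_id INT PRIMARY KEY, au_lname NVARCHAR(40));
GO
CREATE PROCEDURE dbo.usp_secret AS
    SELECT 'internal business logic' AS note;
GO
CREATE USER browser_user WITHOUT LOGIN;
GO
-- 1. With no permission on either object, the catalog views return no row for
--    them and OBJECT_DEFINITION returns NULL: the user cannot even discover that
--    the objects exist.
EXECUTE AS USER = 'browser_user';
SELECT name FROM sys.tables     WHERE name = 'authors';
SELECT name FROM sys.procedures WHERE name = 'usp_secret';
SELECT OBJECT_DEFINITION(OBJECT_ID('dbo.usp_secret')) AS proc_text;
REVERT;
GO
-- 2. VIEW DEFINITION at the schema level makes every object in dbo visible in
--    the catalog, including the source text of the procedure (the caveat from
--    the paragraph above), without granting any data access.
GRANT VIEW DEFINITION ON SCHEMA::dbo TO browser_user;
GO
EXECUTE AS USER = 'browser_user';
SELECT name FROM sys.tables     WHERE name = 'authors';
SELECT name FROM sys.procedures WHERE name = 'usp_secret';
SELECT OBJECT_DEFINITION(OBJECT_ID('dbo.usp_secret')) AS proc_text;
-- Still no SELECT on the table and no EXECUTE on the procedure (both report 0).
SELECT HAS_PERMS_BY_NAME('dbo.authors',    'OBJECT', 'SELECT')  AS can_select,
       HAS_PERMS_BY_NAME('dbo.usp_secret', 'OBJECT', 'EXECUTE') AS can_execute;
REVERT;
```

If the user interface only needs object names and not procedure bodies, grant VIEW DEFINITION on the individual tables rather than on the whole schema, since the schema-level grant exposes the procedure source shown in step 2.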

Best practices for catalog security

  • The catalog views are secure by default. No additional action is required to secure them.
  • Grant VIEW DEFINITION selectively at the object, schema, database, or server level to grant permission to view system metadata without conferring additional permissions.
  • Review legacy applications that may depend on access to system metadata when migrating the applications from SQL Server 2000.

Execution Context

SQL Server always executes SQL statements and procedural code as the currently logged on user. This is SQL Server-specific behavior and is made possible, in the case of procedural code, by the concept of ownership chains. That is, although a stored procedure executes as the caller of the stored procedure rather than as the owner, if ownership chaining is in place, permissions are not checked for object access and stored procedures can be used to encapsulate tables, as mentioned previously in this paper. In SQL Server 2005 and above, the creator of a procedure can declaratively set the execution context of the procedure by using the EXECUTE AS keyword in the CREATE PROCEDURE, FUNCTION, and TRIGGER statements. The execution context choices are:

  • EXECUTE AS CALLER – the caller of the procedure (no impersonation). This is the only pre-SQL Server 2005 behavior.
  • EXECUTE AS OWNER – the owner of the procedure.
  • EXECUTE AS SELF – the creator of the procedure.
  • EXECUTE AS ‘username’ – a specific user.

To maintain backward compatibility, EXECUTE AS CALLER is the default. The distinction between AS OWNER and AS SELF is needed because the creator of the procedure may not be the owner of the schema in which the procedure resides. In this case, AS SELF refers to the object creator (the user who executes the DDL statement that creates the object), AS OWNER refers to the object owner (the schema owner). In order to use EXECUTE AS ‘username’, the procedure creator must have IMPERSONATE permission on the user named in the execution context.

One reason to use an alternate execution context would be when a procedure executes without a particular caller to supply an execution context. An example of this is a Service Broker queue activation procedure. In addition, EXECUTE AS OWNER can be used to circumvent problems that are caused when ownership chains are broken. For example, ownership chains in a procedure are always broken when dynamic SQL statements (such as sp_executesql) are used.

Often what is needed is to grant the appropriate permissions to the procedural code itself, rather than either changing the execution context or relying on the caller’s permissions. SQL Server 2005 and above offer a much more granular way of associating privileges with procedural code—code signing. By using the ADD SIGNATURE DDL statement, you can sign the procedure with a certificate or asymmetric key. A user can then be created for the certificate or asymmetric key itself and permissions assigned to that user. When the procedure is executed, the code executes with a combination of the caller’s permissions and the key/certificate’s permissions. An example of this would be:

-- the subject text is illustrative; CREATE CERTIFICATE requires WITH SUBJECT
-- when it generates a new key pair
CREATE CERTIFICATE HRCertificate
    ENCRYPTION BY PASSWORD = 'HacdeNj162kqT'
    WITH SUBJECT = 'Code-signing certificate for update_pension_criteria'

-- a user mapped to the certificate is the principal that receives permissions
CREATE USER HRCertificateUser
    FOR CERTIFICATE HRCertificate

-- permissions are granted to the certificate user, not to the certificate itself;
-- this gives the procedure update_pension_criteria
-- the additional privileges of HRCertificateUser once it is signed
GRANT UPDATE ON pension_criteria TO HRCertificateUser

-- the private key is password-protected, so signing must supply that password
ADD SIGNATURE TO update_pension_criteria
    BY CERTIFICATE HRCertificate WITH PASSWORD = 'HacdeNj162kqT'

-- back up the private key and remove it from the certificate,
-- so that the procedure cannot be re-signed without permission
BACKUP CERTIFICATE HRCertificate
    TO FILE = 'c:\certs_backup\HRCertificate.cer'
    WITH PRIVATE KEY (FILE = 'c:\certs_backup\HRCertificate.pvk',
                      ENCRYPTION BY PASSWORD = 'jBjebfP43j1!',
                      DECRYPTION BY PASSWORD = 'HacdeNj162kqT') -- must match CREATE password

ALTER CERTIFICATE HRCertificate REMOVE PRIVATE KEY


EXECUTE AS can also be used to set the execution context within a SQL batch. In this form, the SQL batch contains an EXECUTE AS USER = 'someuser' or EXECUTE AS LOGIN = 'somelogin' statement. This alternate execution context lasts until the REVERT statement is encountered. EXECUTE AS and REVERT blocks can also be nested; REVERT reverts one level of execution context. As with EXECUTE AS and procedural code, the user changing the execution context must have IMPERSONATE permission on the user or login being impersonated. EXECUTE AS in SQL batches should be used as a replacement for the SETUSER statement, which is much less flexible.

If the execution context is set but should not be reverted without permission, you can use EXECUTE AS … WITH COOKIE or EXECUTE AS … WITH NO REVERT. When WITH COOKIE is specified, a binary cookie is returned to the caller of EXECUTE AS and the cookie must be supplied in order to REVERT back to the original context.

When a procedure or batch uses an alternate execution context, the system functions normally used for auditing, such as SUSER_NAME(), return the name of the impersonated user rather than the name of the original user or original login. A new system function, ORIGINAL_LOGIN(), can be used to obtain the original login, regardless of the number of levels of impersonation used.
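
The batch-level form described above, with a cookie protecting the REVERT and ORIGINAL_LOGIN() preserving the real caller, as an added example that is not part of the original paper. It assumes a database named HRDatabase, a login and user named ReportReader, and a placeholder password; dbo.pension_criteria is the table used elsewhere in this paper.

```sql
-- Added example (not from the original paper). Assumed names: database HRDatabase,
-- login/user ReportReader, and a placeholder password.
USE master;
CREATE LOGIN ReportReader WITH PASSWORD = 'Placeholder-Str0ng-Pw!';   -- placeholder
USE HRDatabase;
CREATE USER ReportReader FOR LOGIN ReportReader;
GRANT SELECT ON dbo.pension_criteria TO ReportReader;                  -- read only

-- The principal running this batch needs IMPERSONATE on ReportReader
-- (members of sysadmin and db_owner have it implicitly).
DECLARE @cookie varbinary(100);
EXECUTE AS USER = 'ReportReader' WITH COOKIE INTO @cookie;

-- The usual identity functions now report the impersonated principal;
-- only ORIGINAL_LOGIN() still names the login that started the batch.
SELECT USER_NAME()      AS current_user_name,    -- ReportReader
       SUSER_NAME()     AS current_login_name,   -- ReportReader's login
       ORIGINAL_LOGIN() AS original_login_name;  -- the real caller

-- Statements run with ReportReader's permissions, not the caller's.
SELECT COUNT(*) AS row_count FROM dbo.pension_criteria;   -- allowed: SELECT granted
-- UPDATE dbo.pension_criteria SET ... would fail here: ReportReader has no UPDATE

-- A bare REVERT is refused while a cookie is outstanding; the cookie must be presented.
REVERT WITH COOKIE = @cookie;
SELECT USER_NAME() AS after_revert;   -- back to the original user
```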

Best practices for execution context

  • Set execution context on modules explicitly rather than letting it default.
  • Use EXECUTE AS instead of SETUSER.
  • Use WITH NO REVERT/COOKIE instead of Application Roles.
  • Consider using code signing of procedural code if a single granular additional privilege is required for the procedure.

Remote Data Source Execution

There are two ways that procedural code can be executed on a remote instance of SQL Server: configuring a linked server definition with the remote SQL Server and configuring a remote server definition for it. Remote servers are supported only for backward compatibility with earlier versions of SQL Server and should be phased out in preference to linked servers. Linked servers allow more granular security than remote servers. Ad hoc queries through linked servers (OPENROWSET and OPENDATASOURCE) are disabled by default in a newly installed instance of SQL Server 2005 and above.

When you use Windows to authenticate to SQL Server, you are using a Windows network credential. Network credentials that use both NTLM and Kerberos security systems are valid for one network “hop” by default. If you use network credentials to log on to SQL Server and attempt to use the same credentials to connect via a linked server to a SQL Server instance on a different computer, the credentials will not be valid. This is known as the “double hop problem” and also occurs in environments that use Windows authentication to connect to a Web server and attempt to use impersonation to connect to SQL Server. If you use Kerberos for authentication, you can enable constrained delegation, that is, delegation of credentials constrained to a specific application, to overcome the “double hop problem.” Only Kerberos authentication supports delegation of Windows credentials. For more information, see the whitepaper How to Implement Kerberos Constrained Delegation with SQL Server 2008.

Best practices for remote data source execution

  • Phase out any remote server definitions.
  • Replace remote servers with linked servers.
  • Leave ad hoc queries through linked servers disabled unless they are absolutely needed.
  • Use constrained delegation if pass-through authentication to a linked server is necessary.

Authentication

Authentication Modes and Logins

SQL Server has two authentication modes: Windows Authentication and Mixed Mode Authentication. In Windows Authentication mode, specific Windows user and group accounts are trusted to log in to SQL Server. Windows credentials are used in the process; that is, either Kerberos or NTLM authentication credentials. SQL Server 2008 can use Kerberos authentication with all protocols; previous versions only used Kerberos with the TCP/IP protocol. Windows accounts use a series of encrypted messages to authenticate to SQL Server; no passwords are passed across the network during the authentication process. In Mixed Mode Authentication, both Windows accounts and SQL Server-specific accounts (known as SQL logins) are permitted. When SQL logins are used, SQL login passwords are passed across the network for authentication. This makes SQL logins less secure than Windows logins.

It is a best practice to use only Windows logins whenever possible. Using Windows logins with SQL Server achieves single sign-on and simplifies login administration. Password management uses the ordinary Windows password policies and password change APIs. Users, groups, and passwords are managed by system administrators; SQL Server database administrators are only concerned with which users and groups are allowed access to SQL Server and with authorization management.

SQL logins should be confined to legacy applications, mostly in cases where the application is purchased from a third-party vendor and the authentication cannot be changed. Other uses for SQL logins are with cross-platform client-server applications in which the non-Windows clients do not possess Windows logins and applications that require logins from untrusted domains. Although using SQL logins is discouraged, there are security improvements for SQL logins in SQL Server 2005 and later. These improvements include the ability to have SQL logins use the password policy of the underlying operating system and better encryption when SQL passwords are passed over the network. We’ll discuss each of these later in the paper.

SQL Server 2005 and above use standard DDL statements to create both Windows logins and SQL logins. Using the CREATE LOGIN statement is preferred; the sp_addlogin and sp_grantlogin system stored procedures are supported for backward compatibility only. SQL Server 2005 and above also provide the ability to disable a login or change a login name by using the ALTER LOGIN DDL statement. For example, if you install SQL Server 2005 in Windows Authentication mode rather than Mixed Mode, the sa login is disabled. Use ALTER LOGIN rather than the procedures sp_denylogin or sp_revokelogin, which are supported for backward compatibility only.

If you install SQL Server in Windows Authentication mode, the sa login account is disabled and a random password is generated for it. If you later need to change to Mixed Mode Authentication and re-enable the sa login account, you will not know the password. Change the sa password to a known value after installation if you think you might ever need to use it.

SQL Server contains some pre-defined logins such as NT AUTHORITY\SYSTEM and ##MS_PolicyEventProcessingLogin##. These logins are used for SQL Server built-in functionality and should not be deleted.

Logins can be based on Windows groups as well as on Windows users. Using Windows user logins instead of Windows group logins makes it possible to identify individual Windows users for tracking purposes. Also, because a SQL Server login is tied to a default database and default language, if Windows groups are used for logins and a Windows user is a member of multiple Windows groups that have SQL Server logins, the default database and default language that apply are non-deterministic. For example, if Windows user Mary is a member of WindowsFrenchGroup and WindowsEnglishGroup, and each of these groups is defined as a login in SQL Server with a different default language, the last Windows group defined as a SQL Server login determines the default language. Therefore, if users can belong to multiple groups, try to keep Windows group logins consistent with respect to default database and language.

SQL Server 2005 SP2 introduced logon triggers. Logon triggers provide extra control of access to the database by allowing custom actions during the login process.

Best practices for authentication mode and logins

  • Always use Windows Authentication mode if possible.
  • Use Mixed Mode Authentication only for legacy applications, non-Windows users, and users from untrusted domains.
  • Use the standard login DDL statements instead of the compatibility system procedures.
  • If the sa account is not going to be used, disable it. Change the sa account password to a known value if you might ever need to use it. Always use a strong password for the sa account and change it periodically.
  • Do not manage SQL Server by using the sa login account; assign the sysadmin privilege to a known user or group.
  • Rename the sa account to a different account name to prevent attacks on the sa account by name.
  • Do not delete internal built-in logins.
  • Use Windows user logins rather than Windows group logins to control access to SQL Server, and use care with Windows group logins to prevent conflicts.
  • Use logon triggers for more granular control of the login process.

Password Policy

Windows logins abide by the login policies of the underlying operating system. These policies can be set using the Domain Security Policy or Local Security Policy administrator Control Panel applets or Group Policy objects. Login policies fall into two categories: Password policies and Account Lockout policies. Password policies include:

  • Enforce Password History
  • Minimum and Maximum Password Age
  • Minimum Password Length
  • Password Must Meet Complexity Requirements
  • Passwords are Stored Using Reversible Encryption (Note: this setting does not apply to SQL Server)

Account Lockout policies include:

  • Account Lockout Threshold (Number of invalid logins before lockout)
  • Account Lockout Duration (Amount of time locked out)
  • Reset Lockout Counter After n Minutes

In SQL Server 2005 and above, SQL logins can also go by the login policies of the underlying operating system. CREATE LOGIN parameters determine whether the login goes by the operating system policies. These parameters are:

  • CHECK_POLICY
  • CHECK_EXPIRATION
  • MUST_CHANGE

CHECK_POLICY specifies that the SQL login must abide by the Windows login policies and Account Lockout policies, with the exception of password expiration. This is because, if SQL logins must go by the Windows password expiration policy, underlying applications must be outfitted with a mechanism for password changing. Most applications currently do not provide a way to change SQL login passwords. In SQL Server 2008, both SSMS and SQLCMD provide a way to change SQL Server passwords for SQL logins. Consider outfitting your applications with a password-changing mechanism as soon as possible. Having built-in password changing also allows logins to be created with the MUST_CHANGE parameter; using this parameter requires the user to change the password at the time of the first login.  Administrators should be aware of the fact that password length and complexity policies, but not expiration policies, apply to passwords used with encryption keys as well as to passwords used with SQL logins. For a description of encryption keys, see the Encryption section of this whitepaper.
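
The login practices from the Authentication Modes and Logins section (administering through a Windows group, handling sa, logon triggers) together with the CHECK_POLICY, CHECK_EXPIRATION and MUST_CHANGE parameters described above, as one added example that is not part of the original paper. It assumes a Windows group CORP\DBAdmins, a database LegacyAppDB, application hosts APPSRV01 and APPSRV02, and placeholder passwords.

```sql
-- Added example (not from the original paper). Assumed names: Windows group
-- CORP\DBAdmins, database LegacyAppDB, hosts APPSRV01/APPSRV02, placeholder passwords.
USE master;

-- 1. Administer through a Windows group, not through sa.
CREATE LOGIN [CORP\DBAdmins] FROM WINDOWS WITH DEFAULT_DATABASE = master;
EXEC sp_addsrvrolemember 'CORP\DBAdmins', 'sysadmin';

-- 2. sa: set a known strong password (so it is usable if Mixed Mode is ever
--    needed), disable it, and rename it so that attacks aimed at the name "sa" miss.
ALTER LOGIN sa WITH PASSWORD = 'Placeholder-Str0ng-Pw-1!';   -- placeholder
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = SysAdminRenamed;                   -- assumed new name

-- 3. A SQL login for a legacy application that cannot use Windows authentication.
--    CHECK_POLICY applies the Windows complexity and lockout policy; CHECK_EXPIRATION
--    applies the expiration policy (only sensible if the application can change its
--    own password); MUST_CHANGE forces a change at first login and requires both
--    checks to be ON.
CREATE LOGIN LegacyAppLogin
    WITH PASSWORD = 'Placeholder-Str0ng-Pw-2!' MUST_CHANGE,   -- placeholder
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = LegacyAppDB;

-- 4. Verify that the policy flags were actually applied.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'LegacyAppLogin';
GO

-- 5. Logon trigger: refuse the legacy login from anywhere but its application hosts.
--    HOST_NAME() is supplied by the client, so this is a guardrail against casual
--    use of the credential from workstations, not an authentication control.
CREATE TRIGGER trg_LegacyAppHostOnly
ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = 'LegacyAppLogin'
       AND HOST_NAME() NOT IN ('APPSRV01', 'APPSRV02')
        ROLLBACK;   -- a rollback inside a logon trigger denies the connection
END;
GO
```

A logon trigger that errors denies every login it applies to, so test it on a non-production instance first; the dedicated administrator connection is not subject to logon triggers and can be used to drop a faulty one.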

Best practices for password policy

  • Mandate a strong password policy, including an expiration and a complexity policy for your organization.
  • If you must use SQL logins, use password policies.
  • Outfit your applications with a mechanism to change SQL login passwords.
  • Set MUST_CHANGE for new logins.

Network Security

A standard network protocol is required to connect to the SQL Server database. There are no internal connections that bypass the network. As part of SQL Server 2008 R2 installation, a warning message will occur if Windows Firewall is not enabled on the server machine. It is a general network security best practice to enable Windows Firewall and restrict network protocols and ports to the minimum necessary for SQL Server operation.

SQL Server 2005 introduced an abstraction for managing any connectivity channel—entry points into a SQL Server instance are all represented as endpoints. Endpoints exist for the following network client connectivity protocols:

  • Shared Memory
  • Named Pipes
  • TCP/IP
  • VIA
  • Dedicated administrator connection

In addition, endpoints may be defined to permit access to the SQL Server instance for:

  • Service Broker
  • Database mirroring
  • HTTP Web Services (these endpoints are deprecated in SQL Server 2008)

Following is an example of creating an endpoint for Service Broker.

CREATE ENDPOINT BrokerEndpoint_SQLDEV01
    -- STATE defaults to STOPPED; add STATE = STARTED only when the endpoint is needed
    AS TCP ( LISTENER_PORT = 4022 )
    FOR SERVICE_BROKER ( AUTHENTICATION = WINDOWS );

In keeping with the general policy of “off by default, enable only when needed,” no Service Broker, HTTP, or database mirroring endpoints are created when SQL Server 2008 R2 is installed, and the VIA endpoint is disabled by default. In addition, in SQL Server 2008 R2 Express Edition, SQL Server 2008 R2 Developer Edition, and SQL Server 2008 R2 Evaluation Edition, the Named Pipes and TCP/IP protocols are disabled by default. Only Shared Memory is available by default in those editions. The dedicated administrator connection (DAC) that was added in SQL Server 2005 is available only locally by default, although it can be made available remotely. Note that the DAC is not available in SQL Server Express Edition by default and requires that the server be run with a special trace flag to enable it. Access to database endpoints requires the login principal to have CONNECT permission. By default, no login account has CONNECT permission to Service Broker or HTTP Web Services endpoints. This restricts access paths and blocks some known attack vectors. It is a best practice to enable only those protocols that are needed. For example, if TCP/IP is sufficient, there is no need to enable the Named Pipes protocol.

Although endpoint administration can be accomplished via DDL, the administration process is made easier and policy can be made more uniform by using the SQL Server Configuration Manager tool and Policy-Based Management. SQL Server Configuration Manager provides granular configuration of server protocols. With SQL Server Configuration Manager, you can:

  • Choose a certificate for SSL encryption.
  • Allow only encrypted connections from clients.
  • Hide an instance of SQL Server from the server enumeration APIs.
  • Enable and disable TCP/IP, Shared Memory, Named Pipes, and VIA protocols.
  • Configure the name of the pipe each instance of SQL Server will use.
  • Configure a TCP/IP port number that each instance listens on for TCP/IP connections.
  • Choose whether to use TCP/IP dynamic port assignment for named instances.
  • Configure Extended Protection for both service binding and channel binding in SQL Server 2008 R2 (refer to the SQL Server 2008 R2 Books Online topic for more information).

The dialog for configuring TCP/IP address properties such as port numbers and dynamic port assignment is shown in Figure 1.

Figure 1   TCP/IP Addresses configuration page in SQL Server Configuration Manager

In SQL Server 2008, you can GRANT, REVOKE, or DENY permission to CONNECT to a specific endpoint on a per-login basis. By default, all logins are GRANTed permission on the Shared Memory, Named Pipes, TCP/IP, and VIA endpoints. You must specifically GRANT users CONNECT permission to other endpoints; no users are GRANTed this privilege by default. An example of granting this permission is:

GRANT CONNECT ON ENDPOINT::MyHTTPEndpoint TO [MyDomain\Accounting];

Best practices for network connectivity

  • Enable Windows Firewall and limit the network protocols supported.
  • Do not enable network protocols unless they are needed.
  • Do not expose a server that is running SQL Server to the public Internet.
  • Configure named instances of SQL Server to use specific port assignments for TCP/IP rather than dynamic ports.
  • Use extended protection in SQL Server 2008 R2 if the client and operating system support it.
  • Grant CONNECT permission on endpoints only to logins that need to use them. Explicitly deny CONNECT permission to endpoints that are not needed by users or groups.

Auditing

SQL Server 2008 adds a native auditing capability in the database engine. The new SQL Server Audit feature maintains all the capabilities of the SQL Server 2005 auditing solutions and provides enhancements such as flexibility in audit data targets and granular auditing. SQL Server 2008 Audit is available as an Enterprise feature. Earlier versions of SQL Server support login auditing, trigger-based auditing, and event auditing by using a built-in trace facility.

The SQL Server 2008 Audit feature is meant to replace trace-based auditing as the preferred auditing solution. This feature was designed with the following goals in mind:

  • Security – The audit feature, and its objects, must be truly secure.
  • Performance – Performance impact must be minimized.
  • Management – The audit feature must be easy to manage.
  • Discoverability – Audit-centric questions must be easy to answer.

SQL Server 2008 Audit can use a file as the auditing target, but it can also audit to the Windows Application Log or the Windows Security Log. The Windows Security Log is considered resistant to tampering and supports nonrepudiation, although writing to it is generally controlled by a Group Policy object. Auditing to the Windows Security Log also enables integration with the Audit Collection Service (ACS) of Microsoft System Center Operations Manager, which can securely collect audit information from the security logs of multiple machines and generate consolidated reports. SQL Server 2008 Audit metadata is defined using DDL and therefore can be managed using standard SQL Server permissions. Changes to the audit metadata, as well as enabling and disabling audit sessions, are also audited.

If SQL Server Audit is unable to write its audit events to the audit target, you can configure the audit object to shut down the server instance. This is necessary for meeting requirements of the Common Criteria to ensure that the server cannot operate without its activity being audited. If the instance cannot start because of a SQL Server Audit, it can be brought up using the –m or –f trace flags in order to issue the audit DDL necessary to fix the problem with auditing.

SQL Server Audit uses the new Extended Events feature in SQL Server 2008 to minimize impact on performance. Extended Events are events that are built into the SQL Server code to have minimal impact. Audits can be written synchronously or asynchronously, with a configurable queue delay to accommodate a trade-off between database performance and possible audit record loss. Another way to minimize performance impact is to use more granular auditing. SQL Server Audit allows defining audits at a database object and database login/user level, as well as providing a number of audit groups for convenience. At this time, auditing cannot be done at the column level.

Auditing can be configured through DDL as well as SQL Server Management Studio and SMO. This makes it easier to manage, because SQL Server standard management tools and permissions can be used. Three new database objects are used to manage the audit feature: AUDITs, SERVER_AUDIT_SPECIFICATIONs, and DATABASE_AUDIT_SPECIFICATIONs. An AUDIT object resides in the master database and defines where the audit information will be stored, a file rollover policy (if using file targets), a queue delay, and whether or not to shut down the instance if audit records cannot be written. A SERVER_AUDIT_SPECIFICATION or DATABASE_AUDIT_SPECIFICATION specifies what accesses and what principals to audit at the server or database level, respectively. One or more specifications are associated with an AUDIT, connecting what is audited with where the information is written.

Auditing information written to file targets is stored in a binary format and can be read with the table-valued function fn_get_audit_file(). Because access is through this table-valued function, it is easy to select and report on audit information using ordinary Transact-SQL code. Audit information written to the Windows log can be read using any of the Windows log-reading utilities, such as Windows Event Viewer. Both file-based and Windows log-based auditing information can also be read directly with SQL Server Management Studio.
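
The three audit objects described above, wired together and then read back through the table-valued function, as an added example that is not part of the original paper. It assumes an audit folder D:\SQLAudit\ and a database HRDatabase; dbo.pension_criteria is the table used elsewhere in this paper.

```sql
-- Added example (not from the original paper). Assumed: audit folder D:\SQLAudit\
-- and database HRDatabase.
USE master;

-- 1. AUDIT object (lives in master): target, rollover, queue delay, failure behaviour.
--    ON_FAILURE = SHUTDOWN is the Common Criteria behaviour described above; the login
--    creating the audit needs SHUTDOWN permission for it, and if the audit ever
--    prevents startup the instance is started with -m or -f to repair it.
CREATE SERVER AUDIT HRAudit
    TO FILE ( FILEPATH = 'D:\SQLAudit\',
              MAXSIZE = 100 MB,
              MAX_ROLLOVER_FILES = 20 )
    WITH ( QUEUE_DELAY = 1000,        -- milliseconds; 0 means synchronous writes
           ON_FAILURE = SHUTDOWN );

-- 2. Server-level specification: what to audit at the instance level.
CREATE SERVER AUDIT SPECIFICATION HRAudit_Server
    FOR SERVER AUDIT HRAudit
    ADD ( FAILED_LOGIN_GROUP ),
    ADD ( SUCCESSFUL_LOGIN_GROUP ),                 -- failed-then-successful patterns
    ADD ( SERVER_PRINCIPAL_IMPERSONATION_GROUP ),   -- EXECUTE AS LOGIN
    ADD ( AUDIT_CHANGE_GROUP )                      -- changes to the audit itself
    WITH ( STATE = ON );

-- 3. Database-level specification: granular, per object and per principal.
USE HRDatabase;
CREATE DATABASE AUDIT SPECIFICATION HRAudit_HRDatabase
    FOR SERVER AUDIT HRAudit
    ADD ( UPDATE, DELETE ON OBJECT::dbo.pension_criteria BY public ),
    ADD ( DATABASE_PRINCIPAL_IMPERSONATION_GROUP )  -- EXECUTE AS USER
    WITH ( STATE = ON );

-- 4. Audits are created OFF; enable the audit last, once its specifications exist.
USE master;
ALTER SERVER AUDIT HRAudit WITH ( STATE = ON );

-- 5. Reading the file target: ordinary T-SQL over the table-valued function.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_principal_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\HRAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                 -- LGIF = login failed
   OR object_name = 'pension_criteria'
ORDER BY event_time DESC;
```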

For more information on the SQL Server 2008 auditing feature, see the whitepaper Auditing in SQL Server 2008.

Password policy compliance is automatically enforceable through policy in SQL Server 2005 and above for both Windows logins and SQL logins. Login auditing is available by using an instance-level configuration parameter. Auditing failed logins is the default, but you can choose to audit all logins. Although auditing all logins increases overhead, you may be able to deduce patterns of multiple failed logins followed by a successful login, and use this information to detect a possible login security breach. Auditing is provided on a wide variety of events including Add Database User, Add Login, DBCC events, Change Password, GDR events (Grant/Deny/Revoke events), and Server Principal Impersonation events. SQL Server 2005 SP2 and above also support logon triggers.

SQL Server 2005 introduced auditing based on DDL triggers and event notifications. You can use DDL triggers not only to record the occurrence of DDL, but also to roll back DDL statements as part of the trigger processing. Because a DDL trigger executes synchronously (the DDL does not complete until the trigger is finished), DDL triggers can potentially slow down DDL, depending on the content and volume of the code. Event notifications can be used to record DDL usage information asynchronously. An event notification is a database object that uses Service Broker to send messages to the destination (Service Broker-based) service of your choosing. DDL cannot be rolled back by using event notifications.
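
A DDL trigger of the kind described above, which both records DDL through EVENTDATA() and rolls back DDL against a protected table, as an added example that is not part of the original paper. It assumes a database HRDatabase and a constructed log table dbo.DDLAuditLog; dbo.pension_criteria is the table used elsewhere in this paper.

```sql
-- Added example (not from the original paper). Assumed: database HRDatabase and a
-- constructed log table dbo.DDLAuditLog.
USE HRDatabase;
GO
CREATE TABLE dbo.DDLAuditLog (
    log_id      int IDENTITY(1,1) PRIMARY KEY,
    event_time  datetime2      NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name  sysname        NOT NULL,
    event_type  nvarchar(128)  NOT NULL,
    object_name nvarchar(128)  NULL,
    outcome     varchar(10)    NOT NULL,   -- 'ALLOWED' or 'BLOCKED'
    tsql        nvarchar(max)  NULL,
    event_xml   xml            NOT NULL
);
GO
-- Synchronous DDL trigger: records table DDL in this database and refuses DROP or
-- ALTER of dbo.pension_criteria. EVENTDATA() is captured before the ROLLBACK and the
-- log row is written after it, so the record survives while the DDL does not.
CREATE TRIGGER trg_AuditTableDDL
ON DATABASE
FOR CREATE_TABLE, ALTER_TABLE, DROP_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml = EVENTDATA();
    DECLARE @event_type nvarchar(128) = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)'),
            @obj        nvarchar(128) = @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)'),
            @tsql       nvarchar(max) = @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
            @outcome    varchar(10)   = 'ALLOWED';

    IF @event_type IN ('DROP_TABLE', 'ALTER_TABLE') AND @obj = 'pension_criteria'
    BEGIN
        ROLLBACK;   -- undoes the DDL; the trigger keeps running in autocommit mode
        SET @outcome = 'BLOCKED';
    END

    INSERT dbo.DDLAuditLog (login_name, event_type, object_name, outcome, tsql, event_xml)
    VALUES (ORIGINAL_LOGIN(), @event_type, @obj, @outcome, @tsql, @e);

    IF @outcome = 'BLOCKED'
        RAISERROR('DDL on dbo.pension_criteria is blocked by trg_AuditTableDDL and has been logged.', 16, 1);
END;
GO
```

A subsequent DROP TABLE dbo.pension_criteria fails (SQL Server also reports that the transaction ended in the trigger) and leaves a BLOCKED row in dbo.DDLAuditLog, while ordinary CREATE TABLE statements are recorded as ALLOWED.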

Because the surface area of SQL Server 2008 is larger than that of previous versions, more auditing events are available in SQL Server 2008 than in previous versions. To audit security events, use event-based auditing, specifically the events in the security audit event category (listed in SQL Server Books Online). Event-based auditing can be trace-based or event notification-based. Trace-based event auditing is easier to configure, but may result in large event logs if many events are traced. On the other hand, event notifications send queued messages to Service Broker queues that are in-database objects. Not every event is available to both mechanisms; some events, such as SQL:StmtCompleted, are not available when using event notifications.

There is a WMI provider for events that can be used in conjunction with SQL Server Agent alerts. This mechanism provides immediate notification through the Alert system that a specific event has occurred. To use the WMI provider, select a WMI-based alert and provide a WQL query that produces the event that you want to cause the alert. WQL queries use the same naming syntax as event notifications do. An example of a WQL query that looks for database principal impersonation changes would be:

SELECT * FROM AUDIT_DATABASE_PRINCIPAL_IMPERSONATION_EVENT

SQL Server can be configured to support auditing that is compliant with C2 certification under the Trusted Database Interpretation (TDI) of the Trusted Computer System Evaluation Criteria (TCSEC) of the United States National Security Agency. This is known as C2 auditing. C2 auditing is configured on an instance level by using the C2 audit mode configuration option in sp_configure.

When C2 or Common Criteria auditing is enabled, data is saved in a log file in the Data subdirectory in the directory in which SQL Server is installed. The initial log file size for C2 auditing is 200 megabytes. When this file is full, another 200 megabytes is allocated. If the volume on which the log file is stored runs out of space, SQL Server shuts down until sufficient space is available or until the system is manually started without auditing. Ensure that there is sufficient space available before enabling C2 auditing and put a procedure in place for archiving the log files.

Best practices for auditing

  • Auditing is scenario-specific. Balance the need for auditing with the overhead of generating additional data.
  • Use the SQL Server 2008 Audit feature for the most secure, performant, and granular auditing.
  • Audit successful logins in addition to unsuccessful logins if you store highly sensitive data.
  • Audit DDL and specific server events by using trace events or event notifications.
  • DML can be audited by using trace events or SQL Server Audit.
  • Use WMI to be alerted of emergency events.

Conclusion

Security is a crucial part of any mission-critical application. To implement security for SQL Server 2008 R2 in a way that is not prone to mistakes, security setup must be relatively easy to implement. The “correct” security configuration should be the default configuration. This paper describes how it is a straightforward task to start from the SQL Server 2008 R2 security defaults and create a secure database configuration according to the Trustworthy Computing Initiative guidelines.

For more information:

SQL Server 2008 R2 Security web site

Auditing in SQL Server 2008

Cryptography in SQL Server

Database Encryption in SQL Server 2008 Enterprise Edition

Engine Separation of Duties for the Application Developer

SQL Server 2008 Compliance Guide

SQL Server 2008 Database Object Schemas Best Practice

SQL Server 2008 R2 Security Datasheet

SQL Server 2008 R2 Security Overview Deck

SQL Server 2008 Security Overview Whitepaper

SQL Server 2008 Certifications, Compliance, and Vulnerabilities

Securing Data with SQL Server 2008 and Improving Dynamics CRM Performance

PCI Compliance with SQL Server 2008 and Webcast

HIPAA Compliance with SQL Server 2008 and Webcast

SQL Server 2008 in FIPS 140-2-compliance mode

Enterprise Policy Management Framework with SQL Server 2008

Security forum for SQL Server

SQL Server 2008 Security Overview (TechNet)

Hyper-V Security Guide

SQL Server delivers industry-leading security

Microsoft Security Compliance Manager

    • Do you have a source for the 11000 criminals being shot every year? I’d like to use that in a couple of ‘discussions’ I’m having with a few anti’s, but I know they will want to see a source. Thanks.

    • Hey Angel just wanted to let you know that you are so beautiful and i love the fact that you are so confident and excited about what you do. You are a inspiration to me Stay beautiful.x

    • whoever wrote this article is obviously retarded. check this out:“The iPhone 5 also features a larger display”it’s funny how they wrote that and then included a side by side visual comparison where you can physically see the larger screen size on the nexus. don’t even get me started on the other inconsistencies.

    • Hallo!Ich bin auch gerne dazu bereit dies zu unterstützen,zumal auch nicht alle in der SPD dahinter stehen,was die Regierung da gemacht hat.Ich bin auch für ein Vereintes Europa aber es soll für alle gerecht und fair zu gehen und nicht auf kosten unserer Nachkommen!

    • Good point. I hadn’t thought about it quite that way. :)

    • Fortunately for Miranda, there are plenty of guys out there that need to play the rescuer role. Not a marriage made in heaven, иако.I feel anxious for poor Miranda. I will keep hoping that she eventually figures it out. Ferd неодамна испратени..

    • Well I feel like a huge slug for being too lazy to post comments most of the time. I love the color of that sock! And the pattern that’s developing. That Ink Circles is too cute. I had fun stitching mine. So much I may stitch it twice. Oh wait, I will be – most of it appears on her Masquerade design. Missy Ann´s last post:

    • You Asians are such cheap bastards. You take over industries invented by others, manipulate your currencies, and subsidize your industries, and you still don’t want to pay. Just fork over the $ and quit your bitching. You can afford it.

    • drabner ou baqa ou sabakne ou scteka cest un dicton arabe .c’est bizarre tu ne parle pas de toutes les massacre qui font tes insurge . Mons amis je ne défend personne .ouvre tes yeux

    • dreams, yes the korres one is on my list too, might check that one before now you have come to mention it, i remember the reveiw that belle du jour did.@Kerri I am currently using the bobbi brown tinted moisturiser and it has great coverage and i love it. but i need one a little lighter in texture.

    • Beautiful photos Chelle!Dance is an important part of my life too, although I'm nowhere near as accomplished a dancer as you must be. I just go out for salsa to blow off some steam.

    • it depends on what you want to do more of but a good table saw or radial arm saw or sliding compound mitre saw. but later i would buy a lathe they are gerat for many things

    • Karl,Did some more research on those GFS pedals… According to one guy they are clones of the Biyang pedals with a new paint job and a few mods. I thought the tubescreamer pedal and delay pedal sounded good for the price. i didn’t like the black distortion pedal much. Do you know anything about the Biyang line?Tyler

    • While browsing for sites relevant to hosting and specifically comparison hosting linux plan web,your site showed up.You might be a very smart person!

    • Tapez votre commentaire Vous pouvez utiliser ces mots-clés HTML : <a> <abbr> <acronym> <b> <blockquote> <cite> <code> <del> <em> <i> <q> <strike> <strong> Prévenez moi de tous les nouveaux commentaires par email. Prévenez moi de tous les nouveaux articles par email.

    • Kiitos kommentista! Tämä vahvisti käsityksiäni siitä, millainen kirja oli kyseessä. Kuten sanottu, saatan lainata kirjan vielä uudestaankin, mutta tällä hetkellä ei kyllä harmita, että se jäi kesken. Harmittaa vain Juslinin puolesta – F & F on nostattanut varmasti paljon odotuksia häntä kohtaan ja on sääli, jos monet ovat sitä mieltä, että tämä uusin on pettymys Fridaan nähden.

    • 153Hello David, we are working on our U Box service from all points Europe to USA. I think in your case the U Box will be perfect for your things. We will have the prices and service options available in the next few weeks and once they are finalised I will get them emailed to you. Thanks Moving Doc.

    • Now I’m seriously jealous. I’ve got dibs on the Rollins! And the Barron. I’ll change my name, if I have to! I’m giving you fair warning in case Canada ever decides to invade Alaska, because I know exactly whose house I’m ransacking.

    • It’s worth noting, also, that we already have people who can not only recreate human experience, emotion and mathematical functioning but also transfer those things to other minds — we call them artists: poets, novelists, painters, musicians, composers, mathematicians and teachers: high priests of the temple of information.

    • à°¸ుà°œాà°¤ à°—ాà°°ు,à°šాà°²ా à°¬ాà°—ా à°°ాà°¸ాà°°ు. I agree with your line of thought on the issue.Its an issue we should start thinking about.

    • Hello, Ladies! It’s Tina from Being Made New on the UBP (#73). Thanks for stopping by earlier today. I still haven’t had time to browse around on any blogs yet, but wanted to come here since you visited me. :^) I think your concept – of the three of you blogging together – is really unique. :^)

    • Zdravím Vás z Trnavy.Vďaka za prianie. Dúfam, že sa situácia v Iráne upokojí a že sa cesta bude daÅ¥ uskutočniÅ¥. S dokumentáciou z cesty to bude asi slabÅ¡ie. Je tam samý zákaz foto, ale niečo zaujímavého snáď priveziem. Máte pekné zábery, hlavne z Maroka. Aký máte odtiaľ pocit? Oplatí sa?Ak budete niečo chcieÅ¥ vedieÅ¥ o Jordánsku, ozvite sa. Ale vo filme sa dá dozvedieÅ¥ väčšina.Pekný večer

    • Amigo, interessante esse seu tablet! Na maioria das vezes, o que são vendidos no Brasil são os chingling de 800mhz. Pensava que não havia tablet chingling com dual core!!Você poderia me passar algumas dicas de como você comprou o seu tablet no site internacional? Eu não sei como faço para comprar nesse site! O meu email é Muito bom o post, me ajudou a tirar algumas dúvidas de tablets!

    • Amusant, ça, un blog policier qui utilise une image dont il ne dispose pas des droits… Vous l’avez pompé où, le dessin d’Albert sur le Titanic ? En plus, vous l’utilisez assez mal à propos.

    • Heya i am for initially here. I found this board and I find It truly valuable & it helped me out much. Like I was helped by you I hope to give something back and support others.

    • Congrats on the advance copies! How exciting for you!!My blah days seem to sneak up on me. They’re usually the ones where I jump out of bed thinking “Today’s going to be FAB” only to trip over the dogs, find the cats threw up on my new jacket, and the toddler has a snotty nose… again. lol

    • Had same problem with ca3. Sliding as well. Became a huge problem because i have bunion on right foot. As for rivets, you can contact alkali on Facebook. They shipped a pair out to me within the week, and that’s something because I, I’m Singapore. I’m not impressed with chassis though, way too soft. Will probably pick up Bauer or mission EE later on.

    • Maybe you should ask yourself WHY KWA has “fanboys”. I’ve easily got $2000 of airsoft equipment from all the top manufacturers. You know what I’ve learned, everything else is inferior. I’m sorry you can’t afford to buy the best, but don’t delude yourself into thinking that your “upgraded” JG is remotely in the same category

    • Wanted to drop a remark and let you know your Rss feed isnt functioning today. I tried adding it to my Yahoo reader account and got absolutely nothing.

    • Resultado:Frelimo 1 MDM 0Mas nao desespere Daviz, o campeonato ainda nao acabou. Ha muitos bom jogadores por ai, ha espera de um treinador como o Sr.Reenforce a equipe,eleve a moral, mobilize os adeptos e vamos ao ataque…pela DEMOCRACIA.

    • #82 clotI’ve been watching prices drop in Basking Risge and Warren for over a year. I’d swear ask is down 15 to 20%. I doubt the Plunge Protection Team can stop it the avalanche that’ picking up speed.My pos townhouse we are renting continues to drop at least $3 for every $1 in rent we pay.

    • Oui mais faut pas tomber dans l’opposé… les meilleurs seront quand meme a Las Vegas… contrairement à Clearwater. Les roll down étaient pratiquement inexistant cette année comparé Clearwater. Par contre, Esprit est une bonne organisation, et c’est le week-end du ProTour en plus… alors ca vaut le coup de rester en ville…Qui veut mon appart?

    • Hi Pradeep,Well done – Personally, It looks better. And change is a good thing, every now and then. With the new look and feel the UX personally seems to be a lot more fluent, yet still visually attractive. Great job, compliments on the new theme.

    • · those incredible photos – you and tim look SO HAPPY!! what a photographer, to capture that love. seriously, talk about the wedding. it makes me happy! and now, these cookies! YUM!! thanks for the great recipe!

    • GOP deal for Cubans should be this:1) Cubans back immigration restriction. 2) In return, US replaces embargo on Cuba with 10% tariff, and uses the proceeds of that to compensate Cuban-Americans (and their heirs) whose property was expropriated by Castro.

    • Clopineje suis d’accord avec vous: Onfray est bon prof, il compile très bien et il sait restituer (je pense aux cours qu’il a donnés sur France culture et vendus partout en CD) ce qu’il lit.De là à en faire un philosophe…Putain, Joey Starr est lacanien! Et on ne nous le disait pas!!! Le surmoi de ce type m’apparaît enfin en plaine lumière!!! de toutes ses dents en or! Merci Christian!!!

    • Concordo com você, o Brasil é um país que ainda precisa rever milhares de carências com relação à educação básica. Dar um computador aos estudantes não será uma solução efetiva e gastar todo esse dinheiro com isso seria uma perda inútil, afinal, o problema maior está no conteúdo, na formação dos professores e de suas capacidades e principalmente na escassez de escolas nas regiões mais pobres e afastadas.

    • What a lovely tribute to Mr. Sheffer. Thank you, Hannah. I too have listened to him for years and will miss him. I had the pleasure to see him earlier this year when he brought Selected Shorts to Berkeley Rep. He was just as lovely and warm as I’d imagined from hearing his voice. How lucky you are to have called him your friend.

    • / Saling kritik dan saling menggulingkan memang sudah menjadi hal biasa dalam percaturan politik mas Haris, akhir2 ini memang bikin gemes aja tokoh2 partai ini.Salam kenal

    • He Erno, ook hier? Fraude mag wel, als het maar op een ‘nette’ manier gaat. Zal kijken of ik nog meer liefhebbers kan verzamelen om die Hongaarse sites uit die top5 lijst te duwen tot dan..

    • bzn,ca si cum ai spune pansament ptr. suflet.Copil fiind am trait cu muzica lor,ma doare cand vad ca numele mari pl;eaca usor,usor si lasa un gol imens in sufletele noastre.Fara ei nu imi pot imagina lumea show-bizului.In anii 80 ascutam bzn cu emotia pe care o am si acum cand ii ascult.BLUE EYES;DANCE DANCE;CHANSON D’AMOUR m-auu invatat sa iubesc si sa respectmuzica buna indiferent de regim sau de ideologii absurde.Pentru asta:MULTUMESC B Z N si domnul sa va aiba in paza!GEORGE-BALOO=CERNICA

    • 铭盛卡行(QQ1228557129)所出售卡均为一级卡源,全新无任何交易记录,资料齐全,真实身份办理,亦可指定名字办理,诚信淘宝担保交易! 例如—可以给你淘宝店刷提高您的淘宝信用记录。 例如—你想接受汇款,但又不想让对方知道自己的真实姓名。 例如—您想给领导送礼办点事情,但是又不想让自己的隐私暴露!这时您就需要到我们提供办理的卡,我们的卡可以让您随意的a转帐–送礼。给客户保密了隐私的同时也去除了客户的后顾之忧。本团队以真实代开卡【QQ:1228557129】办理、分别提供7大银行卡;中国银行—工商银行—建设银行—农业银行—交通银行—招商银行—邮政银行[网上银行(口令卡,电子证书,U盾)长期供应,保证全新开户,保证开户资料齐全,保证带真实有效开户原件,承接指定名字开户我们的宗旨是:质量+速度+信誉!我们希望与 有长期需要的客户建立长期合作关系,彼此信任,共同赢利。如有需要请联系!非诚勿扰! 客户的满意是我们的心愿欢迎光顾公司宗旨á。公司文化: 诚信—用心做事,诚信为人 规范—规范管理,依法治企 高效—真诚服务,高效便捷 和谐—同舟共济,创建和谐公司口号: 以实力、效率立足于市场 用服务、便捷来赢得口碑 崇尚职业道德,遵守法律法规  急您所急、思您所思温馨提示:在本卡行购买的卡可用于收藏使用!

    • Murat diyor ki:MerhabaLarr… Cok AcıL Benımde Ise Ihtıyacım Var ama Sadece B Sınıfı EhLıyetım Var.24 Yasındayım NıLufer BesevLerde Oturuyorum. 5 senedır Aktıf oLarak Arac kuLLanmaktayı askerLık TamamLanmıstır Askerıyede TunceLıde Tabur komutan söföruydum SaygıLar.. 5428329458

    • unfortunately, there are cases, where the body was wrecked prior to health knowledge that make fruit digestion not the best option. It sucks. I lost my thyroid when I was 15, thankyou medical science! It? has been a long slow process for me to regain my health…but some of us cannot go straight to fruit from even 2 years vegan lifestyle. I do agree your diet is the best diet for humans…but if we’ve been screwed by our past choices, we are in a different boat.

    • All I can say is that Turkey Day dinner is going to be mighty awkward (and sexually charged) AT MY PARENTS HOUSE on Thursday. And no one is even going to know it…okay every.single.one of them will know it. This IS me after all. But now I have an uninnuentional guide…LOL!

    • Adding to the “and don’t forget your pets” bit, having a couple extra bags of dry dog food around is nice because you know the dog’s going to get through it eventually, and if things go pear-shaped there’s some reasonable nutrition in the dry food. (And it’s not an obvious “steal me” item, either.)

    • Cock. Confession #386 Shower Cal’s wisdom Blinded and Bound The Little Things… lust The Witness Quiet and Still Giving and Receiving Beasts in the Bathroom Fixation: Touch The Pussy Eating

    • Hey, you used to write wonderful, but the last few posts have been kinda boring… I miss your tremendous writings. Past few posts are just a little out of track! come on!

    • i was the exact same way. but i recommend this because if the droid incredible is so incredible it’d have more memory and standby time than the motorola droid. this has 270 hours standby time i think. you’d have to go on verizon website and look at the specifications of each phone. but the incredible has like 140 hours standby time. so WAY short battery life. It cracks easily especially the screen. the motorola has 16gb memory incredible has 8gb. i’m getting this motorola. u shud 2.

    • I used this a lot on my puppy. She is now 8 month old and very observent of me! it defenitly helped shaping her the way she is now. Thank you so much for this video!

    • I have not been able to establish if GoogleBot really crawls and indexes Disqus comments. Just looking at my GWMT fetch as GoogleBot, I don't see any comments being fetched – .Perhaps a WordPress misconfiguration or the GWMT function does not show what the bot would do?

    • Larry Vermeersch of Kenora, Ontario. “My balance is back and I’m walking without a cane. I’m a pretty hard guy to convince, but getting these two procedures together has made me a believer. I’m looking forward to the physio ahead because I can feel everything coming back.” Log on to ccsviclinic. ca for more information.

    • در عصر تکنولوزی و ارتباطاعات و پیشرفت و…جای معنویت و دنبال حقیقت رفتن خالیه.تازه دارم متوجه میشم که معنی اینکه :سختی که امام زمان (عج )از مردم آخر زمان میکشه خیلی بیشتراست از سختی و رنجی که پیامبر از مردم دوران جاهلیت میکشیده …..

    • comentou em 19 de agosto de 2011 às 10:04. Carina,já recebemos a sua pergunta, mas como são muitas as dúvidas para a Julia, é preciso ter um pouquinho de paciência ;)

    • Det var bare en vennlig oppfordring, fordi den første kommentaren din bar preg av Ã¥ ikke helt ha lest skikkelig gjennom artikkelen. Men med den tonen du har i kommentarfeltet sÃ¥ er det ikke akkurat som at jeg gidder Ã¥ diskutere med deg.

    • I was really surprised by both the canning and oil museums – they are so worth a visit. I agree its great to go to the oil museum with somebody who knows the industry. I’m glad to hear somebody else liked the museums too!

    • I've got my copies on order now. Haven't a clue about Thunderbolts but I'm sure it will be cracking.So are you getting any time to work on Sweeny Todd now? That must seem like a million years ago since you started on that.

    • Stuart, if I understand correctly you are working from cafe (telecommuting)? You could do that from home I assume, could you elaborate on why you prefer not to (since it involves considerable investment of time and energy)?I enjoyed this post a lot. In London now the weather starts resembling your Ithaca descriptions, so some things may become relevant here… I have had to stop cycling over the last two weeks.

    • Absolutely pent content, thanks for information. “The bravest thing you can do when you are not brave is to profess courage and act accordingly.” by Corra Harris.

    • Great publish, very informative. I ponder why the opposite experts of this sector don’t realize this. You must continue your writing. I am confident, you have a great readers’ base already!|What’s Going down i am new to this, I stumbled upon this I’ve discovered It positively useful and it has aided me out loads. I’m hoping to contribute & help different customers like its aided me. Great job.

    • Hi,I prefer using varigated silk perle. I usually use 2 strands. I pull and cut about 10 inches of one strand and then do the same again. I put opposite ends together and it gives an interesting variation to the colors. I find that the silk perles are easy to wotk with and offers many colors. I have a seller that I buy from, but as I understand we are not supposed to advertise on this blog. I am sure all of the commercial colors will have the same affect.Thanks for all the other messages. They always give a different view on colors and card making.Marlene S.

    • the opening presentation “bad news, good news” was an incredible format in which to encourage (and as needed convict) those that may otherwise never be in attendance again. Is there a link available to that presentation? I’m certain that I can make use of it as tool to share with many others…

    • I haven’t checked in here for some time as I thought it was getting boring, but the last several posts are really great quality so I guess I’ll add you back to my everyday bloglist. You deserve it my friend. :)

    • Word, Lainus. To be fair to the filthy Hun, he did well in the 1866-1871 season. To echo Tam, in part because the Germans incorporated technical and industrial developments into war fighting.Even more so because they selected reasonable, limited targets and made sure those targets were alone. Their wars of 1914 and 1939 were acts of fundamentally stupid and personally evil leaders.

    • Ahhh… I can see how that would throw things off. There actually is no false value for block, so that was actually blocking the page. The custom field to unblock is “unblock”.Regarding the email, if users are not receiving emails, there may be an issue with wp_mail. I would initially refer you to the FAQs for ““

    • napsal:2borufka:jsem ráda, že jsem Ti vlila do žil optimismus A gratuluji k ukončení studia! Sleduji to s napÄ›tím…2Flee:To pÅ™eci stačí – máte sebe. My jeÅ¡tÄ› dÄ›ti nemáme, ale vÅ¡echno pÅ™ijde. ÄŒasem. Moc se na to oba těšíme

    • One of the most significant historian of Indo-Pak partition, she is also renowned for her snap of Mahatma Gandhi with his spinning wheel. Margaret started her career in 1929, when Fortune Magazine designated her

    • Tara,What a shining and true example YOU are…of the Girl Effect, in action. Through what you have created here in this space, through the life you live, and through the impact you have on those whom you touch with your presence! That is a gift…YOU are a gift.Thank you so much for leading the charge in getting so many people involved in giving EVERY girl what she so rightly deserves.You are an amazing, amazing light of goodness in our world.Love and peace,Lance[]

    • Can I just say what a aid to find somebody who actually knows what theyre talking about on the internet. You definitely know easy methods to deliver an issue to mild and make it important. More individuals need to learn this and understand this aspect of the story. I cant believe youre no more widespread since you positively have the gift.

    • Hmm it seems like your blog ate my first comment (it was super long) so I guess I’ll just sum it up what I wrote and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to the whole thing. Do you have any recommendations for newbie blog writers? I’d really appreciate it.

    • Doug,I’m on your website Earth Track and am trying to look at your publications on nuclear subsidies or any of your analyses on subsidies and nothing is coming up. Is this a website flaw or am I doing something wrong? David, NEI

    • Naukulan likat matkaavat aina lomille Mummolaan! Tulevat suht hyvin toimeen myös siellä majailevan Minni-kissan kanssa. Toivottavasti hyvä hoitopaikka löytyy!

    • I don’t believe the FAA should make public the itinerary of business aircraft, or that of aircraft owned and operated by prominent VIP’s, celebrities, or otherwise-wealthy individuals such as successful lawyers and doctors. Here is why: Kidnappers are enough of a danger to wealthy individuals and their families as it is. Why make it easier for those criminals?

    • It’s posts like this that make surfing so much pleasure

    • Can't wait to hear all about your trip! That definitely sounds like a great way to start of the day after a holiday (actually it sounds like a great way to start any day). I can never go past ordering these when I go to his cafe, I've been meaning to try making them myself for ages! You've got me extra tempted now :)

    • Hi Nat! I had stuffing in there, turkey, sweet potatoes, cranberry relish, and a mix of roasted vegetables (beets, brussel sprouts, and butternut squash. Use whatever you have! I think my creamed beets would be lovely in here too. This is especially good if you don’t have a lot of turkey left over (or you want to save most of it for sandwiches!), but have lots of sides to deal with. Nothing’s wasted!

    • Flott med en hjelpsom sønn;)…og med god service;)All erfaring tilsier at den blir ikke sÃ¥ langvarig denne “vinteren” heller…fÃ¥r hÃ¥pe jeg ikke tar feil! Men det er fint Ã¥ se pÃ¥ da;)

    • Ich habe bei mir ein Problem und zwar geht der Ton und die Ton Spur nicht immer Parallel zum Video sonder liecht verzögert was könnte man da machen

    • Some people are just self-centred, evil, smug, selfish dimwitted little shits, Grappler. Perhaps it’s that simple.And I doubt even he believes this garbage. Opportunism knocks….

    • ma piu' che altro, quello che filma a lato era nel laghetto ? e perche' lui atterra sulle strisce del tosaerba che sono molto piu' sulla sinistra, senza far spitasciare le ali sugli arbusti ?

    • Karen: Erru gæren, klart man ønsker hevn. Men noen av oss har et visst regelverk Ã¥ følge. Mulig man mÃ¥ vente til de er ferdige med skolen, skal man fÃ¥ gjort det skikkelig. ;)

    • Thank you for the comments! Sorry about not responding….internet is a bit sporatic while we are camping!!!!Madeline, I never saw such fireworks…they were spectacular! And yes, the Ring of Fire did indeed appear!Jackie, not to fear about the Murph….Michelle ran to the wee laddie and administered numerous hugs and kisses. He was not the least bit bothered by his less than graceful landing! (Scottish tenacity, I tell ya!)Thank you, Chris! Fun filled days are the (very) best!

    • shadok et Huyet: Les autres francophones ne sont pas aussi CONS que les Français: jamais ils n’iraient pomper des queues vides, par exemple ! (c’est une métaphore poétique du financement des retraites)

    • Ive been meaning to read this and just never got a chance. Its an issue that Im very interested in, I just started reading and Im glad I did. Youre a great blogger, one of the best that Ive seen. This blog definitely has some information on topic that I just wasnt aware of. Thanks for bringing this stuff to light…..,.

    • Gordon, regarding your “creative Apache rules”: it appears that each of the 4 trackback spam attempts came from different IPs, but each time, 7 seconds before the spam, there was a read of that page from 205.218.67.174. I’ve used iptables to block access from that particular IP. We’ll see if it helps.

    • Keegi ei ole siin seda veel öelnud, aga minu arust on see üks väga lahe/hea/tore/armas pilt ja ma tahtsin oma arvamuse siia lisada Kas ta ikka veel «oboe» ütleb?

    • بارك الله فيك يا استاذ محمود…للأسف آذانا الجهال كثيرا بعنصريتهم, كما خذلنا الكثير بسكوتهم و عدم ردهم. و المشكلة أن أمثال هؤالاء يجدون من يدلس عليهم و يبرر لهم بطريقة غير مباشرة ما يتقيؤنه … لكن عند الله تجتمع الخصومتحياتي و احترامي لك

    • Danke für die Tipps! Seit ich alle Geräte immer komplett aus der ziehe und auch sonst ein wenig auf mein Verbrauchsverhalten achte, hat sich mein Stromverbrauch schon spürbar verringert!

    • greatest institution weblog…Whats in excess that’s type of regarding returning via subject but Our spouse together with i is nevertheless asking one self whenever websites utilize WYSIWYG writers or perhaps should you personally technique code along with HTML. Now we are simply …

    • dit :Bonjour Maxime,Merci pour ce témoignage qui, une fois de plus, me réjoui de vivre sur cette belle planète Terre !Que tout ce que tu donnes te soit retourné au centuple.A très bientôt,Nicole

    • So Mark, instead of trying to make this about me, stay focused. Pbrain compared the candidates and issues in the upcoming elections to those this nation faced in 1776. I say it’s hyperbole. How do you feel aout it.As to the name calling, the moniker Pbrain stays. If he doesn’t like it, too bad.. He should have thought about that when Pbrain dredged up an issue from my past that had nothing to do with the subject at hand. He mocked me even though my position on the long past issue was the same as his. The difference was that I took action, he merely flaps his yap. By definition the guy is a Pbrain

    • kourasthkame re megale mo to poioi itan sto kysea kai poioi den itan kai na mi vgenei akri.kourastikame!!!!hrisi avgi na xevromisi o topos.kai oute mia hameni ψifos stin nea dimokratia.

    • What did you find broken or weird? I’m curious because I read there were glitches but so far I have only encountered one issue, and I don’t know what the cause was. It was in the first battle against the snake undead lady and I had to temporarily turn off a graphics effect. Otherwise the game has played perfectly for me so far.

    • I just like the helpful info you provide for your articles. I’ll bookmark your blog and check once more right here frequently. I am rather certain I will learn a lot of new stuff right here! Good luck for the next!

    • This was an AHA moment for me too Geri-mom. I’ve never considered that my anger could have nothing to do with the person I’m angry at. It really is mind-blowing. Realizing that negative emotions are a sign of something I have to work on inside myself is fascinating. I will try to act from love. Thank you for this new perspective.

    • We pray that he will rest in Peace, and God will give the strength to his family, and friends, to cope during this difficult situation. God bless his soul, and Rest in Peace

    • Jeg skriver dagbog, selv de mørkeste dage kan vi som regel finde mindst 3 gode ting. Det kan være at solen skinner, sidde stille og nyde sin the alt som glæder dig og ingen glæde er for lille.De sidste 15 mdr. har jeg officielt haft en depression og jeg føler med dig.

    • I have just recently started teaching my mom to play the piano. It is great to see the joy in her eyes when she realizes her potential. She never thought she could play hands-together nor memorize her piano pieces. It is something I wanted to do to give back to her for taking me to piano lessons when I was young. Definitely something every piano teacher should try!
