<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Editorials / SQLServerCentral.com  / A Fundamental Security Mistake / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Fri, 24 May 2013 04:27:44 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I agree with Steve - this is a fundamental security error.  It is crazy to push products without this capability. It isn't a panacea, but that's no reason not to offer it - particularly if you have MS's reputation (whether deserved or not - if not, you shouldn't start trying to earn it) for failing to offer reasonable security.</description><pubDate>Mon, 08 Feb 2010 18:43:52 GMT</pubDate><dc:creator>L' Eomot Inversé</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Steve Jones - Editor (12/24/2009)[/b][hr]Matt, you are correct, but security is a series of hurdles. If you lose the laptop, there's an x% chance that someone will get the data if you have TDE and a strong password. However there's a 100% chance someone will get the data if you don't have any security. Every hurdle, from decent Windows passwords, to TDE, would lower the percentage of people that could access the data, or even try. Not that you should rely on it, but having a few more tools to enhance security would be good.[/quote]Understood, and I agree with you.  
I just wanted that little tidbit known so we don't set up a "false sense of security": those are usually when the big breaches happen. This will discourage those casual thieves who are interested in the laptop more than its contents, so in that sense, it might help prevent an escalation of the theft.  It might be just enough to encourage them to simply wipe the drive and move on (which in the greater scheme of things is possibly the best outcome for the original owner).</description><pubDate>Thu, 24 Dec 2009 10:57:30 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Matt, you are correct, but security is a series of hurdles. If you lose the laptop, there's an x% chance that someone will get the data if you have TDE and a strong password. However there's a 100% chance someone will get the data if you don't have any security. Every hurdle, from decent Windows passwords, to TDE, would lower the percentage of people that could access the data, or even try. Not that you should rely on it, but having a few more tools to enhance security would be good.</description><pubDate>Thu, 24 Dec 2009 08:41:01 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Sorry if I am being hard-headed in this case - but it would be a disservice not to mention this. With Microsoft publishing tools like DaRT (Diagnostics and Recovery Toolset), please don't ever rely on a standalone PC's NTFS or security to secure your system.  For what it's worth DaRT used to be called ERD commander in its previous iterations. It takes two reboots and about 4 minutes to reset any password in the local hive.  In other words - anything tied to windows security is wide open at that point.  
There are freeware packages that can do the same thing for much much less than DaRT. Physical access to the PC and the local security hive is currently too much of a leg up to rely on the OS to help you secure anything.  In this case - not being able to prevent someone who is a local admin from also becoming the SA in your database is the fundamental issue. The only way your data is essentially secure in that scenario is if the database service itself and the SA cannot read or understand the data.  Meaning, encrypted data being stored in the DB (which will be at a terrible price since no indexes will work etc....) Perhaps when you add in certain encryption solutions like the PGP ones (allowing you to encrypt an entire drive, and requiring biometric access) you can make something secure enough.  But the OS alone is not enough.</description><pubDate>Wed, 23 Dec 2009 11:00:55 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>TDE is transparent to the user. No configuration, nothing to worry about, doesn't affect APPs, so it would have no impact on the user having to figure things out. This is unlike encryption in SQL server, which is complex. Matt brings up a good point in terms of the user logging on. But if you lose your laptop, it's not necessarily the person logging on, but someone accessing your NTFS drive without being logged on. That's the issue. You could enable TDE and limit Windows access, which while a possible pain, would better protect data.</description><pubDate>Mon, 21 Dec 2009 17:07:53 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]It isn't an end all or silver bullet.  
But that doesn't mean it isn't something that can be enhanced and further developed to enhance the security of local databases. Have to remember, locks only keep honest people honest.[/quote]Agreed - I just prefer to have locks on the back door AND the front door before I call it "secure".  I'd hate to think of anyone using this to secure, say - our medical records (e.g. visiting nurse, etc..) or anything financial.</description><pubDate>Mon, 21 Dec 2009 16:33:34 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Steve  May I suggest that you post your suggestion on the MS Connect site at https://connect.microsoft.com/dashboard/?wa=wsignin1.0 and post the URL of your suggestion to this thread. Anybody with a Microsoft Live / Hotmail account can vote for your suggestion. I can see the Wisdom of your suggestion and would vote for it. I also suggest that you post a note on the Free-For-All section of forums.asp.net. This will reach a large number of people who use SQL Express.</description><pubDate>Mon, 21 Dec 2009 15:46:34 GMT</pubDate><dc:creator>Clive Chinery</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]It isn't an end all or silver bullet.  But that doesn't mean it isn't something that can be enhanced and further developed to enhance the security of local databases. Have to remember, locks only keep honest people honest.[/quote]You are right I agree on that.</description><pubDate>Mon, 21 Dec 2009 14:42:41 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>It isn't an end all or silver bullet.  
But that doesn't mean it isn't something that can be enhanced and further developed to enhance the security of local databases. Have to remember, locks only keep honest people honest.</description><pubDate>Mon, 21 Dec 2009 14:31:29 GMT</pubDate><dc:creator>Lynn Pettis</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]Standard answer here, It Depends.  I would not have it as a default, but a development team working on a distributed app may see the usefulness of using TDE to encrypt an express edition database that is written for a specific application that must retain confidential data on the client.[/quote]I actually think a distributed application team should look into RMO (replication management object) and take care of security there or use the many encryption tools in the platform.</description><pubDate>Mon, 21 Dec 2009 14:17:31 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]I know, and you have to explicitly code for the encryption, you can't just encrypt the database like you can with TDE in SQL Server 2008 EE.  That is what we are talking about, that TDE should, perhaps, be available at all levels of the product not just EE.[/quote]I'd agree with you if there was any way to prevent the laptop owner from just making themselves the owner of the database. There isn't so TDE would never work for securing local data.  Making your code encrypt the data locally (so that the database cannot just open the stuff up once you get into SSMS) is the only viable solution for any semblance of security on a laptop.  
And yes - you'd have to build the key right into your code, so it's not easy to get a hold of. That's the thing - convenient secure encryption ain't either.</description><pubDate>Mon, 21 Dec 2009 14:11:12 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Standard answer here, It Depends.  I would not have it as a default, but a development team working on a distributed app may see the usefulness of using TDE to encrypt an express edition database that is written for a specific application that must retain confidential data on the client.</description><pubDate>Mon, 21 Dec 2009 14:06:20 GMT</pubDate><dc:creator>Lynn Pettis</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]I know, and you have to explicitly code for the encryption, you can't just encrypt the database like you can with TDE in SQL Server 2008 EE.  That is what we are talking about, that TDE should, perhaps, be available at all levels of the product not just EE.[/quote]Express cannot have it because Express is used by people not database skilled but needs to persist their data in a database.  TDE in Express will cause more problem than solve for a product that does not generate any revenue.</description><pubDate>Mon, 21 Dec 2009 14:01:07 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I know, and you have to explicitly code for the encryption, you can't just encrypt the database like you can with TDE in SQL Server 2008 EE.  
That is what we are talking about, that TDE should, perhaps, be available at all levels of the product not just EE.</description><pubDate>Mon, 21 Dec 2009 13:56:49 GMT</pubDate><dc:creator>Lynn Pettis</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>As far as I am concerned encryption and data security should be present in all editions. I can understand the lesser editions having limits on CPU and RAM they can use. I can understand that certain features are omitted from the lower editions. Some feature omissions really annoy me. 1.  Replication.  I want to publish/subscribe on all editions even if I can't distribute. 2.  Partitioning.  I could understand some limitation on partitioning but the need for it is defined by database size rather than the edition. 3. Security as mentioned above. I don't mind a lower edition of SQL Server having a slower performing feature than Enterprise Edition (providing this doesn't apply to management studio) but omitting the feature all together seems a little harsh.</description><pubDate>Mon, 21 Dec 2009 13:55:45 GMT</pubDate><dc:creator>David.Poole</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]If it can be done transparently at the database level there may be a better chance of developers making use of the technology when it is needed without specialized coding.[/quote]We are talking the same thing SQL Server 2005 and up comes with DPAPI check the links below there is T-SQL code in the first link. [url]http://msdn.microsoft.com/en-us/library/ms179331(SQL.90).aspx[/url] [url]http://msdn.microsoft.com/en-us/library/ms189586(SQL.90).aspx[/url]</description><pubDate>Mon, 21 Dec 2009 13:49:30 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental 
Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>If it can be done transparently at the database level there may be a better chance of developers making use of the technology when it is needed without specialized coding.</description><pubDate>Mon, 21 Dec 2009 13:34:49 GMT</pubDate><dc:creator>Lynn Pettis</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Lynn Pettis (12/21/2009)[/b][hr]I could see developers writing client apps that using Compact and Express editions for holding data in flight locally.  TDE may be necessary if those apps hold critical data, particularly if these apps are remote apps using replication back to a central server.[/quote]SQL Server 2005 and up comes with standard .NET encryption which allows sensitive data to be encrypted as needed not the whole database.</description><pubDate>Mon, 21 Dec 2009 13:30:58 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I could see developers writing client apps that using Compact and Express editions for holding data in flight locally.  TDE may be necessary if those apps hold critical data, particularly if these apps are remote apps using replication back to a central server.</description><pubDate>Mon, 21 Dec 2009 13:27:33 GMT</pubDate><dc:creator>Lynn Pettis</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote]the company I work for is managing some hundred client sales applications in the pharm business. Most of these are express edition, some larger clients have workgroup edition. 
I'm a member of the db-development team. Since customer data in pharm / health care business is very sensitive, we (and most of our customers) would prefer to have stronger security on their data. [/quote]I am with Matt on this Express does not need TDE because SQL Server Express was created to help Access users stop using Access with Asp.net 2.0 and other developers help small companies use .NET 2.0.  When last I checked Pharma and Healthcare don't qualify as small companies but both industries like wasting money on a lot of other things technology not included.  </description><pubDate>Mon, 21 Dec 2009 13:22:38 GMT</pubDate><dc:creator>Gift Peddie</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]CirquedeSQLeil (12/21/2009)[/b][hr]I agree with Steve.  I would prefer to have extra security on the laptops - not to the level of fully encrypting the entire hard drive.  Security as options should be standard across all editions of SQL Server.  If the DBA employs those options, that is their decision.  As the DBA, I would rather the option be available so I can use it, than be the one questioned, since it is a database, and not have a legitimate answer for the lost data on the laptop.[/quote]And yet - if you use Express (with the built-in SSMS for express, and the default user = SA), how is the encryption helping anyone?  You just fire up SSMS, and voila, instant access to the data and all of its contents.  The database automatically decrypts the data for anyone who's authorized, so the owner of the laptop STILL cannot be denied access to the data.</description><pubDate>Mon, 21 Dec 2009 13:18:04 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I agree with Steve.  
I would prefer to have extra security on the laptops - not to the level of fully encrypting the entire hard drive.  Security as options should be standard across all editions of SQL Server.  If the DBA employs those options, that is their decision.  As the DBA, I would rather the option be available so I can use it, than be the one questioned, since it is a database, and not have a legitimate answer for the lost data on the laptop.</description><pubDate>Mon, 21 Dec 2009 12:21:16 GMT</pubDate><dc:creator>SQLRNNR</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I completely agree with Steve on this one...  Arguments about who does what with SQL Express and that there is no DBA involved are hardly adequate when one is talking about a feature as important as the TDE.  The feature should be there and then let the user choose what's done or not with it. But I think this is overall just another indicator of how out of touch Microsoft is these days.  Those of us who loaded Visual Studio 2008 only to find that it causes Winzip to cease to function have been all over Microsoft for months.  Then Microsoft announced that the bug was "resolved".  What was the resolution?  They announced it will be fixed in the 2010 version.  THAT IS A RESOLUTION?!?!?! Or how about Office 2007 and the now infamous "ribbon".  We delivered Office 2007 to a large segment of our client base.  To date, more than a 1/2 of them have thrown it out the window and gone back to Office 2003.  Microsoft responded to us "Well, they don't have to use the ribbon..."  Yeah???  WELL WHY BUILD IT IN THERE THEN?!?!? For 30 years I have been supportive of Microsoft, but over these last two years well, I have to admit I find the company often intolerable.  They have lost their edge, and their way.  They love over-complexity and gaping holes in products (like the TDE missing).  
This is a company so focused on selling us "new" products every couple years that they don't seem to care very much about the crud that goes out their doors. As well, business wise, MS is stumbling badly too - read about it at any of these links... http://www.huffingtonpost.com/2009/12/03/steve-ballmer-laughs-at-i_n_378518.html http://www.huffingtonpost.com/ron-galloway/steve-ballmer-is-carnac-t_b_148556.html http://www.huffingtonpost.com/2009/12/01/steve-ballmer-blue-screen_n_376013.html I just thank God that in a couple years I can retire and be done with this kind of mediocrity.  But as I look back I see one fatal flaw in the business model of this country.  We should NEVER allow any one company to control things as MS has done.  It stifles competition and level-headed thinking - and that is why the TDE is not there, and VS2008 is more like a virus than a product, and Office 2007 is like shoving rotted hamsters down a lion's mouth. Microsoft - Where DONT you want to go today?</description><pubDate>Mon, 21 Dec 2009 12:07:34 GMT</pubDate><dc:creator>blandry</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>the company I work for is managing some hundred client sales applications in the pharm business. Most of these are express edition, some larger clients have workgroup edition. I'm a member of the db-development team. Since customer data in pharm / health care business is very sensitive, we (and most of our customers) would prefer to have stronger security on their data. The customers - with a few exception - do not have admin permission on their servers, so TDE would make perfect sense for us. Enterprise edition is way out of scope. 
After all, we are often struggling to explain the need for a workgroup edition if data volume makes this unavoidable.</description><pubDate>Mon, 21 Dec 2009 11:26:34 GMT</pubDate><dc:creator>crowhill</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I don't quite get what benefit there would be from TDE on Express.  TDE only is useful for the data "at rest": if you have physical access to the server and you're SA on the server (i.e. the default setting in Express), you have full access to everything in the database. Sure you can't steal a backup for the database, but then again - you can simply go in and execute "select * from mytable". I don't deny that it could be useful to ensure that your backup media is encrypted (unless you don't keep track of your keys in a separate place, in case you're essentially scr***d), but still - I think we're overselling its usefulness.</description><pubDate>Mon, 21 Dec 2009 10:16:15 GMT</pubDate><dc:creator>Matt Miller (#4)</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]sjsubscribe (12/21/2009)[/b][hr][quote][b]GSquared (12/21/2009)[/b][hr][quote][b]sjsubscribe (12/21/2009)[/b][hr]Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.[/quote]I prefer that as an option, not a default.  Could be default in a business setting, but would be a pain in the butt at home.  I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.[/quote]If you build your own computers, then the solution is for you to override the default encryption. 
All others get strong encryption by default. This is the trend anyway in thinking among all major operating systems.[/quote]And when I need to help a family member recover data from a crashed computer, it will be impossible. Pictures from their last motorcycle vacation, gone.  Downloaded music, gone.  Etc. Part of the whole purpose of security is balancing cost of protection vs cost of loss vs cost of exposure.  Most people, most of the time, will have a higher cost of loss than cost of exposure, for the vast majority of their personal files. Do you have steel bars, an alarm system, motion sensors, night-vision CCV cameras sending real-time video to a secure remote location, pressure pads, steel doors with 12-digit PIN mag locks, reinforced concrete walls with penetration-sensing mesh, and seismic records for detecting tunneling, for your garage?  Those are all valid security systems that could be built into your home, but most people have locked doors and windows, and [i]maybe[/i] an alarm system with a 4-digit PIN and a motion sensor in one or two rooms. Why?  Because the cost of protection would far outweigh the cost of exposure and loss. At the same time, do you park your car downtown with the engine running and the doors unlocked?  Or do you do like most people and turn it off, take the keys out, and lock the doors and leave the windows closed?  Why?  Because that level of cost of protection is far below the cost of exposure/loss. You have to balance these things, or you're not actually doing security, you're just involved in some OCD neurosis about "must protect stuff". You say it's okay for me to turn off the security on a computer I build for myself, but to force most people to have that same security.  I say "force", because most won't know that it exists, much less how to make decisions about it.  Why does that make sense? Take a look at the most hated feature of Windows Vista, User Account Control (UAC).  
It forced most people to have a much higher level of security, at very low actual cost.  That and lies from Apple, cost them a huge piece of the market (most businesses) and gave them a serious PR black eye. Why?  Because the perceived cost of protection was higher than the perceived cost of exposure.  Microsoft didn't balance those correctly, and they got hurt for it.  Rightly so. So no, I don't buy the argument that, "it's okay for you to turn your security off if you happen to be a computer professional who knows how to do so, but let's put most people at higher exposure for loss without any real expectation of benefit". If you disagree with that, lay out the expected benefit for encrypting personal computer files universally, and the expected loss resulting from that, and quantify the two measures, and prove that I'm wrong.</description><pubDate>Mon, 21 Dec 2009 10:15:34 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]GSquared (12/21/2009)[/b][hr][quote][b]sjsubscribe (12/21/2009)[/b][hr]Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.[/quote]I prefer that as an option, not a default.  Could be default in a business setting, but would be a pain in the butt at home.  I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.[/quote]If you build your own computers, then the solution is for you to override the default encryption. All others get strong encryption by default. 
This is the trend anyway in thinking among all major operating systems.</description><pubDate>Mon, 21 Dec 2009 09:41:07 GMT</pubDate><dc:creator>sjsubscribe</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I agree with the OS. There might be times I want those things encrypted, like the podcasts. Need to protect them :), but not by default.</description><pubDate>Mon, 21 Dec 2009 09:40:12 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Steve Jones - Editor (12/21/2009)[/b][hr]I'd like to see it as the default for some files. Like SQL Server files. Adding this option to Express, AND making it the default, would make things more secure. That along with an annoying message about the certificates and a "copy to" dialog at the end of an install. Same for Quicken files, and other types of high security items. Makes some sense to have them encrypted automatically.[/quote]Yes, but that would be managed by the applications, not by the OS.  The OS might (or might not) provide the encryption, but it would be something called in the application. Quicken could certainly encrypt the database and files.  So could Outlook, if that's desired (probably should be, at least on laptops).  And so on.  But why would I want my mp3 files and video files and such encrypted?  If the OS defaults that way, they would be.  And there go my compression options, too.</description><pubDate>Mon, 21 Dec 2009 09:28:17 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I'd like to see it as the default for some files. Like SQL Server files. 
Adding this option to Express, AND making it the default, would make things more secure. That along with an annoying message about the certificates and a "copy to" dialog at the end of an install. Same for Quicken files, and other types of high security items. Makes some sense to have them encrypted automatically.</description><pubDate>Mon, 21 Dec 2009 09:23:59 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]sjsubscribe (12/21/2009)[/b][hr]Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.[/quote]I prefer that as an option, not a default.  Could be default in a business setting, but would be a pain in the butt at home.  I prefer to be able to recover files off my hard drives directly, especially since I build my own computers.</description><pubDate>Mon, 21 Dec 2009 09:17:53 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Encryption in general should be a default install at the OS level and apply to all files, not just to database files or express editions. Files like formatted reports, xls and csv dumps, sql scripts, and what not could all use such protections.</description><pubDate>Mon, 21 Dec 2009 09:12:23 GMT</pubDate><dc:creator>sjsubscribe</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>[quote][b]Adi Cohn-120898 (12/20/2009)[/b][hr]I’m not so sure that users will use the TDE on Express edition.  
Most of the time Express edition is not managed by a DBA.  In fact in most of the time the Express edition is being installed by another software and many times the DBA is not even aware of those editions that are installed in his organization.  The users that use those applications are not database professionals and wouldn’t know what TDE is and how to use it (in fact many times they also are not aware that SQL Server Express edition is used by their software).  In short I think that if TDE will be supported on Express edition, it will hardly be used. Adi[/quote]I have to disagree with the point of your post. I agree with Steve that it should be available.  As with all security (and almost all other features), use of it is up to the DBA, whether that's a pro DBA or someone who "knows computer stuff" and doesn't even know how to spell "DBA". The attitude you're expressing is comparable to saying, "Why even have keys for cars?  Some people just leave the key in and the doors unlocked, so why bother even making cars that use keys?"</description><pubDate>Mon, 21 Dec 2009 07:32:22 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>I’m not so sure that users will use the TDE on Express edition.  Most of the time Express edition is not managed by a DBA.  In fact in most of the time the Express edition is being installed by another software and many times the DBA is not even aware of those editions that are installed in his organization.  The users that use those applications are not database professionals and wouldn’t know what TDE is and how to use it (in fact many times they also are not aware that SQL Server Express edition is used by their software).  
In short I think that if TDE will be supported on Express edition, it will hardly be used. Adi</description><pubDate>Sun, 20 Dec 2009 02:39:26 GMT</pubDate><dc:creator>Adi Cohn-120898</dc:creator></item><item><title>A Fundamental Security Mistake</title><link>http://www.sqlservercentral.com/Forums/Topic836838-263-1.aspx</link><description>Comments posted to this topic are about the item [B]&lt;A HREF="/articles/Editorial/69117/"&gt;A Fundamental Security Mistake&lt;/A&gt;[/B]</description><pubDate>Sat, 19 Dec 2009 12:23:03 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item></channel></rss>