K. Brian Kelley - Databases, Infrastructure, and Security

Author Bio
Brian is a SQL Server author, columnist, and Microsoft MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress) and Professional SQL Server 2008 Administration (Wrox). Brian currently serves as a database administrator / architect for AgFirst Farm Credit Bank where he can concentrate on his passion: SQL Server. He previously was a systems and security architect for AgFirst Farm Credit Bank where he worked on Active Directory, Windows security, VMware, and Citrix. In the technical community, Brian is president of the Midlands PASS Chapter, an official chapter of PASS. Brian is also a junior high youth minister at Spears Creek Baptist Church in Elgin, SC.

New Community Resource for IT Pros - Server Fault

Not too long ago the developer community got a fantastic resource called Stack Overflow. It's a question and answer site, so it's like forums, only it's not. The interface is well done, finding questions to answer is easy because of the tag system, and the site has in place a capability to give people who are active more and more capabilities to help manage the site. It's a really neat idea. The issue with Stack Overflow is that it is development-centric, and by design. So the powers over Stack Overflow have created a sister site called Server Fault which is for IT professionals: same interface, same tags, and the same increasing ability to help be responsible for the community site.

Now Server Fault is currently in "private" beta, but that should last only a week or two based on the post about Server Fault in the Stack Overflow blog. If you've been somewhat active on Stack Overflow, check out that blog post, because it tells you how you can get active on Server Fault right now. It is actively being used. If you don't meet the criteria, don't worry, one or two weeks go by fast.

Does this replace technology centric sites like SQL Server Central? Not really, it's just another resource. The great thing about SQL Server Central is it covers all things SQL Server. So there are a lot of great SQL Server pros at SSC and at SSC you don't have to worry about going to a different site if you have a programming question or a system administration/SQL Server administration type of question. SSC covers it all with respect to SQL Server. And you'll see a lot of us on both sites. I'm a bit more active on Server Fault right now only because I'm trying to stay ahead of Brent Ozar on reputation and to get a chance to answer some questions there. Brent is a question hawk who will snatch out your prey right from under you! If you post there on a subject related to SQL Server, SANs, or virtualization, do it quick and do it thorough, lest Brent swoop down from on high! Okay, I'm kidding about that. When he's on, he's just trying to help, just like the rest of us, and he has a very great in-depth knowledge of multiple technologies. He also helps support the actual Stack Overflow site as their DB performance expert.


The Limited Usefulness of Encrypting File System (EFS) and Transparent Data Encryption (TDE)


This is something that hit me as I was presenting to the Charlotte SQL Server User Group last night.

Back in the Windows 2000 days I wrote an article on Encrypting File System explaining how it could be used to protect the database files at rest. In my Fortress SQL Server presentations I've briefly mentioned that Transparent Data Encryption in SQL Server 2008 gives similar protection, but it can be used to impede the administrators a bit more than with EFS. With EFS you should properly define recovery agents so that if something were to happen to the service account SQL Server is running under, you could still recover the database files. So there's always that backdoor through EFS. There's another one, and that's the SQL Server service account. If you know it, you can get to the files.

Of course, if you have the SQL Server service account, you can connect to SQL Server as a sysadmin level account. And that means TDE is not an obstacle, either. Really, TDE doesn't stop an enterprising attacker who has administrative rights over the server where SQL Server is installed. Because of the ability to start up SQL Server in single user mode, any member of the local Administrators group can force himself or herself in. And this can't be stopped. It can be audited for, but that's an after-the-fact type of security control. With the SQL Server service account, though, you don't even need to do this. You can access SQL Server using the service account and you have access to the TDE-enabled database. There is no stopping and starting of SQL Server. There is no outage reported. Plus, no one knows it was you. After all, the security event logs show that the SQL Server service account was used. Uh-oh.

Well, what if you've taken solid precautions and no one knows the SQL Server service account? The problem with that is if your SQL Server is running on Windows 2000 Server or Windows Server 2003, any member of the local Administrators group can grab it at any time. The key is to go after LSA Secrets. Tools like Cain use a DLL injection attack and are able to dump the username/password every service is set to run under in plaintext, in a matter of seconds. Depending on how your antivirus (AV) is configured (are you running antivirus on your SQL Servers?), it may detect the Cain executable and quarantine it, or it may not. Of course if you're not running AV, and you don't have some other sort of HIPS product installed, you can't stop Cain. And once those username/password combinations are dumped, how do you know who the attacker is? And how do you stop them from accessing a TDE-enabled database, or from taking an EFS-encrypted database offline using ALTER DATABASE and then, under the context of the SQL Server service account, copying the database files off, say, to a USB drive (since most modern servers are sporting USB slots instead of floppies nowadays) or to a network share to be retrieved at a later time? This sort of attack really limits the usefulness of EFS or TDE.

I did say Windows 2000/2003. With Vista/Windows 2008, Microsoft took some steps to make accessing LSA Secrets a good bit harder. So far, no one has been able to put together all the pieces. So for right now, you're okay if your SQL Server is on Windows Server 2008 (yet another reason to upgrade). But if it gets cracked, too, then EFS and TDE become just as futile on Windows Server 2008 platforms as they are on Windows 2000/2003 (and XP, of course). Now, there's a proviso there and I'd be guilty of FUD if I didn't point it out. The merely curious will be stopped by EFS and TDE. The focused attacker will not. But then again, the focused attacker will try social engineering, brute force attempts, and other OS, application, or database platform weaknesses to get in. If you don't catch said attacker through solid auditing and a well-trained and security conscious staff, the attacker is going to eventually get in.

 


Microsoft Solution Accelerators on TechNet


I was browsing through the new titles that are on Safari and saw some planning guides around Windows Server 2008 (Active Directory Services, File Services, etc.). Of course, all of these are published as solution accelerators, because they are designed to help IT professionals understand, plan, and implement solutions more quickly (hence the term, solution accelerator). Some of these documents have been around for a while, but the Solution Accelerators section groups them all into one place. If you've not run across them before, you can find them here:

Microsoft TechNet : Microsoft Solution Accelerators

Among them are the Infrastructure Planning and Design Guides. There's guidance on Windows Server 2008, virtualization, and even IIS. But unfortunately, none out there yet for SQL Server. If you're looking on the security side, there are the OS security guides from Windows XP on up, including for Vista and 2008. Sorry, no Windows 7 yet.


Windows Server 2008 R2 Core supports SQL Server


First saw this because Jason Massie twittered about it. But apparently there are enough bits of the .NET Framework in R2 Core that SQL Server installations will be possible:

Andrew Fryer's Blog: Windows Server 2008 r2 

It'll be a command-line install, since Core has no GUI, but that's fine and dandy for me. One of my biggest gripes with Windows Server 2008 Core when it came out was that although the stripped-down OS was ideal for a SQL Server install, because you didn't have .NET (and couldn't install it), you couldn't install SQL Server. The same was true of ASP.NET based web sites. I don't know if the ASP.NET web sites status has changed, but I'm glad to see that SQL Server's has.

 


Midlands PASS December Meeting - Virtualization Everything

Speaker: Paul Shearer

Midlands PASS Chapter - December 4, 2008 Meeting

The Midlands PASS chapter will hold our normally scheduled meeting on Thursday, December 4, 2008. Paul Shearer will be giving a presentation entitled "Virtualization Everything" in which he'll cover virtualizing SQL Server for large scale apps using Hyper-V technology. This is definitely one you'll want to attend and invite your system administrators to as well!

The meeting will once again be held at Training Concepts off of Berryhill Road. We will begin our meet and greet time at 6:15 PM as usual and start the presentation at 6:45 PM. Please feel free to forward this to anyone who you think would be interested in attending. If you haven't already done so and plan on attending, please RSVP (kbriankelley {at} acm {dot} org) as soon as possible so we can ensure we have enough space and food. If you have time to help with setup, please email me and we'll plug you in!

I'll send out an agenda, contact phone numbers, and the building code the week of the meeting.


Whitepaper on Malware to Attack Databases

Cesar Cerrudo of Argeniss Information Security has put out a new whitepaper (.pdf format), Data0: Next generation malware for stealing databases, describing how malware could be crafted to steal information out of databases. For the most part, it stays at a high level; however, Cesar does give a few example queries (for SQL Server), the appropriate API calls to perform certain operations, etc., which delve a bit more into the technical side, but even these are fairly straightforward. To demonstrate what he talks about in the whitepaper, he built a simple proof of concept (PoC), but based on what's in the whitepaper (and what is generally accepted as what's possible), nothing seemed outlandish or hard to do. Just for those worried about that PoC being out in the wild, Cesar states in the whitepaper he's not going to put it out for public consumption because he knows it'll be used for evil.

Which brings us to how the malware attacks. The typical anatomy for an attack is something similar to:
  • Discovery
  • Exploitation
  • Escalate Privileges (if necessary)
  • Cover Tracks
Since we're dealing with malware, the attack methods are well known. Keeping malware out of the corporate environment is difficult, especially considering that most of the techniques for detecting malware, such as antivirus, are signature based. When users run as local administrators, all it takes is one person clicking on an email that sends that person to a website which exploits an Internet Explorer, Firefox, Microsoft Office, etc., vulnerability to download and install the malware. If the malware is new, there isn't a signature for it. Therefore, it'll likely pass through the scans.

But what about the web site and the web filtering software used by the organization? Well, if the site hasn't been categorized yet, it really depends on how the web filtering software is configured to handle such sites (if such an option exists). Some web filtering products have heuristic engines which try to analyze the content to determine whether it's objectionable or not. Some engines can scan words, others also have the capability to look at images, and the engine in question generates a score. Depending on the score, the page does or does not get displayed. (I'm greatly simplifying the process, but you get the idea.) So if you're building a page that hosts said malware, you ensure it says all the right things to look legitimate for business. In fact, it may very well be a copy of another business page because the only thing you're interested in is deploying the malware. Even if the site has been categorized, there have been known exploits of well-known organizations' sites, such as educational facilities and even Yahoo! in recent days. That means the filtering vendor is playing a catch-up game before the individual page is categorized. So in other words, getting the malware deployed typically isn't the problem.

Therefore, Cesar concentrates on the malware itself. The pattern it follows is the following:
  • Discover
  • Attack
  • Transmit the Data Back
  • Cover Its Tracks (if necessary)
Discovery is where it locates database sources. The two most obvious, and most stealthy, methods are to check the ODBC DSNs on the local system and to look at existing processes for outbound connections to well-known ports (such as tcp/1433 for SQL Server). If necessary the malware could get substantially more noisy by doing a network scan (again, for well-known ports) or outright sniffing the network (but switched networks make this extremely problematic, and if you try to overcome this, it will be VERY noisy).

Once the targets are identified, the next step is to attack the servers. Connections that use Windows authentication, such as to SQL Server, are trivial. Otherwise, it might have to resort to brute force. Brute force, in and of itself, can be noisy (depending on whether or not you are auditing failed login attempts). And once it gets in, it can check replication settings, linked servers, etc., to locate further targets, which adds to the discovery process. However, once it's in, it'll need to scan for interesting information, and this usually means looking at metadata for table and column names. Once something of interest is found, it's all about extracting the data.

After it has some data, it needs to get it off-site. Again, if you can get a site up where malware can be grabbed, getting back out isn't that difficult, either. Even if an organization is doing egress filtering, they still allow out HTTP and HTTPS. As long as the web site passes the filters, all is well. And the data is in the hands of a malicious individual or organization.

Afterwards, if necessary, the malware can cover its tracks by removing itself. This may be a good idea to make getting samples of the malware more difficult, thereby impeding a security company's ability to generate signatures on said malware.

If it is really this easy, how do you prevent this from happening? Several things make the malware's job more difficult. Some of them I've talked about how to get around, but they should still be in place.

Network Layer:
  • Up-to-date web filtering software
  • Firewalls with egress filtering on the perimeter
  • Firewalls in front of the database servers controlling access to them
  • Network switches (although it is nearly impossible to find an actual hub nowadays, this still needs to be looked at, especially in smaller organizations with old equipment)
  • Network configuration on firewalls and switches to block udp/1434 (SQL Server Listener Service)
  • Use of network-based Intrusion Detection/Prevention System (NIDS/NIPS, or just IDS/IPS)
Client Workstation Layer:
  • Personal firewalls on systems
  • Up-to-date anti-malware software
  • Up-to-date on system and application patches
  • User running with less than administrator privileges
  • Use of Host-based Intrusion Prevention system (HIPS)
Server Layer:
  • Use IPSEC Policies (Windows) to restrict IP addresses which can connect to the database system
  • Use IPSEC Policies to block the SQL Server Listener Service (udp/1434)
  • Use IPSEC Policies to encrypt the traffic and to require authentication to make the connection to the database system
  • Up-to-date on system patches
Database System Layer:
  • Up-to-date on database system patches
  • Use non-standard ports (stay away from tcp/1433 for SQL Server and tcp/3306 for MySQL) - Hampers or prevents discovery
  • Users running with minimal permissions - restricts access to data
  • Data encryption (SQL Server 2005) on those interesting columns - simply querying the tables won't get sensitive data
  • Audit failed login attempts (SQL Server) - "Noise" that may allow for detection of a brute force attempt
  • Enforce Password Policies (SQL Server 2005) - Reduces likelihood of success of a brute force attack
  • Locking down users by IP, where possible (MySQL) - If the end user doesn't need to access
Notice I said more difficult, not impossible. A knowledgeable attacker, with a real desire to break into a system, will find a way to do so. The goal is to make it as difficult as possible while still being reasonable in budget and in functionality for the organization. An attacker who isn't specifically going after a certain company (such as what happened to Valve for Half Life 2) will likely move on to a much easier target.
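The "noise" from auditing failed logins is only useful if someone looks at it. As an added example (not code from the whitepaper or from this blog), the following Python script parses error 18456 entries from a SQL Server error log and flags clients that rack up repeated failures inside a short window, which is what a brute-force or password-guessing pass against the instance looks like on the server side. The log lines are constructed for the demonstration; the line layout follows the SQL Server 2005 error log style, and the threshold and window are assumptions you would tune for your environment.

```python
"""Flag brute-force login attempts from SQL Server error log lines.

Added example, not from the original post. With failed-login auditing
enabled, SQL Server records each failure as error 18456 in its error
log; the lines below are a constructed sample in that layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample error log. 10.1.2.3 hammers 'sa', 10.9.9.9 tries a
# few common account names, 192.168.5.7 is a single mistyped password.
SAMPLE_ERRORLOG = """\
2008-11-20 22:00:00.00 spid5s      Starting up database 'master'.
2008-11-20 22:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2008-11-20 22:10:01.12 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:10:01.40 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:10:01.77 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:10:02.05 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:10:02.31 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:10:02.66 Logon       Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2008-11-20 22:14:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2008-11-20 22:14:00.00 Logon       Login failed for user 'sa'. [CLIENT: 10.9.9.9]
2008-11-20 22:14:00.50 Logon       Login failed for user 'admin'. [CLIENT: 10.9.9.9]
2008-11-20 22:14:01.02 Logon       Login failed for user 'root'. [CLIENT: 10.9.9.9]
2008-11-20 22:30:15.88 Logon       Error: 18456, Severity: 14, State: 8.
2008-11-20 22:30:15.88 Logon       Login failed for user 'reportuser'. [CLIENT: 192.168.5.7]
"""

# Matches only the "Login failed" line; the preceding "Error: 18456" line
# carries no user or client and is ignored.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) for each audited failure."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_brute_force(text, threshold=5, window_seconds=60):
    """Return one alert per client that has >= threshold failures within
    any sliding window of window_seconds. Each alert lists the peak
    failure count and the distinct login names that were tried, so a
    single-account brute force and a multi-account guess both stand out."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failed_logins(text):
        by_client[client].append((ts, user))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for client, events in by_client.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "client": client,
                "failures": peak,
                "users": sorted({u for _, u in events}),
            })
    return sorted(alerts, key=lambda a: a["client"])


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_ERRORLOG):
        print(f"{alert['client']}: {alert['failures']} failures in window, "
              f"logins tried: {', '.join(alert['users'])}")
```

On a real server the input is the ERRORLOG file under the instance's LOG directory; a lower threshold catches the multi-account guessing from 10.9.9.9 as well, at the cost of more false positives from legitimate typos.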



Online Resource: Safari Tech Books Online

I've used Safari (the O'Reilly version) for a number of years now and it is a resource I often recommend to coworkers. Basically, it's an on-line library of technical books (since expanded to include video) from a group of publishers. O'Reilly, Microsoft Press, Cisco Press, Syngress, and many others have books and resources on-line at Safari. It came into being in 2001 but I remember a predecessor version back in the late 90s from Que Publishing/Macmillan Computer Publishing called Personal Bookshelf, which I also used. Back in those days I was in the Air Force and that provided some of the technical books I couldn't afford on an Air Force salary.

Subscribing to Safari gives one the ability to put a certain number of books onto a "bookshelf," and the books have to remain there for one month. The exception is the Library subscription, which has no limit to how many books you can have on your bookshelf (favorites). Another advantage of the Library subscription level is that it gives access to Rough Cuts (books in pre-release stages), Short Cuts (excerpts from books and other material on a focused topic), and Video. Library also gives one five download tokens a month (and up to 3 months' worth can be accumulated). You can pay for some of these features separately if you don't get the Library level, but the Library level, at least for me, is the best value package deal. For those interested in getting their organization on Safari, yes, there are apparently corporate plans, too.

I initially subscribed to Safari because it was cheaper than the equivalent price of one technical book a month. Even at the Library level, it's still at the lower end of the technical book range. The number of books which I have access to far exceeds that novel price. I say novel because when I considered how much I was spending on technical books, it was well worth the price to me. I have a friend who doesn't use Safari because he indicates he can find everything on-line. To some extent this is true. However, when I was leading my organization's Active Directory migration, Safari became my Active Directory library. Having those resources readily at hand without having to lug 4 or 5 Active Directory books around was priceless.

Others have written about the value they find in Safari, such as Sean McCown (Database Underground on InfoWorld). He specifically mentions some of the books/authors he found on there as a reason to recommend Safari. The catalog is quite large and it's not unusual for a book to appear in Safari shortly after publication, say within a few months. Safari also does a good job of putting older books on-line that may be of interest to some, such as the older O'Reilly published Perl books. Here is a list of some of the books that are on-line right now which are relatively recent (within the last year or two) and relevant to this blog:

MySQL
  • Learning MySQL
  • MySQL 5.0 Certification Study Guide
  • MySQL Administrator's Guide and Language Reference
SQL Server
  • Inside Microsoft SQL Server 2005: The Storage Engine
  • Inside Microsoft SQL Server 2005: T-SQL Querying
  • Inside Microsoft SQL Server 2005: T-SQL Programming
  • SQL Server 2005 Practical TroubleShooting: The Database Engine
Windows
  • Introducing Windows Server 2008
  • Microsoft Windows Server 2003 Performance Guide
  • Microsoft Windows Server 2003 Troubleshooting Guide



Tool: KeePass Password Safe password manager/vault

Some time ago I was looking for a password vault and came across some recommendations for KeePass. KeePass is open source and free. It's a nice password manager and some of the features I like are:
  • Strong encryption of the password database
  • The ability to use a password, key file, or the combination of the two to secure access to said password database
  • A password generator with a multitude of options
  • The ability to copy the password to the clipboard (without ever showing it) and have it clear the password after a set amount of time
  • Organize password entries by groups and subgroups (think folders)
A new version, 1.09, was released in October. There is also a Portable Apps version which allows you to run it without installation. Therefore, you can stick it on a USB drive and take it with you. I've also run it as a straight executable from a shared network drive.

Looking at it from a shared location, KeePass can be used by an organization to store sensitive logins, such as the root password for MySQL, the sa account password, the usernames and passwords for the SQL Server service accounts, etc. In fact, in version 1.09, if the password database is already open by another user, it's smart enough to tell the next person opening it the situation and ask if that user wants to open the database in read-only or normal mode. One way to handle this is to distribute the key file to all admins; as long as they have that, they can unlock the password database. If someone who had access to the password database leaves the organization, generate a new key and re-distribute it, and you're back in business, even if they copied the key file. Granted, the password entries stored within will still have to be addressed, but this is a problem regardless of your password vault solution (or lack thereof).



Structuring the Blog Better

For a variety of reasons, including personal/family concerns and workload, I've not been able to write as often as I'd like. That doesn't just include the blog, but also writing articles. It's been a long while since I've written an article for SSC. I want to get back to writing at least monthly, if not more often. One of the keys to writing well is to write every day. Therefore, I'm going to provide some structure to the blog in order to make it easier to post every weekday with something that will hopefully be useful. Here are the types of posts that should be present based on the day of the week:
  • Monday - Career Development
  • Tuesday - Tips, Tricks, and SQL Scripts
  • Wednesday - Tools, Tools, and More Tools
  • Thursday - Tips, Tricks, and SQL Scripts
  • Friday - Notable Resources (Blogs, Articles, Books, Podcasts)
I won't limit myself to one post a day, but hopefully that becomes the minimum. While I primarily focus on Microsoft SQL Server in this blog, the reality is I deal with Active Directory, security, and MySQL on a daily basis as well, meaning I'll include posts in those technology areas too.



Volunteering

I've spent my spare time the last few weekends helping a non-profit called Fast Forward here in the Columbia, SC area. I don't post this here to blow my own horn but rather to point out the need many non-profit organizations have for quality IT support. Most non-profits operate on a limited budget, meaning they take help where they can get it. Oftentimes there just isn't money left in the budget for a services contract, etc., even for an organization like Fast Forward.

This is where knowledgeable folks can really make a difference. I know the usual excuse: after spending all week looking at a computer screen, the last thing anyone wants to do is spend the weekend working on computers. I've been there, so I understand that feeling completely. However, I have to say that the time I've spent working at Fast Forward has been personally rewarding. There's a sense of accomplishment knowing I've put my skills to work helping others, with no expectation of any tangible reward.

This isn't to say that there isn't some career benefit. I've read the myriad of blogs/books/articles which say volunteering at non-profits is a great way to build up skills you would like to develop. That's a true potential benefit. However, what if you're re-using the skills you've already developed? I work on servers every day. So helping out with servers and/or workstations isn't an expansion on my skill set. Fast Forward isn't likely to go and use SQL Server and experiment with Longhorn server or check out the latest features of MySQL. What's the personal gain? To that I point back to the "making a difference" reason. Sometimes it's gotta be more than just about ourselves.



Thoughts from The Cuckoo's Egg


The Cuckoo's Egg by Clifford Stoll has been around for a while, having been published in 1989. It details how a system administrator (a trained astronomer who had to find something else to do) tracked a malicious hacker through his system and numerous others, including defense contractors and unclassified DoD systems. It's one of those books a lot of folks who work security say should be read if you're in the field. When I was a cadet at The Citadel, one of the other guys in my company was reading it and said it was a good thriller of a book. I meant to borrow it from him and never did. Then I meant to read it for some time but every time I thought about it, I would subsequently forget to go look for it or check it out from the library. Well, I finally did read it and found that my friend's assessment was a good one. I think my wife would agree as she swiped it away from me before I was done and finished it first.

As I went through the book I watched for security principles in play and what was true in 1989 in large part holds true today. Some of the things that were revealed as Mr. Stoll went through his meticulous process of tracking the intruder who was working for the KGB:

  • Honeypots are effective to attract an attacker and learn about his or her methods. In the book Stoll's roommate comes up with an idea to place what look to be classified documents on a military defense system on one of the servers and to keep it updated so as to look like a regular project that is progressing. This is ultimately how they get the attacker to stay connected long enough to trace him. Honeypots are used today to attract attacks, especially automated ones, so we can analyze them and learn to defend against them.
  • Dictionary based passwords don't work. The attacker in the tale kept grabbing the password file from the servers he was attacking. Stoll at first couldn't figure out why, because the passwords were encrypted with a one-way function: if you had the actual password it was easy to compute the encrypted hash, but the reverse, where you have the hash and want to get the actual password, wasn't feasible. However, the algorithm used to encrypt the passwords was well known. So if you calculate all the hashes for a set of words, you can compare the hashes and figure out what the passwords are. BTW, this is an issue with Windows passwords. Do a search for rainbow tables and you'll find several sites that have rainbow tables for Windows-based passwords.
  • Just because you can't see the monitoring devices doesn't mean you aren't being watched. Stoll put a line printer before the server itself, meaning he got an output of everything that was going back and forth on the line. This allowed him to watch the attacker as he came and went. Nothing was running on the server itself. This is analogous to two things in today's world: sniffers and rootkits. Sniffers watch the wire, and from the server you can't tell you're being watched. This is why encrypting sensitive data across untrusted lines is important. Rootkits run at a level where they can intercept any calls you make to try and detect them. That's why there was so much concern over rootkits (and still is).
  • When doing forensics work, keep a log. This is a no-brainer. Log everything you do, who you speak to, every step. Time and time again Stoll went back to his log. Because he had it, he was able to connect a lot about the attacker's behavior, prove he had informed the right people of what happened, etc. This is actually a good rule for troubleshooting. Log everything you do because you (a) want to be able to undo anything that didn't work and (b) you want to know how exactly you fixed a problem.
  • Don't assume your system has no value. Stoll's system didn't have classified secrets on it. But it did represent a jumping-off point to attack other systems. Frequently I have conversations with folks about securing development servers. To the attacker, a development server may be just as valuable as a production server. If a system is on your production network, it needs to be secured.
  • Don't assume you are secure. Stoll found several folks who assumed their systems were secured. The evidence showed otherwise. Paranoia is good in the security field. Let me rephrase that... controlled and focused paranoia is good.
  • Check your logs frequently and investigate inconsistencies. Stoll stumbled onto the hacker because of a 75 cent accounting error. That's what started the whole trace. The better an attacker is, the less likely he or she is to leave clues. Therefore, even the smallest details are important.
  • Change default accounts and passwords. The attacker kept breaking into systems because administrators had left default accounts and passwords active. Blank passwords, passwords of password (or some derivative), and default passwords are all bad. If an attacker is knowledgeable of the defaults and we leave them active, we've opened the door. It was amazing how many systems the attacker got into using this simple method.

Technorati Tags: Security | Database Security | Network Security | Windows Security | SQL Server Security

Windows PowerShell and Windows Server 2003 SP2

By K. Brian Kelley | 03-19-2007 11:26 PM
Saw this on the Windows PowerShell blog:

Since W2K3 SP2 is an update to W2K3 SP1, if you install PowerShell on W2K3 SP1 and upgrade to W2K3 SP2, to uninstall PowerShell you first have to uninstall W2K3 SP2.

You can read the whole post here: Windows Server 2003 SP2 upgrade. When I first went to install a pre-release version I went to Add/Remove Programs and couldn't find PowerShell, though I knew I had installed it. So I looked it up and realized it was packaged as an OS update. I didn't think much of it then other than to say, "How odd." Now, apparently, that approach isn't without its issues. So if you want to uninstall PowerShell, be aware that once you apply SP2 you're going to have to uninstall SP2 first before you can uninstall PowerShell.


Technorati Tags: Microsoft | Windows 2003 | PowerShell

Windows 2003 SP2 is Out

Here is a list of what was fixed:

http://support.microsoft.com/default.aspx/kb/914962

Downloads are available off of the SP2 home page:

http://www.microsoft.com/technet/windowsserver/sp2.mspx



Technorati Tags: Microsoft | Windows 2003



Daylight Saving Time and SQL Server

If you're in the United States, chances are you've already heard that Daylight Saving Time (DST) starts 3 weeks early this year. This is due to the Energy Policy Act of 2005, so it isn't news, but a lot of systems and applications are only now getting the updates. The Energy Policy Act of 2005 changes DST to start on the second Sunday in March instead of the first Sunday in April. In addition, it now lasts one week longer, ending on the first Sunday in November instead of the last Sunday in October. For this year that means DST starts on March 11.

For the most part SQL Server isn't affected. The only SQL Server component that is affected is Notification Services. You can find information on how to update Notification Services here:

2007 time zone update for SQL Server 2005 Notification Services and for SQL Server 2000 Notification Services (931815)

Though most SQL Server components aren't affected, the operating system on which SQL Server is installed does need to be updated (with the exception of Vista), since SQL Server gets its local time from the OS. For Windows XP and Windows 2003 there is a patch available. You can grab the update for these operating systems here:

February 2007 cumulative time zone update for Microsoft Windows operating systems (931836)

Windows 2000, since it has passed into Extended support, does not have a publicly available update. As a result, these systems must be updated by making modifications to the registry. More information can be found here:

How to configure daylight saving time for the United States in 2007 (914387)
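Whichever route you take (the cumulative update or the registry edit), verify afterwards that the box actually flips on the new dates, because SQL Server's GETDATE() will simply report whatever the OS believes. The script below is an added check written for this page, not from the original post or from the Microsoft KB articles. It computes the DST start and end Sundays under the new rule (second Sunday in March, first Sunday in November) and the old one (first Sunday in April, last Sunday in October), then asks the host's own time zone data whether noon on each day of the year is DST and reports which rule the host is following. It assumes the host runs a US time zone; on a zone without US-style DST it reports no match rather than guessing.

```python
import calendar
import time
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday=0 ... Sunday=6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (n=1 first, n=2 second, n=-1 last)."""
    if n > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (n - 1))
    last = date(year, month, calendar.monthrange(year, month)[1])
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def us_dst_dates(year, post_2007_rule=True):
    """(start, end) Sundays for US DST: the Energy Policy Act of 2005 rule by default,
    or the pre-2007 rule (first Sunday in April, last Sunday in October)."""
    if post_2007_rule:
        return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def system_dst_dates(year):
    """Observe the host's DST transitions by asking the C library (on Windows, the
    registry time zone data) whether noon on each day of the year is DST.
    Returns (first DST day, first standard-time day after it), or None if DST never starts."""
    start = end = None
    day = date(year, 1, 1)
    while day.year == year:
        stamp = time.mktime((day.year, day.month, day.day, 12, 0, 0, 0, 0, -1))
        is_dst = time.localtime(stamp).tm_isdst > 0
        if start is None and is_dst:
            start = day
        elif start is not None and not is_dst:
            end = day
            break
        day += timedelta(days=1)
    return (start, end) if start and end else None


def classify(observed, year):
    """Say whether an observed (start, end) pair matches the new or the old US rule."""
    if observed == us_dst_dates(year, True):
        return "2007 rule (time zone update applied)"
    if observed == us_dst_dates(year, False):
        return "pre-2007 rule (time zone update missing)"
    return "no US rule matched (non-US zone or no DST)"


if __name__ == "__main__":
    for year in (2007, 2008):
        observed = system_dst_dates(year)
        print(year, observed, classify(observed, year))
```

On a patched US host this prints the 2007 transitions as March 11 and November 4; an unpatched Windows 2000 or 2003 box still answers April 1 and October 28, which is exactly the three-week window in which GETDATE() would be an hour off.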

Do note that if you have Outlook on the system (such as on a workstation), there are updates to Outlook which must be applied almost immediately after the OS update. Outlook isn't the only Microsoft application to be affected. To find out which Microsoft applications are impacted, see here:

Microsoft Daylight Saving Time Help and Support Center


Technorati Tags: Daylight Saving Time | SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Windows 2000 | Windows 2003 | Windows XP

Midlands PASS Site Online

I have put the Midlands PASS site online temporarily at Truth Solutions. You can reach it here:

http://www.truthsolutions.com/MidlandsPASS/

The slides from Paul Shearer and Bill Stevenson's presentation, Performance Monitoring for SQL, have also been posted to the site. This is from the most recent meeting on February 8, 2007.


Technorati Tags: SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Professional Association of SQL Server | SQLPASS