SQLServerCentral is supported by Red Gate Software Ltd.
K. Brian Kelley - Databases, Infrastructure, and Security

Author Bio
Brian is a SQL Server author, columnist, and Microsoft MVP focusing primarily on SQL Server security. He is a contributing author for How to Cheat at Securing SQL Server 2005 (Syngress) and Professional SQL Server 2008 Administration (Wrox). Brian currently serves as a database administrator / architect for AgFirst Farm Credit Bank where he can concentrate on his passion: SQL Server. He previously was a systems and security architect for AgFirst Farm Credit Bank where he worked on Active Directory, Windows security, VMware, and Citrix. In the technical community, Brian is president of the Midlands PASS Chapter, an official chapter of PASS. Brian is also a junior high youth minister at Spears Creek Baptist Church in Elgin, SC.

Midlands PASS February Meeting

Our next meeting will be on Thursday, February 1, 2007, at 6:30 PM. It'll be at the Training Concepts facility once again. With respect to swag, I have the following Microsoft Press SQL Server books to give out. We'll do the standard drawing to award the books. 
  • Inside Microsoft SQL Server 2005: The Storage Engine
  • Microsoft SQL Server 2005 Analysis Services Step-by-Step
  • Programming Microsoft SQL Server 2005
I'd also like to announce our speaker, our very own Paul Shearer, of Affiliated Computer Services. Here are the details of Paul's presentation:
Title:    SQL Server Performance Monitoring
Level:   Intermediate
 
Abstract:  This presentation is an introduction to SQL Server performance monitoring.  It covers the most common type of bottlenecks one is likely to encounter with SQL.  It then goes into methods of detecting these bottlenecks and proposes solutions for resolving them.  This presentation assumes a working knowledge for Windows and SQL server. 
Here are directions to Training Concepts: http://tctrain.com/index.php?page=directions.html
 
As with last time, if you are planning on attending and you have not already done so, please RSVP so I can give our hosts an approximate head count and they can accommodate us accordingly. Also, I'll need to pass on to you the building code, since the doors lock at 6 PM. If I've heard from you, you should see an email from me tomorrow afternoon with the code and contact numbers.

New Review: NGS Software's Typhon III

I recently had the opportunity to review NGS Software's updated Typhon III general vulnerability scanner. I had previously reviewed it two years ago and was impressed with the product then. The updated version has some nice new features. You can read my review here: A Review of Typhon III. It'll hit the main page of SQLServerCentral.com on February 5, 2007.


Technorati Tags: DATABASE | SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | MySQL | Security | Database Security | Network Security | Windows Security

Adding value to our organizations

Sean McCown writes in the latest Database Underground about how DBAs should try to make things better for the users of an organization. I think Sean hits upon an important point, not just for DBAs but for all IT workers. Too often IT is seen as a cost center, an impediment, something necessary for an organization but not necessarily glorified or appreciated. As technicians we may find ourselves amazed that the business people don't see value in what we do; we may groan and complain that they don't understand how hard we work, or we may think they don't care. From the business perspective, though, it's hard to understand why it takes so much to do some of the things we do. But then again, we sometimes marvel at some of the things the business folks do, shake our heads and say, "I don't get it." They do get it, though, and it's their turn to wonder why we don't understand how hard they work and why we don't seem to care.

Responsible IT workers seek to make a positive difference for the company beyond their "day jobs." It may not be helping automate a user's spreadsheet (after all, some system administrators may not have much expertise in the latest business software), but there is certainly something every IT worker can do to add value to the organization. A similar point was made by Vanessa Williams in her blog, fridgebuzz. In a recent post titled The Long Tail of Web Services she talks about how Amazon.com occasionally gets recognition for some of its initiatives which don't seem to have any relation to its core business. Google is the new "hot company," but just like Amazon.com, Google is investing heavily in its infrastructure. However, while Google has incredible expertise, they aren't utilizing it as a profit center.

For Amazon.com, the model is already built. Amazon.com invested heavily in its infrastructure. Now it's seeking to use those investments to allow third-party vendors to partner and piggy-back on the great work its personnel have accomplished. Ultimately, that means a greater and more stable source of revenue for Amazon.com beyond selling warehouses full of books, CDs, and DVDs. But for Amazon.com to be positioned to have such a strong infrastructure, someone in IT had to think beyond "web store." Then someone had to consider what to do with all that infrastructure and how to make money for Amazon.com with it. That's adding value, something we can all do. And when we start doing this enough, the organization will see IT as an asset and a wise investment rather than as "overhead."

Technorati Tags: Life | Work | Information Technology | Adding Value


Shared Items on Google Reader

I read through a lot of blogs each day in a variety of technology categories. I've always fashioned myself as a jack-of-all-trades, and that helps me a great deal in my current position. However, it does mean consuming a lot of feeds to stay up on all the areas I have a profound interest in. Here are my shared feeds on share.opml.org.

Google Reader has a nice feature where I can share items I find interesting. There are a ton of good blog posts each day, so I've started marking them to be shared. There are two ways to view these shared items: one is the web page and the other is through the RSS feed.


Technorati Tags: Google Reader | Blogging | Sharing Feeds | RSS | OPML | Reading List


Jason Haley recently began posting his interesting finds again

Jason Haley used to post his Interesting Finds about every day, if not multiple times a day. The Interesting Finds were a collection of blog posts and other links he had come across in his various RSS feeds, put together for others who were interested in the same sorts of things he was (Microsoft development topics, Boston happenings and, after his move to Seattle, Seattle happenings, career development articles, etc.). He took a break for several weeks, but it's nice to see that he's begun posting them again, starting back around Thanksgiving.

Here's his RSS feed for those who might be interested: JasonHaley.com blog feed.


Technorati Tags: Microsoft | Programming | DATABASE | SQL | T-SQL | SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Life | Work

Windows 2000 Resource Kit Tools Available

If you're like me and rely a lot on the resource kit tools, you may have found that it's relatively easy to find the Windows Server 2003 Resource Kit tools in searches on the Microsoft site. However, if you still have Windows 2000 computers (including Windows 2000 Active Directory domain controllers), some of the tools re-written for Windows Server 2003 may not work properly on Windows 2000 systems. Microsoft has put together a Knowledge Base article which includes all of the commonly used administrative tools in one place:

  Windows 2000 Resource Kit Tools for Administrative Tasks (927229)


Technorati Tags: Microsoft | Windows 2000 | Active Directory

SysInternals Tools Updated

Several SysInternals tools have been updated. One of the big updates was to the PsTools suite: you can now accept the EULA from the command line (the -accepteula switch) instead of through a dialog. When the tools first appeared on the Microsoft TechNet site, a GUI EULA popped up when a tool was first run, which broke any scripts that relied on the tools running unattended. There is also a new download with all of the SysInternals tools wrapped into a single package: SysInternals Suite. This is great because now all the tools can be downloaded and extracted at one time into a single directory, where before there were a lot of little individual downloads. Even better, if the PATH variable is set to include that directory, they can be run from the command line no matter what directory you happen to be in. For command-line tool junkies like me, this is essential.



Technorati Tags: Microsoft | Windows 2000 | Windows 2003 | Windows XP | Windows Vista

Excellent post on encryption

Laurentiu Cristofor has an excellent blog post, Who needs encryption?, which presents some point blank facts about encryption and the correlations you can draw from those facts. This post isn't a SQL Server or even a database specific post. It's about encryption in general.

I love his Fact #1: Encryption does not eliminate the need to protect some data. I was recently talking with some peers about whole disk encryption technologies. The idea behind whole disk encryption is that if someone steals the hard drive (such as by taking a laptop) while it is powered off, powering it on doesn't immediately give them access to the data. They have to decrypt the drive first. There are two ways to go about that: try to break the encryption on the whole drive, or go after the portion that stores the key which decrypts the whole drive. Any serious attacker is going to go after the latter, because once you have the key, you have the whole drive. And that's the point. You are no longer in the business of safeguarding all the data; the encryption does that for you, with the exception of the key itself. The key you must safeguard. The discussion turned to wanting to make the protection on the key weaker than on the rest of the drive, because people were having to enter too many combinations of characters when they forgot their password and the admins needed to unlock the drive. My point was that whichever layer was weaker set the level to which the hard drive was effectively encrypted. So weakening the protection on the key to make it easier for support reps and end users to unlock the drive after a forgotten password wasn't a good idea.
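Here is that weakest-link argument worked through in code, as an added example that is not part of the original post or of any product it mentions. The header layout, the PIN "4821", the long passphrase, the XOR key wrap, and the HMAC-counter keystream (standing in for the AES mode a real product would use, since the Python standard library has no AES) are all assumptions made for the demonstration. The data is encrypted under a random 256-bit volume key either way; the only difference between the two volumes is how that key is protected, and that difference is the whole game.

```python
"""Whole-disk encryption, weakest-link demo: the key-protection layer, not the
data cipher, sets the effective strength.  Constructed example, not product code."""
import hashlib
import hmac
import os

SAMPLE = b"constructed sample: customer export spreadsheet, not real data"


def keystream_encrypt(dek: bytes, data: bytes) -> bytes:
    """Symmetric stream encryption: keystream block i = HMAC-SHA256(dek, i).
    Stands in for AES (no AES in the stdlib).  XOR is its own inverse, so the
    same function decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(dek, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def kek_weak(secret: str, salt: bytes) -> bytes:
    """The 'make it easy for support' variant: a single SHA-256 over a short PIN."""
    return hashlib.sha256(salt + secret.encode()).digest()


def kek_strong(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow KDF (100k PBKDF2 rounds) over a long passphrase."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_check(dek: bytes) -> bytes:
    """Verifier kept in the header so unlock can tell a right KEK from a wrong one."""
    return hmac.new(dek, b"key-check", hashlib.sha256).digest()[:8]


def create_volume(secret: str, kdf, plaintext: bytes):
    """Encrypt under a random 256-bit DEK, wrap the DEK with the user-derived KEK,
    and return (header, ciphertext): exactly what a thief gets with the drive."""
    salt, dek = os.urandom(16), os.urandom(32)
    header = {"salt": salt, "wrapped_dek": xor32(dek, kdf(secret, salt)), "kcv": key_check(dek)}
    return header, keystream_encrypt(dek, plaintext)


def unlock(header, ciphertext: bytes, secret: str, kdf):
    """Returns the plaintext, or None if the secret does not unwrap the DEK."""
    dek = xor32(header["wrapped_dek"], kdf(secret, header["salt"]))
    if not hmac.compare_digest(key_check(dek), header["kcv"]):
        return None
    return keystream_encrypt(dek, ciphertext)


def crack(header, ciphertext: bytes, candidates, kdf):
    """Offline guessing against the header alone.  Each guess costs one KDF call;
    the 256-bit DEK and the data cipher are never attacked directly."""
    for guess in candidates:
        plaintext = unlock(header, ciphertext, guess, kdf)
        if plaintext is not None:
            return guess, plaintext
    return None


def demo():
    # Weak key protection: a 4-digit PIN under a fast hash.  10,000 guesses
    # recover the DEK and therefore every byte on the "drive".
    weak_hdr, weak_ct = create_volume("4821", kek_weak, SAMPLE)
    weak_result = crack(weak_hdr, weak_ct, (f"{i:04d}" for i in range(10_000)), kek_weak)

    # Strong key protection: long passphrase under a slow KDF.  The same attack
    # is limited to 20 guesses here; each one costs 100k HMAC rounds, and the
    # passphrase is not in the PIN space anyway.
    strong_hdr, strong_ct = create_volume("correct-horse-staple-battery-2007", kek_strong, SAMPLE)
    strong_result = crack(strong_hdr, strong_ct, (f"{i:04d}" for i in range(20)), kek_strong)
    return weak_result, strong_result


if __name__ == "__main__":
    weak, strong = demo()
    print("weak volume cracked with PIN:", weak[0] if weak else None)
    print("strong volume cracked:", strong is not None)
```

Both volumes use the same 256-bit volume key and the same data cipher; the attacker never touches either. The weak volume falls to a PIN enumeration in a fraction of a second, which is the blog's point: the drive is encrypted to the strength of its key protection, not to the strength of the cipher over the data.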

Fact #4 is a sticking point for me, too. When developers who aren't very knowledgeable about encryption say, "Hey, I'll just build an encryption algorithm because I don't feel like using one of these others. How hard can it be?" that drives me crazy. A lot of developers understand that here laziness is the right approach: if it's a rock-solid algorithm that has undergone the scrutiny of the crypto community and survived, it's a good candidate, so just figure out how to implement it correctly. Unless you have advanced degrees in mathematics and time in the field, it is extremely arrogant to think you can design an algorithm better than what's already out there. Granted, you might, but given the track record of home-grown algorithms, you've most likely wasted a lot of time that could have gone to other activities for your organization.



Technorati Tags: Security | Database Security | Network Security | Windows Security

Microsoft Network Monitor 3.0 Released

If you aren't familiar with Network Monitor, it's a packet sniffer that's a Windows component on the server builds (Control Panel >> Add/Remove Programs >> Add/Remove Windows Components >> Management and Monitoring Tools >> Network Monitor Tools if you're using Windows Server 2003). The version that has previously been released with SMS has always been more robust than the one that can be added via the location I just gave. Microsoft has built a 3.0 version which is now free for download through connect.microsoft.com. You can read more about it here at the Network Monitor blog:

Network Monitor 3.0 has released!!

A lot of times when I'm troubleshooting connectivity issues between a SQL Server and a client I fall back on a packet sniffer, and Network Monitor usually does the job. Even when I was strictly a DBA I found this to be a great tool in my toolbelt. However, most organizations have strict rules on who can use sniffers and when, because of the security implications. Before you download and install it, verify that you're allowed to do so by your organization. And before you use a packet sniffer, always be sure to clear it first in writing (such as via email).

Although this is free, some prefer the tried and true Ethereal. I'm partial to it myself, but it requires the installation of WinPcap, which you may not necessarily be able to get permission to install on the server. Network Monitor 3.0 doesn't require any additional installations.



Technorati Tags: Windows 2003 | Windows XP | Windows Vista | Security | Database Security | Network Security | Windows Security



SysInternals now on Microsoft TechNet

It wasn't too long ago that Mark Russinovich announced he was becoming a Microsoft employee (new link as his old blog redirects to his new blog on TechNet). Now there is a new SysInternals section of the TechNet website. You can find the majority of the old SysInternals tools here:

Microsoft: SysInternals TechCenter

There is also a new tool, Process Monitor, which basically combines FileMon and RegMon (since it's not unusual to need to use both together). If you are a fan of the SysInternals tools, check out the new site. In addition, there is a SysInternals blog that may be of interest to some. This blog is different from Mark's.


Technorati Tags: Windows 2000 | Windows 2003 | Windows XP | Windows Vista | Security | Network Security | Windows Security


Identifying NTLM vs. Kerberos authentication using Fiddler

I saw this post on using Fiddler to tell the difference between an NTLM and a Kerberos connection to a web server.

Two easy ways to pick Kerberos from NTLM in an HTTP capture

If you aren't aware of what Fiddler is, it's a web proxy that allows you to see the communications between a web browser and a server. You point the browser at it as a proxy server and the traffic is displayed in the Fiddler application itself. This kind of tool helps a lot when performing security analysis, such as penetration testing a web application (you can alter what's being sent to a web server without having to code up a web page), but it can also be useful when troubleshooting why a given application isn't working.

One such application is SQL Server Reporting Services. If you're connecting via Windows authentication and Reporting Services is installed on a different server than SQL Server, you have a double-hop situation (one hop between the client and the SSRS server and a second hop between the SSRS server and SQL Server). That leads to a failure when NTLM is used, because NTLM can't forward the client's credentials across that second hop. Kerberos can, when it's properly configured. When it's not, clients tend to fall back to NTLM... thereby leading to the failure. Fiddler can help you spot whether the initial connection to the web server is via NTLM or Kerberos. How does that help troubleshoot a Reporting Services issue? Well, if the issue is security related and you're seeing NT AUTHORITY\ANONYMOUS LOGON on the SQL Server side, understanding how the client is connecting to the web server tells us where to start looking.

If it's connecting via NTLM, you need to look at the client and the SSRS server to determine what is misconfigured. The client may be set to pass credentials automatically only when the server is in the Intranet zone, and the client doesn't recognize the server as being in the Intranet zone. The client may be set up so that it doesn't use Integrated Windows Authentication (this is the default with IE 6 SP1, unfortunately). The NTAuthenticationProviders setting for the web site may not include Negotiate, which is what allows Kerberos to be used (NTLM alone never will). These are some of the more likely possibilities.

If the connection is being made with Kerberos, then the connection between SSRS and SQL Server is likely where the issue is. In that case it could be that the web server isn't set up to allow delegation in Active Directory; that the application pool identity isn't set up to delegate within Active Directory (if Network Service is used, the identity is the computer account itself, which the first setting takes care of); that the application pool identity, if it isn't Network Service, doesn't have a Service Principal Name (SPN) for HTTP; that you're using a host name different from the actual server name and an SPN for that name is required; or that the SQL Server service account doesn't have a properly registered SPN.

Now, can you get the same information using a network sniffer? Yes. However, using Fiddler may be easier for those who aren't experienced with dealing with packet traces.
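The two tells a proxy capture gives you are which mechanism the Authorization header actually carries and how many 401 challenges precede the 200. Here is both checks in code, as an added example that is not from the original post, the linked article, or Fiddler. What it relies on: an NTLM message always begins with the bytes "NTLMSSP\0" (so the base64 in the header starts with TlRMTVNT), while a Kerberos or SPNEGO token is a DER-encoded GSS-API InitialContextToken that begins with the 0x60 tag (base64 YII for the usual sizes) and names its mechanism by OID. The token bodies and the two sessions below are constructed placeholders with the right leading bytes and OIDs, not a real capture, and the classifier keys on those bytes rather than doing a full ASN.1 parse.

```python
"""Tell NTLM from Kerberos in HTTP Windows-authentication legs captured by a proxy.
Constructed example; the tokens are placeholders, not captured traffic."""
import base64

# DER encodings of the mechanism OIDs found in an SPNEGO mechTypes list or a
# bare GSS-API token (OID content bytes only, as they appear on the wire).
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2


def parse_auth_header(value: str):
    """Split 'Negotiate <b64>' or 'NTLM <b64>' into (scheme, raw token bytes)."""
    parts = value.strip().split(None, 1)
    if len(parts) == 1:
        return parts[0], b""
    return parts[0], base64.b64decode(parts[1])


def classify_token(raw: bytes) -> str:
    """Mechanism carried by one decoded token."""
    if not raw:
        return "no token"
    if raw.startswith(b"NTLMSSP\x00"):                     # base64 prefix TlRMTVNT
        msg_type = int.from_bytes(raw[8:12], "little")      # 1 negotiate, 2 challenge, 3 authenticate
        return f"NTLM (raw NTLMSSP message type {msg_type})"
    if raw[:1] == b"\x60":                                  # [APPLICATION 0]: base64 prefix YII
        if OID_NTLMSSP in raw or b"NTLMSSP\x00" in raw:
            return "NTLM (inside SPNEGO)"
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            return "Kerberos (SPNEGO)"
        return "SPNEGO (mechanism not recognised)"
    if raw[:1] == b"\xa1":                                  # NegTokenResp continuation
        return "NTLM (inside SPNEGO)" if b"NTLMSSP\x00" in raw else "SPNEGO continuation"
    return "unknown"


def analyze_exchange(legs):
    """legs: list of (request_headers, status, response_headers) in capture order.
    Returns (mechanism, number of 401 challenges).  NTLM needs two challenges
    before the 200; Kerberos needs one (or none if the client pre-authenticates)."""
    mechanism, challenges = "none", 0
    for request, status, _response in legs:
        if status == 401:
            challenges += 1
        auth = request.get("Authorization")
        if not auth:
            continue
        scheme, raw = parse_auth_header(auth)
        verdict = classify_token(raw)
        if scheme.upper() == "NTLM" or verdict.startswith("NTLM"):
            mechanism = "NTLM"
        elif verdict.startswith("Kerberos"):
            mechanism = "Kerberos"
    return mechanism, challenges


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed tokens: correct signature, type and OID bytes, padded bodies.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
NTLM_TYPE2 = b"NTLMSSP\x00" + (2).to_bytes(4, "little") + b"\x00" * 40
NTLM_TYPE3 = b"NTLMSSP\x00" + (3).to_bytes(4, "little") + b"\x00" * 64
SPNEGO_KRB = (b"\x60\x82\x01\x10" + b"\x06\x06" + OID_SPNEGO
              + b"\xa0\x82\x01\x04\x30\x82\x01\x00\xa0\x0d\x30\x0b\x06\x09" + OID_KRB5
              + b"\x00" * 240)

KERBEROS_SESSION = [
    ({}, 401, {"WWW-Authenticate": "Negotiate"}),
    ({"Authorization": "Negotiate " + b64(SPNEGO_KRB)}, 200, {}),
]
NTLM_SESSION = [
    ({}, 401, {"WWW-Authenticate": "Negotiate"}),
    ({"Authorization": "Negotiate " + b64(NTLM_TYPE1)}, 401,
     {"WWW-Authenticate": "Negotiate " + b64(NTLM_TYPE2)}),
    ({"Authorization": "Negotiate " + b64(NTLM_TYPE3)}, 200, {}),
]

if __name__ == "__main__":
    for name, session in (("kerberos", KERBEROS_SESSION), ("ntlm", NTLM_SESSION)):
        print(name, analyze_exchange(session))
```

Applied to the SSRS case: a three-leg exchange whose tokens decode to NTLMSSP means the client never obtained a Kerberos ticket for the web server, so start with the client and the SSRS box; a two-leg exchange carrying a Kerberos token means the first hop is fine and the delegation and SPN settings for the second hop are where to look.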



Technorati Tags: SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Windows 2000 | Windows 2003 | Windows Security


Succinct Article on Encrypting File System (EFS)

Encrypting File System, or EFS, first debuted in Windows 2000 and gave users the ability to encrypt files without a third-party tool. There were some limitations to EFS under Windows 2000, among them that the default Data Recovery Agent was the local Administrator account. This meant that if you used EFS on, say, a laptop, the files were protected against someone booting a Live CD or a Linux boot disk, but should the local Administrator account be cracked, the files could still be accessed through the recovery agent. Changes in Windows XP and Windows Server 2003 did away with weaknesses such as this one. There are still ways around this, since laptops usually have cached credentials which can be cracked, but it's another step an attacker would have to take. If you aren't familiar with EFS, check out this short article, appropriately titled:

Understanding EFS

EFS isn't "whole disk encryption"; it secures individual files and folders. That means that on a laptop you are dependent on the user to place files in the encrypted locations. Tightening down file permissions works when the users aren't running with administrator privileges, but with quite a few apps still requiring more than normal user rights, this isn't so easy. Until Vista's BitLocker comes on the scene, that means a third-party solution is required for whole disk encryption.

On servers EFS can be used to encrypt files such that only the service account has access to them. I wrote about this with respect to SQL Server, but the article is a little out of date, having been written for Windows 2000. I'll need to update it one of these days. Be aware that, as with any encryption, you are likely to see some performance degradation; the encryption/decryption requires more cycles than straight data access. But the performance hit under Windows 2000 was often less than 5%, and I doubt it has gotten worse with Windows XP and 2003.


Technorati Tags: Security | Database Security | Network Security | Windows Security | DATABASE | SQL | T-SQL | SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Windows 2000 | Windows 2003 | Windows XP | Windows Vista


Before you submit that incident to Microsoft...

Check out this post:

Things to consider before submitting an incident to Microsoft

Getting the information together before you make that phone call can speed up resolution to the issue. Also, if you do have a Technical Account Manager, that person can help drive the support call to a happy resolution (or as happy as the problem allows for).

Another point is to take a look at the MPS reports (a link to the KB is given in the blog post). From them you can glean what bits of information Microsoft PSS personnel are interested in. Knowing what they're interested in points us to the information we should be interested in. And that can often put us a step ahead in our own troubleshooting efforts, where we might not have to make the support call in the first place!


Technorati Tags: SQL Server | Microsoft SQL Server | SQL Server 2000 | SQL Server 2005 | Windows 2000 | Windows 2003 | Windows XP | Windows Vista



WinFS rolled into next version of SQL Server


A blog posting from the WinFS team caught me a bit by surprise today. Apparently I wasn't the only one, judging by the comments. WinFS was supposed to give us a relational file system. There are security ramifications to doing that, as demonstrated in this video from BlueHat 2006 (from Channel 9), in which a security program manager from WinFS talks about some of the things he learned.

However, when you consider what the benefits can be (a comment gives the example of deleting thousands of files and how long that takes... this would be near instantaneous with a properly implemented relational database structure), many folks were looking forward to getting WinFS. And Vista was supposed to deliver it. But then Microsoft made the announcement that WinFS wouldn't ship with Vista. Instead, it'd be stand-alone and it could be installed later. Now today we learn that it won't be shipped later. Mature parts of WinFS are being integrated into Katmai, the next version of SQL Server.

I'm still considering what all this means for SQL Server and for the OS. Certainly it's a loss on the OS side. We're not going to get that relational file structure we've been looking forward to. The venerable NTFS is going to have to plod on a bit longer. But on SQL Server's side there certainly is gain. With file integration there is the potential to deal with BLOBs better. That makes sense given that Microsoft is trying to get further into the enterprise document management sector with SharePoint Server 2007. But I know that integrating a file system hasn't always been as great as it sounds. Exchange Installable File System (ExIFS, or just IFS) is an example. It sounded great in Exchange Server 2000, but they scaled it back in Exchange Server 2003. It'll be interesting to see how they make this work in Katmai.
