SQLServerCentral Editorial

Microsoft Security Changes and SQL Server


For almost as long as I've been working as a data professional, NTLM has been the authentication protocol used in Windows. Microsoft added Kerberos over 20 years ago, but NTLM is still the fallback. Like so many things Microsoft has worked on, they loathe breaking backward compatibility, so NTLM has remained available. However, it has issues, like the double-hop problem, and there are numerous security weaknesses in the protocol itself. I tested a security product over 20 years ago that could break NTLM passwords in under an hour. On old Pentium-based computers.

This week Rebecca Lewis posted an article about the upcoming changes in Windows where NTLM is being phased out. She audits various clients and finds many are still using NTLM for SQL Server connections. Her observation is that many people aren't aware of this, and I'd concur. There is an informational message written to the SQL Server error log, but how many of you are checking the log and acting on it, or even understand what it means? How many of you might have developers (or yourself) using named pipes and be unaware? Those connections are NTLM-only.

Heck, I've got a friend fighting through SSL connections with SQL Server, which is something I rarely see. This person will eventually no longer need "trust server certificate" in every connection string, but I bet many of you are years away from implementing that. That's another change Microsoft wanted implemented, and why modern drivers now default to Encrypt=True.

Later this year, NTLM v1 will be phased out, but that's not likely what most of you use with SQL Server. However, the next major Windows Server release will disable NTLM v2, and you won't remember this editorial or the announcement by then. What will happen is that Windows admins will upgrade systems and you won't be able to connect.

Rebecca gives you some things to check, but since many of you might work in large estates, you'll need time to ensure clients and servers get updated and that NTLM isn't the protocol you depend on. Trust me, if a Windows or even a client driver upgrade removes it, you are in for a bad day (or week, or weeks) trying to get things working.
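One way to find out, for the NTLM and named pipes points above as well as the encryption question, is to ask the instance itself. The following T-SQL is an added example, not code from the editorial or from Rebecca's article; it uses only the documented sys.dm_exec_connections and sys.dm_exec_sessions DMVs and xp_readerrorlog. The search term in the last statement assumes the SPN registration message is the informational message the editorial refers to.

```sql
-- Added example (not from the editorial or Rebecca Lewis's article): inventory how
-- the sessions currently connected to this instance authenticated and connected.
-- Only live sessions are visible, so sample this repeatedly (or capture it with an
-- agent job) rather than trusting a single run.
SELECT
    c.auth_scheme,                        -- NTLM, KERBEROS, or SQL (SQL logins)
    c.net_transport,                      -- TCP, Named pipe, Shared memory, ...
    c.encrypt_option,                     -- TRUE when the connection is TLS-encrypted
    COUNT(*)                  AS session_count,
    MIN(c.client_net_address) AS example_client,
    MIN(s.program_name)       AS example_program
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1               -- skip system sessions
GROUP BY c.auth_scheme, c.net_transport, c.encrypt_option
ORDER BY session_count DESC;

-- Detail: every Windows-authenticated session that did NOT use Kerberos, with the
-- login, host and program that produced it, so the owning team can be found
-- before an upgrade turns NTLM off.
SELECT
    c.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,
    c.auth_scheme,
    c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.auth_scheme = N'NTLM'
ORDER BY s.login_name, s.host_name;

-- The informational message in the error log: did the instance register its
-- Service Principal Name at startup? Without a registered SPN, clients cannot
-- obtain a Kerberos ticket for the service and fall back to NTLM.
-- Arguments: log 0 = current log, 1 = SQL Server error log, then a search string.
EXEC sys.xp_readerrorlog 0, 1, N'Service Principal Name';
```

Two caveats when reading the output. Local connections over shared memory normally report NTLM even on a correctly configured instance, so filter on net_transport before raising an alarm. And encrypt_option = TRUE only says the session is encrypted; it does not tell you whether the client validated the server certificate, so a connection string with TrustServerCertificate=True still shows TRUE while remaining exposed to a man-in-the-middle presenting its own certificate.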

I'd also suggest you learn how SQL Server SSL connections work. I don't know that many orgs will require this, but some might, as security checks become more automatable and more CSOs start asking us to ensure no man-in-the-middle attacks reach our servers.
