http://www.eweek.com/article2/0,4149,1539058,00.asp By Lisa Vaas February 25, 2004 In an effort to make it more secure, Microsoft Corp.'s "Yukon" version of its SQL Server database will ship with certain features turned off, according to Microsoft Director of Product Management for SQL Server Tom Rizzo, in Redmond, Wash. Rizzo said that, while it's too early to say exactly which features will be turned off, core functionality features will be left on in order to ensure that getting the database running out of the box won't be a nightmare. "We don't want you to go to install it and find it won't work out of the box," he said. Microsoft engineers are also working to ensure that customers won't have to go through painful gyrations to turn on the turned-off features. "New functionality - extensions and things that make the server even better—we'll turn off by default, but we'll make it easy to turn those back on. We don't want customers to say, 'Hey, I like XYZ feature, but I have to go through this nightmare process to turn it on.'" There are signs that the second beta of "Yukon" (which is the code name for Microsoft Corp.'s update of its SQL Server database), originally expected in late spring or early summer, is already well on its way. While Beta 1 is a closed beta for past testers and certain customers only, Beta 2 will be public, and people interested in Yukon will be able to participate in Microsoft's Customer Preview Program. While customers await Yukon, however, SQL Server itself has been getting more secure, Rizzo said. Microsoft has been spending extra money on security, as executives acknowledged during the company's second-quarter financial conference call, with much of the funds getting pumped into educating developers and customers. One security-related educational venture has been the recent launch of the new Security Guidance Center on Microsoft's TechNet site. Launched about two weeks ago, the Center is a portal for all things security-related that might concern SQL Server customers. Security-related funds are also going to other initiatives, including Webcasts, written articles and other educational ventures for outside partners and customers, Rizzo said. Rizzo also pointed to Microsoft's automated Baseline Security Analyzer tool as proof that the company is helping customers to secure SQL Server. Released some two years ago, this free tool seeks out unpatched Windows systems and applications on networks, then tells users what they need and where to find patches. Finally, the company is aiming to come out with a SQL Server-specific update feature similar to its current Windows Update, which notifies users when patches or drivers are available, though a release date has yet to be determined. Customers are clamoring for such a feature in hopes that it could protect them from catastrophes such as that wrought by Slammer. Slammer, a SQL Server worm that brought down the Internet some 13 months ago, preyed on machines that lacked a patch that had been available for some time. As a result, many small to medium-sized businesses with small and/or overworked IT staffs voiced need for some help with patch management. Microsoft's security efforts have borne fruit. For example, SQL Server 2000 has only had one critical alert since Service Pack 3 shipped over a year ago. For its part, Yukon is being designed using a three-part process. First, Microsoft sends program managers, developers and testers through security training so they'll understand what the most common types of flaws are in developers' code. Such common flaws include opening ports, buffer overruns and integer overruns, Rizzo said. Next, as product features are being designed, product managers follow a ritual of asking security-related questions about the feature, such as, what's the security of this feature? Does it open ports? And, is it vulnerable to injection attacks?Only then are developers free to go off and build a given feature. The third leg of security comes in with the use of automated tools that scan each line of code, plucking out commonly made mistakes. Such automated tools are a help. Line-by-line, manual code analysis was performed on SQL Server 2000 and 7.0—a process that took some three months, Rizzo said—back when Microsoft's security push resulted in Service Pack 3. Microsoft has also been staffing up its SWAT teams, which consist of ethical hackers who try to crack Yukon and other SQL Server versions. Rizzo said that recently Microsoft added "a whole bunch" of ethical hackers to the SQL Server team but declined to name how many new staffers were brought on-board. "Of the 1,000 people who work on SQL Server, security's top of mind," he said. "Even though we have a SWAT team, everyone's on the SWAT team." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:26:23 PST