Forwarded from: Eric Hacker <isn@private>

You'd think that by now Microsoft would have figured out that security goes way beyond secure coding and turning things off. From this article it seems they still have not learned.

> Microsoft engineers are also working to ensure that customers won't
> have to go through painful gyrations to turn on the turned-off
> features. "New functionality - extensions and things that make the
> server even better—we'll turn off by default, but we'll make it
> easy to turn those back on. We don't want customers to say, 'Hey, I
> like XYZ feature, but I have to go through this nightmare process
> to turn it on.'"

I'd like to see them go to great pains to turn on the features that help us secure the system that the database is only a part of. That means easy ways of encrypting the transmission of data using open standards. That means with documentation on how to do it without a Microsoft Certificate Authority and without any horrible protocols like MSRPC in the mix.

> One security-related educational venture has been the recent launch
> of the new Security Guidance Center on Microsoft's TechNet site.
> Launched about two weeks ago, the Center is a portal for all things
> security-related that might concern SQL Server customers. Security-
> related funds are also going to other initiatives, including
> Webcasts, written articles and other educational ventures for
> outside partners and customers, Rizzo said.

I haven't had the opportunity to peruse these yet. Maybe there is something practical there. Maybe they tell you how to do log shipping without opening SMB between the two systems.

> Microsoft's security efforts have borne fruit. For example, SQL
> Server 2000 has only had one critical alert since Service Pack 3
> shipped over a year ago.

The fact that a platform has not had a vulnerability does not mean that it is possible for others to deploy it securely for sensitive data.

SQL Server is an embedded component of many programs and has historically not provided the tools to make those programs secure. Just try passing user authentication data back to the MS SQL database securely. I know one application from a security vendor that uses the Windows server user repository instead of the database to house authentication data to get around that issue. This seems cool until one realizes that one has to grant terminal server access to the users so that they can change their passwords. DOH!

> Microsoft has also been staffing up its SWAT teams, which consist
> of ethical hackers who try to crack Yukon and other SQL Server
> versions. Rizzo said that recently Microsoft added "a whole bunch"
> of ethical hackers to the SQL Server team but declined to name how
> many new staffers were brought on-board.

They should have the crackers go after the applications developed on top of MS SQL. Then they'll learn a thing or two about real security engineering.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
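The post complains that nothing makes it easy to confirm client traffic and logins to SQL Server are actually protected in transit. An added audit query, not part of the original message, that a DBA can run to list the live sessions whose TDS connection is not TLS-encrypted, together with the authentication scheme each one used; it assumes SQL Server 2005 (Yukon) or later, where the `sys.dm_exec_connections` and `sys.dm_exec_sessions` views exist, and a login holding VIEW SERVER STATE.

```sql
-- Added audit query (not from the post): which current user sessions reached
-- the server over an unencrypted connection, and how did they authenticate?
-- Assumes SQL Server 2005+ and VIEW SERVER STATE permission.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,      -- 'TCP', 'Named pipe', 'Shared memory', ...
    c.auth_scheme,        -- 'SQL' (password carried in the TDS login), 'NTLM', 'KERBEROS'
    c.encrypt_option,     -- 'TRUE' only when the TDS stream is wrapped in TLS
    c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.encrypt_option = 'FALSE'
  -- Shared memory never leaves the host, so it is not a wire-exposure concern.
  AND c.net_transport <> 'Shared memory'
ORDER BY
    CASE c.auth_scheme WHEN 'SQL' THEN 0 ELSE 1 END,  -- worst case first
    s.login_name;
```

Rows with `auth_scheme = 'SQL'` and `encrypt_option = 'FALSE'` are exactly the case the post describes: a SQL login whose credentials crossed the network without TLS. On the client side the same protection is requested with the driver's `Encrypt=yes` connection-string keyword while leaving certificate validation on (`TrustServerCertificate=no`), so the server certificate may come from any CA the client already trusts rather than a Microsoft one.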
This archive was generated by hypermail 2b30 : Fri Feb 27 2004 - 04:21:23 PST