So new customers still need to apply SP3 as a separate installation, but you’re making it readily available on the same distribution media?

Yes. In addition, the release-to-manufacturing (RTM) install will remove the Slammer vulnerability so that, out of the box, you can deploy and know that your system won’t get hit by Slammer before you apply the service pack or any of the security bulletins. But the install will include only that additional fix. Again, we highly recommend that customers test and deploy SP3 on all their SQL Servers.

In terms of dollars spent, we’ve heard that 25 percent of Yukon's cost relates in some way to enhancing security. What are you doing in Yukon to improve SQL Server’s security?

We’re disabling network access by default and disabling the User Datagram Protocol (UDP) instance resolution service that listens to port 1434 by default. Multiple instances will still work; they just won't be visible to strangers scanning your network. We’re also instituting the principle of least privilege, role-based security, and secure defaults.

We’ll help administrators use best practices by defaulting to the highest level of security possible and guiding them to grant additional privileges as needed. Role-based security makes administering security privileges easier than assigning specific privileges to each user. Secure defaults, such as turning off network access and defaulting to Windows Security rather than mixed mode, also help encourage best practices.
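As an added illustration of the two defaults described above (Windows Authentication instead of mixed mode, and role-based rather than per-user privileges), here is a short T-SQL script in the syntax of the Yukon release (SQL Server 2005). It is not code from the interview or from Microsoft; the database, schema, role and login names are placeholders, and the server property check is a real SQL Server function.

```sql
-- Added example, not from the interview. Names below are placeholders:
-- SalesDb (database), Sales (schema), AppReaders (role), CORP\app_reader (Windows login).

-- 1. Secure-default check: 1 means Windows Authentication only,
--    0 means mixed mode (SQL logins with passwords stored in the server).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS WindowsAuthOnly;

-- 2. Role-based security: put the privileges on a role, not on each user.
--    The role carries exactly what the application needs (least privilege),
--    here read access to one schema and nothing else.
USE SalesDb;
GO
CREATE ROLE AppReaders;
GO
GRANT SELECT ON SCHEMA::Sales TO AppReaders;
GO

-- 3. Map a Windows account to a database user; no password lives in SQL Server,
--    and the domain's account lockout and password policy apply to it.
CREATE LOGIN [CORP\app_reader] FROM WINDOWS;
GO
CREATE USER app_reader FOR LOGIN [CORP\app_reader];
GO
EXEC sp_addrolemember 'AppReaders', 'app_reader';
GO

-- 4. Verify the effective permissions the user actually ends up with,
--    impersonating it and then returning to the original context.
EXECUTE AS USER = 'app_reader';
SELECT permission_name FROM fn_my_permissions('Sales', 'SCHEMA');
REVERT;
GO
```

Adding a second application account later is one sp_addrolemember call; the grant list is reviewed in one place, which is the administrative advantage the answer refers to.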

Why does SQL Server use its own encryption algorithms? Shouldn’t you be leveraging the services offered by Windows? Will Yukon do this?

SQL Server, in general, uses encryption algorithms supported by the underlying operating system, and all new features depend on OS-supplied encryption. For historical reasons, some features have depended on weaker mechanisms, but we’re committed to moving these to OS-supplied mechanisms as aggressively as possible.

Microsoft has consistently argued that with SQL Server’s ease of use and management, companies can and should have their DBAs focus more time on business issues than on traditional DBA activities. Then comes a security problem like Slammer, and most organizations complain that they just don't have the staff to keep up with the constant flow of software patches. How does Microsoft reconcile these two scenarios?

You’re right. Microsoft’s goal is to automate the routine, tactical tasks that DBAs must accomplish in an effort to free them up for more strategic work. Although manageability tools are a strength of SQL Server, we know that we have to do a better job of patch management. Microsoft’s principle is to be proactive in issuing patches as we discover vulnerabilities. The key will be to make these patches easier for customers to understand and deploy while minimizing downtime.

We’ll continue to build on the security tools and the installer we released, and we want to continue the dialog with customers about how to help them with patch management, which is an issue across the industry. This is a huge priority for us, and you have my commitment that we will make it better.

Reader Comments

Here's another reason why SQL Server support staffs don't immediately apply service packs. Just because a service pack is available doesn't mean that it is completely tested and error free for your systems. We have a server that we just applied SP3 on last week. Immediately after the upgrade, we found applications that used to run in 2 minutes running over 55 minutes. After running and re-running sp_updatestats, we had no improvement. After running Update Statistics TABLE with fullscan (a supposed solution if the sp_updatestats doesn't help), we again had no improvement. After studying all other possible causes, including memory settings, we could find no solution. I finally uninstalled SQL Server 2000 with SP3 (sure would be nice to have an uninstall) and then re-installed with SP2--the problem immediately went away, and we had our 2-minute response time. Now, you might say we could tune our applications and add indexes to solve this. Probably true. However, when I upgrade the server to the new and improved service pack, I shouldn't have to retune the performance of software that we have installed at 100+ customer sites. Therefore, you can see why a DBA might be reluctant to start running new service packs when they are announced as available. Beta testing service packs is not a cost-efficient endeavor.

Thanks, Ted Henderson

Ted Henderson
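The comment above describes re-running sp_updatestats and UPDATE STATISTICS WITH FULLSCAN blindly across the server. As an added example (not part of the reader's comment), the following SQL Server 2000 script narrows that to a check a DBA can run before and after a service pack: it lists the indexes whose statistics are old or whose tables have changed a lot, and generates targeted FULLSCAN statements only for those. It reads the SQL Server 2000 system tables sysindexes and sysobjects; the 30-day and 1000-row thresholds are assumptions to be tuned for the workload.

```sql
-- Added example, not from the reader's comment. SQL Server 2000 syntax.
-- Thresholds (30 days, 1000 modified rows) are assumptions, not recommendations.

-- Check: user-table indexes whose statistics are older than 30 days
-- or whose table has accumulated more than 1000 row modifications.
SELECT  OBJECT_NAME(i.id)         AS table_name,
        i.name                    AS index_name,
        i.rows                    AS row_count,
        i.rowmodctr               AS rows_modified_since_update,
        STATS_DATE(i.id, i.indid) AS stats_updated
FROM    sysindexes i
JOIN    sysobjects o ON o.id = i.id
WHERE   o.type = 'U'                       -- user tables only
  AND   i.indid BETWEEN 1 AND 254          -- excludes heaps (0) and text/image chains (255)
  AND   i.name IS NOT NULL
  AND  (STATS_DATE(i.id, i.indid) < DATEADD(day, -30, GETDATE())
        OR i.rowmodctr > 1000)
ORDER BY i.rowmodctr DESC;

-- Generate the maintenance statements from the same criteria. Review the
-- output, then execute it, instead of resampling every table on the server.
SELECT  'UPDATE STATISTICS ' + QUOTENAME(OBJECT_NAME(i.id))
        + ' ' + QUOTENAME(i.name) + ' WITH FULLSCAN;' AS maintenance_sql
FROM    sysindexes i
JOIN    sysobjects o ON o.id = i.id
WHERE   o.type = 'U'
  AND   i.indid BETWEEN 1 AND 254
  AND   i.name IS NOT NULL
  AND  (STATS_DATE(i.id, i.indid) < DATEADD(day, -30, GETDATE())
        OR i.rowmodctr > 1000);
```

Saving the first result set before the service pack and again afterwards also gives a concrete before/after record if a regression like the one described has to be escalated.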

The ongoing emphasis by Microsoft on not using mixed mode authentication is particularly frustrating. Microsoft needs to do a better job of motivating third-party software vendors to support Windows authentication. Not only don't they support it now, but when you ask when they will, your question is met with silence. They have no plans to move to it. It is these vendors that make the decision for us. We have no discretion in choosing our authentication mode! Kay

Kay Conheady

To the question of why DBAs didn't apply the patch, Mr. Mangione responds, "The key will be to make these patches easier for customers to understand and deploy..." But the problem is that Microsoft is becoming a victim of its own "ease of use" success. So I was very disappointed to hear this response.

Let's be honest, "ease of use" is a double-edged sword. On one side we have a product that should take care of mundane tasks BUT on the other it can dumb down a shop, lower everyone's salaries, and end up causing a downward spiral (dumb people doing dumb things requiring even more "ease of use"), eventually leading customers to dump SQL Server for more robust products (products that require skilled keepers). I have experience seeing this happen. It's to the point where many IT managers consider SQL Server DBAs to be mere babysitters, preferring Oracle DBAs for the "real" work. And I was even told by an MS SQL Server evangelist that for enterprise class shops they would recommend hiring Oracle DBAs.

IT shops are not hiring qualified people for MS products because MS pitches the idea that its products are self-maintaining and require only semi-skilled labor (read as lower wages/cost). I would really like to see an honest discussion about whether this minimally qualified work force is where we want to take things or not. I think if this trend continues the creative people in this field will leave, perhaps for other careers or other platforms. And if we don't want to be replaced by monkeys or robots, having all our salaries lowered to minimum wage, and working in dreadfully boring spaces with dreadfully boring people, then how can we improve SQL DBA training/certification? Currently, the training and cert programs are not well respected, nor do they adequately prepare one for being a DBA/database developer. BUT I don't see anyone talking about this issue! At least not in this magazine.

Mike
