Windows IT Pro Innovators Special Mentions
Download the code: 93636.zip

GRAND PRIZE
Kent Post
Solutions Architect,
Akamai Technologies,
San Mateo, California

Years in IT: 20
Fun Facts: Airplane and helicopter pilot; hang-gliding instructor; shares a birthday with Windows IT Pro Senior Editor Anne Grubb
Notable Quote: "I think our role as IT professionals at the top levels of experience and involvement is increasingly becoming more of a development role."
Email: kent@akamai.com

SOX-Compliant Password System
For Akamai Technologies, attaining compliance with the Sarbanes-Oxley Act (SOX) required developing a new system for rotating passwords and maintaining a history of password versions. Kent Post's answer was to build an application that uses a secret key to automatically generate strong local and administrator account passwords on Windows systems, rotate passwords on a cycle, and track previously generated passwords.

Akamai's legacy system consisted of a flat file containing a list of passwords. Administrators generated passwords and entered them in the file—a process that risked human error and made enforcing a password policy difficult. Unable to find a commercial product to meet his requirements, Kent devised a homegrown solution. A serviced component (i.e., a COM object) acts independently of the operator and in an isolated security context to broker specific requests for password management.

The heart of Kent's solution is the secret key that's used to generate the password. "I used a hashing mechanism based on the local account's unique data, the host name, and a secret key. The secret key is never exposed and is completely held in a private process. Users can request entry points into this process to do very specific things, which are regulated by permissions. But the process takes care of all password management and computation. And the keys are iterated, so when we need to generate a new key, we can retire the old key and create a new one. All the passwords derived from that key are automatically updated."
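The scheme Kent describes is a keyed derivation: the password is a function of a secret key, the host name and per-account data, and retiring the key changes every password derived from it. The sketch below is an added example written for this page, not Akamai's code (which is a .NET serviced component); it uses HMAC-SHA256 as the hashing mechanism, and the 64-symbol alphabet, 20-character length, in-memory key store, complexity policy and the "cycle" string that marks the scheduled rotation period are all assumptions.

```python
import hashlib
import hmac
import secrets

# 64 symbols so that one digest byte & 0x3F picks a character uniformly
# (no modulo bias).  Alphabet and 20-character length are assumptions.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789!#")
PASSWORD_LEN = 20


def _has_all_classes(pwd):
    """Assumed local policy: upper, lower, digit and symbol must all be present."""
    return (any(c.isupper() for c in pwd) and any(c.islower() for c in pwd)
            and any(c.isdigit() for c in pwd) and any(c in "!#" for c in pwd))


class PasswordBroker:
    """Owns the secret keys.  Callers get derived passwords, never a key; the
    page's serviced component plays this role in an isolated security context."""

    def __init__(self):
        self._keys = {}        # version -> 32 random bytes (assumed in-memory store)
        self._current = 0
        self.rotate_key()

    @property
    def current_version(self):
        return self._current

    def rotate_key(self):
        """Mint a new key version and make it current.  The old version stays
        retained (read-only) so earlier passwords can still be recomputed; every
        host's password must be pushed again, since derivation now uses the new key."""
        self._current += 1
        self._keys[self._current] = secrets.token_bytes(32)
        return self._current

    def derive(self, host, account_sid, cycle, version=None):
        """HMAC-SHA256(key_version, host | SID | cycle | attempt) -> password.

        `cycle` (e.g. "2007-Q3") is the scheduled rotation period: bumping it
        yields a fresh password without retiring the key.  The attempt counter
        makes the search for a policy-compliant value deterministic."""
        version = self._current if version is None else version
        key = self._keys[version]
        for attempt in range(256):
            msg = "\x00".join((host.lower(), account_sid, cycle, str(attempt)))
            digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
            pwd = "".join(ALPHABET[b & 0x3F] for b in digest[:PASSWORD_LEN])
            if _has_all_classes(pwd):
                return pwd
        raise RuntimeError("no compliant password within 256 attempts")

    def history(self, host, account_sid, cycle):
        """(version, password) for every retained key, newest first.  Because the
        value is a pure function of key and inputs, 'previous passwords' can be
        recomputed on demand instead of being written to the database."""
        return [(v, self.derive(host, account_sid, cycle, v))
                for v in sorted(self._keys, reverse=True)]


if __name__ == "__main__":
    broker = PasswordBroker()
    sid = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed SID
    print(broker.derive("ws-0042", sid, "2007-Q3"))
    broker.rotate_key()
    for version, pwd in broker.history("ws-0042", sid, "2007-Q3"):
        print(version, pwd)
```

The design trades one secret for many: whoever obtains a key version can compute every password derived from it offline, which is why the key lives only inside the private process and callers are limited to narrow, permission-checked entry points. A retired key should be destroyed only after every host that used it has been rotated onto the new version; until then it is the only way to recover those hosts' current passwords.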

An administrative UI uses an ASP.NET 2.0 treeview control to let IT staff control which organizational unit (OU) containers are included in or excluded from password management (e.g., OUs that don't contain Windows systems). For local accounts, password metadata such as the date and status of the last successful rotation (including failure details, but never the password value itself) is stored in a Microsoft SQL Server 2005 table; administrators can retrieve the record for a particular account through the UI.

Kent is expanding the solution to include domain and local service identity accounts in the password-rotation scheme; tiered access; key, certificate, and password age monitoring with automated email alerts; and revocation. He'd also like to adapt it to manage passwords on non-Windows systems.

HONORABLE MENTION
Wayne Hewitt
Senior Database Administrator,
SunGard,
Christchurch, New Zealand

Email: wayne.hewitt@sungard.com

Faster Database Restores
The New Zealand support and development location of SunGard AvantGard performs 90,000 SQL Server and Oracle database backups (excluding tape backups), restores, and clones per year. SunGard IT staff needed to be able to load databases quickly without having extensive database knowledge or elevated security access. To meet this need, Senior DBA Wayne Hewitt created the AutoImport program, which consists of several batch files, a SQL Server stored procedure, and a small text-file job request that specifies details about the database-restore job, including what directory should be monitored, what priority jobs to run, and how long to wait between runs.

"Phase 1 of AutoImport automatically restores SQL Server and Oracle databases by using a simple text file that ends in '.AutoImport,'" Wayne explains. The text file contains the backup filename, the destination database server, and the target database's name. The customizable AutoImport checks for restore requests in the monitored directory, determines the destination-server settings, and restores the database. Restore requests originate either manually (from a staff member who copies and pastes an edited version of the AutoImport text file into the monitored directory) or automatically (via an automated quality assurance—QA—script global call that uses IBM Rational Robot and copies the AutoImport file into the correct monitored directory). The stored procedure builds the necessary restore command for the batch file (which connects via the OSQL utility) by reading the physical SQL Server backup file.

After completing a restore, AutoImport analyzes the results and generates a user-friendly log confirming all the restore details or explaining the cause of errors. "QA scripts can easily automate database restores without human intervention by submitting a job and checking whether the log exists once a minute, then reading the return code to ensure that the QA script can continue," says Wayne. "Initiating a restore manually is also quick and easy for end users, since they just have to put a text file in a directory and wait for the log to be returned."
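The flow described above (a request file dropped in a monitored directory, a restore command built from the backup file, a log and return code handed back) is worth seeing end to end, because the request is written by staff without elevated access yet executed by a privileged job. The code below is an added example for this page, not SunGard's AutoImport: the page names the three request fields but does not show the file layout or the stored procedure, so the key=value format, the allowed backup share, the list of permitted destination servers and the stand-in for the backup's file list are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed site configuration: the only share requests may restore from, and
# the QA servers (with their data/log directories) that requests may target.
BACKUP_SHARE = PureWindowsPath(r"\\bkp01\sqlbackups")
DATA_DIR = {"dbsrv01": r"E:\SQLData", "dbsrv02": r"F:\SQLData"}
LOG_DIR = {"dbsrv01": r"L:\SQLLogs", "dbsrv02": r"M:\SQLLogs"}
DBNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")

# Constructed request in an assumed key=value layout.
SAMPLE_REQUEST = """\
BackupFile=\\\\bkp01\\sqlbackups\\AvantGard\\treasury_20070312.bak
Server=dbsrv01
Database=Treasury_QA
"""
# Constructed stand-in for what RESTORE FILELISTONLY returns for that backup:
# (LogicalName, Type) with Type 'D' for data and 'L' for log.
SAMPLE_FILELIST = [("Treasury_Data", "D"), ("Treasury_Log", "L")]


class RequestError(ValueError):
    """Anything about the request that must stop the job."""


def parse_request(text):
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise RequestError(f"malformed line: {line!r}")
        fields[key.strip().lower()] = value.strip()
    missing = {"backupfile", "server", "database"} - set(fields)
    if missing:
        raise RequestError(f"missing fields: {sorted(missing)}")
    return fields


def validate(fields):
    """Unprivileged input, privileged execution: check every field before T-SQL."""
    server = fields["server"].lower()
    if server not in DATA_DIR:
        raise RequestError(f"destination server not allowed: {server!r}")
    db = fields["database"]
    if not DBNAME_RE.match(db):      # keeps [ ] ; ' and whitespace out of the name
        raise RequestError(f"database name rejected: {db!r}")
    path = PureWindowsPath(fields["backupfile"])
    try:
        path.relative_to(BACKUP_SHARE)   # ValueError if not under the share
        inside = ".." not in path.parts  # pure paths keep traversal segments
    except ValueError:
        inside = False
    if not inside or path.suffix.lower() != ".bak":
        raise RequestError(f"backup file must be a .bak under {BACKUP_SHARE}: {path}")
    return server, db, path


def sql_literal(s):
    """N'...' literal with embedded quotes doubled."""
    return "N'" + s.replace("'", "''") + "'"


def build_restore(fields, filelist):
    """RESTORE DATABASE with one MOVE per file, relocating data and log files
    into the destination server's directories."""
    server, db, path = validate(fields)
    moves = []
    for logical, ftype in filelist:
        target_dir = LOG_DIR[server] if ftype == "L" else DATA_DIR[server]
        ext = ".ldf" if ftype == "L" else ".mdf"
        physical = rf"{target_dir}\{db}_{logical}{ext}"
        moves.append(f"MOVE {sql_literal(logical)} TO {sql_literal(physical)}")
    return (f"RESTORE DATABASE [{db}] FROM DISK = {sql_literal(str(path))}\n"
            f"WITH {', '.join(moves)}, REPLACE, STATS = 10;")


def process_request(text, filelist):
    """Return (return_code, log_lines): the log the requester polls for and the
    code a QA script branches on."""
    log = []
    try:
        fields = parse_request(text)
        cmd = build_restore(fields, filelist)
    except RequestError as err:
        log.append(f"FAILED: {err}")
        return 1, log
    log.append(f"Restoring {fields['database']} on {fields['server']} "
               f"from {fields['backupfile']}")
    log.extend(cmd.splitlines())     # in the real job this is what osql would run
    log.append("RC=0")
    return 0, log
```

Two checks carry the weight here. The destination-server allowlist is what stops a request that names a production server, since the RESTORE runs with REPLACE under the job's privileges. The share and extension checks keep the privileged job from being pointed at arbitrary files, and the database-name pattern means the bracket-quoted identifier and the quoted literals cannot be broken out of. In the design as the page describes it, the ACL on the monitored directory is the other half of that boundary: whoever can write there can submit a job.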

AutoImport has saved SunGard a huge amount of time on database restores, which translates to better customer service. "The AutoImport program saves around five to 10 minutes per SQL Server database and 10 to 20 minutes for Oracle databases," says Wayne.


Reader Comments

OMG, nooooooo! You do realize that if you do this and deploy in this manner then you forfeit support from Microsoft: 828287 Unsupported Sysprep scenarios http://support.microsoft.com/default.aspx?scid=kb;EN-US;828287

309283 HAL options after Windows XP or Windows Server 2003 Setup http://support.microsoft.com/default.aspx?scid=kb;EN-US;309283 “5. Microsoft does not support running a HAL other than the HAL that Windows Setup would typically install on the computer. For example, running a PIC HAL on an APIC computer is not supported. Although this configuration may appear to work, Microsoft does not test this configuration and you may have performance and interrupt issues. Microsoft also does not support swapping out the files that are used by the HAL to manually change HAL types. “ (if support from Microsoft is not a concern, I wish you well if you go through with this.)

Juxp0

Article Rating 1 out of 5

To add to my previous comment; I have seen support issues generated based off of similar installation methods. And while I have not looked at the code, I wonder what would happen if you install a service pack after deploying in this fashion? How about updates?

Juxp0

Article Rating 1 out of 5

Thanks for your comments about the article. I hope you'll contact Senapathy directly to discuss your questions with him, if you haven't already done so. (All the Innovators winners' email addresses appear in their articles.) --Anne Grubb, senior editor, Windows IT Pro

AnneG_editor

Article Rating 4 out of 5

 
 
