SQL users: Despite recent security moves, Microsoft needs to do more

Those affected by the Slammer worm are particularly concerned

SEATTLE -- Microsoft Corp. appears to be trying to make the security of its SQL Server database more watertight, but it still has a ways to go, according to users.

That was the message from SQL Server database administrators here at the Professional Association for SQL Server Community Summit, some of whom were hit hard by the Slammer worm last winter.

"Security is the most important thing in our business," Gordon Mangione, vice president of SQL at Microsoft, told the user conference, adding that the company had already started to focus resources on security before the Slammer outbreak. He pointed to a team at the company whose job now "is to try to preemptively break the product."

With security in mind, the company will turn off bundled capabilities in Yukon, the next SQL Server release, such as Web services that could be attacked by hackers or other threats. But Mangione also urged users to do their part by using Microsoft's Baseline Security Analyzer product to help detect vulnerabilities in their systems.

"Definitely, pre-Yukon, there were things we saw that could certainly be improved," said Rebecca Lewis, director of systems at Townsend Analytics Ltd., a Chicago-based provider of financial software and services that runs SQL Server 2000.

Even though Microsoft alerted her to the potential attack, Slammer "had a large impact on us," Lewis said. Because the attack took place on a Friday, it did not slow the company's operations -- but it took a lot of work over the following weekend to recover.

The default-off feature in Yukon, for instance, is a good step for the company, she said. But it would have been helpful if Microsoft had offered some way to automate the same process of turning off unneeded features in SQL Server 2000, which the Townsend staff had to perform manually. (Microsoft said the 2000 architecture doesn't permit the process to be automated.)

Other users called on Microsoft to help train database staff on how to implement all of the security features that exist.

"It's hard to be a security expert, developer and database administrator," said Don Watters, data group manager at PhotoWorks Inc., a Seattle-based film processing company that runs SQL Server 2000 and Active Server Pages to deliver Web pages. Though PhotoWorks wasn't affected by Slammer, Watters pointed to a problem in the way patches are publicized -- something he said isn't necessarily a Microsoft problem alone.

Once hackers hear about a vulnerability, he said, they immediately attack it. Watters suggested the need for a more private way of sending patches to users.

Despite Microsoft's efforts, there "is still a long ways to go" in terms of making it easier for database administrators to add hot fixes and services and install them without taking systems down, said Jose Amado-Blanco, database administrator for customer support operations at Verizon Communications. His unit, based in Temple Terrace, Fla., runs SQL Server 2000 Enterprise Edition to support customer-facing applications and was affected by Slammer. Currently, he said, adding patches requires a command line interface; he would prefer a simpler-to-use Microsoft-style graphical user interface.

Microsoft said support for installing hot patches online will be available in Yukon.

The issues may be more than technical, however. Many of the security problems around SQL Server are caused by poor management policies or processes, said analyst Charlie Garry at Meta Group Inc., a Stamford, Conn.-based firm. However, the Best Practices Analyzer management and configuration tool should help reduce the "user culpability" issues.

Copyright © 2003 IDG Communications, Inc.
