SQL Server Users Focus on Database's Security

Microsoft plans to tighten controls with Yukon release

SEATTLE -- In the aftermath of the Slammer worm that wreaked havoc with many SQL Server users early this year, Microsoft Corp. is trying to make its database software more secure. But there's still room for improvement, several database administrators said last week.

In response, Microsoft officials said at a conference held here by user group the Professional Association for SQL Server that they're taking steps to tighten security in the next version of the database, which is code-named Yukon and due for release in the second half of next year. For example, Web services capabilities and other functionality deemed to be nonessential will be turned off by default when the software is shipped.

"Security is the most important thing in our business," said Gordon Mangione, vice president in charge of SQL Server. Microsoft had already started to focus more resources on SQL Server security before Slammer's outbreak, Mangione said, adding that users should install the company's existing Baseline Security Analyzer tool to help detect system vulnerabilities.

Townsend Analytics Ltd., a Chicago-based financial software vendor that runs SQL Server 2000, is beta-testing the 64-bit Yukon release. "Pre-Yukon, there were things we saw that could certainly be improved," said Rebecca Lewis, director of systems at Townsend. Lewis added that Slammer "had a large impact on us," requiring Townsend's IT staff to spend a weekend working to repair its systems.

The default shut-off of some features in Yukon is a good step, Lewis noted. However, she said it would have been helpful if Microsoft had offered some way to automate the process of turning off services in SQL Server 2000, which her staff has had to do manually.

Don Watters, data group manager at film processor PhotoWorks Inc. in Seattle, said Microsoft may have to offer more resources to train database managers on how to take advantage of the security features built into SQL Server. "It's hard to be a security expert, developer and database administrator," Watters said.

Microsoft also has "a long way to go" to make it easier to add so-called hot fixes to systems running SQL Server without taking them off-line, said Jose Amado-Blanco, a database administrator at Verizon Communications' customer support operations in Temple Terrace, Fla.

Microsoft officials said SQL Server 2000 can't support the kind of automation sought by Lewis. They added that the Yukon software will include support for applying hot fixes without rebooting systems.

The security issues facing Microsoft and its database users aren't just technical ones, said Charlie Garry, an analyst at Meta Group Inc. Many of the security problems involving SQL Server are caused by poor database management policies or processes on the part of IT managers, Garry said. But, he added, the Best Practices Analyzer configuration tool announced last week for SQL Server 2000 should help reduce "user culpability" for database security breaches.

How Microsoft Is Improving SQL Server Security

- All nonessential database services will be turned off by default in the upcoming Yukon release, requiring authorized DBAs to activate them.
- In some cases, Yukon users also will be able to install software patches without rebooting their database servers.
- The company announced a new tool that IT managers can use to analyze SQL Server 2000 installations for common configuration errors.

Copyright © 2003 IDG Communications, Inc.
