Information Security News mailing list archives

Re: Yukon to Ship with Features Securely Off


From: InfoSec News <isn () c4i org>
Date: Fri, 27 Feb 2004 02:07:03 -0600 (CST)

Forwarded from: Eric Hacker <isn () erichacker com>

You'd think that by now Microsoft would have figured out that security
goes way beyond secure coding and turning things off. From this
article it seems they still have not learned.

 Microsoft engineers are also working to ensure that customers won't
 have to go through painful gyrations to turn on the turned-off
 features. "New functionality - extensions and things that make the
 server even better—we'll turn off by default, but we'll make it
 easy to turn those back on. We don't want customers to say, 'Hey, I
 like XYZ feature, but I have to go through this nightmare process
 to turn it on.'"

I'd like to see them go to great pains to turn on the features that
help us secure the system that the database is only a part of. That
means easy ways of encrypting the transmission of data using open
standards. That means with documentation on how to do it without a
Microsoft Certificate Authority and without any horrible protocols
like MSRPC in the mix.

 One security-related educational venture has been the recent launch
 of the new Security Guidance Center on Microsoft's TechNet site.
 Launched about two weeks ago, the Center is a portal for all things
 security-related that might concern SQL Server customers.
 Security-related funds are also going to other initiatives, including
 Webcasts, written articles and other educational ventures for
 outside partners and customers, Rizzo said.

I haven't had the opportunity to peruse these yet. Maybe there is
something practical there. Maybe they tell you how to do log shipping
without opening SMB between the two systems.

 Microsoft's security efforts have borne fruit. For example, SQL
 Server 2000 has only had one critical alert since Service Pack 3
 shipped over a year ago.

The fact that a platform has not had a vulnerability does not mean
that it is possible for others to deploy it securely for sensitive
data. SQL server is an embedded component of many programs and has
historically not provided the tools to make those programs secure.

Just try passing user authentication data back to the MS SQL database
securely. I know one application from a security vendor that uses the
Windows server user repository instead of the database to house
authentication data to get around that issue. This seems cool until
one realizes that one has to grant terminal server access to the users
so that they can change their passwords. DOH!

 Microsoft has also been staffing up its SWAT teams, which consist
 of ethical hackers who try to crack Yukon and other SQL Server
 versions. Rizzo said that recently Microsoft added "a whole bunch"
 of ethical hackers to the SQL Server team but declined to name how
 many new staffers were brought on-board.

They should have the crackers go after the applications developed on
top of MS SQL. Then they'll learn a thing or two about real security
engineering.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
