Joe Webb Blog

Musing and observations about SQL Server, other technologies, and sometimes just life in general

Think holistically about securing your systems

A recent ZDNet article highlighted an event where two United Kingdom officials demonstrated just how vulnerable a new, but not updated, Microsoft Windows system can be.

It took one official from the Serious Organized Crime Agency a mere 11 minutes to discover the target computer on a wireless network, crack into it using open source tools that are commonly available on the Internet, and steal password files.

Why should a database professional care about such a demonstration, especially when its stated purpose was to edify consumers and small businesses on security practices?

Well, consider this. Many organizations have followed Microsoft's recommendations and actively use Windows Authentication as their preferred means for database authentication. And with good reason; it is in many ways more secure than SQL Server authentication.

However, that means that we, as database professionals responsible for the integrity and security of the data in our charge, rely on security implementations that are outside of our control. How so?

There are a number of ways. For example, if we choose to create Logins for Windows groups, we are relying on the Network Administrators to make sure that the group membership is right.

And as the demonstration in the UK so dramatically illustrates, we are also relying on the client services team to update the organization's desktop computers regularly to prevent breaches.

We also depend on the Active Directory folks to put the proper Group Policies in place to require sufficiently difficult passwords and lockout limits to eliminate brute force attacks.

None of this even considers the additional levels of threats created when employees are allowed to telecommute, using their home PCs to remote into the corporate network.

Now, I'm not a doomsayer screaming that the sky is falling. Far be it from me to do that (especially when I regularly work remotely). However, I do believe that database professionals should take a more holistic approach when considering the integrity and security of our database systems. If you haven't already done so, work with the other teams in your environment to protect your data. Make sure that the other areas, not just SQL Server, are secured to minimize your exposure.
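For the Windows group logins mentioned above, here is one check the database side can run itself. This T-SQL is an added example, not part of the original post. It lists the accounts that currently reach the instance through each group login, so the result can be reviewed with the network administrators. It assumes the caller is allowed to execute `xp_logininfo`; the temp table and cursor names are made up for the example.

```sql
-- Added example: which Windows accounts reach this instance through group logins?
SET NOCOUNT ON;

CREATE TABLE #members (
    account_name      sysname NULL,
    type              varchar(16) NULL,   -- 'user' or 'group' (a nested group)
    privilege         varchar(16) NULL,
    mapped_login_name sysname NULL,
    permission_path   sysname NULL,
    group_login       sysname NULL,       -- filled in below: the login granting access
    group_id          int NULL
);
CREATE TABLE #unresolved (group_login sysname, error_message nvarchar(4000));

DECLARE @id int, @group sysname;
DECLARE group_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT principal_id, name FROM sys.server_principals WHERE type = 'G';  -- Windows groups

OPEN group_cur;
FETCH NEXT FROM group_cur INTO @id, @group;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        INSERT INTO #members (account_name, type, privilege, mapped_login_name, permission_path)
            EXEC master..xp_logininfo @acctname = @group, @option = 'members';
        UPDATE #members SET group_login = @group, group_id = @id WHERE group_id IS NULL;
    END TRY
    BEGIN CATCH
        -- A group the server cannot resolve (deleted, renamed, domain unreachable) lands here.
        INSERT INTO #unresolved VALUES (@group, ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM group_cur INTO @id, @group;
END;
CLOSE group_cur;
DEALLOCATE group_cur;

-- Membership as the server sees it today; groups that hold sysadmin sort first.
SELECT m.group_login, m.account_name, m.type AS member_type,
       CASE WHEN rm.member_principal_id IS NULL THEN 'no' ELSE 'yes' END AS group_is_sysadmin
FROM #members AS m
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = m.group_id
      AND rm.role_principal_id = (SELECT principal_id FROM sys.server_principals
                                  WHERE name = 'sysadmin' AND type = 'R')
ORDER BY group_is_sysadmin DESC, m.group_login, m.account_name;

SELECT group_login, error_message FROM #unresolved;   -- group logins that need follow-up
DROP TABLE #members, #unresolved;
```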

As an aside, I found and downloaded a Windows password cracking utility from the Internet. I tried it out against what I thought was a pretty good and complex password that meets most every requirement put in place by most GPOs. My system was up to date and had antivirus software installed.

It was cracked in just over 2 minutes.

Something to think about.

