Infrastructure Architecture

Closing down this blog

2006-07-20T18:38:00.000-04:00

I've done more posting on the SQL Server Central side and I've decided to focus my efforts there. You can read my future blog posts at:

http://blogs.sqlservercentral.com/blogs/brian_kelley/default.aspx

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

2006-07-11T10:55:00.000-04:00

Found this link on one of the security mailing lists I peruse. You can find an archive of the original post here. Here is the link:

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

This should be of interest to not only DBAs, but also system administrators, managers, HR personnel, etc. There are many ways data can be breached... it's not just an insecure database. Quite a few of these are equipment related (stolen backup tapes, stolen laptops, etc.) which underscore the human element. This is further reinforced by the incidents where fraudsters and scam artists have been to penetrate systems, usually through social engineering. Security isn't just a technology solution. It also has to include people solutions.

Microsoft Active Directory Webcasts

2006-07-11T07:46:00.000-04:00

If you're looking for a single link to take you to the majority of the Microsoft webcasts on Active Directory, here you go:

http://www.microsoft.com/events/series/adaug.mspx

I say majority because I think there were one or two I didn't see (Active Directory Disaster Recovery part 2 of 2, for instance).

New Article: SQL Server 2005 Logins

2006-07-05T08:56:00.000-04:00

I wrote a new article for SQL Server Central on SQL Server 2005 Logins. It covers the basics. This is the first in a series of articles on SQL Server 2005 security.

Microsoft Office 2007 Delayed

2006-06-29T22:38:00.000-04:00

It looks like Microsoft Office 2007 will be delayed due to performance issues. It was supposed to release in conjunction with Vista, but that's apparently not going to happen now.

Office 2007 Delayed Again (InternetNews.com)

I don't see anything on the Microsoft's PressPass portion of their web site, but I'm sure something will be posted there soon. This announcement is interesting given the very positive PressPass story from just a few days ago:

Put the Pedal to the Metal: Take the 2007 Microsoft Office System Out for a Spin

WinFS rolled into next version of SQL Server

2006-06-27T11:09:00.000-04:00

A blog posting from the WinFS team caught me a bit by surprise today. Apparently I wasn't the only one, judging by the comments. WinFS was supposed to give us a relational file system. There are security ramifications with doing that, as demonstrated in this video from BlueHat 2006 (from Channel 9), where the first part has a security program manager from WinFS talks about some of the things he learned.

However, when you consider what the benefits can be (a comment gives the example of deleting thousands of files and how long that takes... this would be near instantaneous with a properly implemented relational database structure), many folks were looking forward to getting WinFS. And Vista was supposed to deliver it. But then Microsoft made the announcement that WinFS wouldn't ship with Vista. Instead, it'd be stand-alone and it could be installed later. Now today we learn that it won't be shipped later. Mature parts of WinFS are being integrated into Katmai, the next version of SQL Server.

I'm still considering what all this means for SQL Server and for the OS. Certainly it's a loss on the OS side. We're not going to get that relational file structure we've been looking forward to. The venerable NTFS is going to have to plod on a bit longer. But on SQL Server's side, there certainly is gain. And with file integration, there is the potential to deal with BLOBs better. That makes sense given that Microsoft is trying to get more into the enterprise document management sector with Sharepoint Server 2007. But I know that integrating a file system hasn't always been as great as it sounds. Exchange Installable File System (ExIFS or just IFS) is an example. It sounded great in Exchange Server 2000, but they scaled it back in Exchange Server 2003. It'll be interesting to see how they make this work in Katmai.

Top 100 Network Security Tools

2006-06-26T13:56:00.000-04:00

This is a bit dated (it came out last week), but here is the list of the top 100 network security tools, as compiled from a survey by Fyodor:

http://SecTools.Org

Since Fyodor conducted the survey, nMap was disqualified, so you won't see it on the list. Most of the tools are well known and have been around for a while.

SANS Stay Sharp Course - SEC351: Computer and Network Security Awareness

2006-06-21T02:03:00.000-04:00

A few years ago I took the SANS GIAC Security Essentials Course on-line. Included in it was an attempt at the GSEC certification itself, something which I finished up. The GSEC certification is SANS' entry level certification, but it isn't an industry entry level certification, if that makes sense. I have found that information provided in the coursework for that certification has proven valuable in my day-to-day job working with servers and server security. This is definitely a course I recommend for anyone who is serious about hands-on security, not a management focus on security, like the CISSP. For those who aren't able to attend a class, there still exists the online option through SANS' OnDemand program. The GSEC coursework is found under SEC 401: SANS Security Essentials.

But what if you're not interested in a hardcore security course but you did want to become more knowledgeable on the subject? You may want to take a look at SANS' SEC351 offering, Computer and Network Security Awareness. It, too, is available on-line. The course is inexpensive and includes a free attempt at the SANS Stay Sharp Program - Computer and Network Security Awareness certificate (SSP-CNSA). This is a course you can go through in a few days without too much trouble and most certainly learn something from. When I took it as a member of the GIAC Awareness Council, I learned a couple of things myself. I will advise that the certificate attempt isn't required. And before you attempt it, review your notes from the course itself. Not all of the questions in the attempt were easy.

By the way, this course is good for any end user who wants to becomes more security aware. If you have someone in your family who doesn't understand phishing attacks, basic social engineering mechanisms, and the importance of keeping systems up-to-date with antivirus definitions and security patches, this course helps teach why. It is as applicable to the home user as the business user, possibly even more so.

SysInternals EULA Updated

2006-05-06T01:25:00.000-04:00

The SysInternals licensing has been updated on the SysInternals website. The new licensing is something you'll want to take a look at if you use these tools. There is a change with respect to "embedding" a SysInternals tool within another program, script, etc. You can find the new licensing agreement here:

http://www.sysinternals.com/Licensing.html

The portion that is catching everyone's attention is the following:

A commercial license is required to use the software in any way not covered above, including for example:

Redistributing the software in any manner, including by computer media, a file server, an email attachment, etc.
Embedding the software in or linking it to another program including internal applications, scripts, batch files, etc.
Use of the software for technical support on customer computers

The way I read this, if you use a script which calls a SysInternals product, you now need a commercial license. If that's the case, then something like the example given by Microsoft.com Operations would need just such a commercial license.

Scaling Out SQL Server 2005

2006-05-05T12:44:00.000-04:00

This article appeared just recently on MSDN.

Scaling Out SQL Server 2005

It's a relatively high level document which covers how to think about the data before going with a scale out solution, what factors impact a scale out solution (such as how often the data is updated), and what the main options are.

Going to TechEd 2006 in Boston!

2006-05-05T12:32:00.000-04:00

As of right now, it looks like I'm going to TechEd 2006 in Boston. If you're going to be there and want to meet up, let me know!

How Microsoft patches microsoft.com web servers

2006-05-01T23:15:00.000-04:00

Microsoft.com operations has posted an interesting blog entry on how they patch their web servers:

Scripting Patch Management of Enterprise Web Clusters on Microsoft.com

I found a few things interesting in all of this:

They are using Windows network load balancing instead of a 3rd party hardware load balancer. At least, they make no mention of such.
They aren't using a fancy patch management product like those from Shavlik or St. Bernard Software.
The core of their patching solution is a simple script written in VBScript.
They are using psexec from Sysinternals.

Sharing Internet Connections?

2006-04-30T17:53:00.000-04:00

This study out of the University of Illinois at Urbana-Champaign sounds great:

Software Allows Neighbors To Improve Internet Access At No Extra Cost

The way they are accomplishing higher throughput makes sense: use multiple paths. However, I'm not so sold on how secure this will necessarily be. The software has some allowances for security but basically it means willingly allowing another onto your private network. Don't get me wrong. Wireless as implemented in most homes isn't anywhere near to secure, however, I think this type of solution may present folks with a false sense of security: "This software handles security for me so I don't have to do anything else."

A couple of years ago I saw a presentation at Black Hat about how firewalls and the concepts we have for perimeter-based security models aren't going to cut it in the future (Keynote:
Thinking Outside the Box–Embracing Globalization). The trick then is to ensure each individual system is secure and that they talk with each other using secure mechanisms. While this may end up being the rule in the enterprise, I doubt the average home user is going to get to a point where he or she is going to be able to lock down a computer system to be reasonably secure in an environment such as this.

SQLServerCentral.com blogs are back up

2006-04-26T08:49:00.000-04:00

The SQLServerCentral.com blogs are back up at the following URL:

http://blogs.sqlservercentral.com/blogs/

I've begun posting SQL Server related entries again there.

Internet Explorer Vulnerability

2006-03-28T16:52:00.000-05:00

If you're using Internet Explorer, be advised Microsoft has released a
security advisory for Internet Explorer. This would allow an attacker
to run code under the context of the logged on user. The only
workaround is to disable active scripting, which isn't such a great
workaround because it breaks so many sites. You can find the Microsoft
Advisory here:

Microsoft Security advisory (917077)

There are a number of sites which are already using exploits for the
vulnerability, so if you haven't been lately, start practicing safe
browsing habits again. All that's required is a visit to activate the
exploit. If you're interested in potential patches, there are two out
by a couple of security companies. Neither fix the problem but instead
mask the vulnerability as fixing it would require changing Microsoft's
files. However, neither are supported by Microsoft (no big surprise).
Microsoft has previously said they plan on releasing an update on 4/11,
the normal monthly patch day, but who knows? They may move it up.
Read, consider risk, etc. As far as the two patches:

eEye Digital Security

Determina

And yes, this does affect up to Internet Explorer 7 beta.

Understand the threat...

2006-03-13T13:16:00.000-05:00

The following was an opening paragraph replying to the question of "How secure is a domain controller?"

Secure from what? Pick your risks and then make an assessment based on that. I have personally found that a fully patched Domain Controller is not secure from Denial of Service Attacks that involve a large truck running the DC over. May sound extreme but only you can really start to guess what your risks are and what you should start looking at.

The point made is a valid one: consider your threats and protect accordingly. Truth be told, we can run around in circles, chasing our tails, if we don't take the time to understand what we're protecting, what we need to protect it against, and the business factors that go into both of those things.

You can find the actual post here , in the archives for the ActiveDir (Active Directory) mailing list.

Mavericks don't make it

2006-02-18T14:37:00.000-05:00

One of the blogs I most enjoy reading is Life Beyond Code. This blog allows me to take off my technology hat and think about things like my career, my direction with information technology, and how to better develop not only my technical but also my personal and interpersonal skills. The posting "You don't have to go ALONE!" is one that is hard for me, but I understand the wisdom in what is being said.

Very little in our lives is about something we did alone, without a shred of help. This is especially true when it comes to our careers. Someone likely inspired us, challenged us, encouraged us, or gave us a helping hand for every major accomplishment we count in our lives. But we often don't think that way. We count them as personal accomplishments and that doesn't make a whole lot of sense. Therefore, it makes even less sense to try and plan and scope our careers without stopping to consider where we might obtain help.

For instance, once upon a time a guy by the name of Chad Silva, an airman in my unit in the US Air Force, introduced me to Active Server Pages and what you could do with an Microsoft Access back-end. We then got into SQL Server, then version 6.5, together. Truth be told, I was riding on his coattails, learning about all this great new technology. After all, my primary job was as a project manager, the Air Force in its infinite wisdom deciding that a guy with degrees in physics and mathematics and a professional background as a developer with Visual Basic experience was best suited managing computer contracts. Therefore, everything I dealt with technology wise was completely on the side. Chad kept feeding me the nuggets of new technology, keeping me from losing all hope and converting to the dark side known as project management.

Fast forward almost ten years. I write for SQLServerCentral.com and SQL Server Standard Magazine. I've been an infrastructure architect for an enterprise class organization for over four years. I penned an eBook on SQL Server performance monitoring. And Chad? He's a .NET architect with his organization, a multinational corporation. You won't likely find him on a Google search because Chad has been and probably always will be a very private person. However, for those who know him, he'll do just about anything to help them. If I have a question about anything programming related, Chad's the first guy I email or call on the phone. A lot of where I am today is due to my friend, Chad.

But Chad is only one of many people who have helped me to get where I am today. And I'm sure as others think about their own paths, they'll find a whole litany of people who helped them, too. Which brings up the critical question, "If we didn't get to where we are alone, why do we think we can get to where we want to go by ourselves?" That's enough to slap down any ego.

Reading List

2006-02-16T03:18:00.000-05:00

In the tradition of many others, I decided to add a reading list to my professional site. The reading list comprises those books I am currently reading. Folks like Steve Jones write reviews on quite a few of the books they read. I'm not sure if I have that kind of time, but I'll certainly post a review or two as a book warrants it.

My Reading List

Nmap 4.01 Released

2006-02-11T10:15:00.000-05:00

Nmap 4.0 released only a short time ago, but Fyodor indicated that there is already a 4.01 due to a few bugs. If you use this tool, take a look:

http://www.insecure.org/nmap/download.html

Reviews Section Added to Web Site

2006-02-09T00:53:00.000-05:00

I've been thinking about doing this for a whole and I finally got around to building a reviews section into the web site. There you'll find reviews on books, tools, training, and web sites as I get to writing them. I've posted an initial review of Microsoft's first eLearning security clinic. More to come in the days ahead.

My reviews

PromptSQL Review

2006-01-18T11:52:00.000-05:00

I had the opportunity recently to take a look at PromptSQL and offer a
review on it. That review hit SSC.com's front page today. If you're
interested in an inexpensive IntelliSense tool for Query Analyzer,
Visual Studio, or SQL Server Management Studio, take a look at the
review to get some information on this product.

PromptSQL Review

Awesome Interview on Windows Vista Kernel Architecture

2006-01-07T23:23:00.000-05:00

This actually premiered on Channel 9 right before Christmas. It is an interview with Rob Short, a Microsoft VP in charge of the team working on Vista's kernel architecture. With him are Darryl Havens, Richard Ward, and Rich Neves, all architects who work under him. The interview is quite candid about issues that have been experienced in the Windows kernel to date and how they are going about trying to fix the issues by laying out a roadmap of where they want to be and attacking the problems in small chunks. Listening to the compartmentalizing of the operating system and segmenting state better makes one appreciate the work that goes into making a robust operating system work. It's just short of 50 minutes long but well worth the time.

Going deep into Windows Vista's kernel architecture

Guidance on .WMF patch from Mike Nash, Microsoft Corporate VP

2006-01-05T15:54:00.000-05:00

There is a new posting from Mike Nash on the Microsoft Security Response Center blog:

http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx

Relevant quote:

So the thing that I know you are all wondering is what should I do? So here is my advice. If you are a consumer or a small business, you should use either Windows Update (or ideally Microsoft Update) to automatically install the update. If you are running Windows XP SP2, you are likely already at least using Windows Update or Automatic Update. If you are an enterprise customer, you should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft.

Microsoft WMF Patch Releasing Today (out-of-cycle)

2006-01-05T15:21:00.000-05:00

Microsoft has announced they will release a security hotfix at 2 PM PST for the WMF design flaw. More details here:

Microsoft Security Bulletin Advance Notification

The number of exploits taking advantage of this design flaw are continuing to grow. Consider testing this patch immediately on non-production systems.

Basic Philosophy on Soldiering

2006-01-01T20:24:00.000-05:00

This is taken from the book About Face:The Odyssey of an American Warrior. The author is Col. David "Hack" Hackworth, one of the most decorated soldiers in the history of the United States. He served in post-WWII Europe in Trieste, spent two tours in Korea during the Korean War, was on the line in Germany during the Cold War, and fought in Viet Nam. He was described by many as a "soldier's soldier." Unfortunately, Hack passed away in May of 2005 due to cancer, possibly caused by Agent Blue, one of the defoilants like Agent Orange used in Viet Nam.

This basic philosophy of soldiering comes from one of Hack's commanders, Col. Glover S. Johns, whom Hack described as the finest senior infantry commander Hack had ever seen. Hack took these bullets from Col Johns' farewell speech. These are taken verbatim from Hack's book because I doubt I could write them any better.

Strive to be small things well.
Be a doer and a self-starter - aggressiveness and initiative are two most admired qualities in a leader - but you must also put your feet up and think.
Strive for self-improvement through constant self-evaluation.
Never be satisfied. Ask of any project, How can it be done better?
Don't overinspect or oversupervise. Allow your leaders to make mistakes in training, so they can profit from the errors and not make them in combat.
Keep the troops informed; telling them "what, how, and why" builds their confidence.
The harder the training, the more troops will brag.
Enthusiasm, fairness, and moral and physical courage - four of the most important aspects of leadership.
Showmanship - a vital technique of leadership.
The ability to speak and write well - two essential tools of leadership.
There is a salient difference between profanity and obscenity; while a leader employs profanity (tempered with discretion), he never uses obscenities.
Have consideration for others.
Yelling detracts from your dignity; take men aside to counsel them.
Understand and use judgment; know when to stop fighting for something you believe is right. Discuss and argue your point of view until a decision is made, and then support the decision wholeheartedly.
Stay ahead of your boss.

Most of these fit in with my own views of leadership from my four years at The Citadel and from my four years of active duty with the US Air Force. They also fit with many of the tenets my father taught me as I was growing up. He is a retired Marine GySgt and spent most of his career leading others in the NCO and staff NCO ranks. The profanity one I'd toss aside, but the rest definitely make up a great philosophy. This philosophy doesn't just apply to the military. It applies to leadership in any arena.