This month’s T-SQL Tuesday is hosted by Kenneth Fisher (blog | twitter) and the topic is security. Security is a topic that I’m pretty serious about and have decided to join in the conversation.

Security is one of those subjects that most DBAs have to deal with regardless of specialty. So, as something we all have to work with at some point or another what are some tips you’d like to share? What’s the best security design? You’ve picked up a legacy system and the security is awful, how do you fix it? Any great tools out there you’d like to share? Hate it or love it I’m betting we all have something to say.

About 11 years ago, I had the opportunity to work with Microsoft Philippines to deliver their security workshops to partners and customers. As I was discussing the 10 Immutable Laws of Security, one of the trainees stood up, picked up a call and started talking on his phone. The entire class could hear him as he was talking on the phone, probably because the other person on the line could barely hear him and because the walls of the training room were not properly insulated to loud sounds. As I was explaining Law #5, every one on the class heard how he loudly spelled out his credentials – both login and password – on the phone. That got the whole room laughing as he got back to his seat. To which, I responded, “You might want to call your buddy back and tell him to change the credentials on that server.” Unfortunately, even after more than a decade, some things have not changed. Need proof? Just check out this Twitter account. Or maybe see a visualization of the world’s largest security breaches.

Security is only as strong as the weakest link.

If you look at the  10 Immutable Laws of Security, you’ll notice that the first seven laws have something to do with the individual’s responsibility towards a computing system. That individual could either be the end user interacting with the system or the administrator managing it. Take away the human factor and we decrease the possibilities of security incidents (it also takes away the real value computing systems offer to people using it.) Unfortunately, organizations spend more on the technology solutions in improving security systems without taking into account Law #10 – technology is not a panacea. Since humans are the main cause of security issues, only humans can provide the means to addressing them. Maybe it’s time for organizations and individuals to start investing on the human aspect of security to make sure its not the weakest link.

Education and Awareness

We need to constantly educate users and administrators of the impacts and risks of security so they don’t end up being like the guy who was shouting out his password loud enough for every one to hear. As I constantly tell IT professionals, “Security is a state of mind.” It has got to become a lifestyle for it to become second nature.  And since we are all on different levels of learning and experience, systems and processes have to be put in place to constantly educate everyone within the organization. This could come as quarterly mandatory newsletters and training programs that everyone has to read and go thru. Because when mindset changes, behaviour changes. You’ll be surprised at how everyone in the organization – end users and IT folks alike – will now be accustomed to security practices both on and off the job. When I first moved up here in Canada, people were laughing at me when they saw me carrying multiple RSA tokens for my bank accounts back in Singapore, when I close the secure entrance at the office before I start walking away and why I would keep my desk free from any clutter. But when we put on a different mindset, behaviour change comes after. They came to realize why I do what I do when they were made aware of the security impacts each one of us has in the entire organization.

Our Role

We all have a part to play to keep every one safe. Start by self-education and being aware. Share what you know with a friend or colleague. Organize brown bag sessions in the office or inform your management about your learnings. As you are increasing awareness, measure the the impacts so you can see the benefits. You have my permission to put on a new title aside from being a DBA, developer, analyst, etc. And let me congratulate you on becoming your organization’s Chief Security Officer.

Have you ever wondered why your Remote Desktop Connection on your Mac works well on one system but not on another?

I was testing out my connectivity to some of my customers’ network using Remote Desktop Connection on my MacBook Pro. This used to work on one of their environments but now it doesn’t. I was under the impression that there must be something that changed on my system. So I did a quick check but couldn’t find anything that has changed on my MacBook Pro (it simply means that I rely so much on VMs that my host machines – whether PC or Macs – don’t get changed that often.) What’s even more frustrating is that it works on one environment but not on another. This clearly means that there must be something that was changed on my customer’s environment.

After asking a bunch of questions, it appears that they have upgraded their server operating system from Windows Server 2003 to Windows Server 2008 R2. Since Windows Server 2008 R2 is secure by default, some of the security policies in place may be preventing the Remote Desktop Connection for Mac client from establishing a connection. But here’s where my confusion lies. The error message does not tell me anything related to those security policies.

You were disconnected from the Windows-based computer because of problems during the licensing protocol.

I mean, seriously, how does that error message help me? The reason I ask is because I have configured a Windows Server 2008 R2 Terminal Services server in the past and I was able to connect from a MacBook using the Remote Desktop Connection for Mac client. Because I cannot do anything on the server to fix this issue, I decided to dig deeper (a.k.a do a Google search.) It seems that there are a lot of people who are experiencing this same issue. A very popular forum post regarding this issue is from Microsoft TechNet where the thread kept going for more than a year. Somebody pointed out a Microsoft KB article that outlines the steps that you need to do on the Terminal Server. As I mentioned, this is not the path that I can take unless I’m the server administrator. One thing did work for me: v2.1.2 of the Microsoft Remote Desktop Connection for Mac. I have searched for it on the Microsoft Download Center but could not find it anywhere. Technically, this is still an unsupported product so be aware that you might not get any help from Microsoft when using this. Install it on your Mac, run it and test your connectivity to a Windows Server 2008 (or higher) Terminal Server.

NOTE: Please remove the PDF file extension from the file after downloading.

While I do not advocate such workarounds as it opens up additional security loopholes, it still is a workaround. And as I usuallly say, WARNING: This is not a recommended approach. Use at your own risk

Microsoft has a documented procedure to enable null sessions shares and while the KB article mentions Windows 2000, it does work for Windows Server 2003. This should be done on the Windows machine that hosts the shared folder. A word of caution if you intend to use this approach – document every step that you do and make sure you rollback any changes made after generating your database backup. Tasks like enabling the Guest user account (this is disabled by default), modifying the registry, etc. should be rolled back as soon as you’re done, otherwise, you’re opening up security vulnerabilities across your network.