Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Fixes and Patches

Microsoft has this 3 pronged approach to ensuring your infrastructure is secure, but you have to do stuff as well.  This 3D security goes like this:

Secure by Design.  According to Wikipedia, “means that the software has been designed from the ground up to be secure. Malicious practices are taken for granted and care is taken to minimize impact when a security vulnerability is discovered or on invalid user input.

Secure by Default.  Anyone installing SQL Server 2005/8 for the first time will know that having done that, there are further tasks needed to get access to the environment remotely as all the connectivity options are turned off.  This gives the DBA the opportunity to configure security before everybody turns up to use it.

Secure by Deployment.  This is where Microsoft and some other software suppliers, provide resources to ensure that your systems continue to be secure.  This can take several forms:

  • People. Education and training both general and about specific threats.
  • Process.  Toolkits and resources to ensure your infrastructure is as secure as possible.
  • Technology:
    • Tools to evaluate risks such as the Baseline Security Advisor 
    • Updates and fixes to mitigate security issues in its products.
    • Security tools including free tools like defender and the windows firewall as well as licensed products like Forefront
  • Communications. There are security bulletins which you can subscribe to, and a dedicated e-mail account to report vulnerabilities.

This last section is all about trust, You trust your Microsoft or whatever vendor to be open and honest about security issues it has detected and to develop the appropriate resolution.  Your vendor and your users need to trust you to implement the advice and resources that have been provided.  I mention this because I noticed this ComputerWorld Security article that cites most (+70%) of Oracle DBA’s are not keeping up with applying patches to their systems.   This isn’t any criticism of Oracle rather it’s illustrative. However I am hoping I am evangelising to the converted to the SQL Server DBA’s here!