<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Darknet - The Darkside &#187; tonyenkiducx</title>
	<atom:link href="http://www.darknet.org.uk/author/tonyenkiducx/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.darknet.org.uk</link>
	<description>Ethical Hacking, Penetration Testing &#38; Computer Security</description>
	<lastBuildDate>Tue, 07 Feb 2012 18:34:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>CLR and SQL Server 2005</title>
		<link>http://www.darknet.org.uk/2006/06/clr-and-sql-server-2005/</link>
		<comments>http://www.darknet.org.uk/2006/06/clr-and-sql-server-2005/#comments</comments>
		<pubDate>Fri, 16 Jun 2006 04:47:37 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Database Hacking]]></category>
		<category><![CDATA[CLR]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[dbms]]></category>
		<category><![CDATA[mssql]]></category>
		<category><![CDATA[MSSQL2000]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[sql]]></category>
		<category><![CDATA[SQL-Server]]></category>
		<category><![CDATA[SQL-Server-2005]]></category>
		<category><![CDATA[sql2000]]></category>
		<category><![CDATA[Upgrade]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/06/clr-and-sql-server-2005/</guid>
		<description><![CDATA[Microsoft has taken a bit of a leap with the integration of .net into SQL Server, and a lot of developers (myself included) are worrying about what security implications this could have. DevX.com have taken an in-depth look into the guts of it, and spilled them onto a page for us all to look at. CAS [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>Microsoft has taken a bit of a leap with the integration of .net into SQL Server, and a lot of developers (myself included) are worrying about what security implications this could have.  DevX.com have taken an in-depth look into the guts of it, and spilled them onto a page for us all to look at.</p>
<blockquote><p>CAS provides a code-based rather than user-based authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005&#8217;s own, newly enhanced security features? By default your .NET code is reasonably secure, but it&#8217;s all too easy for the two security schemes to butt heads and cause you grief. In this article I&#8217;ll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.</p></blockquote>
<p>They seem suitably impressed, but sensibly wary at the same time.</p>
<blockquote><p>The good news is that Microsoft did a great job bringing together the security systems of SQL Server and the Common Language Runtime, with tools to control code. But there are some interesting features&#8217; both to watch for and to take advantage of!</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/06/clr-and-sql-server-2005/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My SQL2005 Diary &#8211; Part 2</title>
		<link>http://www.darknet.org.uk/2006/06/my-sql2005-diary-part-2/</link>
		<comments>http://www.darknet.org.uk/2006/06/my-sql2005-diary-part-2/#comments</comments>
		<pubDate>Thu, 01 Jun 2006 04:07:14 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Database Hacking]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[dbms]]></category>
		<category><![CDATA[MSDN]]></category>
		<category><![CDATA[mssql]]></category>
		<category><![CDATA[MSSQL2000]]></category>
		<category><![CDATA[MSSQL2005]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[sql]]></category>
		<category><![CDATA[sql2000]]></category>
		<category><![CDATA[Upgrade]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/06/my-sql2005-diary-part-2/</guid>
		<description><![CDATA[So over a month down the line, our SQL2005 upgrade project should now be in the workable prototype stage. But as with all things that &#8220;should&#8221; be (more security in IE, Great Britain ruling the world and my kitchen being fitted), it&#8217;s not, it&#8217;s not even close. On top of this our company is currently undergoing [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>So over a month down the line, our SQL2005 upgrade project should now be in the workable prototype stage.  But as with all things that &#8220;should&#8221; be (more security in IE, Great Britain ruling the world and my kitchen being fitted), it&#8217;s not, it&#8217;s not even close.  On top of this our company is currently undergoing some &#8220;painful but necessary steps to streamline our profitability in the European market&#8221;.  In other words, lots of people are about to get the chop.  Anyhow, on with the analysis.</p>
<p><strong>SQL Server 2000 -&gt; 2005 upgrade tool.</strong></p>
<p>Overall I&#8217;m impressed with the upgrade tool, it made a fine job of upgrading our code and data, with almost everything going straight into 2005.  All our DTS&#8217;s were wiped as expected, and our custom written security mod was discarded as a &#8220;fault&#8221; in the 2000 install (not a big deal), but everything else looked fine.  Little were we to know a shitstorm was about to start when we released the 2005 run site to a small group of testers.  As a constant piece of self-evaluation we allow some users to run their own SQL code, it&#8217;s nothing major, just simple &#8220;Get this from here&#8221; stuff, but it allows us to monitor what users can access and when we have to change security or file flow we can be sure that normal users cannot access sensitive data.  Unfortunately 2005 didn&#8217;t have the same notion of security that we do, and decided that encrypted fields that were created using our custom mod weren&#8217;t really that important, so it unencrypted them all using our mod (hang on, I thought our mod was a &#8220;Fault&#8221;?) and then removed the permissions, allowing users to get direct access to the data.  That&#8217;s a bad thing.  So we pulled the plug immediately and scrapped the whole server, experiment over.</p>
<p>We learnt a couple of important lessons there, the main one being, don&#8217;t trust the update tool.  It un-encrypted the data without informing us, and removed permissions without raising an error (although the permissions removal was later found buried in the upgrade log).</p>
<p><strong>Initial impressions</strong></p>
<p>There were some fairly impressive (from an MS point of view) changes to how SQL installs that caught our eye, namely the large number of components and features that were disabled by default.  Not least xp_cmdshell, which is generally used to execute external programs or hack into SQL databases.  About fucking time too.</p>
<p>If you&#8217;re an MSSQL2000 regular you&#8217;ll be hoping to just boot up 2005 and have your permissions all working, but unfortunately it&#8217;s not that simple.  The security model has changed radically, and you&#8217;re going to have to work a lot harder to keep things secure, but the means to do so have actually been provided this time.  With principals and securables being included this time around, you will have to be a lot more careful, but once you&#8217;re in the know you&#8217;re a lot more secure.  As always the best place to read up on this stuff is the <a href="http://msdn2.microsoft.com/en-us/library/default.aspx">MSDN</a>, particularly <a href="http://msdn2.microsoft.com/en-us/library/ms187648.aspx">this section</a> on the changes between 2000 and 2005.</p>
<p><strong>Enterprise Server Pricing</strong></p>
<p>While I&#8217;m harping on about how great MSSQL2005 is, a lot of you are sat there wondering why we&#8217;re not using Oracle.  Well the price is the main reason, and I was going to have a detailed breakdown of the difference in costs between MSSQL2005 and Oracle with our current setup.  But as a friend of mine quite rightly pointed out our setup could be radically changed by deploying Oracle, with us maybe needing fewer servers and therefore fewer licenses.  So I&#8217;ll work on the principle that we&#8217;re upgrading to an identical network, but it&#8217;s not a 100% accurate comparison.</p>
<p>MSSQL2005 has a fairly simple licensing scheme, with no issues involving DC or HT chips, and a clear definition of what a &#8220;user&#8221; is and where that user can access the data from.  On average a 1 processor license of SQL Server standard will set you back £4500GBP($8300USD), which is a tiny cost for any medium to large company.  If you&#8217;re a fairly small company you can get a 5 CLT (not too sure what the acronym is, but it&#8217;s a Client Access License) for around £600GBP($1100USD).  Now for us we would be looking at per processor, and we have 23 processors running SQL2000, with the rest of the boxes using MSDN versions for development. So in total for our entire setup to go 2005 it would cost us £103500GBP($192000USD), which is again a fairly small amount of money for us to spend on replacing our entire database setup.</p>
<p>Now, Oracle.  It&#8217;s a little bit harder to find out what Oracle charges, and I&#8217;m not going to go into the details, you can find all the relevant info on their website if you wish to check what I&#8217;ve come up with.  I&#8217;ve used the price offered by Oracle themselves for a perpetual processor license (£23236GBP($42996USD)), but Oracle&#8217;s pricing is per core for their enterprise product, and considering nearly all our servers run on Xeons, we&#8217;re looking at a hefty bill.  In total we have 43 &#8220;Oracle&#8221; processors, giving us a total bill of £999148GBP($1900000USD).  Yes, that&#8217;s almost one million pounds.  Again that&#8217;s not an enormous amount of money for a company our size, but when you&#8217;re comparing the two side by side, you have to wonder where all that extra cost comes from.</p>
<p><strong>For next time</strong></p>
<p>Round 3 will involve us upgrading one of our smaller and less mission critical databases (IT Support) and trying to switch over.  Then we can have a bash at breaking it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/06/my-sql2005-diary-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Barclays Rolls Out Free Anti-Virus Protection for Customers</title>
		<link>http://www.darknet.org.uk/2006/05/barclays-rolls-out-free-anti-virus-protection-for-customers/</link>
		<comments>http://www.darknet.org.uk/2006/05/barclays-rolls-out-free-anti-virus-protection-for-customers/#comments</comments>
		<pubDate>Wed, 31 May 2006 08:13:50 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[barclays]]></category>
		<category><![CDATA[barclays-bank]]></category>
		<category><![CDATA[computer-security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[trojans]]></category>
		<category><![CDATA[uk-computer-security]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/05/barclays-rolls-out-free-anti-virus-protection-for-customers/</guid>
		<description><![CDATA[The shocking statistic first, &#8220;56% of consumers do not have active anti-virus on their PCs&#8221;, OK not that shocking but still a bit worrying. Although asking if your average user doesn&#8217;t protect themselves on the internet conjures up images of the pope squatting in the woods. The basic F-Secure anti-virus product protects against viruses and [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>The shocking statistic first, &#8220;56% of consumers do not have active anti-virus on their PCs&#8221;, OK not that shocking but still a bit worrying.  Although asking if your average user doesn&#8217;t protect themselves on the internet conjures up images of the pope squatting in the woods.</p>
<blockquote><p>The basic F-Secure anti-virus product protects against viruses and spyware. When installed it scans a machine and alerts users if it finds malicious programs installed.</p>
<p>A spokesman for Barclays denied that the deal was a way to limit its liabilities if customers were defrauded.</p>
<p>&#8220;We have a guarantee that if anyone is defrauded through no fault of their own we guarantee their money is safe,&#8221; he said.</p>
<p>&#8220;We&#8217;re trying to stop fraud happening in the first place which is beneficial to them and us,&#8221; he added.</p>
<p>Barclays is the latest bank to try to stop customers falling victim to viruses or other computer-borne scams. </p></blockquote>
<p>So Barclays bank have leapt into action and decided it&#8217;s time to act on it, 4 years after their online service was activated.  They&#8217;re giving all their online customers free AV protection, provided by F-Secure.  Barclays have bought 1.6 million licenses (I wonder what per unit price they got on that?) and the software will include 2 years free updates.  What happens after that?  Probably 56% of their customers will be unprotected again.</p>
<p>Source: <a title="Barclays go all AV" href="http://news.bbc.co.uk/1/hi/technology/5019856.stm">BBC News</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/05/barclays-rolls-out-free-anti-virus-protection-for-customers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ASP.NET Memberships and Roles</title>
		<link>http://www.darknet.org.uk/2006/05/aspnet-memberships-and-roles/</link>
		<comments>http://www.darknet.org.uk/2006/05/aspnet-memberships-and-roles/#comments</comments>
		<pubDate>Tue, 09 May 2006 04:48:03 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Web Hacking]]></category>
		<category><![CDATA[4guysfromrolla]]></category>
		<category><![CDATA[asp]]></category>
		<category><![CDATA[ASP.net]]></category>
		<category><![CDATA[aspx]]></category>
		<category><![CDATA[computer-security]]></category>
		<category><![CDATA[darknet]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[programmiing]]></category>
		<category><![CDATA[web-application-security]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/05/aspnet-memberships-and-roles/</guid>
		<description><![CDATA[If you&#8217;re familiar with asp.net, you&#8217;ll know the feeling of wasting hours searching through countless settings to get an app working, and then the many more hours it takes to tweak IIS to get your site running smoothly. But this is nothing compared to getting authentication and domain controllers properly integrated. On Microsoft&#8217;s asp.net newsgroup [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>If you&#8217;re familiar with asp.net, you&#8217;ll know the feeling of wasting hours searching through countless settings to get an app working, and then the many more hours it takes to tweak IIS to get your site running smoothly.  But this is nothing compared to getting authentication and domain controllers properly integrated.  On Microsoft&#8217;s asp.net newsgroup the biggest single security issue mentioned is user error and bad setup, sometimes allowing things as stupid as anonymous users having full control of a web app.</p>
<p>4GuysFromRolla regular .net author <a title="Scott Mitchell" href="http://www.4guysfromrolla.com/ScottMitchell.shtml">Scott Mitchell</a> has written a <a href="http://aspnet.4guysfromrolla.com/articles/120705-1.aspx">kick-ass guide</a> to all things membership and role based, and if you&#8217;re producing an intranet or just a large webapp you will want to take a look.  Allowing .net to manage your permissions and users can not only save you time, but takes out some of the many errors that can sneak in when you&#8217;re managing a large site&#8217;s security manually.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/05/aspnet-memberships-and-roles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My SQL2005 Diary &#8211; Part1</title>
		<link>http://www.darknet.org.uk/2006/03/my-sql2005-diary-part1/</link>
		<comments>http://www.darknet.org.uk/2006/03/my-sql2005-diary-part1/#comments</comments>
		<pubDate>Wed, 29 Mar 2006 05:15:11 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Database Hacking]]></category>
		<category><![CDATA[darknet]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[IIS]]></category>
		<category><![CDATA[mssql]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[SQL-Server]]></category>
		<category><![CDATA[SQL-Server-2005]]></category>
		<category><![CDATA[Travel]]></category>
		<category><![CDATA[Upgrading]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/03/my-sql2005-diary-part1/</guid>
		<description><![CDATA[At the place I pretend to work, the time has come that most developers equally fear and love, upgrade time. We&#8217;ve been using MSSQL2000 for 90% of our work for about 4 years now, and it&#8217;s served us well, but when a change as big as 2005 server comes along, you have to make the [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>At the place I pretend to work, the time has come that most developers equally fear and love, upgrade time. We&#8217;ve been using MSSQL2000 for 90% of our work for about 4 years now, and it&#8217;s served us well, but when a change as big as 2005 server comes along, you have to make the leap and upgrade. I suppose a little background is in order, but I&#8217;ll have to keep it fairly general as we have some strict rules on what we talk about with people outside the development team.</p>
<p><strong>What we do now</strong></p>
<p>The company I work for is a travel company, one of the big ones, and as with most big travel companies we do a huge variety of things. We own resorts, broker our own insurance, sell for third parties, sell our own holidays, own/rent cruise ships, provide resort management for small hotels, and many other things, all of which is managed through 3 internal sites. We handle the telephone auto-diallers in the call centre, stock-management at our red-sea resort, the links to the main UK flight database, the payment system, our SMS marketing servers, basically, everything.<br />
We have 3 main centres, our corporate headquarters in America, the headquarters in the UK and 1 huge sales centre in the UK also. In addition to that we have either fixed line or internet linked terminals at all our resorts, most of the major airports, all of which connects to our headquarters in the UK(It&#8217;s an ex-cupboard upstairs). Because of the international nature of our business, and the resort links the sites must run with 100% uptime 24/7, even though they are all internal.</p>
<p>The sites run on a variety of different platforms, but the vast majority run on old style ASP and SQL server 2000, with a heavy focus on SQL server. To put the workload in perspective, our ASP apps use approximately 5% of our server&#8217;s total resources, with SQL server taking the other 95% and another magical 1% running Reporting Services (An excellent application if you&#8217;ve never used it). We have a multitude of databases, but we currently run on 4 SQL servers with the databases split as equally as we can get them to avoid having to deal with load balancing. The databases range greatly in size, from a few MB for the HR database, too over 50GB for the lead details database (Call centre data).</p>
<p><strong>Why we&#8217;re upgrading</strong></p>
<p>Due to the size and complexity of the database, performance is extremely important and we have our indexes and maintenance jobs tuned to absolute perfection or the entire thing would come crashing down around us, and we would have a lot of angry people looking to have our heads. But recently we have hit SQL server 2000&#8217;s &#8220;roof&#8221;, which is one of the reasons MSSQL has never challenged Oracle in the big enterprise market, and it&#8217;s proving a big problem for us. SQL server 7 was never meant to be an enterprise level database server, and in typical MS style a lot of SQL server 2000 has come from that original code, as have a lot of the problems, mainly its inability to handle truly massive databases.  2005 fixes this.</p>
<p>SQL server 2000 was also limited in that it handled everything via transactions and locking, so if you want to retrieve data from the database in an editable format you have to basically lock that information so nobody else can access it.  This can cause all kinds of problems, such as one user being told they can&#8217;t perform an action, because they&#8217;re locking themselves (Usually through bad coding) or a deadlock which is data being altered while they are waiting for a lock to end.  2005 borrows from Oracle in that it uses a combination of locking and versioning, which takes a copy of the data, performs the action on it and then puts it back into the database.  This presents its own problems, but it does mean users can always get to their data.</p>
<p>There are also some significant coding changes, including some very cool stuff that is new to database servers as a whole.  The ability to include code from other languages is one of the main talking points, which basically allows you to execute .net code within your stored procs.  This may not sound so great, but you have to consider how it changes the way a DBA will work.  At the moment database code needs to be specific: because speed is always an issue, the server has to constantly optimize the way it works, and it can&#8217;t do this with vague and dynamic code.  For example&#8230;</p>
<p><em>Select * from Invoice</em></p>
<p>Would bring back everything from the invoice table.  But what if we just wanted a price field?</p>
<p><em>Select Invoice.Price From Invoice</em></p>
<p>That&#8217;s easy enough.  But what if we wanted the gross price, for example, from insurance items, but the net price for everything else? We would do this (pseudo-code):</p>
<p><em>Select (if Invoice.catagory = &#8216;INSURANCE&#8217; then Invoice.Gross else Invoice.net end if) from Invoice</em></p>
<p>Again, it looks simple enough, but unfortunately the real code to do this is very complicated and grossly inefficient at the moment, not to mention completely impossible in certain situations.  In 2005 the method above would be perfectly legal, and using Microsoft&#8217;s CLR compiler to pre-compile the code, it&#8217;s considered adequate (It&#8217;s still not as good as plain SQL, but it&#8217;s good enough).  This and the performance improvements in the new server would be enough to warrant an upgrade on their own.</p>
<p><strong>What we&#8217;re doing next</strong></p>
<p>We have set up 2 MSDN&#8217;d 2005 servers and mirrored our web server as a test bed for upgrading our code.  Fortunately the vast majority of our code will still work, but to take advantage of the upgrades and new features we will have to re-write vast swathes of code.  And all of our 500+ DTS&#8217;s and jobs will have to be completely re-written.  And then comes the fun of learning an entirely new interpreter and compiler, and tuning it for maximum performance.</p>
<p></p>
<p>I&#8217;ll keep you updated</p>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/03/my-sql2005-diary-part1/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Who is tonyenkiducx? Who the hell are you?</title>
		<link>http://www.darknet.org.uk/2006/03/who-the-hell-are-you-an-introduction/</link>
		<comments>http://www.darknet.org.uk/2006/03/who-the-hell-are-you-an-introduction/#comments</comments>
		<pubDate>Mon, 20 Mar 2006 01:30:08 +0000</pubDate>
		<dc:creator>tonyenkiducx</dc:creator>
				<category><![CDATA[Authors]]></category>
		<category><![CDATA[AJAX]]></category>
		<category><![CDATA[Apache]]></category>
		<category><![CDATA[asp]]></category>
		<category><![CDATA[ASP.net]]></category>
		<category><![CDATA[crossbows-catapults]]></category>
		<category><![CDATA[dBase]]></category>
		<category><![CDATA[Dreamweaver]]></category>
		<category><![CDATA[Fedora]]></category>
		<category><![CDATA[Game-Maker]]></category>
		<category><![CDATA[mssql]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Python]]></category>
		<category><![CDATA[SUN]]></category>
		<category><![CDATA[Visual-Studio]]></category>
		<category><![CDATA[web2.0]]></category>

		<guid isPermaLink="false">http://www.darknet.org.uk/2006/03/who-the-hell-are-you-an-introduction/</guid>
		<description><![CDATA[I&#8217;m a tinkerer. I can&#8217;t say I&#8217;m expert in anything more than ASP and MSSQL, but I make a point of playing and learning anything new and wanky. I&#8217;ve tweaked dBase, fiddled with Python, installed Apache, destroyed MS2003 server, plugged in SUN boxes, screamed at VisualStudio, urinated on Fedora, set fire to Game Maker, avoided [...]]]></description>
			<content:encoded><![CDATA[<p></p>
<p>I&#8217;m a tinkerer.  I can&#8217;t say I&#8217;m expert in anything more than ASP and MSSQL, but I make a point of playing and learning anything new and wanky.  I&#8217;ve tweaked <a title="dBase" href="http://www.dbase.com">dBase</a>, fiddled with <a title="Python" href="http://www.python.org">Python</a>, installed <a title="Apache" href="http://www.apache.org">Apache</a>, destroyed <a title="MS2003 server" href="http://www.microsoft.com/windowsserversystem/default.mspx">MS2003 server</a>, plugged in <a title="SUN" href="http://www.sun.com/">SUN</a> boxes, screamed at <a title="Visual Studio" href="http://msdn.microsoft.com/vstudio/">VisualStudio</a>, urinated on <a title="Fedora" href="http://fedora.redhat.com/">Fedora</a>, set fire to <a title="Game Maker" href="http://www.gamemaker.nl/">Game Maker</a>, avoided Ajax, winked at Web2.0, beat the crap out of <a title="Oracle" href="http://www.oracle.com">Oracle</a>, been mentally scarred by <a title="DreamWeaver" href="http://www.macromedia.com/go/gnavtray_dwmx_home">DreamWeaver</a> and made mad passionate love to ASP.net.</p>
<p>Bottom line, if it exists, I&#8217;ve probably played with it.  My main expertise lies in Microsoft web and database technologies, namely ASP, anything .net, MSSQL (from 6.5 up to 2005) and associated web technologies.  I spend 80% of my time on an intranet, the other 20% on our outward facing sites, and the other 20% my boss imagines I have, working on private projects.  In my spare time I play some MMORPGs, spend time with my wife, work on some websites (except my own), and I&#8217;m currently building a huge <a title="Crossbows And Catapults" href="http://www.boardgamegeek.com/game/2129">crossbows and catapults</a> set for fun and the possible destruction of my flat.</p>
<p></p>
]]></content:encoded>
			<wfw:commentRss>http://www.darknet.org.uk/2006/03/who-the-hell-are-you-an-introduction/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

