SqlBits

SqlBits podcast

Liam Westley — Sun, 21 Oct 2007 21:50:10 GMT

Craig Murphy was wily enough to record an interview with both myself and fellow developer Matt Barrett after the SqlBits conference. Enhanced by the 80's music of Reading Bowl you can now experience the effect that several (free) pints of Guinness has on my diction;

http://www.craigmurphy.com/blog/?p=743

Thanks to Craig for the tidy editing (he must have done some, believe me).

SqlBits - notes from grok on using NTFS file encryption to secure SQL Server databases on laptop computers

Liam Westley — Wed, 10 Oct 2007 07:32:38 GMT

This is a summary of the grok talk I gave at the SqlBits day at Microsoft UK in Reading on 6th October 2007. Thanks for all the delegates who finished lunch early to make the grok talks and I hope it proved useful.

The target audience for this grok talk was those developers using SQL Server (2000 or 2005) on their laptops who might want to secure those databases. This issue is becoming more important as horror stories of lost laptops containing sensitive customer information now seem to appear every other week.

Admittedly if you use Windows Vista Ultimate / Windows Vista Enterprise and you can make use of BitLocker to encrypt the entire hard drive the job is already done for you. This is especially true if you have a built in TPM module and a fingerprint reader to accompany it.

If you have any other flavour of Windows Vista (including, unbelievably, Vista Business) or Windows XP, we don't have BitLocker and we have a security hole. If your laptop is stolen, the drive can be removed placed in an external caddy, and straight away the MDF and LDF can be copied to another SQL Server. NTFS standard file security is implemented by the operating system booting from that drive, so read only access is easy and once an MDF/LDF is attached to another database, user rights within the original SQL Server don't apply.

One solution is to make use of NTFS file encryption.

Ideally don't start with an existing SQL Server installation, as you want to install SQL Server as a known user, not as the default 'Local System' or 'Network service'.

Create a new user (say, Sql2005Developer) with a complex password
Install SQL Server as a named instance, running as this new user
(optional) During install you can specify a separate data directory, say C:\encrypted\Sql2005Dev
Once everything is installed - login as the new user, and use Windows Explorer to encrypt your data directory (make a cup of tea if you have any decent sized DBs in this directory - it takes time to encrypt/decrypt large files)

The reason for using a named user is to give you the ability to easily encrypt/decrypt directories by logging in as that user.

Extra 1 - Don't forget the password for SQL Server user (or see Extra 2)

If you forget the SQL Server user password, and you reset it from the Administrator account the encryption key is reset and all the currently encrypted files will become unreadable. So make a backup with ...

Extra 2 - command line encryption tool CIPHER (see cipher /help for command line options for this tool)

cipher /e /a /f <directory-name> ENCRYPTS directory, including all files
cipher /d /a /f <directory-name> DECRYPTS directory, including all files

Demo of cipher

Create the following directories, c:\temp\encrypted and c:\temp\not-encrypted
At a command line use cipher to encrypt directory (if viewed in Windows Explorer the folder name should be a different colour to indicate it is encrypted)
Now create a new text file in 'encrypted', copy to 'not-encrypted' - it is still encrypted, encryption moved with file
Create a new text file in not-encrypted (this should not appear in a different colour as it is not encrypted)
At a command line open a new command line running under the administrator user, runas /user:administrator cmd, and try to edit the encrypted text files (can't read either, encryption followed file)
If you need to backup the encryption keys use, cipher /r:<cert-filename> <directory-name> to backup the keys to the two key files. These can then used to restore encrypted files, see additional information on the cipher tool on microsoft.com.

Extra 3 - removing the new SQL Server named user from fast user switching user list

If you do have a named user for SQL Server, this appears on the user list in Windows XP (only appears if fast user switching is enabled, and not for machines on a domain).

In regedit, locate SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ in the HKEY_LOCAL_MACHINE branch.
Right click on the UserList and select New, DWORD value
Rename New Value #1 to the new SQL Server named user account

The name will now disappear from the user list. This prevents the easy method of logging in as the SQL Server user to perform encryption operations via Windows Explorer. However, you can always choose to use the runas command to login as the SQL Server named user, opening a new command window in which you can run the cipher tool.

SqlBits - a great conference

Liam Westley — Sun, 07 Oct 2007 18:49:24 GMT

Just a quick scribble to thank the organisers of SqlBits for a superb event on Saturday.

There were some great sessions, especially David McMahon's Top 10 SQL Keywords. Not for the Led Zep Top Of The Pops countdown, but some real gems of knowledge. I've never been to a session where you can hear all the biros in the room simultaneously clicking open and furiously scribbling down notes. The nugget being scribbled was the SQL full text query search term FORMSOF(INFLECTION, 'ride') - which will match ride, ridden, riding etc. I know, I wrote it down too.

I came away eager to investigate some new areas, and humbled by the DBAs and professional DB guys who slug through databases day in and day out rather than dabbling as a general developer (as I do).

The day was expertly organised, with everything running smoothly. The free transport from Reading station was top stuff (thanks to sponsors Redgate), and I really enjoyed the evening out at Reading 10 pin bowling (thanks to Solid Quality Mentors). I may be baised on the bowling as I got the top score of 142, helped by what can only be described as a very spawny three strikes in row. I never knew Guiness was such a good sporting aid.

Roll on next summer for SqlBits II (or will it be released as 'SqlBits 2008' in ~~November~~ ~~March~~ July).

P.S. for those who attended my lunchtime grok talks on 'SQL Server Alias usage' and 'Using NTFS file encryption to secure your laptop databases' I'll be posting the sample code and bullet points via this blog in the next few days.

UK SQL Server community day, 6th October 2007, now open for registration

Liam Westley — Mon, 27 Aug 2007 23:18:40 GMT

Following on from the highly regarded DeveloperDeveloperDeveloper days, some top guys from the UK developer community have organised a similar event for those dabbling with SQL Server.

More details, and registration are now available at http://www.sqlbits.com. Just like DDD it will be held on a Saturday at Microsoft's UK headquarters in Reading.

This is a welcome addition to the community calendar, given that database sessions at DDD can often become neglected as they aren't seen as dealing with the latest whizz-bang framework or development paridigm. I would also hope that by concentrating on SQL Server for a full day like this, it can bring in DBAs as well as developers in a similar manner to the manner in which WebDD attracted designers as well as developers.

Technorati tags: sqlbits