The Mole 31: Technical Answers from Inside Microsoft - SQL Encryption, Connecting NT Networks, BackTalk

  • Article

March 27, 2000

Editors Note The questions and answers below are from the Inside Microsoft column that appears regularly on the TechNet Web site at the following location: https://www.microsoft.com/technet/community/columns/insider/default.mspx. To find out how to submit questions of your own, see the end of this article or go to https://www.microsoft.com/technet/community/columns/insider/default.mspx.

The TechNet Mole provides expert answers from deep within Microsoft to questions from IT professionals. This installment focuses on these issues:

  • Data Encryption on SQL Server?

  • Connecting Two NT Networks

  • BackTalk:

    -Tom wants to restore his administrative shares

    -Steve singes Mole's fur

    -John solves his own problem

On This Page

Data Encryption on SQL Server?

Connecting Two NT Networks

BackTalk

Credits

Data Encryption on SQL Server?

Dear Mole,

Does Microsoft SQL server 6.5 or 7.0 offer the ability to completely encrypt the physical data (the data stored on the database device). I have seen references to encrypting comments for stored procedures and passwords. However, we want our back end data to be encrypted. However, this would not affect the query or retrieval of data from database tables. We want SQL server to perform the un-encryption before serving up the data.

Matt Toll, Matrix Technical Solutions

Hey Matt,

Nope, SQL Server doesn't do encryption. The efficiency of a database and the performance overhead of encryption services—usually around 25%—are sort of, how shall Mole say it?—mutually exclusive. Which doesn't mean a lack of good options for protecting your data.

Use the encryption option of the Multi-Protocol Network Library to secure all client-server (and server-client) traffic "over the wire." Use SQL Server's built-in security procedures to restrict access to data—no fewer than 51 system stored procedures are classed as "security"—and be aware that the most administratively convenient options—like passwords that never expire—are not always the best choices if security is a big priority.

Finally, make common cause with your operating system. NT's security features can lock down the drive on which your database files reside. By formatting the drive as NTFS and implementing restrictive access permissions, you should be able to rest easy. On the purely physical side, put your server in a locked room and be careful about where you keep that key.

Regards,

Mole

Connecting Two NT Networks

Dear Mole,

I am hoping you can help me win an argument. A customer of mine who has two NT networks some kilometers apart and wishes to connect them together to share data across both networks. My competitor says that the only way to do this is by adding two Linux boxes to act as gateways. I insist (perhaps foolishly) that the two servers can be connected directly and allow all users to have access to both servers.

So OK I am told to prove it.

I have set up two test servers to prove my point (I hope).

I have downloaded RRAS and installed it. Now my questions.

  1. What services need to be installed under Network in control panel.

  2. Both networks have different domain names. Do you need to set up a trust relationship or is the granting of dial in permission in User Manager sufficient.

  3. What TCP/IP address would be best to use. Currently Server_North is set to 192.168.100.10 with a subnet of 255.255.255.0. Server_South is set to 192.168.200.10 with subnet of 255.255.255.0. Server_north has 8 clients Server_South has 3 clients.

  4. The default gateway is set to the same address as the servers. Is this OK.

I have read Demand Dial Routing - MS Windows NT 4.0 with RRAS but not been able to solve my problem (and big mouth, but I just could not let them use Linux). All help, directions and support greatly appreciated in advance.

Regards

Andrew Lee

Dear Andrew,

You win. It is possible to "join" two remote NT networks so that users from each domain can access the resources of each domain. An honest Mole must note, however, that "possible" in this case does not mean "easy." Nor would it be any easier with Linux than it is with Microsoft products. The fault, dear Andrew, is not in the operating system but in the router, a nifty technology but not a mature one.

As to your specific questions, you're playing in the right ballpark when you choose RRAS. All the services you need to perform your network join are automatically installed when you install RRAS.

As to trust relationships: If you want users in domain A to be able to access resources in domain B and users in B to access resources in A, then you will need to set up two trust relationships. On domain A, where A trusts B and on domain B, where B trusts A.

Now things get a little murkier, in part because you've not specified what version of NT is installed on each of your servers, and which Service Pack versions. The gateway settings may cause headaches, and it's hard to troubleshoot without the specific info. One way to track your demons is to see if you're getting errors logged in the Event Viewer that pertain to RRAS or TCP/IP. If you are, take that information to the Knowledge Base and start digging.

Mole's found a couple of pretty good Knowledge Base articles that describe several scenarios and suggest things to verify when configuring two networks to access each other over RRAS.

  • 200834: How to Use OSPF with RRAS Demand-Dial and VPN Connections describes how to implement Open Shortest Path First (OSPF) over Routing and Remote Access Services (RRAS) Dial-on-Demand (DOD) connections. The implementation of this protocol is the same for both direct-dial modem connections and virtual private network (VPN) connections over the Internet.

  • 178993: How to Use Static Routes with Routing and Remote Access Service explains how to add static routes to a computer running Windows NT Server and the Routing and Remote Access Service (RRAS) Update or Windows 2000, so that it can route packets to a remote network. The information in this article only pertains to those environments where no routing protocols are configured, such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

  • 205027: Dead Gateway Detection with RRAS and Demand Dial Connections describes in detail the operation of Dead Gateway Detection (DGD) and its interaction with the Routing and Remote Access Service (RRAS) Update.

Then there's Mole's own archive. In the January 17 column, I address a couple of RRAS inquiries in depth. In addition to that, you'll want to search the Knowledge Base for any fixes to RRAS implemented in Service Packs newer than the ones you have installed. And don't forget to study up on the RRAS release notes, in the "README.DOC" file that comes with RRAS. Lots about services there.

Finally, here's some feedback for you from one of those late night Mountain Dew guzzling sessions in subterranean Microsoft. It is the consensus of Mole's colleagues that, assuming you are a seasoned IT pro, you will most likely get within one support call of winning your bet, and that call will be a short one. Considering that 1) there are dozens of hefty tomes in the computing section of Amazon.com exclusively devoted to RRAS configuration, and 2) Cisco (responsible for 80% of Internet routers) Support will only talk to you at all if you're a Cisco-certified specialist, Mole figures this is really pretty good.

Of course, if you're a real hotshot, you may not need to make the call.

Let Mole know.

BackTalk

Tom wants to restore his administrative shares

Hi,

Previously you stated that WINNT$, C$, D$ are persistent and that they cannot be removed permanently. I have an NT 40 workstation SP6A(128) with the second edition resource kit and the current version of SCM. While exploring these items the aforementioned default shares disappeared, and if an attempt to recreate is made they evaporate on reboot. As you stated and I had firmly believed this was not possible it has happened.

Short of starting over how do I restore them?

Tom Vaughan

Tom,

Many of Mole's readers pointedly informed Mole that he was, well, wrong saying that administrative shares can not be removed permanently. They can be.

OK, are you happy now?

Anyhow, the solution to your perplexing problem is described in the Knowledge Base article titled, **245117:**Administrative Shares Do Not Appear on Server. There you will find the magic formula to restore your shares. In addition to the un-do advice, the article also describes how not to have administrative shares in the first place. Think of it as a two-fer.

Source: https://support.microsoft.com/default.aspx?scid=KB;en-us;245117&sd=tech

Mole

Steve singes Mole's fur

Mole,

I'll have to disagree with you on a few points, mainly in your opening paragraph to Paul:

"It sounds to Mole as if your first task here is more evangelical than technical. Like, how to convince a cost-conscious (should we say, penny pinching?) client that using a BDC in a Windows NT network is as essential as an umbrella in Seattle, as snow tires in Maine, as sunscreen in Belize? The fact is, the cost of downtime if their PDC goes south is a whole lot more than the cost of that second server will ever be. It's spelled I-N-S-U-R-A-N-C-E. Only a fool drives, or computes, without it. Take it from Mother Mole."

  1. There are clients out there to whom A$2000 is a LOT of money to spend on a server, let alone more (> A$1500) for all the extra s/w licenses, so calling them penny-pinching is a bit harsh without knowing the circumstances of their situation.

  2. I have no idea about any of your references to Seattle, Maine or Belize. You see I don't live in the USA like most people on this planet, and consequently your analogies are meaningless to me. FWIW I thought Maine was in Florida, which I'm pretty sure is a tropical environment, evidently that was incorrect. :-)

  3. A BDC in an NT Network is NOT essential. In a situation like Paul's, even if I did have a BDC, if all the users files are on the PDC having a BDC is NOT going to help very much. Yes they can log in, but they can't do a heck of a lot.

  4. The cost of downtime if a PDC goes down may be more than the cost of a 2nd server—it also may not! "How long is it down for"—tends to be the decider here—and how critical is the computer to the business in question.

  5. Yes insurance is a good thing - but insurance should ALWAYS be measured against the risk/threats involved. You wouldn't put a $20,000 firewall in to protect your home PC, so why get carried away elsewhere???

  6. RAID is not necessarily cheap insurance. A RAID controller is around $1200, and 9Gb SCSI disk's are around $500. To someone to whom a basic server is an expensive option, you've just doubled its cost. In this cost conscious case, s/w raid would be far more appropriate.

  7. Heaven forbid that a client should be using ONE server for TWO mission critical applications!!!!!!!!!!!! GOSH! Maybe I should be buying 3 more PCs for my desk: 1: For Word processing (mission critical) 2: For email (mission critical) 3: network management (very mission critical) 4: All the other bits and pieces that make up my day (not so mission critical, but frequently important) This has got to be the most silly thing I've ever heard. People have been using servers for more than one task for a very long time, and will for even longer. In most small organizations, one server will do pretty much everything, and in some cases is also a users workstation! As a direct example: Are you suggesting that in our case of our PDC being also the DNS, WINS and DHCP server, I should have one server for each task? When our current 5 year old P100/32Mb box is more than adequate to the task???? Physical space for all those servers starts to become an issue too you know!

  8. Backing back to my point 5, I'd be advising Paul to first establish a definite cost to the client of losing access to their data for various time periods at least up to a week of downtime, LONG before spouting technical solutions. You have to establish baselines of what the problem is before giving solutions.

I recognize that this is a technical forum for answering technical questions, but surely given a problem that has it's grounds more on the business side, we should attempt to solve that, before we look to a technical solution.

Your "solution" reads more like marketing/sales pitch, than a true technical solution.

Regards, Steve

Systems and Networks fellaA Big Multinational IT Services company

Thanks, Steve. Mole needed that.

Seriously, your passion is impressive, and you're absolutely right—IT Pros should always weigh the cost and risks of downtime against the cost of hardware that would mitigate the impact. And then find the most workable compromise between what they want and what they can afford.

That said, Mole would like to say in his defense that in his letter to Mole, Paul stated that his client wanted "…a fully redundant backup server that can take over within seconds in the event the PDC fails." The same client wanted to keep costs to a minimum. Mole thought that he was giving pretty good advice by suggesting that Paul put in a BDC, which will perform those tasks that the PDC does in the event that the PDC dies. If the PDC goes down and there's no BDC to service logon requests or validate access permissions, etc, then you're pretty much stuck. Having two servers doesn't mean that one or both can't perform a multitude of functions besides domain controlling.

Without the luxury of a personal back-and-forth chat with each correspondent, Mole can't analyze business needs and cost/benefit ratios with any great degree of reliability. Thanks for writing in, Steve, and giving your IT fellows something to think about.

Regards,

Mole

John solves his own problem

Mole,

Problem: When attempting to shut down Windows 2000, instead of the "It is now safe to shutdown your computer" message, the system would automatically reboot.

Cause: Although the system board and the majority of the components in the system in question support Advanced Power Management (ATM), the power supply does not. With ATM turned on, the motherboard was receiving a shutdown command, which it could not pass on to the power supply, so the system would reboot instead.

Solution: Disable "Advanced Power Management support" on the ATM tab of the Power Options in Control Panel.

Windows 2000 now shuts down correctly and displays the appropriate message letting me know that it is safe to turn off the computer.

Thanks anyway. Hope this helps someone else who might be having the same problem.

Sincerely,

John A. Chick

CommTel InternetSystems Administrator

Credits

Mole thanks Lon Collins and Mike Torbenson.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.