The Mole #23: Technical Answers from Inside Microsoft - Crypto Exports, Same Domain Name, Secure SQL Server, Shared Printers

December 6, 1999

Editor's Note: The questions and answers below are from the Inside Microsoft column that appears regularly on the TechNet Web site at the following location: https://www.microsoft.com/technet/community/columns/insider/default.mspx. To find out how to submit questions of your own, see the end of this article or go to https://www.microsoft.com/technet/community/columns/insider/default.mspx.

The TechNet Mole provides expert answers from deep within Microsoft to questions from IT professionals. This installment focuses on these issues:

  • Mole's Short Course on International Cryptography Exports

  • Double your trouble--same domain name?

  • Safeguarding SQL Server data on the Internet

  • Nice guy, shared printers

Mole's Short Course on International Cryptography Exports

Hi Mole,

In 193505: Event 2048 When Trying to Connect from French Client Workstation it seems that a French NT workstation will never connect to a US Terminal Server 'because of the French law'.

The French law now allows crypto. Can the TS client now behave like it should even on a French NT workstation?

Is there a new 'unleashed' release of the TS client? Is it possible to force encryption even on a French workstation (via the registry, or whatever)?

Olivier

Dear Olivier,

You're quite right.

As of January 1999, the French government officially declared that legitimate Internet businesses would no longer be prevented by law from using 128-bit encryption, which allows banks to secure online financial transactions, just because terrorists might use the technology to their own nefarious ends. With law enforcement agencies on one side of the issue and commercial interests on the other, the policy didn't come easy, but e-commerce proponents eventually prevailed. French businesses no longer need to register their encryption keys with a third party. They do have to reveal them to the authorities in cases of real or suspected criminal activity.

Okay, that's part one of a complex issue. Now for part two.

Microsoft has been licensed by the U.S. government to export 128-bit encryption to financial institutions since June of 1997. In September of this year, the White House announced a new encryption policy that would permit the export of "retail encryption commodities and software of any key length to any country/region except for the seven state supporters of terrorism."

The catch is, this policy doesn't change any existing encryption regulations.

The good news is, the U.S. administration has promised to CLARIFY its new policy and publish it in the export regulations by December 15, 1999.

You can keep track of the latest with frequent visits to the Bureau of Export Administration Web page (https://www.bxa.doc.gov/encryption/). Click "Government Issues."

And, of course, you can stay current on security products and strategies by keeping the Microsoft Security Advisor Web site (https://www.microsoft.com/security/default.mspx) among your Favorites.

Don't you just love politics? Don't you just love lawyers?

Finally, in response to your nitty gritty technology question, the answer is No; you can't 'force' a higher-level encryption on the workstation. Software updates are on hold until policy comes clear in mid-December, but since it's the server rather than the workstation that controls security levels, it seems to Mole that's the area more likely to be addressed. Just a guess, though.

Regards,

Mole

Double your trouble--same domain name?

Dear Mole:

We are at a client site that has a development domain called "DTV" and a production domain called "DTV", both running NT 4.0 SP4. I have heard that each domain has a different SID number and that is what the system will look at. Is this true, and can I create a trust between 2 domains of the same name? If I need to change the domain name, what is the best option for all the servers and workstations within that domain?

Craig Martin

Dear Craig:

Mole hopes for their sake you never father twins. You sound like the kind of guy who might call them Craig Jr. and Craig Jr. (Just kidding.)

As to your domains, you might say you have it half right. In Windows NT®, a domain is uniquely identified both by a NetBIOS name and by a Security Identifier (SID). Bottom line, you need to rename one of your domains. Mole suggests it be the development domain. How about DTV Jr? (Kidding again.)

Mole addressed the domain-renaming question at some length in a recent column, September 13 of this year, to be precise. Read "Renaming a Windows NT Domain" from The Mole #17: Technical Answers from Inside Microsoft - Upgrading IE, Passwords, DHCP, NT Domains, WINS, NT Configuration.

Remember, it only hurts for a little while.

Mole

Safeguarding SQL Server data on the Internet

Dear Mole:

My ISP hosts my Windows NT 4.0 Server running IIS 4. I have some applications that I would like to deploy that require SQL 7.0. If I install SQL 7.0 on my NT box that is hosted by my ISP, is it possible to make the SQL databases secure even though they are on a web server right on the Internet? If so, are there any whitepapers available that specifically state what should be changed and don't simply discuss theories of security with SQL?

Jay Griffin

Dear Jay,

Thanks for sending Mole the kind of climb-on-a-soapbox-and-hold-forth question he likes best.

In the situation you describe, you have multiple components (Windows NT, IIS, SQL Server, plus apps) to manage, and one big goal: To keep your data safe.

Mole recommends a three-pronged, three-P solution. Yep. Passwords. People. Ports. To wit:

  1. Passwords: Implement an extremely strong password on the SA login. SQL Server passwords can be up to 128 characters, including any letters, symbols, and numbers. Do not forget this password. Do not write this password on a sticky note and put it on your monitor. Do not inscribe it on the waistband of your underwear or write it on the palm of your hand.

  2. People: Disable the Guest user account. Guest really isn't a person, anyhow. More like a ghost.

  3. Ports: Change the default IP port that SQL Server listens on. Everyone in the world knows that the default port for SQL Server is number 1433. Change it to some other secret, valid port. For information on how to tell SQL Server to listen on another port, issue the query "port listen" in SQL Server 7.0 Books Online.

Using stored procedures to promote data security

Richard Waymire, program manager with the SQL Server development group, writes a Q&A column available on the SQL Server website (https://www.microsoft.com/technet/archive/default.mspx). Here's his response to "What's the best way to achieve a secure database with SQL Server 7.0?" (And Mole quotes.)

"Never give a user direct access to your tables. If you want them to access your database using an interactive tool like Microsoft Access 2000, then give them rights only to views and stored procedures instead of directly to the tables."

This is good advice whether you're providing data to the WWW community or to your own company's workforce.

Complementing Richard's suggestion, you can also encrypt the stored procedures that create the views. SQL Server will encrypt the syscomments table entry containing the text of the CREATE PROCEDURE statement. Encrypting the stored procedure is done as part of the CREATE PROCEDURE T-SQL command, using the ENCRYPTION argument.
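As an added example (not from the column, and not Microsoft's own code), here is the pattern Richard and Mole describe written in SQL Server 7.0 T-SQL: a web-application role gets rights only on a view and on an encrypted stored procedure, never on the base table. The table, view, procedure and role names are assumed.

```sql
-- Base table owned by dbo; the application never touches it directly.
CREATE TABLE dbo.Customers (
    CustomerID int          NOT NULL PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    CreditCard varchar(20)   NULL      -- sensitive column, never exposed
)
GO

-- A view that exposes only the non-sensitive columns.
CREATE VIEW dbo.vCustomerNames
AS
    SELECT CustomerID, Name FROM dbo.Customers
GO

-- A stored procedure for the one lookup the application needs.
-- WITH ENCRYPTION stores the procedure text in syscomments encrypted,
-- so a user who can read syscomments cannot read the query logic.
CREATE PROCEDURE dbo.usp_GetCustomerName
    @CustomerID int
WITH ENCRYPTION
AS
    SELECT Name FROM dbo.Customers WHERE CustomerID = @CustomerID
GO

-- Hypothetical role that the web application's login is added to.
EXEC sp_addrole 'WebUsers'
GO

-- Explicitly deny every right on the base table to the role ...
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO WebUsers
-- ... and grant only the view and the procedure.
GRANT SELECT  ON dbo.vCustomerNames     TO WebUsers
GRANT EXECUTE ON dbo.usp_GetCustomerName TO WebUsers
GO
```

Because the table, view and procedure all have the same owner (dbo), SQL Server's ownership chaining lets the view and procedure read the table on the role's behalf even though the role itself is denied on the table; a member of WebUsers issuing SELECT * FROM dbo.Customers directly is refused.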

Since winter is almost upon us here in the northern hemisphere, Mole feels compelled to supply a reading list for those who want to hibernate with a good technical manual or two. In Chapter 8 – Security of the Internet Information Server Resource Kit, check out "IIS Authentication Models", "Security for Web Applications", which includes sub-topics on SQL Server, and the section on defending against malicious attacks. The bibliography at the end of Chapter 8 will keep you in good books at least till Groundhog Day.

Most everything you ever wanted to know about TCP/IP Port Numbers

Port numbers are divided into three ranges: the Well-Known Ports, the Registered Ports, and the Dynamic and/or Private Ports. The Well-Known Ports are those from 0 through 1023. The Registered Ports are those from 1024 through 49151. The Dynamic and/or Private Ports are those from 49152 through 65535.

Well-Known Ports are assigned by Internet Assigned Numbers Authority (IANA) and should only be used by System Processes or by programs executed by privileged users. An example of this type of port is 80/TCP and 80/UDP. These ports are privileged and reserved for use by the HTTP protocol.

Registered Ports are listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users. An example of this type of port is 1723/TCP and 1723/UDP. Although other processes can use these ports, they are generally accepted as the connection control port for Point To Point Tunneling Protocol (PPTP).

Dynamic or Private Ports can be used by any process or user, and are unrestricted.

IANA maintains a list of ports on their Web site (https://www.isi.edu/in-notes/iana/assignments/port-numbers)

Regards,

Mole

Nice guy, shared printers

Hi Mole,

I have a printer connected to an NT workstation called HRD, and it is shared by the name sales (shared in workgroup mode). My users get connected to Novell and print to this printer. My problem is that each time I have a new user, I have to create this user on this HRD machine. Is there any way I can avoid creating this new user on this HRD machine and still use the shared printer for this user?

Anil Khatri

Hi Anil,

What you need to do is enable the Guest account on the Windows NT machine. The Guest account is not enabled by default on Windows NT. Select Start > Programs > Administrative Tools > User Manager. Once User Manager starts, double-click on the Guest account and un-check the "Account Disabled" box. This will allow anyone to map a share on your Windows NT machine, whether it's a shared directory or a shared printer, without having to create individual accounts for each user.

The catch is that enabling the Guest account will also allow anyone to walk up to the Windows NT workstation and log on. Mole strongly recommends that if you do choose to enable the Guest account, you remove the "Log on Locally" right from the Guest account. This is done in User Manager and it would be best to do it immediately after you enable the Guest account. To remove the "Log on Locally" right, select Policies from the User Manager menu, then "User Rights…" Click on the Guest account and Remove the "Log on Locally Right" and exit out of User Manager.

None of this, of course, will keep your printer from running out of paper and/or ink. For those printer headaches, pursue a carbon-based solution.

Got Questions? Mail the Mole

Communicate with Mole at [closed account]. Send him your toughest questions. And if you think you have a better answer than Mole's, or a different one, send that along, as well. Please include the following:

  • Your name

  • Your title

  • Your company

  • Your e-mail address

  • Your question/solution/compliment

Credits

Lon Collins. He's the man.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.