This was reposted from SQL Server http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/DBI317 written by (author unknown). They get all the credit for this, not me.
In this session, learn what you should be looking at within your virtual environment to ensure you are getting the performance you should out of it. This includes how to look for CPU performance issues at the host level. We also discuss the Memory Balloon drivers and what they actually do, how you should be configuring them, and why. We discuss some of the memory sharing technologies which are built into vSphere and Hyper-V and how they relate to SQL Server. We finish up with some storage configuration options to look at. #TEDBI317
Additional reading can be found at the original author’s post.
So as we all know, Microsoft hates allowing upgrades of OSs from Beta/CTP/RC/RP (or whatever) builds to RTM (Release To Manufacturing) bits. Thankfully, Microsoft has made it easy enough to do anyway. Simply take your ISO/USB/CD/DVD or whatever install media you plan on using and make it writable in some way (I’ll leave that to you to figure out based on your media type).
Find the n:\sources\cversion.ini file on the media and open it with notepad. Change the two numbers from 8508 to 7100 and save and close the file.
Now run the installer from within Windows 8 Beta/CTP/RC/RP (or whatever) and you’ll be nicely upgraded to Windows 8. I would imagine that this works for Windows 2012 when that is released as well.
This was reposted from BlogHer https://www.blogher.com/snippets/heres-how-you-support-women-tech written by Virginia Debolt. They get all the credit for this, not me.
Want to find out how to throw a tech event, get women to participate along with the men, and make them feel good about the experience after it’s over? Lauren Bacon from Curious for a Living has seen it done and has a list of ideas that you can apply to your event.
I’ve worked in tech for fifteen years. In those fifteen years, women have remained a small minority in the sector, particularly in technical jobs (read: programmers/engineers/developers). A lot of people I know have bemoaned the numbers, and discussed various ways we might address the gender imbalance, but I haven’t seen a lot of success stories (There are some – don’t get me wrong. Just not a ton.)
A few weeks ago, though, something big and wonderful happened. And it is going to change the ratio.
Additional reading can be found at the original author’s post.
What happens to most obsolete web based applications at most companies? They sit idle on a web server for months, sometimes years. Why is this a problem? Because many of these old applications can be easily exploited via SQL Injection, allowing access into the SQL Server databases which they connect to. The reason that these old apps are a great way into the SQL Server is that they are old, and were probably written before things like SQL Injection protection became commonplace.
This tweet from Daniel (@DaniSQL) is a perfect example of this.
An old application that isn’t being used anymore is still available on the Internet facing web farm. Because this application isn’t being used any more it wasn’t on any lists of deployed applications, so when security audits were done it wasn’t seen as it wasn’t listed as an active application. However it was apparently able to provide a hacker with a way into the database because it was still connected to a SQL Server instance and it was susceptible to SQL Injection.
The solution to this problem is sadly easy: remove the web based application from the web farm, as the application isn’t being used anywhere. It’s a lot easier than fixing the application, and a whole lot cheaper (10 minutes of a system administrator’s time versus weeks or months of a developer’s time).
I urge you to audit the applications and websites which are deployed to your web farms, especially the Internet facing web farms and see what’s on there. When you audit them, don’t audit them against the list of what’s there. Actually dig into the IIS config of each and every server (yes I’m well aware that doing this sucks) and actually see what’s configured on each machine. If you don’t know if an application is actually being used ask around. If it isn’t, remove it (or at least stop the site in IIS) so that you don’t have to worry about scripts breaking into your database and updating your data.
Now thankfully this current attack which is going around is just updating data, but it could easily enough be changed by the attacker to gather data as well, so do yourself a favor and protect yourself.
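The audit above is done on the web farm; the same question can be asked from the SQL Server side, which is where a DBA can help. This T-SQL is an added example (not from the post) that inventories what is actually connecting to the instance and which databases nothing has touched since the service started, so the result can be compared against what the IIS configuration on each server says is deployed. It assumes SQL Server 2012 or later for the database_id column in sys.dm_exec_sessions.

```sql
-- Server-side inventory: what is actually connecting right now, and from where.
-- Run on the instance the web farm points at and keep the results for comparison
-- with the list of applications found in the IIS configuration of each server.
SELECT  c.client_net_address,
        s.host_name,
        s.program_name,
        s.login_name,
        DB_NAME(s.database_id)       AS database_name,   -- database_id needs SQL Server 2012+
        COUNT(*)                     AS sessions,
        MAX(s.last_request_end_time) AS last_request
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
GROUP BY c.client_net_address, s.host_name, s.program_name, s.login_name, s.database_id
ORDER BY last_request DESC;

-- Databases that nothing has read or written since the service last started.
-- sys.dm_db_index_usage_stats is cleared on restart, so the start time is
-- returned with the result to show how long the counters have been collecting.
SELECT  (SELECT sqlserver_start_time FROM sys.dm_os_sys_info) AS counting_since,
        d.name                                                 AS database_name
FROM    sys.databases AS d
LEFT JOIN sys.dm_db_index_usage_stats AS u ON u.database_id = d.database_id
WHERE   d.database_id > 4                                      -- skip the system databases
GROUP BY d.name
HAVING  MAX(u.last_user_seek)   IS NULL
   AND  MAX(u.last_user_scan)   IS NULL
   AND  MAX(u.last_user_lookup) IS NULL
   AND  MAX(u.last_user_update) IS NULL;
```

The first query is only a snapshot of current sessions, so run it several times across a business cycle (or capture logins with SQL Server Audit) before deciding an application or login is dead; a database that shows up in neither result but still has a working login from an old site is exactly the case the post describes.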
This week I’ve found some great things for you to read. These are a few of my favorites that I’ve found this week.
- SharePoint Adventures : Access Denied errors when using RS 2012 with a Claims SharePoint Site
- Stop Storing Unencrypted Passwords!
- Data type mismatches causing SQL Server performance issues
- Database Maintenance For Non-DBAs
- How To Prevent SELECT * The Evil Way
Hopefully you find them as useful as I did. Denny
On October 12th 2012 I’ll be presenting an all day session titled “Storage and Virtualization for the DBA” as a pre-con session for SQL Saturday 145 in Nashville, TN (links to all four pre-cons can be found on the SQL Saturday 145 page). This popular pre-con session has been presented in locations like the SQL PASS Summit, SQL Day 2012 in Poland, SQL Bits X in London, SQL Saturdays in Florida and California and now the session is coming to Nashville, TN.
This session will be a two part session in which we will be focusing on two of the biggest topics in the DBA field. How to properly design your SAN storage solution and how to properly design your virtualization solution.
The storage portion of this session will focus on SAN storage, but most of the material will apply to direct attached storage as well.
In the first half of the session we’ll be focusing on the storage array. Storage can be one of the biggest bottlenecks when it comes to database performance. It’s also one of the hardest places to troubleshoot performance issues because storage engineers and database administrators often do not speak the same language. In this session, we’ll be looking at storage from both the database and storage perspectives. We’ll be digging into LUNs, HBAs, the fabric, as well as the storage configuration.
After going over the components we’ll dig into some advanced storage configurations. This includes RAID groups, multi-pathing software, and proper redundant storage network design. We will also be digging into some advanced storage array backup techniques including taking storage level clones and snapshots. After going over these advanced techniques we will dig into how these can best be used to backup the SQL Server environment to provide maximum redundancy with no recurring tape costs.
In the second half of the day we’ll be looking into the pros and cons of moving SQL Servers into a virtual server environment. Specifically we’ll be looking into when it’s a good idea and when it’s probably not a good idea. Like everything in the database world there are no hard set answers as to whether virtualization is a good idea or not, but there are some times when virtualizing a SQL Server is a good idea, and can save you some money. There are other times when you will be shooting yourself in the foot and virtualization isn’t a good idea. We’ll be focusing on how to make this decision, and how to gather the metrics that you need in order to come to this decision.
We’ll look into how to tie the virtual platforms to the storage array so that you can maximize the storage performance for your SQL Servers and the virtual environment.
I hope to see you there,
It’s that time of year again, it is time for the SSWUG virtual conference. There is a great set of speakers for this virtual conference including myself, Kalen Delaney, Eric Johnson, Kevin Kline, Brian Knight, Lynn Langit, Bill Pearson and Jason Strate and more. Every one of these speakers is a top notch speaker but most are also very good friends of mine and I can say for sure that this virtual conference will be time and money well spent.
One of the great things about these virtual conferences is that you don’t need to travel to attend. Sessions can be watched from home or work, all you need is a computer and a set of speakers (or headphones). Looking over the schedule, there are going to be a lot of really good SQL Server 2012 sessions on the schedule.
Now when you go and register for the virtual conference (it only costs $159 for three days of great training material) be sure to use VIP Code VCDENNY (you have to click the “Update Registration” button for the code to take). So stop stalling and get registered. There’s another bonus when you register for the virtual conference, because there is so much great material which will be available, you may not be able to see all the sessions you want to the day of the virtual conference. Because of that you can view the recordings of the sessions for 30 days after the conference ends for free.
I’ll see you at the conference (in the chat rooms at least),
In case you missed the blog post over on securingsqlserver.com, I wanted to repost it here…
I’m afraid that I’ve got some bad news. You can no longer pre-order Securing SQL Server 2nd Edition from Amazon.
Instead you have to settle for ordering the book outright and having it shipped to you. That’s right, no more being a pre-order book, it’s published and available to be shipped directly to you. Currently Amazon is selling the book at full price which is $49.95, but if you have Amazon Prime it is available for Amazon Prime shipping. Because it is considered to be a text book you get a $5 Amazon MP3 Credit (whatever terms and conditions that Amazon chooses do apply).
This is a totally updated edition of the book including all sorts of new information about security within SQL Server 2012. I of course cover things like how to secure AlwaysOn Availability Groups, how to use user defined server roles, contained users, etc. I also dive into how to properly secure SQL Server Reporting Services and SQL Server Analysis Services so they can’t be used to access data that people shouldn’t have access to.
All in all this book is much larger, with Amazon showing it at 408 pages compared to just 272 pages for the 1st edition. If you find somewhere cheaper to purchase it, make sure that you are in fact ordering the second edition. The ISBN number is 1597499471.
I hope that you pick up a copy of the book and that it is useful for you in securing your SQL Server environment.
By now hopefully everyone knows about AlwaysOn Availability Groups in SQL Server 2012 and the high availability options that they provide to databases. One problem with AlwaysOn Availability Groups when combined with third party applications is that the third party application may configure the connection string and not allow you to change it. When you want to install one of these third party applications within a SQL Server 2012 availability group this can give you some problems, as typically you would create the database and then add the database to the availability group. However this requires that you change the connection string, which in this case we are trying to avoid.
There is however some good news to this little problem. The good news in this case is that you can create a SQL Server availability group, which has an availability group listener, without putting any databases in it. This is done by creating the availability group without using the wizard that is available within SQL Server Management Studio. Instead of starting the wizard, select the “New Availability Group…” option from the Availability Group context menu as shown below.
This will allow you to create an Availability Group without any databases and with only a single replica. Once the availability group is created, the listener can be created for the availability group. The 3rd party application can then use the listener to connect to the database engine and create the database. Once created, the database can be added to the availability group, as can the additional replicas.
While using this technique is a lot harder than going through the wizard, as it requires that the database backups and restores be done manually and the configuration all be done by hand instead of through the handy wizard, it meets the requirement of the application, which is to not change the connection string.
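The context-menu route above is the SSMS way; the same sequence in T-SQL, as an added example that is not from the post, with constructed server names, listener address, share path and database name. It assumes the WSFC cluster and the database mirroring endpoints (port 5022) already exist on both nodes, and that the listener name and IP are free in DNS and on the subnet.

```sql
-- 1. On SQLNODE1 (the first and, for now, only replica): create the group with
--    no databases in it. The FOR DATABASE clause of CREATE AVAILABILITY GROUP is optional.
CREATE AVAILABILITY GROUP [AppAG]
FOR REPLICA ON
    N'SQLNODE1' WITH (
        ENDPOINT_URL      = N'TCP://sqlnode1.corp.example:5022',   -- constructed host
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE     = AUTOMATIC
    );

-- 2. Add the listener. This is the name the third-party installer is given in its
--    connection string, so the string never has to change afterwards.
ALTER AVAILABILITY GROUP [AppAG]
ADD LISTENER N'AppAGListener' (
    WITH IP ((N'10.0.0.50', N'255.255.255.0')),                   -- constructed address
    PORT = 1433
);

-- 3. The application installs through the listener and creates [AppDb] on its own.
--    Still on SQLNODE1: the database must be in FULL recovery with a full backup
--    taken before it can join a group. The backups also seed the secondary (step 5).
ALTER DATABASE [AppDb] SET RECOVERY FULL;
BACKUP DATABASE [AppDb] TO DISK = N'\\backupshare\AppDb.bak' WITH INIT;
BACKUP LOG      [AppDb] TO DISK = N'\\backupshare\AppDb.trn' WITH INIT;
ALTER AVAILABILITY GROUP [AppAG] ADD DATABASE [AppDb];

-- 4. Add the second replica to the group definition (run on SQLNODE1).
ALTER AVAILABILITY GROUP [AppAG]
ADD REPLICA ON
    N'SQLNODE2' WITH (
        ENDPOINT_URL      = N'TCP://sqlnode2.corp.example:5022',
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE     = AUTOMATIC
    );

-- 5. On SQLNODE2: join the group, restore the manual backups with NORECOVERY
--    (this is the by-hand seeding the post refers to), then join the database.
ALTER AVAILABILITY GROUP [AppAG] JOIN;
RESTORE DATABASE [AppDb] FROM DISK = N'\\backupshare\AppDb.bak' WITH NORECOVERY;
RESTORE LOG      [AppDb] FROM DISK = N'\\backupshare\AppDb.trn' WITH NORECOVERY;
ALTER DATABASE [AppDb] SET HADR AVAILABILITY GROUP = [AppAG];
```

Check sys.dm_hadr_database_replica_states on the primary afterwards; the secondary copy should report SYNCHRONIZED before the application is allowed to depend on the failover.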
The title of this post pretty much says it all. If you store sensitive data in a database you have to work under the assumption that someone is going to try and break into the system and steal that data. Thinking otherwise simply isn’t responsible as the developer and/or administrator of the system. By not encrypting your sensitive data, such as users’ logins and passwords, you could easily enough end up like Yahoo! did on July 11, 2012, with the usernames and passwords of all of the customers of a service being posted on the Internet for all to see.
Not only was this breach a major embarrassment for Yahoo! but it is a potential nightmare for their customers. If those customers (there were a few hundred thousand in the list) use the same email address and password on other websites they’ve now had the username and password for those other services leaked as well.
Now I know that best practice for Internet security says that every website should have a different password, but for the bulk of Internet users this simply isn’t going to happen. Among IT professionals the percentage of people that actually use a different password for each website is probably pretty close to zero. I know that I personally use dozens of different websites a month, and for most people that is probably pretty normal; between banks, credit card companies, Facebook, Twitter, work sites, Gmail, etc. that quickly gets up to dozens or hundreds of passwords which need to be remembered. There are plenty of password vault type applications, but general Internet users aren’t going to be using them. As IT professionals we need to remember that we are dealing with the general public, and the general public isn’t going to know that they need to do this, no matter how many times we talk about it within the IT field.
One reason that there is lots of unencrypted data out there is that converting older applications from using plain text data to encrypted data is pretty hard to do. There are lots of places within the application which need to be touched, and there are possibly lots of different applications which need to be updated all at once. Then there is the possibility of needing to take an outage to do the actual data change. What it comes down to is biting the bullet, taking the outage and making the change. It is well worth it to take the outage and encrypt all the data now, rather than have to worry about a data breach later.
There are lots of techniques which you can use to do this data encryption, too many to list in a single blog post, so look for blog posts from me later on how to handle this change. There are also plenty of consultants, including myself, who are happy to help with projects like this.
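For passwords specifically, the right form of this change is a salted one-way hash rather than reversible encryption: the application only ever needs to check a password, never read it back. The T-SQL below is an added example (not from the post) of the in-place conversion described above on a constructed legacy table, using CRYPT_GEN_RANDOM for a per-user salt and HASHBYTES with SHA2_512, which is what the database engine offers natively; an adaptive algorithm such as PBKDF2 or bcrypt applied in the application tier is stronger against offline guessing and should be preferred where the application can be changed.

```sql
-- Constructed legacy schema: clear-text passwords, the situation the post warns about.
CREATE TABLE dbo.AppUser (
    UserId       INT IDENTITY PRIMARY KEY,
    UserName     NVARCHAR(128) NOT NULL UNIQUE,
    PasswordText NVARCHAR(128) NOT NULL           -- clear text: the problem
);
INSERT dbo.AppUser (UserName, PasswordText)
VALUES (N'alice', N'correct horse'), (N'bob', N'hunter2');   -- constructed sample rows
GO
-- Step 1: add a per-user random salt and a column for the salted SHA-512 hash.
ALTER TABLE dbo.AppUser ADD
    PasswordSalt VARBINARY(32) NULL,
    PasswordHash VARBINARY(64) NULL;
GO
-- Step 2: populate them in place from the clear-text values (this is the outage window).
UPDATE dbo.AppUser SET PasswordSalt = CRYPT_GEN_RANDOM(32);
UPDATE dbo.AppUser
SET    PasswordHash = HASHBYTES('SHA2_512', PasswordSalt + CAST(PasswordText AS VARBINARY(256)));
GO
-- Step 3: once every application path verifies against the hash, drop the clear text
--         so a SQL Injection hole or a stolen backup no longer yields usable passwords.
ALTER TABLE dbo.AppUser DROP COLUMN PasswordText;
GO
-- Verification recomputes the hash with the stored salt; the supplied password is
-- never written anywhere. An unknown user gets the same answer as a wrong password.
CREATE PROCEDURE dbo.VerifyPassword
    @UserName NVARCHAR(128), @Password NVARCHAR(128), @IsValid BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @IsValid = CASE WHEN PasswordHash =
                HASHBYTES('SHA2_512', PasswordSalt + CAST(@Password AS VARBINARY(256)))
                THEN 1 ELSE 0 END
    FROM   dbo.AppUser
    WHERE  UserName = @UserName;
    SET @IsValid = ISNULL(@IsValid, 0);
END;
GO
DECLARE @ok BIT;
EXEC dbo.VerifyPassword N'alice', N'correct horse', @ok OUTPUT;   -- @ok = 1
EXEC dbo.VerifyPassword N'alice', N'hunter2',       @ok OUTPUT;   -- @ok = 0
```

Grant the application login EXECUTE on dbo.VerifyPassword rather than SELECT on dbo.AppUser, so even a query injected through the application cannot read the salt and hash columns directly.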