@Dashrender said in SQL security over the LAN:
Setup a TS and run the app from there. RDP into TS.
we already do that for half the users.
@tonyshowoff said in SQL security over the LAN:
@Donahue said in SQL security over the LAN:
Ok, so I have this vulnerability. Short of stopping use of this application, what can be done to mitigate the risk this presents?
Not if the application does not have it built in, such as TLS/SSL connections. There are ways to mitigate it over the network such as a tunnel between the client and server, but on the client there's no defence at all, and that's really your vulnerable part.
that's what I thought.
I'm trying SQL injections now
@travisdh1 said in What Are You Doing Right Now:
@Donahue said in What Are You Doing Right Now:
I just got my new host from xByte.
Specs for all us hardware nerds?
R740XD
Single Gold 6130
384GB Ram
H740P
(5) 3.84TB PM1633a's in Raid 6
(2) Intel X710 10GB cards with 2 SFP+ ports each
plus the normal Dell stuff.
@tonyshowoff said in SQL security over the LAN:
@Dashrender said in SQL security over the LAN:
@tonyshowoff said in SQL security over the LAN:
@Donahue said in SQL security over the LAN:
I don't know if this is to be expected, but a lot of the traffic is also smb2
Since SQL Server 2008 you can use SQL over SMB2 rather than just TCP/IP or named pipes or shared memory. So I imagine that's how they're doing it, seems like needless overhead but based on everything else that's to be expected.
Curious - why would you want to do it over SMB?
It's sort of pseudo-configureless, you need not worry about ports or IPs and just go by name. The other side of that is you have to deal with SMB locking and other problems and it slows things down sometimes significantly.
plus, it probably ties the customer in tighter into the MS ecosystem.
so more digging. I have found both the SA password and my application password being passed encrypted, I did not find any clear text versions of those. Man, there is a lot of extra junk that goes over the wire. Simple actions in the application generate a lot of requests to SQL, for stuff that isn't even related to the request. Other times, it gets a lot of data that may be too much from a security standpoint. When I open one of my timecards, it pulls a list of every employee for example. It probably does this to cache it or something, but that seems unnecessary.
I tried several things to try and see if I could gain confidential information based just on what was already traveling over the wire. There is some good news and bad news. The good news seems to be that it appears like all numeric or date type fields are obscured or encrypted in some way. I see a lot of "dummyTS" and "dummy textptr" where the results from those columns should be. This means that when I look up things like payroll, I cannot see actual amounts. But the bad news is that all string types look to be sent in the clear, so with the payroll example, I would be able to see if someone had to pay child support, just not how much. It got worse when I checked my employee record. I can see basically all of my personal information including SSN and full bank details because we use optional direct deposit.
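The pattern described in the post above (credentials encrypted, query strings readable) is what a TDS session looks like when the PRELOGIN handshake settles on ENCRYPT_OFF: TLS then covers only the LOGIN7 packet, and everything after it is plain TDS. A defender can confirm this from a capture of port 1433 traffic by reading the ENCRYPTION option in the client's PRELOGIN and the server's PRELOGIN response, since the server's answer reflects the outcome of the negotiation. The script below is an added example, not code from the thread or from the application being discussed; it assumes the raw TDS packets (the TCP payload) are already available as bytes, and the packets it checks are constructed inline by `build_prelogin()` rather than taken from a real capture.

```python
"""Audit whether a TDS (SQL Server) session negotiated full-session TLS.

Added example for this thread. Works on raw TDS PRELOGIN packets (the TCP
payload, normally on port 1433). Sample packets are constructed below.
"""
import struct

TDS_PRELOGIN = 0x12      # TDS packet type for PRELOGIN
OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_INSTOPT = 0x02
OPT_THREADID = 0x03
OPT_TERMINATOR = 0xFF

# Values of the one-byte ENCRYPTION option (MS-TDS).
ENCRYPT_NAMES = {
    0x00: "ENCRYPT_OFF",      # TLS for the LOGIN7 packet only; queries/results in clear
    0x01: "ENCRYPT_ON",       # TLS for the whole session if the peer agrees
    0x02: "ENCRYPT_NOT_SUP",  # no TLS at all
    0x03: "ENCRYPT_REQ",      # TLS required for the whole session
}


def parse_prelogin_options(packet: bytes) -> dict:
    """Return {option_token: option_bytes} from a TDS PRELOGIN packet."""
    if len(packet) < 8:
        raise ValueError("short TDS header")
    # 8-byte TDS header: type, status, length (big-endian), SPID, packet id, window
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet (type 0x{ptype:02x})")
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    payload = packet[8:]          # option offsets are relative to the payload start
    options = {}
    pos = 0
    while True:
        if pos >= len(payload):
            raise ValueError("missing option terminator")
        token = payload[pos]
        if token == OPT_TERMINATOR:
            break
        if pos + 5 > len(payload):
            raise ValueError("truncated option header")
        offset, olen = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + olen > len(payload):
            raise ValueError("option data outside payload")
        options[token] = payload[offset:offset + olen]
        pos += 5
    return options


def encryption_setting(packet: bytes) -> str:
    """Name of the ENCRYPTION value carried in a PRELOGIN packet."""
    data = parse_prelogin_options(packet).get(OPT_ENCRYPTION)
    if data is None or len(data) != 1:
        raise ValueError("PRELOGIN has no well-formed ENCRYPTION option")
    return ENCRYPT_NAMES.get(data[0], f"UNKNOWN(0x{data[0]:02x})")


def audit_session(client_prelogin: bytes, server_prelogin: bytes) -> dict:
    """Report both sides' settings and whether query data will travel in clear.

    The server's PRELOGIN response carries the negotiated result: OFF means
    login-only TLS, NOT_SUP means none, ON/REQ means the whole session.
    """
    client = encryption_setting(client_prelogin)
    server = encryption_setting(server_prelogin)
    in_clear = server in ("ENCRYPT_OFF", "ENCRYPT_NOT_SUP")
    return {"client": client, "server": server, "query_data_in_clear": in_clear}


def build_prelogin(encryption: int) -> bytes:
    """Constructed PRELOGIN packet (VERSION, ENCRYPTION, INSTOPT, THREADID)."""
    option_data = [
        (OPT_VERSION, bytes([0x0C, 0x00, 0x07, 0xD0, 0x00, 0x00])),  # constructed version
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),                                      # empty instance name
        (OPT_THREADID, struct.pack("<I", 0x1234)),                   # constructed thread id
    ]
    tokens, data = b"", b""
    offset = 5 * len(option_data) + 1                               # option table + terminator
    for token, d in option_data:
        tokens += struct.pack(">BHH", token, offset, len(d))
        offset += len(d)
        data += d
    payload = tokens + bytes([OPT_TERMINATOR]) + data
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


if __name__ == "__main__":
    # A default client talking to a server without "Force Encryption": login-only TLS.
    print(audit_session(build_prelogin(0x00), build_prelogin(0x00)))
    # Client asks for TLS and the server requires it: whole session encrypted.
    print(audit_session(build_prelogin(0x01), build_prelogin(0x03)))
```

Feeding real packets in means taking the first TDS packet from each direction of a port 1433 stream; if the server side reports ENCRYPT_OFF or ENCRYPT_NOT_SUP, the session's result sets (including the string columns the post found readable) are not protected by TLS, and the fix is either "Force Encryption" on the server side or a tunnel between client and server, as suggested earlier in the thread.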
I recently saw the trailer for the live action Aladdin.
@NerdyDad said in Non-IT News Thread:
"But players can forget buying property. They can't afford that anyway." Sounds about right. Can they add a part about crippling student loans? that would make it authentic, doubly so if they can get a degree in a field that has no job prospects.
@scottalanmiller no, since we talked about it the last time, I don't feel like this a limitation any more, or at least not nearly to the degree that I used to. I am at the point where if I think we need a solution that I think of as "cloud", or if I think someone else would think of it as "cloud", then I am going to pursue it anyways. I've earned a lot of leverage and my opinion holds a lot of respect within my company now because I have demonstrated that I try and approach everything from a business perspective. A lot of it is just the trust they have in me. So for me personally, I no longer feel burdened by this, but it has been the company's historical position.
they still want windows to look good at 800x600
how many people, especially the millennials and younger, are so careless about what they do post online? That's probably even worse than having no online presence. How many people lose out on good opportunities in life, because of what their online selves showcase about their lives, good or bad?
It reminds me of the idea of what is worse, bad credit or no credit?
@NerdyDad said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@Donahue LOL, yes.
Heh, more like behind you and to the left a little bit.
back, and to the left
In my case however, I have heard many times in discussions with more than one person, where person A mentions the word 'cloud' and person B says something like "we can never do that", and it was never me bringing it up. I don't generally bring it up, because then I would be forced to break their preconceived notions and likely have a much more detailed and technical conversation than either of us would want.
My point was that the OP is probably getting an uneducated requirement from his client, and there is probably not a good way to meet the requirement that would be universally agreed upon by people who were educated, and probably not even by the non-tech crowd. Instead of trying to work around an arguably nonsensical requirement, I think it may be more beneficial to steer the conversation to the heart of the matter and discover the reason for the requirement. I find this a lot, not just in IT, that people ask for one thing, but really want something else, or think they want something because they don't really understand it. It happens to the best of us.
@scottalanmiller is it going to be more like this?
having no personal experience with full VDI, but understanding the basic principles of it, my question is this. Why does the user need to care if the computation is happening locally or remotely? The average PC user in my experience interacts almost exclusively with the keyboard, mouse, and monitor(s). I see the advantages in VDI, but I don't think it would be common for non-tech users to appreciate the reasons why they are assigned a thin client vs a thick. To me, VDI seems like a decision based on business or IT goals, and the experience, if done right, should be transparent to the user anyways.
I think most of us agree that the OP's requirements seem to eliminate virtually all options, based on the way we interpret the definition of the terms. I would go further and ask where this requirement was coming from. This sounds like the client's management throwing a blanket statement out there because there is a fundamental lack of understanding about modern computing and how intermingled everything is today. The lines between thick and thin, PC and magic box can be very fuzzy.
I have a similar situation at work where my management has historically had a flawed understanding of what "the cloud" is, to the point where it has been a forbidden word in some conversations. Explaining to them that we basically already have a private cloud does not seem to matter to them because they don't want to take the time or effort to understand the technology and realize all the ways that it can benefit us. This type of mentality makes it easy to push through bad requirements that either push inappropriate solutions, or reject appropriate solutions, because of buzzwords or something their buddy's uncle told them.