Re: [Full-Disclosure] SQL Server patch - why doesn't Windows update help?

From: Darren Reed (avalon@coombs.anu.edu.au)
Date: 01/30/03

    From: Darren Reed <avalon@coombs.anu.edu.au>
    To: netw3_security@hushmail.com
    Date: Fri, 31 Jan 2003 09:22:40 +1100 (Australia/ACT)
    

    > Windows Update does not cover SQL Server. You need to use the Microsoft
    > Baseline Security Analyzer if you are looking for an automated method
    > in this case. MBSA handles a few things that WU does not, for instance
    > SQL Server, and Exchange. Admins sometimes become complacent, thinking
    > that "I run Windows Update and so now I'm secure". WU helps, but is only
    > a piece of the Windows patching pie. MBSA is useful, although I've found
    > that it misreports a variety of items, so you still have to be vigilant.

    Well, I downloaded MBSA and from the start it did not make a good
    impression. I asked the installer not to put an icon on the desktop
    and what does it do? Put an icon on the desktop.

    As for running it, did it help? No.

    I got "Could not perform the security update scan." as a result for the
    "Security Update Scan Results" for "Windows Security Updates",
    "SQL Server Security Updates", "Windows Media Player Security Updates"
    and "Exchange Server Security Updates". IIS it realised wasn't installed,
    but why wasn't it intelligent enough to work out Exchange wasn't either?

    Having said that, it did do an SQL server scan but failed to say that
    the patch was missing, only that a bunch of SQL server settings were
    problematic. Does this mean I have installed the patch but in stealth
    mode where "Add/Remove Programs" doesn't show it?

    It also didn't like the idea of me defining my own security zones and
    using them (Custom) in preference to High, etc. mmm, Higher security.

    Darren
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
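The question raised in the message above, whether a SQL Server patch is present when neither MBSA nor "Add/Remove Programs" says so, is usually settled by asking the server itself: `SELECT @@VERSION` (or `SERVERPROPERTY('ProductVersion')`) reports the build number, and a patch bulletin states the build that carries the fix. The following script is an added example, not part of the original post or of MBSA; the version banner it parses is a constructed sample, and the minimum build it compares against is a placeholder that you would replace with the build named in the bulletin for the patch you are verifying.

```python
import re
from typing import Optional, Tuple

# Constructed sample of an `@@VERSION` banner in the SQL Server 2000 layout.
# The build number and date are made up for this example, not from a real host.
SAMPLE_VERSION_BANNER = (
    "Microsoft SQL Server  2000 - 8.00.534 (Intel X86)\n"
    "\tNov 19 2001 13:23:50\n"
    "\tCopyright (c) 1988-2000 Microsoft Corporation\n"
    "\tStandard Edition on Windows NT 5.0 (Build 2195: Service Pack 3)"
)

# PLACEHOLDER: the lowest build that contains the fix being checked for.
# Take the real value from the vendor bulletin; this triple is assumed.
MIN_PATCHED_BUILD: Tuple[int, int, int] = (8, 0, 760)

# The product build appears as major.minor.build; the OS "Build 2195" and the
# timestamp in the banner do not match this shape, so the first hit is the one we want.
_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, build) from a version banner, or None if absent."""
    m = _BUILD_RE.search(banner)
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def is_patched(banner: str,
               minimum: Tuple[int, int, int] = MIN_PATCHED_BUILD) -> bool:
    """True only when the reported build is provably at or above `minimum`.

    Anything we cannot parse, or a different major.minor line (e.g. SQL Server
    7.0 against a 2000-era threshold), is reported as not patched so that an
    inventory never marks a host safe on missing evidence.
    """
    build = parse_build(banner)
    if build is None:
        return False
    if build[:2] != minimum[:2]:
        return False
    return build >= minimum


if __name__ == "__main__":
    build = parse_build(SAMPLE_VERSION_BANNER)
    print("reported build:", build)
    print("at or above patched build:", is_patched(SAMPLE_VERSION_BANNER))
```

Run it against the banner captured from each instance (for example, the output of `osql -E -Q "SELECT @@VERSION"` saved to a file) and treat the product build, not the presence of an entry in Add/Remove Programs, as the evidence that the patch is installed.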


