Re: SQL Server solutions going forward

From: Schmehl, Paul L (pauls@UTDALLAS.EDU)
Date: 01/26/03

    Date:         Sun, 26 Jan 2003 11:06:20 -0600
    From: "Schmehl, Paul L" <pauls@UTDALLAS.EDU>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    A lot of assumptions have been made, due to this crisis, about the laziness or even incompetence of network admins. Frankly, they've gotten me quite irritated. The blame for this mess falls squarely on the shoulders of Microsoft (for writing crappy software) and the perpetrator(s) who wrote and released this worm.

    People have speculated, "Why would someone open up port 1434 to the Internet?" "Why wouldn't admins patch their boxes in a timely manner?"

    The latter question is easily answered by the partial list that Russ provided. In some cases, admins didn't even *know* that SQL was running on a box, because it was some other app entirely. Who would have thought, for example, that Visio used SQL?

    The former question is naïve. Try working in education for a while. Most don't have firewalls, and if they do, the policy is close what you know is bad, not open what you know is safe. You may rest assured that most of edu now has port 1434/UDP closed and has a good strong argument for keeping it that way.

    If you really just feel compelled to blame the victims in this mess, blame the administrators/CEOs who wilt under political pressure and refuse to implement good strong security measures. A lot of us have been fighting this battle for a while now, and we will continue to, but we are swimming against a tide of tradition from a position of no power.

    Just because your little domain with three Linux boxes is immune to attack doesn't mean you have any comprehension of what it takes to "admin" a network of tens of thousands of computers, most of which you have no control over, and many of which have default installs because the "owners" aren't even aware that's a problem.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    http://www.utdallas.edu/~pauls/
    AVIEN Founding Member
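    A recurring point in this thread is that admins often did not know a SQL Server or MSDE instance was present at all, because another product had installed it. The following PowerShell script is an added inventory check, not part of the original post or of any product it mentions: it lists SQL Server-style services on the local machine and reports whether anything is bound to UDP port 1434, the port the message refers to. It assumes a Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later) so that Get-NetUDPEndpoint is available; the output labels and the "MSSQL*" service-name pattern are assumptions based on the default naming of SQL Server and MSDE services.

```powershell
# Added example (not from the original post): find SQL Server / MSDE instances
# an administrator may not know about, and check the UDP 1434 resolution port.
# Assumes Windows with the NetTCPIP module (Get-NetUDPEndpoint); run as admin
# so that owning-process details are visible.

function Get-SqlServiceInventory {
    # Assumption: SQL Server and MSDE services are named MSSQL$<instance>,
    # MSSQLSERVER or SQLAgent$<instance>; other products may use other names.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'MSSQL*' -or $_.Name -like 'SQLAgent*' } |
        Select-Object Name, State, StartMode, PathName
}

function Get-Udp1434Listeners {
    # Anything bound to UDP 1434 is the SQL resolution service (or something
    # impersonating it); report the owning process so it can be identified.
    Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
}

$services  = Get-SqlServiceInventory
$listeners = Get-Udp1434Listeners

"SQL-related services found: $(@($services).Count)"
$services | Format-Table -AutoSize

if ($listeners) {
    "UDP 1434 is bound on this host:"
    $listeners | Format-Table -AutoSize
} else {
    "Nothing is listening on UDP 1434 on this host."
}
```

    A host that shows a running MSSQL$ service it was not expected to have, or a UDP 1434 binding on a machine that is not meant to be a database server, is exactly the kind of silent install the message describes; the cheap fix at the network edge is to keep 1434/UDP closed inbound regardless of what the inventory finds.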



