Slammer Worm and SQL Server Network Protocols

From: Alan J. Post, Ph.D. (alan@VANBELKUM.COM)
Date: 01/30/03

    Date:         Thu, 30 Jan 2003 11:08:17 -0500
    From: "Alan J. Post, Ph.D." <alan@VANBELKUM.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I don't remember if this solution has been discussed before, but here's my
    two cents on the Slammer worm and SQL Server worms in general. Protecting
    against buffer overrun bugs such as this can be a problem when you have
    applications all over running MSDE that you are not aware of. It becomes
    even more difficult when you can't apply a patch because the software vendor
    doesn't support it. Here's the stance that I take whenever I run across a
    machine running SQL Server or MSDE.

    If the application using SQL Server or MSDE is running on the same machine,
    the best protocol for the app to use is Named Pipes. This is because Local
    Pipes (not Network Pipes) run in kernel mode on the local machine and are
    extremely fast. However, if network users need to access the instance of
    SQL Server, this is not the case (see SQL Server Books Online for more
    information on protocols). Anyway, if you find a machine running SQL
    Server/MSDE and that server is only accessed by a local application via
    Named Pipes, you can probably safely remove the TCP/IP protocol support from
    SQL Server. SQL Server will then stop listening on UDP port 1434 and should
    be safe from the Slammer and other similar worms. To disable TCP/IP, run the
    SQL Server Network Utility (svrnetcn.exe - location varies depending on your
    version and installation directory) and remove TCP/IP from the "Enabled
    Protocols" list. You will have to restart SQL Server for this to take
    effect. IMHO, this should be the default for programs that install MSDE for
    local database use.

    I do not claim to be a SQL Server expert, nor do I play one on TV. There may
    be holes in this scenario that I am unaware of, so please offer any other
    advice that you may have.

    Thanks.

    Alan J. Post, Ph.D.
    Chief Information Officer
    Van Belkum Companies, Inc.
    alan@vanbelkum.com (616) 974-8201 x141
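
Added example, not part of the original post: a small audit helper that reads Windows `netstat -an` output collected from a host and reports whether anything is still bound to UDP 1434 after the protocol change and service restart the post describes. The sample captures are constructed, and the check on TCP 1433 (SQL Server's default TCP port) is an addition the post does not mention.

```python
import re

# UDP 1434 is the port named in the post; TCP 1433 is added here as an assumption.
WATCHED = {("UDP", 1434), ("TCP", 1433)}

# Rows of Windows `netstat -an`: proto, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = ("127.", "[::1]")

def sql_listeners(netstat_text):
    """Return (proto, local_addr, port, network_reachable) for each watched socket."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, _remote, state = m.groups()
        port = int(port)
        if (proto, port) not in WATCHED:
            continue
        # Only listening TCP sockets count; UDP rows carry no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, addr, port, not addr.startswith(LOOPBACK)))
    return found

# Constructed sample: host with TCP/IP still in the "Enabled Protocols" list.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1433          10.0.0.9:3012          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1434           *:*
"""

# Constructed sample: same host after TCP/IP was removed and SQL Server restarted.
AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        print(label, sql_listeners(capture) or "no SQL Server network listeners")
```
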
