Re: Slammer Worm and SQL Server Network Protocols

From: Sufliarsky Richard (sufo@GRATEX.COM)
Date: 01/30/03

    Date:         Thu, 30 Jan 2003 18:36:57 +0100
    From: Sufliarsky Richard <sufo@GRATEX.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Unfortunately, it isn't a resolution.
    I have enabled only Named Pipes and my server was infected.
    When you disable TCP/IP, the server stops listening on TCP port 1433, but it is still listening on UDP port 1434.

    Richard Sufliarsky
    mailto:sufo@gratex.com
    Technology Consulting Group
    Gratex International
    http://www.gratex.com

    -----Original Message-----
    From: Alan J. Post, Ph.D. [mailto:alan@VANBELKUM.COM]
    Sent: 30 January 2003 17:08
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Slammer Worm and SQL Server Network Protocols

    I don't remember if this solution has been discussed before, but here's my
    two cents on the Slammer worm and SQL Server worms in general. Protecting
    against buffer overrun bugs such as this can be a problem when you have
    applications all over running MSDE that you are not aware of. It becomes
    even more difficult when you can't apply a patch because the software vendor
    doesn't support it. Here's the stance that I take whenever I run across a
    machine running SQL server or MSDE.

    If the application using SQL Server or MSDE is running on the same machine
    the best protocol for the app to use is Named Pipes. This is because Local
    Pipes (Not Network Pipes) run in Kernel mode on the local machine and are
    extremely fast. However, if network users need to access the instance of
    SQL Server this is not the case (see SQL Server books online for more
    information on protocols). Anyway, if you find a machine running SQL
    Server/MSDE and that server is only accessed by a local application via
    Named Pipes you can probably safely remove the TCP/IP protocol support from
    SQL Server. SQL server will then stop listening on UDP port 1434 and should
    be safe from the Slammer and other similar worms. To disable TCP/IP run the
    SQL Server Network Utility (svrnetcn.exe - location varies depending on your
    version and installation directory) and remove TCP/IP from the "Enabled
    Protocols" list. You will have to restart SQL Server for this to take
    effect. IMHO, this should be the default for programs that install MSDE for
    local database use.

    I do not claim to be a SQL server expert nor do I play one on TV. There may
    be holes in this scenario that I am unaware of so please offer any other
    advice that you may have.

    Thanks.

    Alan J. Post, Ph.D.
    Chief Information Officer
    Van Belkum Companies, Inc.
    alan@vanbelkum.com (616) 974-8201 x141

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
    with PROMO "TS0103" at www.2test.com. NO membership fees, certification
    good for 2 years. Price for international delivery just $296.25 US, with
    this offer. Offer cannot be combined with any other special and expires
    3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
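
A local check for the condition reported in the reply above (no TCP 1433 listener, UDP 1434 still bound), as an added example that is not part of either original message. It parses `netstat -an` output; the sample output is constructed, and the function names and result keys are hypothetical.

```python
import re

# Constructed `netstat -an` output from a host where TCP/IP was removed from
# SQL Server's enabled protocols: no TCP 1433 listener, UDP 1434 still bound.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:123          *:*
"""

# Proto, local address, local port, foreign address, optional state column.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}

def open_endpoints(netstat_text):
    """Return {(proto, port): [local addresses]} for listening/bound sockets."""
    found = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, addr, port, _foreign, state = m.groups()
        # TCP rows count only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.setdefault((proto, int(port)), []).append(addr)
    return found

def sql_exposure(netstat_text):
    """Summarise SQL Server endpoints; ignores any firewall in front of the host."""
    eps = open_endpoints(netstat_text)
    tcp = eps.get(("TCP", 1433), [])
    udp = eps.get(("UDP", 1434), [])
    return {
        "tcp_1433_listening": bool(tcp),
        "udp_1434_bound": bool(udp),
        "udp_1434_network_reachable": any(a not in LOOPBACK for a in udp),
        # The case from the reply: TCP/IP disabled, UDP 1434 still answering.
        "protocol_change_insufficient": bool(udp) and not tcp,
    }

if __name__ == "__main__":
    for key, value in sql_exposure(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

On a real host, pass the captured output of `netstat -an` to `sql_exposure` instead of the sample.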
