Re: some thoughts on the Slammer fiasco
From: Hal Berenson (haroldb@truemountainconsulting.com)
Date: 01/26/03
- Next message: Hal Berenson: "Re: Windows Update for SQL Server"
- Previous message: Jerry Bryant [MSFT]: "Critical Alert Update - W32.Slammer"
- In reply to: Sid: "some thoughts on the Slammer fiasco"
- Next in thread: rip: "some thoughts on the Slammer fiasco"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Hal Berenson" <haroldb@truemountainconsulting.com>
Date: Sun, 26 Jan 2003 10:05:10 -0800
Sid,
You make the assumption that everyone using SQL Server is running a big IT
shop. That's not the case. MILLIONS of people are running SQL Server on
their desktops, on small multi-purpose servers in their homes, or embedded
inside applications where they have little or no idea it is even present.
Of course you won't find Oracle in these environments, it's virtually
incapable of existing in an environment that doesn't have a full-time
professional DBA. SQL Server is designed to fit into situations from a
professionally-managed enterprise IT environment all the way down to being
embedded inside an application running on your grandmother's desktop. So in
the newsgroup we need to expect a wide variation in the environments people
will have SQL Server and in their expertise.
A software firewall is a perfectly fine answer for a home, or even SOHO,
environment. And they are generally far more capable than the low-cost
NAT-style hardware firewalls that you'd typically purchase for these
environments. Personally, I like the combination (a firewall built into my
router plus a software firewall on each machine, primarily to block trojan
horses).
On one front I agree with you. Here we have a DoS attack that was TRIVIALLY
preventable by (a) following the generally recommended practice of setting
your firewall to block all ports that you don't explicitly need to open OR
(b) installing a patch that has been available for 6 months. I understand
how the complexities of IT shops (vendor software compatibility, change
control policies, staffing limitations) can make installing patches
difficult, but I'll bet that was the "justification" in fewer than 5% of the
impacted installations. And, in installations with rigid policies around
installing new software, you'd expect to have found the most stringent
policies about blocking ports at the firewall! So, in something close to
100% of IT-managed SQL Server installations there was no excuse for Slammer
to have succeeded.
On another front, Microsoft clearly has to do better (and is trying to).
Distributing SQL security patches through Windows Update would dramatically
increase the likelihood that they are installed even in installations without a
professional DBA. Using a real installer for these patches (as opposed to
forcing you to manually copy files) would make it more likely customers
installed them. Hopefully Microsoft is working on both of those. Most
importantly, Microsoft has to become more pro-active in keeping these bugs
out of circulation in the first place. SP3 is a good start on that path,
where Microsoft spent months doing code and design reviews and fixing
potential security problems. Their security effort applies to all future
versions, so that should dramatically reduce the need for security patches.
After another couple of weeks for any SP3 problems to shake out, there
really should be an aggressive effort to get sites to adopt it whether they
seem to need it or not.
-- Hal Berenson
True Mountain Consulting

"Sid" <gotmail@aol.com> wrote in message news:eTNsOqVxCHA.1620@TK2MSFTNGP11...
>
> These are my thoughts regarding some of the moronic posts seen here
> recently.
>
> WTF are you running a software firewall on an SQL box for? SQL should stand
> alone. And please buy a hardware firewall.
>
> Here is a question someone running Oracle would not ask: "Can (software
> firewall of your choice) block port X?"
>
> I am an SQL Server DBA and quite frankly ashamed of the low level of
> knowledge and lack of willingness to keep up with simple security updates on
> the part of the losers here whining about how to keep their servers safe.
> Either learn how to play, or get off the field. And people wonder why SQL
> Server DBAs make less than a DBA for Oracle, DB2, Sybase, etc.
>
> "But it was sooo easy to install, I clicked next. I'm safe now, right?"
> Personally, I hope the IT slump goes on for 5 more years to weed out
> wannabes like the people here.
>
> Sid
>
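Hal's point (a) is "block every port you don't explicitly need open", and his point (b) is "get SP3 on". The quickest way to check both from the outside is to ask the SQL Server Resolution Service itself, the UDP 1434 listener that Slammer spread through. The following is an added example written for this archive, not code from the thread or from Microsoft: it sends the standard one-byte SSRP "list instances" request and parses the reply, which names every instance and its build number. The port, the request byte and the response layout (0x05, a little-endian length, then semicolon-separated fields) are taken from the MC-SQLR protocol description as I recall it; the host name `DBHOST` and the two instances in `SAMPLE_RESPONSE` are constructed so the parser can be exercised offline, and the build numbers 8.00.194 (RTM) and 8.00.760 (SP3) are from memory of SQL Server 2000 release builds, not from the post.

```python
"""Probe a host for SQL Server Resolution Service (SSRP) replies on UDP 1434.

If a host answers from across a firewall boundary, the port that Slammer
used is reachable and point (a) of the post has not been done; if an
instance reports a build below 8.00.760, SP3 is not on it and point (b)
has not been done either.
"""
from __future__ import annotations

import socket
import sys

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"      # SSRP request: enumerate all instances on the host
SVR_RESP = 0x05              # first byte of an SSRP server response
SP3_BUILD = (8, 0, 760)      # SQL Server 2000 SP3 build (from memory, not the thread)


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Turn one SVR_RESP datagram into a list of {field: value} dicts.

    Layout: 0x05, uint16 little-endian payload length, then ASCII text of
    ';'-separated key/value pairs, with ';;' terminating each instance.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.strip(";").split(";")
        if len(fields) < 2:
            continue                      # trailing empty chunk after the last ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def sp3_or_later(version: str) -> bool:
    """True when a reported 'Version' string is at or above the SP3 build."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    return parts >= SP3_BUILD


def exposure_report(instances: list[dict[str, str]]) -> list[str]:
    """One line per instance: name, build, and whether SP3 is missing."""
    lines = []
    for inst in instances:
        name = inst.get("InstanceName", "?")
        version = inst.get("Version", "?")
        state = "SP3 or later" if sp3_or_later(version) else "PRE-SP3, patch it"
        lines.append(f"{name} {version} {state}")
    return lines


def probe(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send CLNT_UCAST_EX to host:1434 and parse whatever comes back.

    An empty list means no reply within the timeout: the port is filtered,
    the service is off, or the datagram was dropped. Any reply at all means
    UDP 1434 is open from wherever this script is running.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


# Constructed sample reply: two instances on a hypothetical host, one at RTM
# and one at SP3. This is made-up test data, not a captured packet.
_PAYLOAD = (
    b"ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;;"
    b"ServerName;DBHOST;InstanceName;ACCOUNTING;IsClustered;No;"
    b"Version;8.00.760;tcp;2433;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_PAYLOAD).to_bytes(2, "little") + _PAYLOAD


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = probe(sys.argv[1])
        if not found:
            print(f"{sys.argv[1]}: no SSRP reply on UDP {SSRP_PORT} (filtered or off)")
        for line in exposure_report(found):
            print(line)
    else:
        for line in exposure_report(parse_ssrp_response(SAMPLE_RESPONSE)):
            print(line)
```

Run it with no arguments to see the parser work on the constructed sample; run it with a host name from a machine on the far side of the firewall to test the real thing. Nothing here is an attack: the one-byte request is the same one the SQL Server client libraries send to find a named instance, so if it gets an answer from the Internet side, the worm's packet would have too.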