From: Monterey, Christina (Christina.Monterey_at_EIA.DOE.GOV)
Date: Thu Aug 15 2002 - 16:11:43 CDT

    Russ,

    If this is not a valid posting for BugTraq, please just let me know.

    I am concerned that there are internet web servers out there running un-patched
    versions of MSDE. This happens for 2 reasons:
    1) you don't think MSDE is vulnerable to SQL attacks.
    2) you can't get the service packs and security updates to install, so you leave
    MSDE as-is.

    More and more Windows database-dependent products require MSDE if you do not have
    a SQL server. If your server is a web server and running MSDE you need to install
    the service packs and security updates to protect this server. I know I had to
    call Microsoft to get help (and BTW, the guy I got at Microsoft Support was
    exceptionally helpful). With help, I did get the service packs and security
    fixes installed. I am posting this in an attempt to help anyone else having
    problems patching MSDE.

    (but, maybe I am the only one...if so, Russ, please don't even bother to post
    this!)

    FYI - my problem was that I did not run the setup file from a command prompt and
    specify the numeric install file (.MSI file). I chose to uninstall MSDE and
    reinstall it in this way. Then, I ran SQL SP2 from the command prompt and
    specified the numeric patch-install file (.MSP). I think it also helps to run the
    install of MSDE from a directory on the hard drive (not from a network share or a
    CD -- I also did this before the 2nd install). Non-DBAs may want to take the
    effort to get familiar with the osql utility too (runs Transact-SQL commands).
    To run the security update, you need to know the instance name for your MSDE
    install. The default instance name is MSSQLSERVER. If you are trying to install
    the post-SP2 security rollup for SQL 2000 on MSDE 2000, you probably need to get
    the new version of SERVPRIV.EXE from their support office.

    If you have an install of MSDE that was customized from a vendor, none of the
    info above may apply (sorry, you have to contact the vendor). This is because
    vendors can add "merge-modules" to MSDE and these modules can change all the
    rules.

    hope this helps,
    Chris Monterey
    EIA