From: Sufliarsky Richard (sufo_at_GRATEX.COM)
Date: Thu Jan 30 2003 - 11:36:57 CST


    Unfortunately it isn't a resolution.
    I have enabled only Named Pipes and my server was infected.
    When you disable TCP/IP, the server stops listening on TCP port 1433 but it is still listening on UDP port 1434.

    Richard Sufliarsky
    mailto:sufogratex.com
    Technology Consulting Group
    Gratex International
    http://www.gratex.com

    -----Original Message-----
    From: Alan J. Post, Ph.D. [mailto:alanVANBELKUM.COM]
    Sent: 30 January 2003 17:08
    To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
    Subject: Slammer Worm and SQL Server Network Protocols

    I don't remember if this solution has been discussed before, but here's my
    two cents on the Slammer worm and SQL Server worms in general. Protecting
    against buffer overrun bugs such as this can be a problem when you have
    applications all over running MSDE that you are not aware of. It becomes
    even more difficult when you can't apply a patch because the software vendor
    doesn't support it. Here's the stance that I take whenever I run across a
    machine running SQL server or MSDE.

    If the application using SQL Server or MSDE is running on the same machine
    the best protocol for the app to use is Named Pipes. This is because Local
    Pipes (Not Network Pipes) run in Kernel mode on the local machine and are
    extremely fast. However, if network users need to access the instance of
    SQL Server this is not the case (see SQL Server books online for more
    information on protocols). Anyway, if you find a machine running SQL
    Server/MSDE and that server is only accessed by a local application via
    Named Pipes you can probably safely remove the TCP/IP protocol support from
    SQL Server. SQL server will then stop listening on UDP port 1434 and should
    be safe from the Slammer and other similar worms. To disable TCP/IP run the
    SQL Server Network Utility (svrnetcn.exe - location varies depending on your
    version and installation directory) and remove TCP/IP from the "Enabled
    Protocols" list. You will have to restart SQL Server for this to take
    effect. IMHO, this should be the default for programs that install MSDE for
    local database use.

    I do not claim to be a SQL server expert nor do I play one on TV. There may
    be holes in this scenario that I am unaware of so please offer any other
    advice that you may have.

    Thanks.

    Alan J. Post, Ph.D.
    Chief Information Officer
    Van Belkum Companies, Inc.
    alanvanbelkum.com (616) 974-8201 x141

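A check for the behaviour reported in the reply, as an added example that is not from either poster: it parses Windows `netstat -an` output and reports whether TCP 1433 or UDP 1434 is still bound after the protocol change. Both netstat samples are constructed to match what the reply describes, and the function names are this example's own.

```python
import re

# Ports named in the thread: TCP 1433 (SQL Server TCP/IP) and UDP 1434.
WATCHED = {("TCP", 1433), ("UDP", 1434)}
LOOPBACK = ("127.", "[::1]")
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

# Constructed samples (not captured from a real host). BEFORE: default
# protocols enabled. AFTER: TCP/IP removed, as the reply describes.
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        192.0.2.50:3021        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
"""

def sql_listeners(netstat_text):
    """Return sorted (proto, port, local_addr, network_reachable) rows."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, addr, port, state = m[1], m[2], int(m[3]), m[4]
        # TCP rows count only when LISTENING; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        if (proto, port) in WATCHED:
            found.add((proto, port, addr, not addr.startswith(LOOPBACK)))
    return sorted(found)

def network_exposed(netstat_text):
    """Labels such as 'UDP/1434' for watched ports bound off-loopback."""
    return [f"{p}/{n}" for p, n, _, reachable in sql_listeners(netstat_text)
            if reachable]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, network_exposed(text) or "no SQL Server ports bound")
```

Run it against real `netstat -an` output after restarting SQL Server; any remaining `UDP/1434` entry means the protocol change alone did not close the port.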