From: Chip Andrews (chip_at_SQLSECURITY.COM)
Date: Thu Jan 30 2003 - 11:55:55 CST
Alan,
The problem with that solution is that it does not produce the desired
effect.
Removing the TCP/IP netlib alone does NOT stop the SQL Resolution Service on
UDP 1434 from listening or responding, as evidenced by the following
SQLPing output, taken even after configuring the server to Named Pipes only:
Response from 192.168.10.115
-----------------------------
ServerName : BASEREM2
InstanceName : MSSQLSERVER
IsClustered : No
Version : 8.00.194 (Keep in mind that this version is never current as
reported by MSSQL- It always returns the base version)
np : \\BASEREM2\pipe\sql\query
If you want the server to stop responding to UDP 1434 queries you should
disable ALL netlibs on the SQL Server instance. This will force all local
connection attempts to use the Shared Memory netlib (an oxymoron). This
netlib will only work for instances installed on the same machine, but it is
even faster and more efficient than your named pipes solution since no
network-layer calls are used at all.
Chip Andrews
www.sqlsecurity.com
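A way to verify Chip's point on a server you administer, added here as an example and not part of the original thread: it sends the same single-byte CLNT_UCAST_EX request that SQLPing sends to UDP 1434 and parses the SVR_RESP reply into the fields shown above. The sample reply is constructed to match the SQLPing output in the message; the host and timeout values are assumptions.

```python
import socket

# MC-SQLR (SQL Server Resolution Protocol) on UDP 1434
SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "list every instance on this host" request
SVR_RESP = 0x05           # first byte of every server reply

def parse_ssrp_response(packet):
    """Turn a SVR_RESP datagram into one dict per instance.

    Layout: 0x05, 2-byte little-endian body length, then ASCII text of
    ';'-separated key/value pairs, each instance terminated by ';;'.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    length = int.from_bytes(packet[1:3], "little")
    body = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue                       # trailing empty chunk
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def named_pipes_only(instance):
    """True when the reply advertises a pipe but no TCP endpoint, i.e. the
    exact situation in the SQLPing output: TCP/IP netlib removed, yet the
    resolution service still answers on UDP 1434."""
    return "np" in instance and "tcp" not in instance

def probe_udp_1434(host, timeout=2.0):
    """Return the parsed instance list if host answers on UDP 1434,
    or None if it stays silent (all netlibs disabled, or filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssrp_response(data)

# Constructed reply matching the BASEREM2 output quoted in the message.
SAMPLE_BODY = ("ServerName;BASEREM2;InstanceName;MSSQLSERVER;IsClustered;No;"
               "Version;8.00.194;np;\\\\BASEREM2\\pipe\\sql\\query;;")
SAMPLE_RESPONSE = (bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little")
                   + SAMPLE_BODY.encode("ascii"))
```

Run `probe_udp_1434("192.168.10.115")` against your own server after the change; a reply that is not `None` means UDP 1434 is still listening.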
----- Original Message -----
From: "Alan J. Post, Ph.D." <alan_at_VANBELKUM.COM>
To: <NTBUGTRAQ_at_LISTSERV.NTBUGTRAQ.COM>
Sent: Thursday, January 30, 2003 11:08 AM
Subject: Slammer Worm and SQL Server Network Protocols
> I don't remember if this solution has been discussed before, but here's my
> two cents on the Slammer worm and SQL Server worms in general. Protecting
> against buffer overrun bugs such as this can be a problem when you have
> applications all over running MSDE that you are not aware of. It becomes
> even more difficult when you can't apply a patch because the software vendor
> doesn't support it. Here's the stance that I take whenever I run across a
> machine running SQL server or MSDE.
>
> If the application using SQL Server or MSDE is running on the same machine
> the best protocol for the app to use is Named Pipes. This is because Local
> Pipes (Not Network Pipes) run in Kernel mode on the local machine and are
> extremely fast. However, if network users need to access the instance of
> SQL Server this is not the case (see SQL Server books online for more
> information on protocols). Anyway, if you find a machine running SQL
> Server/MSDE and that server is only accessed by a local application via
> Named Pipes you can probably safely remove the TCP/IP protocol support from
> SQL Server. SQL server will then stop listening on UDP port 1434 and should
> be safe from the Slammer and other similar worms. To disable TCP/IP run the
> SQL Server Network Utility (svrnetcn.exe - location varies depending on your
> version and installation directory) and remove TCP/IP from the "Enabled
> Protocols" list. You will have to restart SQL Server for this to take
> effect. IMHO, this should be the default for programs that install MSDE for
> local database use.
>
> I do not claim to be a SQL server expert nor do I play one on TV. There may
> be holes in this scenario that I am unaware of so please offer any other
> advice that you may have.
>
> Thanks.
>
> Alan J. Post, Ph.D.
> Chief Information Officer
> Van Belkum Companies, Inc.
> alan_at_vanbelkum.com (616) 974-8201 x141
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time
Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com. NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer. Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo