[dba-SQLServer]IP Connection to SQL

Mwp.Reid at Queens-Belfast.AC.UK
Thu Apr 17 16:36:45 CDT 2003


This is my bounce from the SQL list, but this is THE site to read up on this stuff:

http://www.sqlsecurity.com/DesktopDefault.aspx

Kill the sa account and block the port. First two REAL WORLD STEPS TO TAKE.

Martin


Quoting "Jim Lawrence (AccessD)" <accessd at shaw.ca>:

> Hi Francisco:
> 
> Thanks for your input. I have heard so much discussion one way or the other that I simply do not know what to believe. My particular comments were gleaned from a conversation with a systems fellow from MS itself. Of course, a person on contract to MS is going to support the product, but I did not feel he was giving their product a blank cheque, so to speak, but really felt that leaving the ports alone was correct. If you find more information to the contrary or supporting facts, I would be greatly appreciative. I may be setting up another site in the near future and will need to make some important decisions.
> 
> Jim
> 
> -----Original Message-----
> From: dba-sqlserver-bounces at databaseadvisors.com
> [mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of
> Francisco H Tapia
> Sent: Wednesday, April 16, 2003 2:56 PM
> To: dba-sqlserver at databaseadvisors.com
> Subject: Re: [dba-SQLServer]IP Connection to SQL
> 
> 
> This is one area where you can disagree all you like, but it is a common practice by most SQL Server DBAs (just check out sqlservercentral.com or sswug.org). Changing the port that SQL Server listens on (1433) to anything else helps avoid your most common attacks by "drive-by hackers", if you will. Plus Arthur mentioned that this was for a customer of his, so it's doubtful that a game port would be acceptable in that environment.
> 
> -Francisco
> http://rcm.netfirms.com
> 
> On Wednesday, April 16, 2003 1:42 PM [GMT-8],
> Jim Lawrence (AccessD) <accessd at shaw.ca> wrote:
> 
> : Hi Arthur:
> :
> : The port 1433 is only dangerous if you have not upgraded the appropriate SQL patch. No port number is not vulnerable, because most intruders simply scan all ports when attempting to gain access. It is not worth trying to change the port value, as the port number might be used by some other product, like a game. Also, all the clients would have to be set up individually, as they will automatically be expecting to access the SQL server through that 1433 port number.
> :
> : I personally would not waste my time with changing port numbers for security, but I would turn off the SQL login 'sa' and set up strong server-side NT authentication.
> :
> : My thoughts
> : Jim
> :
> : -----Original Message-----
> : From: dba-sqlserver-bounces at databaseadvisors.com
> : [mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Arthur Fuller
> : Sent: Wednesday, April 16, 2003 12:01 PM
> : To: dba-sqlserver at databaseadvisors.com
> : Subject: RE: [dba-SQLServer]IP Connection to SQL
> :
> :
> ::: Yes, this is exactly what happens, w/ SQL Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened, in this case 1433. What is dangerous about this situation is that port 1433 is a commonly known port which hackers and script kiddies can use to infiltrate said network.
> :
> : What if I use a different port number?
> :
> : Even if I don't, will it matter? In client 1's case, I can see the whole SQL database, but only because I have privileges. I can't see any other machines, or any drives on the server, or anything but the database itself. And I can only get into that with the appropriate uid and pswd. So where's the threat? Automated manufacture of logins+pswds?
> :
> : Again, since I know nothing about this level of technology, this might be a really stupid question, but so be it :-)
> :
> : Imagine, if you will, 3 roles: webUser, Data-Entry and Manager. All that is already set up in SQL. Suppose we tell the router to listen on some different port. I think there are port-sniffers or whatever they're called, but still, if the router simply forwards the incoming traffic to SQL and the traffic fails SQL authentication, where's the risk?
> :
> : A.
> :
> : -----Original Message-----
> : From: dba-sqlserver-bounces at databaseadvisors.com
> : [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of
> : Francisco H Tapia
> : Sent: April 16, 2003 2:30 PM
> : To: dba-sqlserver at databaseadvisors.com
> : Subject: Re: [dba-SQLServer]IP Connection to SQL
> :
> :
> : Yes, this is exactly what happens, w/ SQL Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened, in this case 1433. What is dangerous about this situation is that port 1433 is a commonly known port which hackers and script kiddies can use to infiltrate said network.
> :
> : -Francisco
> : http://rcm.netfirms.com
> :
> :
> : _______________________________________________
> : dba-SQLServer mailing list
> : dba-SQLServer at databaseadvisors.com
> : http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> : http://www.databaseadvisors.com
> 
> 
> 
> 
> 

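As an added example, not part of the thread above: a T-SQL audit and hardening script for the steps the thread converges on (turn off the 'sa' login, rely on Windows/NT authentication, and know which port the instance listens on before the firewall rule is written). It assumes SQL Server 2012 or later, which postdates the thread (ALTER LOGIN and sys.dm_tcp_listener_states did not exist in SQL Server 2000), and a sysadmin connection made over Windows authentication. The replacement login name is a placeholder of my choosing, and the script reports the authentication mode but does not change it, since that is an instance setting that needs a service restart.

```sql
-- Added example: audit and harden the built-in 'sa' login and confirm the
-- TCP listener port. Assumes SQL Server 2012+ and sysadmin rights, connected
-- over Windows authentication (not as 'sa', which step 2 disables).

-- 1. Locate the built-in administrator login regardless of its current name.
--    Its SID is always 0x01, so a rename does not hide it from this check.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2. Disable the login and rename it. [svc_builtin_admin] is a placeholder
--    name for this example, not a convention; pick your own.
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [sa] WITH NAME = [svc_builtin_admin];

-- 3. Report the authentication mode.
--    1 = Windows authentication only (SQL logins such as 'sa' cannot be used)
--    0 = mixed mode (SQL logins accepted)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 4. List the TCP port(s) the instance actually listens on, so the firewall
--    rule targets the real port instead of assuming 1433. Changing the port
--    itself is done in SQL Server Configuration Manager, outside T-SQL.
SELECT ip_address, port, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = 'TSQL';

-- 5. Evidence for the "automated logins+pswds" question in the thread:
--    pull failed-login entries (they include the client address) from the
--    current error log, newest first. Arguments: log 0 = current, 1 = SQL
--    Server log, search string, second search string, start/end time, order.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'', NULL, NULL, N'desc';
```

Run step 1 and steps 3 to 5 first as a read-only audit; step 2 is the only part that changes state. If the output of step 5 shows repeated failures for the built-in login from outside addresses, that is the practical answer to "where's the threat?" in the thread: the port is being found and the login tried, so disabling the account and restricting the port removes both the target and the path.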
