Mwp.Reid at Queens-Belfast.AC.UK
Thu Apr 17 16:36:45 CDT 2003
This is my bounce from the SQL list, but this is THE site to read up on this stuff: http://www.sqlsecurity.com/DesktopDefault.aspx

Kill the sa account and block the port. First two REAL WORLD STEPS TO TAKE.

Martin

Quoting "Jim Lawrence (AccessD)" <accessd at shaw.ca>:

> Hi Francisco:
>
> Thanks for your input. I have heard so much discussion one way or the other that I simply do not know what to believe. My particular comments were gleaned from a conversation with a systems fellow from MS itself. Of course, a person on contract to MS is going to support the product, but I did not feel he was giving their product a blank cheque, so to speak, but really felt that leaving the ports alone was correct. If you find more information to the contrary, or supporting facts, I would be greatly appreciative. I may be setting up another site in the near future and will need to make some important decisions.
>
> Jim
>
> -----Original Message-----
> From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Francisco H Tapia
> Sent: Wednesday, April 16, 2003 2:56 PM
> To: dba-sqlserver at databaseadvisors.com
> Subject: Re: [dba-SQLServer]IP Connection to SQL
>
> This is one area where you can disagree all you like, but it is a common practice by most Sql Server DBAs (just check out sqlservercentral.com or sswug.org). Changing the port that Sql Server listens on (1433) to anything else helps avoid your most common attacks by "drive by hackers", if you will. Plus Arthur mentioned that this was for a customer of his, so it's doubtful that a game port would be acceptable in that environment.
>
> -Francisco
> http://rcm.netfirms.com
>
> On Wednesday, April 16, 2003 1:42 PM [GMT-8], Jim Lawrence (AccessD) <accessd at shaw.ca> wrote:
>
> : Hi Arthur:
> :
> : The port 1433 is only dangerous if you have not applied the appropriate SQL patch. No port number is invulnerable, because most intruders simply scan all ports when attempting to gain access. It is not worth trying to change the port value, as the port number might be used by some other product, like a game. Also, all the clients would have to be set up individually, as they will automatically be expecting to access the SQL server through that 1433 port number.
> :
> : I personally would not waste my time with changing port numbers for security, but I would turn off the SQL login 'sa' and set up strong server-side NT authentication.
> :
> : My thoughts
> : Jim
> :
> : -----Original Message-----
> : From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Arthur Fuller
> : Sent: Wednesday, April 16, 2003 12:01 PM
> : To: dba-sqlserver at databaseadvisors.com
> : Subject: RE: [dba-SQLServer]IP Connection to SQL
> :
> : : Yes, this is exactly what happens, w/ Sql Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened, in this case 1433. What is dangerous about this situation is that port 1433 is a commonly known port which hackers and script kiddies can use to infiltrate said network.
> :
> : What if I use a different port number?
> :
> : Even if I don't, will it matter? In client 1's case, I can see the whole SQL database, but only because I have privileges. I can't see any other machines, or any drives on the server, or anything but the database itself. And I can only get into that with the appropriate uid and pswd. So where's the threat? Automated manufacture of logins+pswds?
> :
> : Again, since I know nothing about this level of technology, this might be a really stupid question, but so be it :-)
> :
> : Imagine if you will 3 roles: webUser, Data-Entry and Manager. All that is already set up in SQL. Suppose we tell the router to listen on some different port. I think there are port-sniffers or whatever they're called, but still, if the router simply forwards the incoming traffic to SQL and the traffic fails SQL authentication, where's the risk?
> :
> : A.
> :
> : -----Original Message-----
> : From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Francisco H Tapia
> : Sent: April 16, 2003 2:30 PM
> : To: dba-sqlserver at databaseadvisors.com
> : Subject: Re: [dba-SQLServer]IP Connection to SQL
> :
> : Yes, this is exactly what happens, w/ Sql Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened, in this case 1433. What is dangerous about this situation is that port 1433 is a commonly known port which hackers and script kiddies can use to infiltrate said network.
> :
> : -Francisco
> : http://rcm.netfirms.com
> :
> : _______________________________________________
> : dba-SQLServer mailing list
> : dba-SQLServer at databaseadvisors.com
> : http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> : http://www.databaseadvisors.com
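The two controls the thread keeps coming back to, the 'sa' login and the port the instance actually listens on, as an added T-SQL audit-and-hardening script that is not from the thread or the list. It assumes SQL Server 2005 or later (ALTER LOGIN and the sys.* catalog views did not exist in the SQL Server 2000 era of this thread); the password and the new login name are placeholders.

```sql
-- Added example, not code from the list thread. Assumes SQL Server 2005 or later:
-- ALTER LOGIN, sys.server_principals and sys.dm_exec_connections are not available
-- on SQL Server 2000. Run it from a sysadmin connection.

-- 1. Audit: which authentication mode is in force, whether the built-in 'sa'
--    login is still enabled, and which TCP port this instance really serves on
--    (the number a firewall rule must restrict, whether it is 1433 or not).
SELECT
    CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
        WHEN 1 THEN 'Windows authentication only'
        ELSE 'Mixed mode: SQL logins such as sa are accepted'
    END               AS auth_mode,
    p.name            AS sa_login_name,   -- current name, even if sa was renamed
    p.is_disabled     AS sa_is_disabled,
    c.local_tcp_port  AS listening_port   -- NULL when this session is not TCP
FROM sys.server_principals AS p
CROSS JOIN sys.dm_exec_connections AS c
WHERE p.sid = 0x01                        -- the built-in sa login always has SID 0x01
  AND c.session_id = @@SPID;

-- 2. Harden: give sa a strong password, disable it, and move it off the default
--    name, so that guessing the 'sa' password alone no longer yields a login.
--    <strong-random-password> and sa_renamed_placeholder are placeholders.
ALTER LOGIN sa WITH PASSWORD = N'<strong-random-password>';
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];
```

Re-run the audit query afterwards: it should report `sa_is_disabled = 1` under the new name, and the reported port is the one to restrict to known client addresses at the firewall, which is the "block the port" half that T-SQL cannot do for you.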