Microsoft SQL services (including MSDE - Microsoft SQL Developer Edition) pose a significant risk to computing resources if due diligence is not exercised to ensure a secure installation, and they contribute to a majority of FNAL cyber security incidents. Many useful Windows applications are built on the MSSQL database and may silently install a SQL instance without the user's knowledge. The MSSQL service may also be active only while the installed application is running and may disable itself automatically when the application terminates, which complicates scanning and detection. Because the MSSQL installation delivered by many developers and software publishers rarely deviates from the default configuration, whose security model is weak or non-existent, MSSQL is a prime and easy target for hackers and worms.

Because of the risk posed by these 'unmanaged' MSSQL installations, and the dynamic nature of their deployment, FNAL can no longer tolerate the exposure of this service to the general Internet. MSSQL services (default: TCP/1433 and UDP/1434, or any other TCP port configured) may not permit open access from the general Internet. Since a site-wide block of the default MSSQL service listener would impact other legitimate business services and file transfers, local host-based protection controls must be used to protect MSSQL (and MSDE) installations. All intended installations of MSSQL Server and MSDE must implement host-based controls that limit network access to only the source addresses that require remote use of the MSSQL service.
Unintended and vulnerable MSSQL (MSDE) installations will be scanned by FNAL Computer Security from both on-site and off-site addresses, and the registered sysadmin will be alerted to remediate any violations found by the following:

- Remove the MSSQL (MSDE) application, OR
- Install host-based protection (Windows IP Security Filters, XP Firewall, Personal Firewalls)
- Ensure the latest MSSQL (MSDE) Service Pack and Hotfixes are installed
- Perform a Nessus scan with MSSQL options enabled
- Set a complex password on ALL MSSQL user accounts (including the 'sa' account)

AND as much of the following as possible:

- Disable the network listener
- Use Windows Only authentication
- Follow the SQL Security Checklist located at SQLSECURITY.COM
- Remove or revoke access rights to the following Standard and Extended Stored Procedures:
  - xp_cmdshell
  - xp_dirtree
  - xp_enum*
  - xp_get*
  - xp_instance*
  - xp_IsNTAdmin
  - xp_loginconfig
  - xp_MSLocalSystem
  - xp_ntsec_enumdomains
  - xp_reg*
  - xp_runwebtask
  - xp_sendmail
  - xp_servicecontrol
  - xp_SetSQLSecurity
  - xp_updateFTSSQLAccount
  - xp_unpackcab
  - sp_sdidebug
  - xp_availablemedia
  - xp_deletemail
  - xp_dropwebtask
  - xp_dsninfo
  - xp_eventlog
  - xp_findnextmsg
  - xp_fixeddrives
  - xp_grantlogin
  - xp_logevent
  - xp_logininfo
  - xp_makewebtask
  - xp_msver
  - xp_perfend
  - xp_perfmonitor
  - xp_perfsample
  - xp_perfstart
  - xp_readerrorlog
  - xp_readmail
  - xp_revokelogin
  - xp_schedulersignal
  - xp_snmp_getstate
  - xp_snmp_raisetrap
  - xp_sprintf
  - xp_sqlinventory
  - xp_sqlregister
  - xp_sqltrace
  - xp_sscanf
  - xp_startmail
  - xp_stopmail
  - xp_subdirs
  - xp_unc_to_drive

Systems with unregistered sysadmins, NULL or weak MSSQL passwords, remediation failure or repeat violations are subject to immediate denial of network access until the remediation steps are satisfied, including proof of a current Nessus scan.
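The following T-SQL script is an added example, not part of the FNAL policy above, showing one way a sysadmin can carry out the "remove or revoke access rights" step on the stored procedures listed and then verify the result. It assumes SQL Server 2000 / MSDE 2000 (the generation this policy targets), so it uses the sysobjects and sysprotects catalog tables and sp_helprotect; the catalog codes used in the verification query (action 224 = EXECUTE, protecttype 205 = GRANT, uid 0 = public) are the SQL Server 2000 values and are an assumption if run against a later version. Wildcard entries such as xp_reg* are expanded against sysobjects rather than typed out. Run it in the master database as a member of the sysadmin role.

```sql
USE master
GO

-- Constructed example: revoke EXECUTE from the public role on the stored
-- procedures named in the policy. Explicit names are matched directly;
-- the wildcard entries (xp_enum*, xp_get*, xp_instance*, xp_reg*) are
-- expanded with LIKE against sysobjects (xtype 'X' = extended proc,
-- 'P' = regular proc, which covers sp_sdidebug).
DECLARE @name sysname, @sql nvarchar(512)

DECLARE proc_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM dbo.sysobjects
    WHERE xtype IN ('X', 'P')
      AND (name IN ('xp_cmdshell', 'xp_dirtree', 'xp_IsNTAdmin',
                    'xp_loginconfig', 'xp_MSLocalSystem', 'xp_ntsec_enumdomains',
                    'xp_runwebtask', 'xp_sendmail', 'xp_servicecontrol',
                    'xp_SetSQLSecurity', 'xp_updateFTSSQLAccount', 'xp_unpackcab',
                    'sp_sdidebug', 'xp_availablemedia', 'xp_deletemail',
                    'xp_dropwebtask', 'xp_dsninfo', 'xp_eventlog', 'xp_findnextmsg',
                    'xp_fixeddrives', 'xp_grantlogin', 'xp_logevent', 'xp_logininfo',
                    'xp_makewebtask', 'xp_msver', 'xp_perfend', 'xp_perfmonitor',
                    'xp_perfsample', 'xp_perfstart', 'xp_readerrorlog', 'xp_readmail',
                    'xp_revokelogin', 'xp_schedulersignal', 'xp_snmp_getstate',
                    'xp_snmp_raisetrap', 'xp_sprintf', 'xp_sqlinventory',
                    'xp_sqlregister', 'xp_sqltrace', 'xp_sscanf', 'xp_startmail',
                    'xp_stopmail', 'xp_subdirs', 'xp_unc_to_drive')
           OR name LIKE 'xp[_]enum%'
           OR name LIKE 'xp[_]get%'
           OR name LIKE 'xp[_]instance%'
           OR name LIKE 'xp[_]reg%')

OPEN proc_cur
FETCH NEXT FROM proc_cur INTO @name
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd characters in object names; each
    -- statement is printed so the change is recorded in the session log.
    SET @sql = N'REVOKE EXECUTE ON dbo.' + QUOTENAME(@name) + N' FROM public'
    PRINT @sql
    EXEC sp_executesql @sql
    FETCH NEXT FROM proc_cur INTO @name
END
CLOSE proc_cur
DEALLOCATE proc_cur
GO

-- Verification: any row returned here is an EXECUTE grant to public that
-- still exists on one of the listed procedures; an empty result is the goal.
-- (SQL Server 2000 catalog codes, assumed: action 224 = EXECUTE,
--  protecttype 205 = GRANT, sysusers.uid 0 = public.)
SELECT o.name AS procedure_name, u.name AS grantee
FROM dbo.sysprotects p
JOIN dbo.sysobjects o ON o.id = p.id
JOIN dbo.sysusers   u ON u.uid = p.uid
WHERE p.action = 224
  AND p.protecttype = 205
  AND p.uid = 0
  AND (o.name LIKE 'xp[_]%' OR o.name = 'sp_sdidebug')
ORDER BY o.name
GO

-- Spot check on the single most sensitive procedure; sp_helprotect lists
-- every remaining permission on it for any grantee.
EXEC sp_helprotect @name = 'xp_cmdshell'
GO
```

Revoking from public closes the exposure for ordinary logins but does not affect members of the sysadmin role, which is why the policy pairs this step with complex passwords on every account (the 'sa' account in particular) and with Windows Only authentication. Re-run the verification query after applying Service Packs, since setup can restore default permissions on system procedures.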
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006. (Address comments about page to the Computer Security Team.)