Security Alerts and Information

By Steve Jones

SQL Server Security Alerts and Information

Every piece of software has security issues, and SQL Server is no exception. Because this is a server product and many DBAs do not manage the external security for their systems, I often find unpatched servers with vulnerabilities. There are not too many alerts for SQL Server, but there are a few. Below are links to patches as well as other resources for keeping informed.

I will continue to update this area as new alerts are released. Please check back periodically for updates. I will also be adding some articles on SQL Security and best practices that should be followed.

Security Alerts


New Security Alert (Released 6-12-01):
SQL Query Method Enables Cached Administrator Connection to be Reused

A new alert was released on June 12, 2001 that affects SQL Server 7 and SQL Server 2000.

Technical description:
When a client connection to a SQL Server is terminated, it remains cached for a short period of time for performance reasons. One SQL query method contains a flaw that has the effect of making it possible for one user’s query to reuse a cached connection that belonged to the sa account.

Exploiting this vulnerability would enable an attacker to execute the query using the administrator’s security context. This would give her the ability to take any desired action on the database; moreover, it would give her the ability to run extended stored procedures, thereby giving her the opportunity to run code of her choice and assume de facto control of the server itself.


http://www.microsoft.com/technet/security/bulletin/MS01-018.asp

Visual Studio VB T-SQL Object Contains Unchecked Buffer.

If you develop applications or install applications developed in VB, this is a possible security risk. Your developers may want to apply this patch, though I am not sure how much of a risk this is.


http://www.sans.org/newlook/alerts/NTE-bank.htm

If you use NT in an e-commerce environment, read this one!

The SANS Institute released this notice after being informed of attacks by the FBI. Eastern European hackers appear to be targeting NT e-commerce sites for extortion. You can get the tool to scan your systems from The Center for Internet Security here.


http://www.microsoft.com/technet/security/bulletin/MS01-013.asp

A critical alert for all Windows 2000 Servers. Let your system admins know about this one.


Service Pack 3 for SQL Server v7.0

Service pack 3 is available for SQL Server 7.0 and fixes a number of bugs and security holes. The fix list is at Q274797 and includes the version numbers for all service packs.


Patch Available for Extended Stored Procedure Parameter Parsing Vulnerability (December 2000)

A patch was posted December 1, 2000 for a vulnerability in extended stored procedures. A malicious user could cause a buffer overrun to occur with a sufficiently long parameter. While not a likely risk for most installations, you should read this to see if you are affected. SQL 7, MSDE, and SQL 2000 are affected.


Patch Available for DTS Password Vulnerability

There is a bug in v7.0 that would allow a user to view the passwords that are stored in DTS packages. The patch disallows non-sa or non-creators to access these passwords.


Patch Available for Stored Procedure Permissions Vulnerability

A user without EXECUTE permissions could possibly execute a stored procedure if certain conditions exist on your server. This is NOT patched in SP2.


Service Pack 2

While you should definitely test them first, service packs are a must install. They contain many fixes, and once you have tested them you should install them on your server.
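As an added example (not from the article), here is a T-SQL check a DBA can run on SQL Server 7.0 or 2000 to record the build for comparison against the Q274797 fix list and to see which database users in master have been granted EXECUTE on extended stored procedures, the route to the server that the alerts above describe. The catalog tables and the Q-article are Microsoft's; the script itself is my own.

```sql
-- Added example: defender-side check for the alerts on this page.
-- Step 1: capture the build string. Compare it by hand against the
-- service pack version numbers listed in Q274797 (values not reproduced here).
SELECT @@VERSION AS product_version;

-- Step 2: list every extended stored procedure (xtype 'X') in master
-- that has an EXECUTE entry in sysprotects, and who holds it.
-- action 224 = EXECUTE; protecttype 205 = GRANT, 204 = GRANT WITH GRANT,
-- 206 = DENY. Anything granted to 'public' deserves a second look,
-- since the cached-connection and parameter-parsing flaws above are
-- only reachable by logins that can call xp_* procedures at all.
SELECT  o.name AS xp_name,
        u.name AS grantee,
        CASE p.protecttype
             WHEN 204 THEN 'GRANT WITH GRANT'
             WHEN 205 THEN 'GRANT'
             WHEN 206 THEN 'DENY'
        END     AS protect_type
FROM    master.dbo.sysobjects  o
JOIN    master.dbo.sysprotects p ON p.id  = o.id
JOIN    master.dbo.sysusers    u ON u.uid = p.uid
WHERE   o.xtype  = 'X'
  AND   p.action = 224
ORDER BY o.name, u.name;

-- Step 3 (optional): if an xp_ procedure turns up granted to public and
-- no application needs it, remove the grant in master. Placeholder name:
-- REVOKE EXECUTE ON xp_placeholder FROM public;
```

Run it as a member of sysadmin; the REVOKE line is left commented so the script is read-only until you have checked the results.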


C2 Security

Microsoft SQL Server 2000 has received the C2 security rating from the National Security Administration (NSA) which was one of the goals that the SQL Server development team mentioned at TechEd 2000. One of the main items that allowed this goal to be met was the enhanced Profiler auditing of the events that occur inside SQL Server.

Microsoft has published documents that describe the C2 setup of SQL Server. There are a couple of important caveats to be aware of for securing SQL Server at the C2 level.

  • NT 4.0 is required as the OS and it must be secured as a C2 system.
  • NT authentication is required. SQL Security (standard logins) is not supported, so in many installations you cannot really secure the server this way.
  • Only transactional replication is supported.
  • The following are not included in the evaluation: SQL Mail, Full Text Search, English Query, DTC, Meta Data Services, and Analysis Services. SQL Mail alone is a reason many sites (mine included) would not even try to implement this level of security.

I am not sure who really needs C2 (outside of the military), and it appears to require only the base RDBMS engine plus a great deal of management effort. While probably worth it in some instances, I would not recommend anyone implement this as a marketing move, unless you truly want to be a full-time administrator.

The official NSA document is here.
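An added example, not part of the article or the Microsoft C2 documents: the Profiler-based auditing that the C2 evaluation relied on is exposed in SQL Server 2000 as the 'c2 audit mode' configuration option, and this script turns it on and verifies it. It assumes a SQL Server 2000 instance; the option only takes effect after the service is restarted, and once it is on the instance shuts itself down if the audit trace file can no longer be written, so check free space in the Data directory first.

```sql
-- Added example: enable and verify C2-style auditing on SQL Server 2000.
-- 'c2 audit mode' is an advanced option, so it has to be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Weak (default) state: auditing off. Show it before changing anything.
EXEC sp_configure 'c2 audit mode';

-- Corrected state: audit every successful and failed access attempt to
-- a trace file in the instance's Data directory. Requires a restart.
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;

-- Verify: config_value should now read 1; run_value becomes 1 only
-- after the SQL Server service has been restarted.
EXEC sp_configure 'c2 audit mode';

-- Housekeeping: hide advanced options again.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

The trace files grow quickly on a busy server, so pair this with a job that archives or purges old traces, otherwise the shutdown-on-full-disk behaviour becomes a self-inflicted outage.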


Security resources

Screen Savers For Security Professionals - (New)

Microsoft has released a screen saver that will remind you of The Ten Immutable Laws of Security and The Ten Immutable Laws of Security Administration.

The Ten Immutable Laws of Security Administration

"The most important tool here isn't a software tool – it's procedures." A direct quote from this article, and worth the read alone. This is a good article on security fundamentals that apply to SQL Server.

The Definition Of A Security Vulnerability

At least according to Microsoft. This is worth a read to understand why and how patches are created and the madness behind the methodology for when they are released.

Data Security and Data Availability for End Systems

White paper discussing data security. This is more of a system administrator's view from the Windows 2000 security standpoint, but a good read for DBAs to understand some of the vulnerabilities that are out there and where security can be compromised. It's easy to get paranoid when reading something like this, so don't go out there and start quizzing your sysops, but you might check and see how many of these things are implemented at your site.

Microsoft SQL Server 2000 Security

White paper for system administrators outlining new security features in SQL 2000.

Microsoft Security

A good source for security bulletins and patches that Microsoft has released.

Tour of the Microsoft Security Response Center

A tour as Microsoft attempts to address the security concerns. IMHO a nice step forward in providing Enterprise level products.

NT BugTraq

An independent source for tracking bugs in NT/2000 software. Maintains a mailing list as well as links to a variety of patches and commentary on bugs.

CERT

Carnegie Mellon University's Computer Emergency Response Team. This is the organization that should be informed of all attacks. They provide a clearinghouse for information related to security. Unfortunately this has not been used as much as it could.

SANS

Another security organization that I belong to and receive alerts from. They have some good resources for securing your systems.
