Steps you can take to lock down SQL Server

By Jim Rapoza  |  Posted 2004-01-12

The first and most obvious step in security for SQL Server is to stay up-to-date with the service packs for SQL Server 2000. All the most recent packs include fixes for the problems that cause SQL Slammer, as well as for other potential security problems.

In addition, we recommend that when dealing with a new or unpatched SQL Server system, IT managers take that system offline or put it on a closed network. Given how quickly Slammer can strike, any IT staff that patches a new system while it is still online is bound to end up with an infected system.

This will also provide an opportunity to do offline testing of the patch to ensure it doesn't adversely affect your applications.

Outside of SQL Slammer, a poorly secured SQL Server implementation can make it easy for malicious attackers to crack applications and databases and access sensitive information. One of the most common mistakes is poor or nonexistent authorization security. We've been stunned by the numerous times we've seen a SQL Server system with a blank sa (system administrator) password. We recommend using a strong, regularly changed sa password and, if applications permit, using Windows authentication.

Another common-sense step to take in securing SQL Server is to block the ports on which it listens for connections—namely, TCP port 1433 and User Datagram Protocol port 1434. If the systems that need to connect to SQL Server are the only ones that can connect to it, you will have more protection against unknown problems that may arise.
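The following audit is an added example, not part of the original article: a T-SQL script for Query Analyzer that reports the service pack level, the authentication mode and any SQL logins with a blank password, the items discussed above. It assumes SQL Server 2000, a sysadmin connection, and that a blank password appears as NULL in master.dbo.syslogins.

```sql
-- Added example (not from the original article).
-- Assumes SQL Server 2000 and a connection with sysadmin rights.

-- 1. Patch level: compare service_pack_level with the latest service pack
--    available for SQL Server 2000.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS service_pack_level;

-- 2. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
--    In mixed mode the sa login can be used over the network.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Windows authentication only'
           ELSE 'Mixed mode (SQL logins such as sa can connect)'
       END AS authentication_mode;

-- 3. SQL logins with a blank password.
--    Assumption: SQL Server 2000 stores a blank password as NULL.
--    isntname = 0 excludes Windows users and groups, which never carry
--    a SQL password. Any row returned here needs a strong password;
--    a row for sa is the case the article warns about.
SELECT name,
       sysadmin AS is_sysadmin
FROM   master.dbo.syslogins
WHERE  isntname = 0
  AND  password IS NULL
ORDER BY sysadmin DESC, name;
```

An empty result from the third query means no SQL login has a blank password; it says nothing about whether the passwords that are set are strong.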


Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.
