Call to Action
Ensure our customers are deploying and maintaining Microsoft SQL Servers using our published best practice security
guidance.
· All customers should follow the SQL Server security best practices (See below for the best practices links).
· Database and system administrators should ensure that the host firewall is configured properly, in accordance with local security policies.
· Network administrators should ensure that perimeter access is configured properly, and that interior hosts are not exposed to unwanted traffic. In most cases, that means blocking access to port 1433/TCP from outside the network perimeter.
· Customers running SQL Server 2000 versions must upgrade to the supported service pack, which is SQL Server 2000 SP4 (8.0.2039).
§ How to obtain latest service pack for SQL Server 2000?
- [Note: Older SQL Server 2000 versions include SQL Server 2000 RTM (8.0.194), RTMa (8.0.194), SP1 (8.0.384), SP2 (8.0.534), SP3 (8.0.760) or SP3a (8.0.760)]
· Customers running the SQL Server 2005 RTM version must upgrade to one of the supported service packs, which are SQL Server 2005 SP1 (9.0.2047) and SQL Server 2005 SP2 (9.0.3042).
§ How to obtain latest service pack for SQL Server 2005?
· How can customers identify their SQL Server version and edition?
· How can customers detect if they are impacted?
i. Tool to scan SQL Server instance on the network/home – run nmap from an external host
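One way to run the version and edition check on each instance is the T-SQL below. It is an added example, not part of the original post or of Microsoft's linked guidance. The build thresholds are the ones listed above, and the Status wording is an assumption made for illustration.

```sql
-- Added example: report version, service pack level and edition, and flag
-- instances below the service pack builds named in this post.
-- Written to run on SQL Server 2000 and 2005 (no inline DECLARE initializers).
DECLARE @v varchar(32), @major int, @build int
DECLARE @p1 int, @p2 int, @p3 int

-- ProductVersion looks like '8.00.2039' (2000) or '9.00.3042.00' (2005)
SET @v  = CAST(SERVERPROPERTY('ProductVersion') AS varchar(32))
SET @p1 = CHARINDEX('.', @v)
SET @p2 = CHARINDEX('.', @v, @p1 + 1)
-- Appending a dot lets the same expression handle 3-part and 4-part versions
SET @p3 = CHARINDEX('.', @v + '.', @p2 + 1)

SET @major = CAST(LEFT(@v, @p1 - 1) AS int)
SET @build = CAST(SUBSTRING(@v, @p2 + 1, @p3 - @p2 - 1) AS int)

SELECT
    @v                                                   AS ProductVersion,
    CAST(SERVERPROPERTY('ProductLevel') AS varchar(32))  AS ProductLevel,
    CAST(SERVERPROPERTY('Edition')      AS varchar(64))  AS Edition,
    CASE
        WHEN @major = 8 AND @build < 2039
            THEN 'ACTION: upgrade to SQL Server 2000 SP4 (8.0.2039)'
        WHEN @major = 9 AND @build < 2047
            THEN 'ACTION: upgrade to SQL Server 2005 SP1 (9.0.2047) or SP2 (9.0.3042)'
        WHEN @major IN (8, 9)
            THEN 'OK: at or above the service pack build named in this post'
        ELSE 'Not covered by this post'
    END                                                  AS Status
```

Run it against every instance on a host, including named instances, since each instance is patched separately.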
Best practices to secure our SQL Servers
· SQL Server 2005 Security Best Practices - Operational and Administrative Tasks (refer to Network Connectivity section)
· SQL Server 2005 Deployment Guidance for Web Hosting Environments (SQLCAT Recommended)
· SQL Server 2000 – Security Best Practices Checklist (refer to Firewalls and Strong passwords section).
- [Note: The SQL Server 2000 SP3 best practices are valid for SQL Server 2000 SP4]
· CIS security lockdown guide for SQL Server 2005
Always Promote Upgrading
By default, SQL Server 2005 delivers enhanced security features for enterprise data management at multiple
levels. This is especially true if customers require significant configuration changes. In our direct conversations with
customers, we must promote the value SQL Server 2005 provides to developers and database administrators to create
and maintain secure line-of-business applications. Please review the Why Upgrade? whitepaper for more details on the
value of upgrading customers to the most current version of SQL Server.
Thanks,
Itay Braun Premier Field Engineer - SQL Server Microsoft Services - UK
E-Mail: itayb@microsoft.com Mobile: +44-796-928-9996 Blog: http://sqlblogcasts.com/blogs/thepremiers/
Veni Vidi Fixit