SQL Server patch pros and cons

The problem is that many DBAs and network administrators aren't aware of just what can happen when vulnerabilities created by lack of patching are exploited by a trusted insider. This goes for SQL Server software, the Windows OS and other software running on the same host, such as VNC, backup software and IIS. Many claim that even if a serious vulnerability were present on their SQL Server systems, no one on their network would have a clue about how to take advantage of it. A logical argument, but that's not the point.

Fact is, all it takes is a trusted insider (or outsider via an unsecured wireless connection) downloading free security tools off the Internet, playing around with them a bit and then using them maliciously to gain full access into the sacred database system. BackTrack and, specifically, Metasploit come to mind.

With the right tools and the right amount of time – both of which are on the side of trusted insiders – anything's fair game. For instance, there are several known SQL Server vulnerabilities (fixed by patches of course) that are easily exploited using Metasploit and commercial alternatives for those who have access to them. This means that anyone with just a basic network connection can gain full admin-level Windows command prompt access to SQL Server systems. They don't even need a Windows or SQL Server login! Physical acc

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions SQL Server Migration Strategies and Planning Using Microsoft Hyper-V for SQL Server consolidation Migrating to SQL Server 2008 and leveraging new features The challenges of SQL Server consolidation Testing a SQL Server environment before an upgrade SQL Server Consolidation Fast Guide SQL Server consolidation strategies and best practices Does upgrading to SQL Server 2008 fit your business? A guide to advanced new features in SQL Server Management Studio 2008, part 2 A guide to basic new features in SQL Server Management Studio 2008, part 1 SQL Server virtualization pros and cons: Weigh the performance impact Database Administration Setting up SQL Server Service Broker for secure communication Top load balancing methods for SQL Server Performance implications of transaction log autogrowth in SQL Server The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 Working with sparse columns in SQL Server 2008 Determining the source of full transaction logs in SQL Server Implementing SQL Server 2008 FILESTREAM functionality Improving SQL Server full-text search performance Using the OPENROWSET function in SQL Server

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ess to the network is all it takes.

The following screenshots are an example of how an insider can exploit the Slammer worm buffer overflow vulnerability on an unpatched SQL Server system. "Slammer," you say? Don't laugh, I still find SQL Servers vulnerable to it.

[IMAGE]Figure 1: Using Metasploit to gain access to an unpatched SQL Server system's command prompt

[IMAGE]Figure 2: Full admin-level access to SQL Server files is made possible

There are even more possibilities for gaining this type of access by exploiting other unpatched applications running on the same system. And this is just the beginning. Using vulnerability scanning tools, users can find other exploits specific to SQL Server, including privilege escalation, denial of service and access to the system table. Again, this is all because the recommended patches haven't been applied. No external firewall is going to keep these internal misdeeds from happening.

You've got to ask yourself what's worse: 1) installing a hotfix or service pack that brings your database server down (or even creates data corruption) for a relatively short period of time until it's backed out (or restored) or 2) presenting low-hanging fruit in the form of unpatched software for unruly insiders to exploit? Don't get me wrong, I've been burned very badly in the past by being too eager to patch Microsoft software. But that was years ago. Based on my experience, the quality of patches has greatly improved (albeit not perfect).

There is no great answer, but it boils down to a balance of risk and a matter of choice. In the end, I'd rather suffer through a botched patch install than face the consequences.

Envision yourself answering to executives, customers or regulators who are asking why countermeasures to a known exploit were never put in place after identity theft, data destruction or a related incident occurs. If a patch install creates problems, at least you were doing what was in the best interest of the business. You can't say that when patches are simply ignored. Heck, if a problem does arise due to a patch, at least you now have a good reason to push for a test environment that everyone knows they need but can't seem to justify having.

[TABLE]