SQL Server Security
Use SQLPing to prevent outside access


By Serdar Yegulalp, Contributor
10.17.2005
SQL Server 2000 is accessed over the network, either through a named pipe or a network protocol such as TCP. A SQL Server deployment therefore has to be configured to accept connections only from trusted sources. If SQL Server runs on a single machine (possibly alongside a Web server on the same box), you will want to make sure it is reachable only from that machine and not from unauthorized remote clients.

Even when SQL Server 2000 is configured to use only named pipes as its network protocol, it can still be enumerated from the outside world if the host does not block inbound traffic to UDP port 1434. SQL Server 2000 listens on UDP port 1434 (the SQL Server Resolution Protocol) for a one-byte request with the value 0x02, and replies with detailed information about every SQL Server instance on that computer: the server and instance names, the transports each instance listens on (TCP port numbers and named pipe paths), the version of each instance and whether it is clustered. The request needs no credentials, so anyone who can reach the port gets a free inventory of your database servers. This is a major problem.

To help combat this problem, a team of programmers from the SQLSecurity.com site created SQLPing, a simple command-line tool that determines whether a given machine has its UDP 1434 listener open for public access. The program is simple: invoke it from the command line with either an IP address or a hostname, and it sends the 0x02 request to UDP port 1434 on the target and reports whatever the server returns.
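The exchange SQLPing performs, as an added example that is not SQLPing's own code nor any code from this tip: it builds the one-byte 0x02 request, parses the server's reply (a 0x05 type byte, a two-byte little-endian length, then ASCII key;value pairs with each instance record terminated by ";;"), and can be pointed at a real host. The two instance records in SAMPLE_RESPONSE are constructed for illustration; the host name DBSRV01, the instance name REPORTS and the version numbers are assumptions, not data from the page.

```python
"""UDP 1434 (SQL Server Resolution Protocol) probe in the spirit of SQLPing.

Added example; not SQLPing's code. The sample reply below is constructed.
"""
from __future__ import annotations

import socket
import sys

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "enumerate all instances" request: a single byte
SVR_RESP = 0x05           # first byte of every server reply


def build_svr_resp(records: list[str]) -> bytes:
    """Assemble a reply datagram the way a SQL Server 2000 host would.

    Used here only to construct offline test data.
    """
    body = "".join(record + ";;" for record in records).encode("ascii")
    return bytes([SVR_RESP]) + len(body).to_bytes(2, "little") + body


# Constructed sample: one default instance exposing TCP 1433 and named pipes,
# one named instance exposing named pipes only. Names/versions are assumed.
SAMPLE_RESPONSE = build_svr_resp([
    r"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    r"Version;8.00.194;tcp;1433;np;\\DBSRV01\pipe\sql\query",
    r"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    r"Version;8.00.760;np;\\DBSRV01\pipe\MSSQL$REPORTS\sql\query",
])


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Turn a SVR_RESP datagram into one dict per advertised instance.

    Raises ValueError if the datagram is not a UDP 1434 reply at all.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances: list[dict[str, str]] = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        # Fields alternate key, value: ServerName, InstanceName, IsClustered,
        # Version, then optionally tcp (port) and np (pipe path).
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def probe(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Send the 0x02 request to a host and return the instances it advertises.

    An empty list means no reply within the timeout: either UDP 1434 is
    filtered (the desired state when probing from outside) or nothing is
    listening. A non-empty list from the Internet side is the finding.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


def exposed_transports(instance: dict[str, str]) -> list[str]:
    """Which network transports an instance record reveals (for triage)."""
    found = []
    if "tcp" in instance:
        found.append("tcp/" + instance["tcp"])
    if "np" in instance:
        found.append("np " + instance["np"])
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe(target) if target else parse_ssrp_response(SAMPLE_RESPONSE)
    if not results:
        print("no UDP 1434 reply (filtered or not a SQL Server host)")
    for inst in results:
        print(inst.get("ServerName"), inst.get("InstanceName"),
              inst.get("Version"), exposed_transports(inst))
```

Run it with a hostname or IP to probe a real host (from outside your perimeter if you want to know what the Internet sees); with no argument it parses the constructed sample so the parser can be exercised offline. The single-byte, unauthenticated request is also why the reply is worth blocking even where no TCP listener is exposed: every field it returns is reconnaissance.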

If you run SQLPing across the Internet and are able to retrieve information from a given SQL Server, that box should be locked down as soon as possible. Block UDP port 1434 wherever possible, or set up a host or perimeter firewall that denies everything by default and opens only the ports you actually need. Even if that instance of SQL Server is not set to accept connections from the Internet at large, the information revealed (exact version, instance names, listening ports and pipe names) is exactly what an attacker needs to plan the next step, and the same unauthenticated listener has historically been a target in its own right, not just an information leak. Two caveats: test from a vantage point outside your perimeter, since a probe from the same LAN proves nothing about Internet exposure; and remember that clients of named instances rely on UDP 1434 to discover the instance's TCP port, so once you block it, configure those clients with the port explicitly rather than relying on resolution.

About the author: Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!