I totally agree, it's the responsibility of the network administrator to make sure that the desktop computers are behind a firewall, and therefore don't have any open ports. This way even if users have MSDE on their computer without their knowledge, it won't be open to the world (And now you only need to worry about somebody bringing in an infected laptop or having their home pc infected and using the VPN, or an insider attack...)
Russ

-----Original Message-----
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 01, 2005 3:16 PM
To: CF-Talk
Subject: Re: Securing MS-SQL port 1433

On Tue, 1 Mar 2005 14:32:04 -0500, Dave Watts <[EMAIL PROTECTED]> wrote:
> > How many of your servers have open, externally accessible
> > MS-SQL ports? Maybe you should go open your MS-SQL box to the
> > world because you certainly wouldn't be an idiot to keep it
> > open, right?
> >
> > Ignoring *fundamental* security issues is at best, negligent.
> > Ignoring known, common, dangerous, documented, publicized
> > security issues seems to me to count as "idiotic" but you can
> > call it "poor practice", "negligent", "a mistake" or some
> > other less offensive word if you need to.
>
> I think you're missing my point. My servers are adequately secure because
> it's my job to know how to secure them. But if you install any number of
> third-party products that contain MSDE onto your desktop, are you an idiot
> for (a) not being a network administrator, or (b) not being aware of
> database server security? I would argue that the onus for security of
> desktop applications is largely the responsibility of the creators of said
> applications.

I totally get that point. And I'll concede that MSDE may be installed without your direct knowledge, though the lists I've seen of apps that install MSDE are overwhelmingly enterprise/admin apps (and thus would be installed either in a corporate environment with security/network professionals, right?). One list is here: http://www.sqlsecurity.com/applicationslistgridall.aspx. And the (admittedly only 2) of these manufacturers that I've dealt with for MSDE-related software issued advisories to their clients about installing SP3 for MSDE. The onus of responsibility has to be shared in any nontrivial application between the creators and the implementors.
Unfortunately for the creators of apps based on MSDE, there was a flaw in one of their components (MSDE) that they had no direct control over. This happens -- and is endemic to every level of the software stack -- so implementors unfortunately need to take proactive steps to mitigate risk. Consider the Feb batch of Microsoft monthly security updates (which made NPR Morning Edition among other popular media outlets) -- is a company that built an application that's deployed on a vulnerable Windows platform stupid for using Windows? No (despite the cries from the Linux folks...). But take a look at that batch of security updates -- if you read them, the bulk of them are mitigated by using a firewall. That's not significantly different than the MS-SQL/MSDE vulnerability that Slammer took advantage of.

*Knowing* that there are an unknown number of potential exploits in the OS, application, etc., you reduce your risk by following basic security practices. So while you should probably apply any of the patches relating to services you use, there's no need to panic while you do if you've already done some basic mitigation. So no, you don't need to be (a) a network administrator or (b) aware of database security to reduce your risk of exposure to security issues. You simply need to take some basic precautions (relating to the triumvirate of anti-virus, firewall, and potentially spyware) that are basic to the reality of the Internet.

As an aside, Slashdot today ran a link (http://it.slashdot.org/article.pl?sid=05/02/28/2228245&tid=172&tid=218) about a test of 6 computers being attached unprotected to the Internet for a week which probably doesn't point out any new information, but is interesting in the context of this discussion.
--
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]
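The thread's practical point is that a desktop with an unnoticed MSDE should sit behind a firewall that keeps TCP 1433 and UDP 1434 off the network, and that the MSDE SP3 the vendors advised closes the hole Slammer used. The script below is an added example for this page, not code from the list or from Microsoft: run from another machine, it checks whether a host answers on those two ports and what an SSRP reply gives away. It assumes the SQL Server Resolution Service wire format from Microsoft's MC-SQLR specification (a single 0x03 byte request; a reply of 0x05, a little-endian 16-bit length, then ';'-separated key/value text with ';;' ending each instance), and that SQL Server 2000 / MSDE 2000 SP3 reports build 8.00.760. The hostname DESKTOP01, the instance names and the sample reply are constructed for the example.

```python
"""Exposure check for the MSDE/SQL Server listener ports discussed above.

Added example for this thread, not code from the list or from Microsoft.
Assumptions: the SSRP wire format from MC-SQLR (CLNT_UCAST_EX is a single
0x03 byte; SVR_RESP is 0x05 + little-endian uint16 length + ';'-separated
key/value text), and that SQL Server 2000 / MSDE 2000 SP3 reports 8.00.760.
"""
import socket
import struct
import sys

SQL_TCP_PORT = 1433   # default SQL Server / MSDE TCP listener (the port in the subject line)
SSRP_UDP_PORT = 1434  # SQL Server Resolution Service: the UDP port Slammer hit
SP3_BUILD = 760       # 8.00.760 = SQL Server 2000 / MSDE 2000 SP3

# Constructed sample of an SSRP reply from a desktop running two instances,
# one unpatched RTM build (8.00.194) and one SP3 build. Not a captured packet.
_SAMPLE_BODY = (
    b"ServerName;DESKTOP01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;;"
    b"ServerName;DESKTOP01;InstanceName;VENDORAPP;IsClustered;No;"
    b"Version;8.00.760;tcp;1025;np;\\\\DESKTOP01\\pipe\\MSSQL$VENDORAPP\\sql\\query;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY


def parse_ssrp_response(data: bytes) -> list:
    """Turn an SVR_RESP datagram into one dict per advertised instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack("<H", data[1:3])
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # ';;' terminates each instance record
        if not chunk:
            continue
        fields = chunk.split(";")           # alternating key, value
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def pre_sp3(version: str) -> bool:
    """True for a SQL Server 2000 / MSDE 2000 build older than SP3 (8.00.760)."""
    try:
        major, _minor, build = (int(x) for x in version.split(".")[:3])
    except ValueError:
        return False
    return major == 8 and build < SP3_BUILD


def assess(tcp_open: bool, instances: list) -> list:
    """Summarise what an outside host can learn from the two listener ports."""
    findings = []
    if tcp_open:
        findings.append(f"TCP {SQL_TCP_PORT} accepts connections: SQL listener is reachable from the network")
    for inst in instances:
        name = inst.get("InstanceName", "?")
        ver = inst.get("Version", "?")
        findings.append(f"UDP {SSRP_UDP_PORT} answered: instance {name} (build {ver}) on tcp {inst.get('tcp', '?')}")
        if pre_sp3(ver):
            findings.append(f"instance {name} is older than SP3; the Slammer hole is unpatched")
    if not findings:
        findings.append("no SQL/MSDE listener reachable from here")
    return findings


def tcp_port_open(host: str, port: int = SQL_TCP_PORT, timeout: float = 2.0) -> bool:
    """A completed TCP handshake means the firewall let the port through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def query_ssrp(host: str, timeout: float = 2.0) -> list:
    """Send CLNT_UCAST_EX and parse whatever instance list comes back (empty on silence)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(b"\x03", (host, SSRP_UDP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


def check_host(host: str) -> list:
    return assess(tcp_port_open(host), query_ssrp(host))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in check_host(target):
        print(line)
```

A desktop firewall that drops inbound TCP 1433 and UDP 1434 makes both probes come back empty, which is the state the thread is arguing for; a host that answers on UDP 1434 is telling the whole network its instance names, build numbers and TCP ports, whether or not the user knows MSDE is installed. The same probe run from a VPN client address shows the laptop/home-PC gap Russ mentions.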

