Training users to be security-conscious [Re: Securing MS-SQL port 1433]

2005-03-04 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 22:06:48 -0500, Dave Watts [EMAIL PROTECTED] wrote:

> > How is this any different than the corporate education about
> > opening attachments (bad) and phishing (bad)? Most people,
> > I'd put forth, *do* know that the internet isn't all that
> > safe and they should be running a firewall. WinXP SP2 finally
> > has it built-in, for gosh sakes.
>
> While most people may know that they should be running a firewall, I doubt
> very much that most of these people even know what a firewall is. And when
> their system pops up a little message saying "do you want to allow traffic
> from [socket 1] to [socket 2]", they'll click the OK button in many cases
> even if they don't know the import of their actions. And again, your analogy
> with corporate education about attachments just highlights the idiocy of our
> industry - we find it more efficient to train untold thousands of people not
> to double-click something, rather than design a safe system in the first
> place! If we built cars, we'd tell people "don't drive downhill because the
> brakes don't work", rather than just fixing the damn brakes. How idiotic is
> that?

On a related note, Kevin Mitnick (quite famous convicted hacker) spoke
about security and (normal) employees recently
(http://www.zdnet.com.au/news/security/0,261744,39183334,00.htm)
-- his conclusion?

Companies eager to tighten up their information security perimeters
should focus not on technology but on teaching their employees how to
say 'no'

I'm pretty sure he's not eligible to sit for the CISSP (that whole
ethics thing) but he does know a thing or two about penetrating
security. So while it certainly is *annoying* that we have to train
users not to open attachments containing Ann/Paris/Brittany pics, not
to give their passwords out over the phone, and not to blithely use
unencrypted wifi access points, and all the rest -- it's not foolish
or stupid at all.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

~|
Logware (www.logware.us): a new and convenient web-based time tracking 
application. Start tracking and documenting hours spent on a project or with a 
client with Logware today. Try it for free with a 15 day trial account.
http://www.houseoffusion.com/banners/view.cfm?bannerid=67

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197427
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations  Support: http://www.houseoffusion.com/tiny.cfm/54


RE: Training users to be security-conscious [Re: Securing MS-SQL port 1433]

2005-03-04 Thread James Holmes
If we could just train our users not to write their username and password on
a Post-It on their monitor, I'd be happy. 



RE: Training users to be security-conscious [Re: Securing MS-SQL port 1433]

2005-03-04 Thread Adrian Lynch
What about Joey from Friends? He scratched his PIN into the side of the cash
machine (ATM)! I thought that was class :OD



RE: Training users to be security-conscious [Re: Securing MS-SQL port 1433]

2005-03-04 Thread Robertson-Ravo, Neil (RX)
We have to use secure pin to access the servers - how secure do you want to
go ;-)  Passwords alone are simply not enough.






Re: Securing MS-SQL port 1433

2005-03-03 Thread John Paul Ashenfelter
On Wed, 2 Mar 2005 09:32:10 -, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> My point is that if you are running 818 you are NOT fully patched.

Not disputing that at all. And even having MS-SQL fully patched on a
Windows box that is missing OS patches doesn't necessarily make you
safe either, considering the other known vulnerabilities in a base
Windows install. But as you probably know from reading the security
bulletins, the overwhelming majority of the vulnerabilities MS issues
patches for can be mitigated by controlling and limiting either remote
access (e.g. blocking external access to services) or securing
physical access -- not fixed for sure, but mitigated. And that
certainly gives you time to assess the effect of the patch/update on
your systems in a calm and controlled way.

My original point wasn't that you have to be fully patched to be safe
-- it was that leaving the door wide open to a known and widely
publicized problem was foolish and stupid, which would make such a
person an idiot.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



RE: Securing MS-SQL port 1433

2005-03-03 Thread Robertson-Ravo, Neil (RX)
-- My original point wasn't that you have to be fully patched to be safe

I agree with that for sure.



Re: Securing MS-SQL port 1433

2005-03-03 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 22:06:48 -0500, Dave Watts [EMAIL PROTECTED] wrote:
> > If someone's installing Visio Enterprise to work on
> > flowcharts at home, they probably got it from work.
> > Licensing issues aside (since we'll assume they're good
> > there) then their home box gets hosed. PITA, but not much
> > impact on the business.
>
> My point has nothing to do with impact on the business. You stated that
> anyone running an unprotected SQL Server was an idiot. I took issue with
> that, and provided a counterexample. It's as simple as that.

And I'm still not convinced by your counterexample. While MSDE is
certainly fundamentally SQL Server (and now officially named that in
the 2005 product editions) the original point was that leaving your
SQL Server wide open for TCP/IP access was an idiotic thing to do. And
on a ColdFusion list, clearly from context we're talking about the SQL
Server(s) interacting with the ColdFusion server(s). (I will make that
clear next time ;)

I think the main value of the MSDE counterexample is as a reminder
that you need to secure your SQL Server against both external threats
(e.g. locking down TCP/IP access) and *internal* threats that avoid or
circumvent the externally-facing security measures. If Joe Homeuser
picks up Slammer on his Visio-installed MSDE, that sucks for him --
but if Jane Sysadmin hasn't protected the internal systems from such a
scenario then she's probably on the way to clean out her desk.

> > How is this any different than the corporate education about
> > opening attachments (bad) and phishing (bad)? Most people,
> > I'd put forth, *do* know that the internet isn't all that
> > safe and they should be running a firewall. WinXP SP2 finally
> > has it built-in, for gosh sakes.
>
> While most people may know that they should be running a firewall, I doubt
> very much that most of these people even know what a firewall is. And when
> their system pops up a little message saying "do you want to allow traffic
> from [socket 1] to [socket 2]", they'll click the OK button in many cases
> even if they don't know the import of their actions. And again, your analogy
> with corporate education about attachments just highlights the idiocy of our
> industry - we find it more efficient to train untold thousands of people not
> to double-click something, rather than design a safe system in the first
> place! If we built cars, we'd tell people "don't drive downhill because the
> brakes don't work", rather than just fixing the damn brakes. How idiotic is
> that?

I think we both agree that it's idiotic as an industry that we have to
deal with anti-virus software, spam filters, spyware, worms, phishing,
and the like. It's hard to claim otherwise! But we've got the systems
we've got -- if your car *doesn't* have brakes and you say to yourself
"Well, it should have brakes so I'm going to go down this hill anyway.
It will be the engineers' fault!" you are pretty foolish. If you
however attach a parachute to the back of the car to slow you (or do a
Fred Flintstone with your feet to stop) you've at least hedged your
bets.

> > Actually, I think the answer to your question is yes, you did
> > have something happen to you that was completely avoidable
> > and probably deserve it. You chose to keep your door open
> > when there's a high likelihood of attack (we're comparing to
> > the security of the internet, remember).
>
> You have a peculiar way of defining "deserved".

To think that the result has been earned by your actions? That you
merited the attack? (a few definitions just to make sure I'm using
the word in a normal fashion...). I think the cracker, script kiddie,
or disgruntled employee who now has access to your data would
certainly think you deserved it.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



Re: Securing MS-SQL port 1433

2005-03-03 Thread Lee
Lee: Hi my name is Lee and I'm and idiot.

Half the list: Hi Lee!

Lee: I installed my first Windows box in 1998.

Half the list: (Sympathetic Hush)

Lee: Yeah and ever since then my life has been out of 
control. I really need Windows but the problems it's 
caused...

Half the list: Nodding approval...




RE: Securing MS-SQL port 1433

2005-03-03 Thread Robertson-Ravo, Neil (RX)
Eh?



RE: Securing MS-SQL port 1433

2005-03-02 Thread Robertson-Ravo, Neil (RX)
My point is that if you are running 818 you are NOT fully patched.



-Original Message-
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED] 
Sent: 01 March 2005 21:53
To: CF-Talk
Subject: Re: Securing MS-SQL port 1433

On Tue, 1 Mar 2005 20:53:13 -, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> I would say NONE - all of the SQL boxes we have (and we have thousands) are
> a) protected with hardware and software security.  They are all patched to
> the highest degree (where needs be, as not all servers require all patches
> for loopholes and indeed some cannot have them).

Great! So by "hardware and software security" I'll take a stab at
translating that as "at least a firewall". So far we're in agreement.
Remember, this started b/c I said anyone who left port 1433 open was
an idiot -- now we're into discussing how to assess the risk from a
specific vulnerability (choosing which patches to apply) and which
service pack, which *are* (potentially) past the normal desktop user's
area of responsibility.
 
> Let me ask you, what version of SQL are you running? 8.00.818?

Actually, yes I am on my production servers. My clients are a mix of
.818 (post-SP3 hotfix) and .760 (SP3). And to be completely fair, my
laptop actually runs 8.00.760 (with Named Pipes disabled).
 
> Note you do not have to patch all risks if the risk is low - for example
> there may be an issue where a malicious user could access your server but
> its only a problem/issue if the malicious user can gain access to it...

Agreed -- whether it's MS-SQL or Windows (or Linux or CF or whatever)
you don't have to immediately apply patches if you're not vulnerable
to the issue. As I've said, I run my laptop in *horrors* SP3 instead
of the post-SP3 hotfix -- upgrading wasn't worth the risk (though when
I build a new box, it goes to .818 by default)
 

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]





Securing MS-SQL port 1433 [WAS Re: Pro/Con Moving from MSSQL to MySQL]

2005-03-01 Thread John Paul Ashenfelter
On Thu, 24 Feb 2005 16:54:37 -0500, Dave Watts [EMAIL PROTECTED] wrote:
> > Of course you can trust MS-SQL -- it's a great database. I'd
> > ask what kind of idiot leaves port 1433 open on a MS-SQL
> > server in the first place (due to the number of infections
> > with the various worms, apparently a lot)?
>
> This doesn't really have anything to do with the thread, but to answer your
> question quite a few people do this, and those people aren't necessarily
> idiots. Remember that lots of products install some variant of SQL Server,
> like MSDE, for you, so there are quite a few people running SQL Server
> without necessarily knowing it, or thinking about having to secure it.

And remember that if you're implementing basic security measures --
specifically installing a firewall -- that you shouldn't automatically
leave port 1433 (or any other non-needed port) open to the world.

That precaution of course won't prevent problems from someone *inside*
the firewall infecting you, but again, that should be handled by basic
security measures.

As an aside, there are *plenty* of ways to scan for open SQL Server
ports on your network to find those MSDE installs, so I'll maintain
that anyone with an unsecured SQL Server of any type is, in fact, and
idiot.
 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
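The two practical points in this exchange, finding the SQL Server/MSDE listeners on your own network before a worm does and knowing whether each one is at the build you expect (the 8.00.760 vs 8.00.818 discussion elsewhere in the thread), fit naturally into one inventory audit. The script below is an added example written for this page, not code from the list or from any of the posters. The host addresses, version strings and probe results are constructed so it runs offline; the default TCP-connect probe is an assumption about how you would check reachability in real use (it sends no data and cannot learn the build, which has to come from an authenticated query); and the build labels cover only the two builds the thread names.

```python
"""Inventory audit for SQL Server / MSDE listeners (added example for this thread).

Two checks per host:
  1. exposure  - is TCP 1433 reachable from where the audit runs?
  2. patch     - is the reported build at or above a baseline you choose?

The probe is injectable so the audit runs offline against constructed data;
the default probe only does a TCP connect and never sends bytes to the port.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Build = Tuple[int, int, int]
ProbeResult = Tuple[bool, Optional[str]]   # (port reachable, version text or None)

SQL_TCP_PORT = 1433   # the listener port the thread is about

# Labels only for the two builds named in the thread; anything else is "unknown".
KNOWN_BUILDS = {(8, 0, 760): "SP3", (8, 0, 818): "post-SP3 hotfix"}

_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_text: str) -> Optional[Build]:
    """Pull (major, minor, build) out of '8.00.818' or the longer @@VERSION text."""
    match = _BUILD_RE.search(version_text)
    if match is None:
        return None
    major, minor, build = (int(g) for g in match.groups())
    return (major, minor, build)


def tcp_probe(host: str, port: int = SQL_TCP_PORT, timeout: float = 2.0) -> ProbeResult:
    """Default probe (assumed approach): plain TCP connect, no data sent.
    It cannot learn the build, so the version text stays None."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except OSError:
        return False, None


@dataclass
class HostReport:
    host: str
    exposed: bool
    build: Optional[Build]
    label: str
    below_baseline: Optional[bool]   # None when no build is known


def audit(hosts: Iterable[str], baseline: Build,
          probe: Callable[[str], ProbeResult] = tcp_probe) -> List[HostReport]:
    """Run the probe on each host and classify the result against the baseline."""
    reports = []
    for host in hosts:
        reachable, version_text = probe(host)
        build = parse_build(version_text) if version_text else None
        label = KNOWN_BUILDS.get(build, "unknown") if build else "n/a"
        below = (build < baseline) if build else None
        reports.append(HostReport(host, reachable, build, label, below))
    return reports


def exposed_hosts(reports: List[HostReport]) -> List[str]:
    return [r.host for r in reports if r.exposed]


def unpatched_hosts(reports: List[HostReport]) -> List[str]:
    return [r.host for r in reports if r.below_baseline]


# Constructed sample inventory: hypothetical addresses and version strings shaped
# like SQL Server 2000's @@VERSION output. The canned probe below returns these
# so the audit runs with no network access at all.
SAMPLE_INVENTORY = {
    "10.0.0.5": (True, "Microsoft SQL Server  2000 - 8.00.818 (Intel X86)"),
    "10.0.0.9": (True, "Microsoft SQL Server  2000 - 8.00.760 (Intel X86)"),
    "10.0.0.12": (False, None),   # port filtered: nothing reachable, nothing to classify
}


def sample_probe(host: str) -> ProbeResult:
    return SAMPLE_INVENTORY[host]


def run_sample(baseline: Build = (8, 0, 818)) -> List[HostReport]:
    """Audit the constructed inventory. 8.00.818 is the baseline here only
    because it is the newest build the thread names; pick your own in real use."""
    return audit(SAMPLE_INVENTORY, baseline, probe=sample_probe)


if __name__ == "__main__":
    for r in run_sample():
        status = "EXPOSED" if r.exposed else "filtered"
        print(f"{r.host:<10} {status:<9} build={r.build} ({r.label}) "
              f"below_baseline={r.below_baseline}")
```

Run against your own subnet, replace `sample_probe` with `tcp_probe` (or a probe that also runs an authenticated `SELECT @@VERSION`) and feed it the host list from your asset inventory. A host that shows up as reachable on 1433 but is not in the inventory is exactly the "MSDE you didn't know you had" case the thread describes; a host reachable from outside the firewall is the case the original post calls idiotic.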
 
 
 



Re: Securing MS-SQL port 1433 [WAS Re: Pro/Con Moving from MSSQL to MySQL]

2005-03-01 Thread Adrocknaphobia
Don't be security arrogant.

-Adam




Re: Securing MS-SQL port 1433 [WAS Re: Pro/Con Moving from MSSQL to MySQL]

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 09:30:41 -0500, Adrocknaphobia
[EMAIL PROTECTED] wrote:
> Don't be security arrogant.
>
> -Adam

Actually, it should be Don't be security *ignorant*.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



RE: Securing MS-SQL port 1433 [WAS Re: Pro/Con Moving from MSSQL to MySQL]

2005-03-01 Thread Dave Watts
> As an aside, there are *plenty* of ways to scan for open SQL
> Server ports on your network to find those MSDE installs, so
> I'll maintain that anyone with an unsecured SQL Server of any
> type is, in fact, and idiot.

That's all well and good, but many people using products which include MSDE
aren't network administrators, and don't know about port scanning or any
other things that network administrators might know about, and they
shouldn't have to know those things. Not knowing things like this doesn't
make one and idiot.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!




RE: Securing MS-SQL port 1433 [WAS Re: Pro/Con Moving from MSSQL to MySQL]

2005-03-01 Thread Robertson-Ravo, Neil (RX)
Agreed, that original statement reeks of idiocy itself.





Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 16:24:58 -, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
> Agreed, that original statement reeks of idiocy itself.

How many of your servers have open, externally accessible MS-SQL
ports? Maybe you should go open your MS-SQL box to the world because
you certainly wouldn't be an idiot to keep it open, right?

Ignoring *fundamental* security issues is, at best, negligent. Ignoring
known, common, dangerous, documented, publicized security issues seems
to me to count as idiotic, but you can call it poor practice,
negligent, a mistake or some other less offensive word if you need
to.

> From: Dave Watts [mailto:[EMAIL PROTECTED]
> > As an aside, there are *plenty* of ways to scan for open SQL
> > Server ports on your network to find those MSDE installs, so
> > I'll maintain that anyone with an unsecured SQL Server of any
> > type is, in fact, and idiot.
>
> That's all well and good, but many people using products which include MSDE
> aren't network administrators, and don't know about port scanning or any
> other things that network administrators might know about, and they
> shouldn't have to know those things. Not knowing things like this doesn't
> make one and idiot.

That's true, not and idiot, but an idiot :)

If they are putting a server on a naked Internet connection with an
external address, they certainly *should* be aware of basic security.
Even normal home users are aware of the need for firewall (and av)
software. A $40 dsl/cable/etc router contains a decent enough firewall
to protect a MS-SQL server behind it with no more work than plugging
it in and turning it on.

Seriously, running any externally facing app without basic security
precautions makes you *not* an idiot? The level of even basic
security-awareness should be part of every developer's toolbox -- at
least any one worth hiring. And the excuse that "I didn't know MSDE
was part of the application" or "I'm not a sysadmin" is a pretty poor
one. How hard is the Microsoft Baseline Security Analyzer to use? How
hard is it to read the docs?

Of course securing the port doesn't prevent weak passwords. Or the
possibility of SQL Injection attacks. Or any of a myriad other common
security weaknesses.

The assumption that "I didn't know" is an acceptable excuse relating
to security, whether it's configuration (e.g. firewall settings) or
code (e.g. SQL injection vulnerabilities) is a key reason why people
get cracked. And frankly, I care less about someone with poor security
getting hacked (something along the lines of "getting what you
deserve") than what their zombie server can do to my sites or one of
the sites I count on -- or about the consequences of the use/misuse of
my data they're storing.

When a security issue can affect *me*, then I've got a stake in making
sure people do the right thing -- I think security is black and white
(you don't see a Grey Hat security conference...) Maybe there are
varying *degrees* of security idiocy, but all things considered, I'll
err on the side of spending the time/money/effort on security instead
of taking the risk of being a victim of the "security is too hard"
syndrome.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196975
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54


Re: Securing MS-SQL port 1433

2005-03-01 Thread Adrocknaphobia
Do you even have your CISSP?

-Adam


On Tue, 1 Mar 2005 12:53:05 -0500, John Paul Ashenfelter
[EMAIL PROTECTED] wrote:
 On Tue, 1 Mar 2005 16:24:58 -, Robertson-Ravo, Neil (RX)
 [EMAIL PROTECTED] wrote:
  Agreed, that original statement reeks of idiocy itself.
 
 How many of your servers have open, externally accessible MS-SQL
 ports? Maybe you should go open your MS-SQL box to the world because
 you certainly wouldn't be an idiot to keep it open, right?
 
 Ignoring *fundamental* security issues is at best, negligent. Ignoring
 known, common, dangerous, documented, publicized security issues seems
 to me to count as idiotic but you can call it poor practice,
 negligent, a mistake or some other less offensive word if you need
 to.
 
  From: Dave Watts [mailto:[EMAIL PROTECTED]
   As an aside, there are *plenty* of ways to scan for open SQL
   Server ports on your network to find those MSDE installs, so
   I'll maintain that anyone with an unsecured SQL Server of any
   type is, in fact, and idiot.
 
  That's all well and good, but many people using products which include MSDE
  aren't network administrators, and don't know about port scanning or any
  other things that network administrators might know about, and they
  shouldn't have to know those things. Not knowing things like this doesn't
  make one and idiot.
 
 That's true, not and idiot, but an idiot :)
 
 If they are putting a server on a naked Internet connection with an
 external address, they certainly *should* be aware of basic security.
 Even normal home users are aware of the need for firewall (and av)
 software. A $40 dsl/cable/etc router contains a decent enough firewall
 to protect a MS-SQL server behind it with no more work than plugging
 it in and turning it on.
 
 Seriously, running any externally facing app without basic security
 precautions makes you *not* an idiot? The level of even basic
 security-awareness should be part of every developer's toolbox -- at
 least any one worth hiring. And the excuse that "I didn't know MSDE
 was part of the application" or "I'm not a sysadmin" is a pretty poor
 one. How hard is the Microsoft Baseline Security Analyzer to use? How
 hard is it to read the docs?
 
 Of course securing the port doesn't prevent weak passwords. Or the
 possibility of SQL Injection attacks. Or any of a myriad other common
 security weaknesses.
 
 The assumption that "I didn't know" is an acceptable excuse relating
 to security, whether it's configuration (e.g. firewall settings) or
 code (e.g. SQL injection vulnerabilities) is a key reason why people
 get cracked. And frankly, I care less about someone with poor security
 getting hacked (something along the lines of getting what you
 deserve) than what their zombie server can do to my sites or one of
 the sites I count on -- or about the consequences of the use/misuse of
 my data they're storing.
 
 When a security issue can affect *me*, then I've got a stake in making
 sure people do the right thing -- I think security is black and white
 (you don't see a Grey Hat security conference...) Maybe there are
 varying *degrees* of security idiocy, but all things considered, I'll
 err on the side of spending the time/money/effort on security instead
 of taking the risk of being a victim of the "security is too hard"
 syndrome.
 --
 John Paul Ashenfelter
 CTO/Transitionpoint
 (blog) http://www.ashenfelter.com
 (email) [EMAIL PROTECTED]
 
 



RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 How many of your servers have open, externally accessible 
 MS-SQL ports? Maybe you should go open your MS-SQL box to the 
 world because you certainly wouldn't be an idiot to keep it 
 open, right?
 
 Ignoring *fundamental* security issues is at best, negligent. 
 Ignoring known, common, dangerous, documented, publicized 
 security issues seems to me to count as idiotic but you can 
 call it poor practice, negligent, a mistake or some 
 other less offensive word if you need to.

I think you're missing my point. My servers are adequately secure because
it's my job to know how to secure them. But if you install any number of
third-party products that contain MSDE onto your desktop, are you an idiot
for (a) not being a network administrator, or (b) not being aware of
database server security? I would argue that the onus for security of
desktop applications is largely the responsibility of the creators of said
applications.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!




Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 14:32:04 -0500, Dave Watts [EMAIL PROTECTED] wrote:
  How many of your servers have open, externally accessible
  MS-SQL ports? Maybe you should go open your MS-SQL box to the
  world because you certainly wouldn't be an idiot to keep it
  open, right?
 
  Ignoring *fundamental* security issues is at best, negligent.
  Ignoring known, common, dangerous, documented, publicized
  security issues seems to me to count as idiotic but you can
  call it poor practice, negligent, a mistake or some
  other less offensive word if you need to.
 
 I think you're missing my point. My servers are adequately secure because
 it's my job to know how to secure them. But if you install any number of
 third-party products that contain MSDE onto your desktop, are you an idiot
 for (a) not being a network administrator, or (b) not being aware of
 database server security? I would argue that the onus for security of
 desktop applications is largely the responsibility of the creators of said
 applications.

I totally get that point. And I'll concede that MSDE may be installed
without your direct knowledge, though the lists I've seen of apps that
install MSDE are overwhelmingly enterprise/admin apps (and thus would
be installed either in a corporate environment with security/network
professionals, right?) One list is here:
http://www.sqlsecurity.com/applicationslistgridall.aspx. And the
(admittedly only 2) of these manufacturers that I've dealt with for
MSDE-related software issued advisories to their clients about
installing SP3 for MSDE.

The onus of responsibility has to be shared in any nontrivial
application between the creators and the implementors. Unfortunately
for the creators of apps based on MSDE, there was a flaw in one of
their components (MSDE) that they had no direct control over. This
happens -- and is endemic to every level of the software stack -- so
implementors unfortunately need to take proactive steps to
mitigate risk.

Consider the Feb batch of Microsoft monthly security updates (which
made NPR Morning Edition among other popular media outlets) -- is a
company that built an application that's deployed on a vulnerable
Windows platform stupid for using Windows? No (despite the cries from
the Linux folks...) But take a look at that batch of security updates
-- if you read them, the bulk of them are mitigated by using a firewall.
That's not significantly different than the MS-SQL/MSDE vulnerability
that Slammer took advantage of. *Knowing* that there are an unknown number
of potential exploits in the os, application, etc, you reduce your
risk by following basic security practices. So while you should
probably apply any of the patches relating to services you use,
there's no need to panic while you do if you've already done some
basic mitigation.

So no, you don't need to be (a) a network administrator or (b) aware
of database security to reduce your risk of exposure to security
issues. You simply need to take some basic precautions (relating to
the triumvirate of anti-virus, firewall, and potentially spyware) that
are basic to the reality of the Internet. As an aside, Slashdot today
ran a link 
(http://it.slashdot.org/article.pl?sid=05/02/28/2228245&tid=172&tid=218)
about a test of 6 computers being attached unprotected to the Internet
for a week which probably doesn't point out any new information, but
is interesting in the context of this discussion.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 14:12:11 -0500, Adrocknaphobia
[EMAIL PROTECTED] wrote:
 Do you even have your CISSP?
 
 -Adam

I need a CISSP to understand *basic* security precautions? Like using
a firewall? No, I don't have a CISSP -- nor is a certification
directly relevant to the discussion (though I think CISSP is one of
the better certifications there is as far as rigor and value).

What I do have is the experience of managing a datacenter containing a
heterogeneous mix of Linux and Windows servers of varying versions for
6 years, not to mention handling or securing the on-site and colo
networks for around a dozen clients. I don't do anything fancy -- PIX
firewalls on the outside, software firewalls on key internal boxes, a
little bit of appropriate VLAN segregation, ssh and VPNs where
appropriate. And then simple monitoring and an occasional run of
Nessus to ensure things are still tight. And keeping abreast of the
security fixes/bulletins for the key software I run.

I have, however, seen numerous folks cracked -- specifically Windows
folks (probably b/c more clients locally use Windows). I've seen one
client with a Win NT 4 SP4 server running naked (no firewall) with FTP
enabled get turned into a porn DVD server. I've seen the Biz School at
a major university be brought to its knees TWICE by Windows worms. And
I've seen the CTO of a startup bring in Slammer to the *inside* of
their network on a laptop... contracted even though he's on dialup at
home... In all of these cases, basic firewall rules would have
prevented the incident.

Hopefully those of you who are CISSP will be doing something a little
more sophisticated than arguing that a firewall is a good thing.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



RE: Securing MS-SQL port 1433

2005-03-01 Thread Russ
I totally agree, it's the responsibility of the network administrator to
make sure that the desktop computers are behind a firewall, and therefore
don't have any open ports.  This way even if users have MSDE on their
computer without their knowledge, it won't be open to the world (And now you
only need to worry about somebody bringing in an infected laptop or having
their home pc infected and using the VPN, or an insider attack...) 

Russ

-Original Message-
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 01, 2005 3:16 PM
To: CF-Talk
Subject: Re: Securing MS-SQL port 1433

On Tue, 1 Mar 2005 14:32:04 -0500, Dave Watts [EMAIL PROTECTED] wrote:
  How many of your servers have open, externally accessible
  MS-SQL ports? Maybe you should go open your MS-SQL box to the
  world because you certainly wouldn't be an idiot to keep it
  open, right?
 
  Ignoring *fundamental* security issues is at best, negligent.
  Ignoring known, common, dangerous, documented, publicized
  security issues seems to me to count as idiotic but you can
  call it poor practice, negligent, a mistake or some
  other less offensive word if you need to.
 
 I think you're missing my point. My servers are adequately secure because
 it's my job to know how to secure them. But if you install any number of
 third-party products that contain MSDE onto your desktop, are you an idiot
 for (a) not being a network administrator, or (b) not being aware of
 database server security? I would argue that the onus for security of
 desktop applications is largely the responsibility of the creators of said
 applications.

I totally get that point. And I'll concede that MSDE may be installed
without your direct knowledge, though the lists I've seen of apps that
install MSDE are overwhelmingly enterprise/admin apps (and thus would
be installed either in a corporate environment with security/network
professionals, right?) One list is here:
http://www.sqlsecurity.com/applicationslistgridall.aspx. And the
(admittedly only 2) of these manufacturers that I've dealt with for
MSDE-related software issued advisories to their clients about
installing SP3 for MSDE.

The onus of responsibility has to be shared in any nontrivial
application between the creators and the implementors. Unfortunately
for the creators of apps based on MSDE, there was a flaw in one of
their components (MSDE) that they had no direct control over. This
happens -- and is endemic to every level of the software stack -- so
implementors unfortunately need to take proactive steps to
mitigate risk.

Consider the Feb batch of Microsoft monthly security updates (which
made NPR Morning Edition among other popular media outlets) -- is a
company that built an application that's deployed on a vulnerable
Windows platform stupid for using Windows? No (despite the cries from
the Linux folks...) But take a look at that batch of security updates
-- if you read them, the bulk of them are mitigated by using a firewall.
That's not significantly different than the MS-SQL/MSDE vulnerability
that Slammer took advantage of. *Knowing* that there are an unknown number
of potential exploits in the os, application, etc, you reduce your
risk by following basic security practices. So while you should
probably apply any of the patches relating to services you use,
there's no need to panic while you do if you've already done some
basic mitigation.

So no, you don't need to be (a) a network administrator or (b) aware
of database security to reduce your risk of exposure to security
issues. You simply need to take some basic precautions (relating to
the triumvirate of anti-virus, firewall, and potentially spyware) that
are basic to the reality of the Internet. As an aside, Slashdot today
ran a link
(http://it.slashdot.org/article.pl?sid=05/02/28/2228245&tid=172&tid=218)
about a test of 6 computers being attached unprotected to the Internet
for a week which probably doesn't point out any new information, but
is interesting in the context of this discussion.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]





RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 I totally get that point. And I'll concede that MSDE may be 
 installed without your direct knowledge, though the lists 
 I've seen of apps that install MSDE are overwhelmingly 
 enterprise/admin apps (and thus would be installed either in 
 a corporate environment with security/network professionals, 
 right?)

Lots of things get installed in environments without security/network
professionals. I mean, Visio, for crying out loud?

 The onus of responsibility has to be shared in any nontrivial 
 application between the creators and the implementors. 
 Unfortunately for the creators of apps based on MSDE, there 
 was a flaw in one of their components (MSDE) that they had no 
 direct control over. This happens -- and is endemic to every 
 level of the software stack -- so implementors 
 unfortunately need to take proactive steps to mitigate risk.

This is simply not correct with regard to MSDE. You can configure many
aspects of how MSDE is installed when it's bundled with another application,
such as which network protocols are used, which ports are used, what kind of
authentication is used, and so on. For example, if you plan to use it with
your bundled application, why listen on TCP/IP at all unless your
application is incapable of using Named Pipes or Shared Memory?

You seem too quick to absolve blame in the group of people who can most
easily mitigate these sorts of problems, and equally quick to assign it to
the group least able to protect themselves.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!




Re: Securing MS-SQL port 1433

2005-03-01 Thread Adrocknaphobia
I'm just trying to figure out where you get off calling someone an
idiot. This isn't an information security newsgroup. I thought maybe
you were a subject expert, but you dont have your CISSP... So
basically, you are just some guy on _COLDFUSION_ list annoying (and
insulting) people with the stereotypical MS security rant.

Exactly what is the point of your thread again?

-Adam

On Tue, 1 Mar 2005 15:32:27 -0500, John Paul Ashenfelter
[EMAIL PROTECTED] wrote:
 On Tue, 1 Mar 2005 14:12:11 -0500, Adrocknaphobia
 [EMAIL PROTECTED] wrote:
  Do you even have your CISSP?
 
  -Adam
 
 I need a CISSP to understand *basic* security precautions? Like using
 a firewall? No, I don't have a CISSP -- nor is a certification
 directly relevant to the discussion (though I think CISSP is one of
 the better certifications there is as far as rigor and value).
 
 What I do have is the experience of managing a datacenter containing a
 heterogeneous mix of Linux and Windows servers of varying versions for
 6 years, not to mention handling or securing the on-site and colo
 networks for around a dozen clients. I don't do anything fancy -- PIX
 firewalls on the outside, software firewalls on key internal boxes, a
 little bit of appropriate VLAN segregation, ssh and VPNs where
 appropriate. And then simple monitoring and an occasional run of
 Nessus to ensure things are still tight. And keeping abreast of the
 security fixes/bulletins for the key software I run.
 
 I have, however, seen numerous folks cracked -- specifically Windows
 folks (probably b/c more clients locally use Windows). I've seen one
 client with a Win NT 4 SP4 server running naked (no firewall) with FTP
 enabled get turned into a porn DVD server. I've seen the Biz School at
 a major university be brought to its knees TWICE by Windows worms. And
 I've seen the CTO of a startup bring in Slammer to the *inside* of
 their network on a laptop... contracted even though he's on dialup at
 home... In all of these cases, basic firewall rules would have
 prevented the incident.
 
 Hopefully those of you who are CISSP will be doing something a little
 more sophisticated than arguing that a firewall is a good thing.
 
 --
 John Paul Ashenfelter
 CTO/Transitionpoint
 (blog) http://www.ashenfelter.com
 (email) [EMAIL PROTECTED]
 
 



RE: Securing MS-SQL port 1433

2005-03-01 Thread Robertson-Ravo, Neil (RX)
I would say NONE - all of the SQL boxes we have (and we have thousands) are
a) protected with hardware and software security.  They are all patched to
the highest degree (where needs be, as not all servers require all patches
for loopholes and indeed some cannot have them).

Let me ask you, what version of SQL are you running? 8.00.818? If you are
then you are not secure.

Note you do not have to patch all risks if the risk is low  - for example
there may be an issue where a malicious user could access your server but
its only a problem/issue if the malicious user can gain access to it...



-Original Message-
From: John Paul Ashenfelter [mailto:[EMAIL PROTECTED] 
Sent: 01 March 2005 17:53
To: CF-Talk
Subject: Re: Securing MS-SQL port 1433

On Tue, 1 Mar 2005 16:24:58 -, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
 Agreed, that original statement reeks of idiocy itself.

How many of your servers have open, externally accessible MS-SQL
ports? Maybe you should go open your MS-SQL box to the world because
you certainly wouldn't be an idiot to keep it open, right?

Ignoring *fundamental* security issues is at best, negligent. Ignoring
known, common, dangerous, documented, publicized security issues seems
to me to count as idiotic but you can call it poor practice,
negligent, a mistake or some other less offensive word if you need
to.

 From: Dave Watts [mailto:[EMAIL PROTECTED]
  As an aside, there are *plenty* of ways to scan for open SQL
  Server ports on your network to find those MSDE installs, so
  I'll maintain that anyone with an unsecured SQL Server of any
  type is, in fact, and idiot.
 
 That's all well and good, but many people using products which include
MSDE
 aren't network administrators, and don't know about port scanning or any
 other things that network administrators might know about, and they
 shouldn't have to know those things. Not knowing things like this doesn't
 make one and idiot.

That's true, not and idiot, but an idiot :)

If they are putting a server on a naked Internet connection with an
external address, they certainly *should* be aware of basic security.
Even normal home users are aware of the need for firewall (and av)
software. A $40 dsl/cable/etc router contains a decent enough firewall
to protect a MS-SQL server behind it with no more work than plugging
it in and turning it on.

Seriously, running any externally facing app without basic security
precautions makes you *not* an idiot? The level of even basic
security-awareness should be part of every developer's toolbox -- at
least any one worth hiring. And the excuse that "I didn't know MSDE
was part of the application" or "I'm not a sysadmin" is a pretty poor
one. How hard is the Microsoft Baseline Security Analyzer to use? How
hard is it to read the docs?

Of course securing the port doesn't prevent weak passwords. Or the
possibility of SQL Injection attacks. Or any of a myriad other common
security weaknesses.

The assumption that "I didn't know" is an acceptable excuse relating
to security, whether it's configuration (e.g. firewall settings) or
code (e.g. SQL injection vulnerabilities) is a key reason why people
get cracked. And frankly, I care less about someone with poor security
getting hacked (something along the lines of getting what you
deserve) than what their zombie server can do to my sites or one of
the sites I count on -- or about the consequences of the use/misuse of
my data they're storing.

When a security issue can affect *me*, then I've got a stake in making
sure people do the right thing -- I think security is black and white
(you don't see a Grey Hat security conference...) Maybe there are
varying *degrees* of security idiocy, but all things considered, I'll
err on the side of spending the time/money/effort on security instead
of taking the risk of being a victim of the "security is too hard"
syndrome.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]





Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 20:53:13 -, Robertson-Ravo, Neil (RX)
[EMAIL PROTECTED] wrote:
 I would say NONE - all of the SQL boxes we have (and we have thousands) are
 a) protected with hardware and software security.  They are all patched to
 the highest degree (where needs be, as not all servers require all patches
 for loopholes and indeed some cannot have them).

Great! So by hardware and software security I'll take a stab at
translating that as at least a firewall. So far we're in agreement.
Remember, this started b/c I said anyone who left port 1433 open was
an idiot -- now we're into discussing how to assess the risk from a
specific vulnerability (choosing which patches to apply) and which
service pack which *are* (potentially) past the normal desktop user's
area of responsibility.
 
 Let me ask you, what version of SQL are you running? 8.00.818?

Actually, yes I am on my production servers. My clients are a mix of
.818 (post-SP3 hotfix) and .760 (SP3). And to be completely fair, my
laptop actually runs 8.00.760 (with Named Pipes disabled).
 
 Note you do not have to patch all risks if the risk is low  - for example
 there may be an issue where a malicious user could access your server but
 its only a problem/issue if the malicious user can gain access to it...

Agreed -- whether it's MS-SQL or Windows (or Linux or CF or whatever)
you don't have to immediately apply patches if you're not vulnerable
to the issue. As I've said, I run my laptop in *horrors* SP3 instead
of the post-SP3 hotfix -- upgrading wasn't worth the risk (though when
I build a new box, it goes to .818 by default)
 

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]



Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 15:46:51 -0500, Adrocknaphobia
[EMAIL PROTECTED] wrote:
 I'm just trying to figure out where you get off calling someone an
 idiot. This isn't an information security newsgroup. I thought maybe
 you were a subject expert, but you dont have your CISSP... So
 basically, you are just some guy on _COLDFUSION_ list annoying (and
 insulting) people with the stereotypical MS security rant.

I don't think it requires a CISSP to know that a firewall is a good
idea -- we're not talking esoteric software/hardware security here. I
think knowing that a firewall is a good idea is an example of common
knowledge -- not something reserved for folks with a CISSP. If that's
*not* the case, if you're saying that a typical COLDFUSION programmer
doesn't know basic security considerations (lock down ports you don't
want attacked) which for example, my 62-year-old mother-in-law is
aware of, then we're in real trouble.

And *horrors* -- a post on the ColdFusion list covering MS-SQL and
firewalling?!?? Or one that annoys or insults some people? Clearly I'm
breaking new ground here :)

As an aside, how is this a stereotypical MS rant? I'll say the same
thing about MySQL (block port 3306). Or making sure your Apache is
running the point releases that handle the buffer overrun issues.
 
 Exactly what is the point of your thread again?

My point is that if you're not blocking external (e.g. TCP/IP) access
to your MS-SQL Server, then you're an idiot.

 (see http://dictionary.reference.com/search?q=idiot, particularly the
first definition -- A foolish or stupid person).

If you're not taking basic precautions with your SQL Server (or any
similar tool), you're a danger to your employer, you're a danger to
anyone on your subnet (nothing like being on the same gateway as a box
or two saturating the pipe with a zombie process), you're a danger to
your customers, and you're a danger to anyone a cracker who takes over
your box cares to target with spam, DOS, etc.

I think that perfectly qualifies as a foolish ... person.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197023


Re: Securing MS-SQL port 1433

2005-03-01 Thread Adrocknaphobia
IMO if you are so serious about security you should a) put your DB
servers on their own network with a firewall between them and everything
else and b) use Oracle.

Contracting a virus or having your server turned into a porn FTP
server are the least of concerns in the corporate world. Worst case
scenario there is a temporary loss of service until the servers can be
rebuilt.

The primary concern should be in preventing hack attempts where
private information and trade secrets can be stolen. This is where the
result can cost the company money. These vulnerabilities reside in the
applications themselves. Your firewall will do little to prevent this.

Even if someone broke into our datacenter, and managed to log on as
an administrator to our web servers or database server, they could do
nothing more because the applications themselves are secure.

Application security is the cornerstone of information security. Not
firewalls and routers.

-Adam


On Tue, 1 Mar 2005 16:52:40 -0500, John Paul Ashenfelter
[EMAIL PROTECTED] wrote:
 On Tue, 1 Mar 2005 20:53:13 -, Robertson-Ravo, Neil (RX)
 [EMAIL PROTECTED] wrote:
   I would say NONE - all of the SQL boxes we have (and we have thousands) are
  a) protected with hardware and software security.  They are all patched to
  the highest degree (where needs be, as not all servers require all patches
  for loopholes and indeed some cannot have them).
 
 Great! So by hardware and software security I'll take a stab at
 translating that as at least a firewall. So far we're in agreement.
 Remember, this started b/c I said anyone who left port 1433 open was
 an idiot -- now we're into discussing how to assess the risk from a
 specific vulnerability (choosing which patches to apply) and which
 service pack which *are* (potentially) past the normal desktop user's
 area of responsibility.
 
  Let me ask you, what version of SQL are you running? 8.00.818?
 
 Actually, yes I am on my production servers. My clients are a mix of
 .818 (post-SP3 hotfix) and .760 (SP3). And to be completely fair, my
 laptop actually runs 8.00.760 (with Named Pipes disabled).
 
  Note you do not have to patch all risks if the risk is low - for example
  there may be an issue where a malicious user could access your server but
  it's only a problem/issue if the malicious user can gain access to it...
 
 Agreed -- whether it's MS-SQL or Windows (or Linux or CF or whatever)
 you don't have to immediately apply patches if you're not vulnerable
 to the issue. As I've said, I run my laptop in *horrors* SP3 instead
 of the post-SP3 hotfix -- upgrading wasn't worth the risk (though when
 I build a new box, it goes to .818 by default)
 
 
 --
 John Paul Ashenfelter
 CTO/Transitionpoint
 (blog) http://www.ashenfelter.com
 (email) [EMAIL PROTECTED]
 
 

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197029


RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 If they are putting a server on a naked Internet connection 
 with an external address, they certainly *should* be aware of 
 basic security.
 Even normal home users are aware of the need for firewall 
 (and av) software. A $40 dsl/cable/etc router contains a 
 decent enough firewall to protect a MS-SQL server behind it 
 with no more work than plugging it in and turning it on.

Sure, that's one thing. So Joe Home User goes out and buys a $50 wireless
router which blocks external access, but allows internal access to other
machines connecting through WiFi. He plugs it into his cable modem and he's
all set, until his next-door neighbor infects his machine by connecting to it
through the open-by-default wireless connection! D'oh! I guess he's just an
idiot, because he doesn't know how TCP/IP works. Too bad he installed Visio
Enterprise so he could work on flow charts at home. How could anyone be so
dumb?

I've got news for you. Most people don't know how TCP/IP works. And if they
have to know that in order to use a PC, something is radically wrong with
PCs.

 Seriously, running any externally facing app without basic 
 security precautions makes you *not* an idiot? The level of 
 even basic security-awareness should be part of every 
 developer's toolbox -- at least any one worth hiring. And the 
 excuse that I didn't know MSDE was part of the application 
 or I'm not a sysadmin is a pretty poor one. How hard is the 
 Microsoft Baseline Security Analyzer to use? How hard is it 
 to read the docs?

Who said anything about developers? Again, there are plenty of applications
with vulnerabilities, and these may be run by people other than developers.
Oh, and that list of apps that use MSDE is woefully incomplete, by the way.
I've worked with several applications that (a) aren't on the list and (b)
install MSDE without notifying the user.

 The assumption that I didn't know is an acceptable excuse 
 relating to security, whether it's configuration (e.g. 
 firewall settings) or code (e.g. SQL injection 
 vulnerabilities) is a key reason why people get cracked. And 
 frankly, I care less about someone with poor security getting 
 hacked (something along the lines of getting what you
 deserve) than what their zombie server can do to my sites or 
 one of the sites I count on -- or about the consequences of 
 the use/misuse of my data they're storing.

If I leave my front door open and someone walks in and bops me on the head,
did I get what I deserve? Why is this any different?

 When a security issue can affect *me*, then I've got a stake 
 in making sure people do the right thing -- I think security 
 is black and white (you don't see a Grey Hat security 
 conference...) Maybe there are varying *degrees* of security 
 idiocy, but all things considered, I'll err on the side of 
 spending the time/money/effort on security instead of taking 
 the risk of being a victim of the security is too hard
 syndrome.

Your efforts would be better spent on the developers of insecure
applications, if for no other reason than it's a smaller dataset.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197053


RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 IMO if you are so serious about security you should a) put 
 your DB servers on their own network with a firewall between 
 them and everything else and b) use Oracle.

There are plenty of Oracle vulnerabilities - just ask Dave Litchfield.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197054


RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 My point is that if you're not blocking external (e.g. 
 TCP/IP) access to your MS-SQL Server, then you're an idiot.
 
  (see http://dictionary.reference.com/search?q=idiot, 
 particularly the first definition -- A foolish or stupid person).
 
 If you're not taking basic precautions with your SQL Server 
 (or any similar tool), you're a danger to your employer, 
 you're a danger to anyone on your subnet (nothing like being 
 on the same gateway as a box or two saturating the pipe with 
 a zombie process), you're a danger to your customers, and 
 you're a danger to anyone a cracker who takes over your box 
 cares to target with spam, DOS, etc.
 
 I think that perfectly qualifies as a foolish ... person.

I submit that the truly foolish person here is the one who expects everyone
who uses a computer to also understand network security issues. But good
luck with that, ok?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197055


Securing your app [WAS Re: Securing MS-SQL port 1433]

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 17:24:25 -0500, Adrocknaphobia
[EMAIL PROTECTED] wrote:
 IMO if you are so serious about security you should a) put your DB
 servers on their own network with a firewall between them and everything
 else and b) use Oracle.

I am totally in agreement with (a) -- multilayered security is much
more robust than a single layer, though it's more of a PITA. That's
the normal security tradeoff -- pain, annoyance, and inconvenience
seem to be directly (or possibly exponentially) related to security.

I think (b) is less clear-cut. If you've got an experienced Oracle
DBA (which is a virtual requirement for a serious Oracle installation)
then you're in good shape. One problem w/ MS-SQL is that (like many
Microsoft products) it's easy to set up -- securing it is a
different animal altogether. Thankfully, MS made the default install
of IIS6 more secure, has created tools like the MBSA to help evaluate
SQL Server installations, and published whitepapers on how to secure
the default install which even a non-CISSP, non-MS-SQL DBA should be
able to follow.

And since we've been pounding on MS-SQL, let's be fair and mention the
default configuration out of the box for MySQL. Argghh!
 
 Contracting a virus or having your server turned into a porn FTP
 server are the least of concerns in the corporate world. Worst case
 scenario there is a temporary loss of service until the servers can be
 rebuilt.

Depends on where your business value resides. If you provide content
to libraries and you're suddenly serving porn instead of your
collection of translated works of Aristotle, your business is being
damaged fairly severely, regardless of the downtime to switch over to
your redundant backup site (or rebuild the box -- whichever). Loosing
a worm on the corporate network that affects your internal database
servers that are not even connected to the internet, well that's just
bad too -- especially if you're running something like Great Plains or
Solomon internally...

Of course then there's the downtime of the corporate systems to
*install* the patches in the first place. Rock, hard place.
 
 The primary concern should be in preventing hack attempts where
 private information and trade secrets can be stolen. This is where the
 result can cost the company money. These vulnerabilities reside in the
 applications themselves. Your firewall will do little to prevent this.

And now we're in a whole different type of security discussion -- and
a more valuable one. Firewalls are simply one layer in a multilayer
defense. SQL injection attacks can cause serious damage and are one of
the best examples in the CF world of application-oriented (and far too
common, yet generally easily preventable) security vulnerabilities.
 
 Even if someone broke into our datacenter, and managed to log on as
 an administrator to our web servers or database server, they could do
 nothing more because the applications themselves are secure.

Without starting another long thread about it, if someone is in your
data center you've got problems. If they are after your data and have
*physical* access there's always a chance they can get your data,
assuming they are willing to spend the money on it. Just like physical
security, data security is all about making the cost of getting the
data more than the data is worth. Sounds like you're doing a fine job.
 
 Application security is the cornerstone of information security. Not
 firewalls and routers.

No doubt. But for multi-tier web applications, the security of each
individual application, from the OS right up through the code your
developers are writing is part of the application that needs to be
secured. Many of the most common vulnerabilities that I've seen
exploited happen at the interface between two tiers or applications,
which is exactly why a CF developer needs to be at least vaguely aware
of MS-SQL security issues (e.g. does the user the application runs
as *really* need to be dbo?) for example.

All a firewall does is prevent socket connections; all a router does
is route packets (ok, many of these devices are now multifunction, but
that's an aside). Layer 5-7 firewalls actually do some more
interesting work to protect your *application* but in any case it's all
about controlling which packets get to the box. Securing the allowed
behavior of packets that reach the application is another issue
entirely...

 
 On Tue, 1 Mar 2005 16:52:40 -0500, John Paul Ashenfelter
 [EMAIL PROTECTED] wrote:
  On Tue, 1 Mar 2005 20:53:13 -, Robertson-Ravo, Neil (RX)
  [EMAIL PROTECTED] wrote:
   I would say NONE - all of the SQL boxes we have (and we have thousands) are
   a) protected with hardware and software security.  They are all patched to
   the highest degree (where needs be, as not all servers require all patches
   for loopholes and indeed some cannot have them).
 
  Great! So by hardware and software security I'll take a stab at
  translating that as at least a firewall. So far we're in 
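
The two application-tier points made above (SQL injection being "easily preventable", and whether the account the application runs as really needs to be dbo) as an added, self-contained illustration; this is example code written for this archive, not code from the thread or from ColdFusion or SQL Server. It uses Python's built-in sqlite3 with a constructed three-row table: the same lookup is written once by string concatenation and once with a bound parameter (cfqueryparam plays the parameter role in CF), and the application connection is made read-only with SQLite's `PRAGMA query_only`, which stands in here for a non-dbo login and is an analogue, not SQL Server's own role model.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny customer table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_app_connection():
    """Build an in-memory database and return the connection the
    application tier would use. After loading the data the connection is
    switched to read-only: an analogue of a database login that is not
    dbo (the "does it really need to be dbo?" question)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    # SQLite's least-privilege knob: any INSERT/UPDATE/DELETE/DROP now fails.
    conn.execute("PRAGMA query_only = 1")
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input pasted straight into the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value is bound as a parameter and is never parsed as
    SQL, whatever characters it contains."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare_lookups():
    """Run both lookups with a normal value and with the textbook
    tautology input, returning the row counts each one produces."""
    conn = make_app_connection()
    legit = "alice"
    hostile = "x' OR '1'='1"  # turns the WHERE clause into "always true"
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "parameterized_legit": len(lookup_parameterized(conn, legit)),
        "parameterized_hostile": len(lookup_parameterized(conn, hostile)),
    }


def write_blocked_under_least_privilege():
    """Even if an injection slips through, a connection without write
    rights limits the damage: this UPDATE is refused by the database."""
    conn = make_app_connection()
    try:
        conn.execute("UPDATE customers SET email = 'changed'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(compare_lookups())
    print("write blocked:", write_blocked_under_least_privilege())
```

The concatenated query returns all three rows for the tautology input while the parameterized one returns none, which is the whole point of the "easily preventable" remark; the read-only connection shows the second layer: a least-privilege account cannot undo the damage of the first mistake, but it caps it.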

Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 20:01:13 -0500, Dave Watts [EMAIL PROTECTED] wrote:
  IMO if you are so serious about security you should a) put
  your DB servers on their own network with a firewall between
  them and everything else and b) use Oracle.
 
 There are plenty of Oracle vulnerabilities - just ask Dave Litchfield.

And, for the record, so does MySQL. Considering there are three major
versions frequently used in production (3.23.x, 4.0.x, and 4.1.x)
it can be a minefield.

Oh, and PostgreSQL. And DB2. And Sybase. 

Let's just say all of them have vulnerabilities. The best thing I'll
say about Oracle is that you almost *have* to have a certified Oracle
DBA, so odds are your install will be fairly secure. MySQL,
PostgreSQL, MS-SQL -- it's a lot more common to have the sysadmin or
one of the developers roleplay as the DBA with varying degrees of
success from a security perspective.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197059


Re: Securing MS-SQL port 1433

2005-03-01 Thread John Paul Ashenfelter
On Tue, 1 Mar 2005 20:00:28 -0500, Dave Watts [EMAIL PROTECTED] wrote:

  Even normal home users are aware of the need for firewall
  (and av) software. A $40 dsl/cable/etc router contains a
  decent enough firewall to protect a MS-SQL server behind it
  with no more work than plugging it in and turning it on.
 
 Sure, that's one thing. So Joe Home User goes out and buys a $50 wireless
 router which blocks external access, but allows internal access to other
 machines connecting through WiFi. He plugs it into his cable modem and he's
 all set, until his next-door neighbor infects his machine by connecting to it
 through the open-by-default wireless connection! D'oh! I guess he's just an
 idiot, because he doesn't know how TCP/IP works. Too bad he installed Visio
 Enterprise so he could work on flow charts at home. How could anyone be so
 dumb?

If someone's installing Visio Enterprise to work on flowcharts at
home, they probably got it from work. Licensing issues aside (since
we'll assume they're good there) then their home box gets hosed. PITA,
but not much impact on the business. If it's a work laptop, then their
security officer/sysadmin should be having a discussion with them
about a number of aspects relating to security. Even if they're
running WPA at home, they're potentially screwed as soon as they hit
the coffee shop's open router to get some work done while they're on a
business trip. Or as soon as they VPN into the office with their
infected box...

How is this any different than the corporate education about opening
attachments (bad) and phishing (bad)? Most people, I'd put forth, *do*
know that the internet isn't all that safe and they should be running
a firewall. WinXP SP2 finally has it built in, for gosh sakes.
 
 I've got news for you. Most people don't know how TCP/IP works. And if they
 have to know that in order to use a PC, something is radically wrong with
 PCs.

Why would they have to know how TCP/IP works? Do they have to know how
VBScript and ActiveX work to be aware that they should be running
antivirus software? Or do they just need to be aware of the risk?
 
 Who said anything about developers? Again, there are plenty of applications
 with vulnerabilities, and these may be run by people other than developers.
 Oh, and that list of apps that use MSDE is woefully incomplete, by the way.
 I've worked with several applications that (a) aren't on the list and (b)
 install MSDE without notifying the user.

It's fair that that's an incomplete list. I'd venture that there isn't
one single list of every commercial app running MSDE.
 
  The assumption that I didn't know is an acceptable excuse
  relating to security, whether it's configuration (e.g.
  firewall settings) or code (e.g. SQL injection
  vulnerabilities) is a key reason why people get cracked. And
  frankly, I care less about someone with poor security getting
  hacked (something along the lines of getting what you
  deserve) than what their zombie server can do to my sites or
  one of the sites I count on -- or about the consequences of
  the use/misuse of my data they're storing.
 
 If I leave my front door open and someone walks in and bops me on the head,
 did I get what I deserve? Why is this any different?

Actually, I think the answer to your question is yes, you did have
something happen to you that was completely avoidable and probably
deserve it. You chose to keep your door open when there's a high
likelihood of attack (we're comparing to the security of the internet,
remember). I think the analogy is more akin to having homeowners'
insurance: sure, odds are low your house will burn down, but when it
does (or speaking to more personal experience, when trees split your
roof in two consecutive hurricanes) you're going to feel pretty good
you took some basic precautions. No one hopes to use their insurance,
but nearly everyone gets it -- it's just what you do (or in the case
of a mortgage, are required to do) to mitigate your risk. Same with
antivirus, same with a basic firewall.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197060


RE: Securing MS-SQL port 1433

2005-03-01 Thread Dave Watts
 If someone's installing Visio Enterprise to work on 
 flowcharts at home, they probably got it from work. 
 Licensing issues aside (since we'll assume they're good 
 there) then their home box gets hosed. PITA, but not much 
 impact on the business.

My point has nothing to do with impact on the business. You stated that
anyone running an unprotected SQL Server was an idiot. I took issue with
that, and provided a counterexample. It's as simple as that.

 How is this any different than the corporate education about 
 opening attachments (bad) and phishing (bad)? Most people, 
 I'd put forth, *do* know that the internet isn't all that 
 safe and they should be running a firewall. WinXP SP2 finally 
 has it built in, for gosh sakes.

While most people may know that they should be running a firewall, I doubt
very much that most of these people even know what a firewall is. And when
their system pops up a little message saying do you want to allow traffic
from [socket 1] to [socket 2], they'll click the OK button in many cases
even if they don't know the import of their actions. And again, your analogy
with corporate education about attachments just highlights the idiocy of our
industry - we find it more efficient to train untold thousands of people not
to double-click something, rather than design a safe system in the first
place! If we built cars, we'd tell people don't drive downhill because the
brakes don't work, rather than just fixing the damn brakes. How idiotic is
that?

 Actually, I think the answer to your question is yes, you did 
 have something happen to you that was completely avoidable 
 and probably deserve it. You chose to keep your door open 
 when there's a high likelihood of attack (we're comparing to 
 the security of the internet, remember).

You have a peculiar way of defining 'deserved'.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197061