473,839 Members | 1,330 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

MSDE - security issues while on cable modem?

I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable. Any thoughts one this? Does anyone
know if running if at home could cause an open door to exist through
which others might "make themselves at home"?

Thanks
Nov 12 '05 #1
6 1950
On 22 Dec 2003 09:01:08 -0800, jm***@yahoo.com (jmev7) wrote:

There are much better newsgroups than CDMA to discuss this.
My personal view: after using the IIS lockdown tool, and after using a
firewall that closes all ports except for a few I need to have open,
and after regularly applying all security patches MSFT releases, I
feel pretty safe.
But then I don't have a lot of sensitive information. If I did, I
would hire people to advise me further, perform penetration testing,
etc.

-Tom.
I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable. Any thoughts one this? Does anyone
know if running if at home could cause an open door to exist through
which others might "make themselves at home"?

Thanks


Nov 12 '05 #2
jm***@yahoo.com (jmev7) wrote in
<c7************ **************@ posting.google. com>:
I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable. Any thoughts one this?
Does anyone know if running if at home could cause an open door to
exist through which others might "make themselves at home"?


Well, turn off the IIS system service and turn off MSDE. If you
must have a web server, try Apache, which has no such
vulnerabilities . If you must have MSDE, make sure you have a strong
password for the administrator account. If you're connected to a
broadband connection, use an inexpensive broadband router with NAT.
This will basically prevent any external exploit (though it will
still allow Trojans to get out). If you're connected directly to
the broadband network, you *must* have a software firewall, and set
it to refuse all non-authorized connections. I'm out of date on the
best firewalls, as I've been using Tiny Personal Firewall forever,
which works very well. It's been replaced by a commercial version
that, in my opinion, is not as good. A software firewall allows you
to completely control traffic in and out, authorizing which
applications can communicate.

You'll probably want to block the port for SQL Server (which I've
forgotten -- 1362?), and if you're running a web server for local
use, you'll want to block port 80 for incoming connections (or, all
ports for incoming connections).

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #3
I assume you are using NT4, 2k, or XP since you may be using IIS. Do you
actually develop with IIS/MSDE? If not, set the services to "Disabled". If
you do use them, then...

The port for sql/msde is 1433 by default, which can be altered for increased
invisibility. You should install the msde service pack from Microsoft if
you are not blocking the port and plan to communicate with that port
externally. Setup good password(s) (it's strongly encouraged by the
installer program during installation), especially for the sa login.

There is no reason to feel discomfort, especially if you are behind a NAT
router or have some kind of basic firewall. Installing Microsoft service
packs certainly help, but a great percentage of the service packs are of no
concern if you have the firewall security in the first place. The IIS
lockdown toolkit certainly tightens up security also.

The noise from the tabloids significantly outweighs the technical knowledge
of digital security today. If the press took an hour to investigate the
root cause of breach once in a while then nobody would care about Microsoft
security issues and would say "oh, yeah, that was a dumb idea to have a
e-commerce site online without a firewall or ssl certificate". Get real
people... geez... any system can fall in this realm, especially those like
IIS that have so many features that 90% of web admins don't even know how to
(properly) take advantage of, let alone block from buffer blasting nerds who
have succumb to throwing rocks at the doors to find a crack.

Sorry about the rant - it's not pointed at you, but is obviously something
that gets on my nerves... Hopefully, I have done something constructive
here today! :)
--
Jerry Boone
Analytical Technologies, Inc.
http://www.antech.biz
Secure Hosting and Development Solutions for ASP, ASP.NET, SQL Server, and
Access

"jmev7" <jm***@yahoo.co m> wrote in message
news:c7******** *************** ***@posting.goo gle.com...
I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable. Any thoughts one this? Does anyone
know if running if at home could cause an open door to exist through
which others might "make themselves at home"?

Thanks

Nov 12 '05 #4
jm***@yahoo.com (jmev7) wrote:

(Sorry for the delay. ISP not processing outbound messages for a few days.)
I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable.


So long as the SPs are up to date then MSDE, which is the same product as SQL Server
but a few restrictions, is as secure as any other product out there. Unfortunately,
right now, SQL Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected soon.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Nov 12 '05 #5
tt****@teluspla net.net (Tony Toews) wrote in
<c3************ *************** *****@4ax.com>:
jm***@yahoo.co m (jmev7) wrote:
I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable.


So long as the SPs are up to date then MSDE, which is the same
product as SQL Server but a few restrictions, is as secure as any
other product out there. . . .


Do all server databases install with a blank administrator password
. . . Unfortunately, right now, SQL
Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected
soon.


Even if you've got all the patches installed, you should still do
these things:

1. make sure you have a strong password on the administrator
account.

2. with a firewall, close all incoming ports.

Patches can only address exploits known at the time the patches are
created. Firewalling protects you from outside exploits that are
new.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #6
Thank you Tony and David, as well as all who have replied to this
posting. I've been out of Access/MSDE/SQL Server develoment due to the
economic downturn, and am about to plunge into a bright new challenge,
but need to re-explore my capabilities. I will probably be posting
more inquiries as I succesfully mess things up, so it's great to know
the good old wisemen are still there.

Thanks once again

JV

dX********@bway .net.invalid (David W. Fenton) wrote in message news:<94******* *************** *****@24.168.12 8.86>...
tt****@teluspla net.net (Tony Toews) wrote in
<c3************ *************** *****@4ax.com>:
jm***@yahoo.co m (jmev7) wrote:

I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable.


So long as the SPs are up to date then MSDE, which is the same
product as SQL Server but a few restrictions, is as secure as any
other product out there. . . .


Do all server databases install with a blank administrator password
. . . Unfortunately, right now, SQL
Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected
soon.


Even if you've got all the patches installed, you should still do
these things:

1. make sure you have a strong password on the administrator
account.

2. with a firewall, close all incoming ports.

Patches can only address exploits known at the time the patches are
created. Firewalling protects you from outside exploits that are
new.

Nov 12 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
2053
by: Mike N. | last post by:
I am writing a database app which will run under MSDE on the user's systems. Other than limitations as to the number of concurrent users, are there any issues that I need to be aware of when programming the database using SQL Server 2000? i.e., are there T-SQL programming statements that will run under SQL Server 2000 as part of my development enviornemnt that won't run under MSDE on the end users machines, or will MSDE handle anything...
10
3860
by: noname | last post by:
MSDE 2000 Release A installed under windows 2000 pro will not communicate with SQL Server Manager nor MS Access on peer computer. Can someone help? Have set DISABLENETWORKPROTOCOLS=0 at install time. Install log shows installation successful.. Control Panel> Admin Tools> Services section shows SQL server instance running.
41
2466
by: NB | last post by:
Hi I have been developing on MS Access / Jet / VBA platform for about 2 years. The current project I am working on for a small business is built on Access 2002. It has about 53 tables in 2 backend MDB files, 125 queries, 109 forms & subforms, 43 reports & subreports, 20 code modules and some macros. The size of the backend is now at a modest size of about 4MB (down
3
2538
by: Paul Aspinall | last post by:
Hi I want to package my C# winforms app, to be deployed with MSDE, as easily as possible for the end user. I want to create an MSI or Installshield (prefer MSI), to setup my C# app, together with MSDE (if not already installed), and the MSDE application DB. How can I detect if MSDE is already installed?? Has anyone does this?? How??
4
1574
by: Anthony P. Mancini | last post by:
Does anyone know how to make the MSDE do SQL authentication ? It appears to authenticate using Windows at all times. Thanks, Anthony
2
4236
by: hfk0 | last post by:
Hi, I have a simple asp.net application running ok on my WinXP development server with SQL Server Express 2005 installed locally. After moving to the live server (Win 2000 server with MSDE 2000 installed locally), it's giving me the 'SQL Network Interface Error (error 25): connection string is not valid'. So far, i've tried using the following connection string in my web.config file:
11
6254
by: HC | last post by:
I posted this in one of the VB forums but I'm starting to think it might be more appropriate to have it here, since it really seems to be a SQL server (MSDE/Express 2005) problem: Hey, all, I have a problem with queries against a SQL server instance that I just found and is causing me fits. I hope someone can point me in the right direction, please. TIA. Basically, I got a Vista OS machine to test my VB6 app on it as some
9
5766
by: HC | last post by:
Hello, all, I started out thinking my problems were elsewhere but as I have worked through this I have isolated my problem, currently, as a difference between MSDE and SQL Express 2005 (I'll just call it Express for simplicity). I have, to try to simplify things, put the exact same DB on two systems, one running MSDE and one running Express. Both have 2 Ghz processors (one Intel, one AMD), both have a decent amount of RAM (Intel system...
3
3585
by: apg018 | last post by:
Hi - I just bought an Asus laptop with wireless capabilities. I have a desktop that I've used for years that is hooked up to Cox cable for high speed internet through a Motorola SG5120 cable modem. The modem is ethernet / USB compatible, but it currently hooks to my desktop with a USB cable. I bought a Linksys wireless router last night and tried to install. The first problem was that I couldn't hook the USB cable from the desktop...
0
9855
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
9697
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10587
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10649
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
9426
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
7018
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5682
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5867
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
3
3136
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.