MSDE - security issues while on cable modem?

On 22 Dec 2003 09:01:08 -0800, jm***@yahoo.com (jmev7) wrote:

There are much better newsgroups than CDMA to discuss this.
My personal view: after using the IIS lockdown tool, and after using a
firewall that closes all ports except for a few I need to have open,
and after regularly applying all security patches MSFT releases, I
feel pretty safe.
But then I don't have a lot of sensitive information. If I did, I
would hire people to advise me further, perform penetration testing,
etc.

-Tom.

I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable. Any thoughts one this? Does anyone
know if running if at home could cause an open door to exist through
which others might "make themselves at home"?

Thanks

jm***@yahoo.com (jmev7) wrote in
<c7**************************@posting.google.com >:

I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable. Any thoughts one this?
Does anyone know if running if at home could cause an open door to
exist through which others might "make themselves at home"?

Well, turn off the IIS system service and turn off MSDE. If you
must have a web server, try Apache, which has no such
vulnerabilities. If you must have MSDE, make sure you have a strong
password for the administrator account. If you're connected to a
broadband connection, use an inexpensive broadband router with NAT.
This will basically prevent any external exploit (though it will
still allow Trojans to get out). If you're connected directly to
the broadband network, you *must* have a software firewall, and set
it to refuse all non-authorized connections. I'm out of date on the
best firewalls, as I've been using Tiny Personal Firewall forever,
which works very well. It's been replaced by a commercial version
that, in my opinion, is not as good. A software firewall allows you
to completely control traffic in and out, authorizing which
applications can communicate.

You'll probably want to block the port for SQL Server (which I've
forgotten -- 1362?), and if you're running a web server for local
use, you'll want to block port 80 for incoming connections (or, all
ports for incoming connections).

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc

I assume you are using NT4, 2k, or XP since you may be using IIS. Do you
actually develop with IIS/MSDE? If not, set the services to "Disabled". If
you do use them, then...

The port for sql/msde is 1433 by default, which can be altered for increased
invisibility. You should install the msde service pack from Microsoft if
you are not blocking the port and plan to communicate with that port
externally. Setup good password(s) (it's strongly encouraged by the
installer program during installation), especially for the sa login.

There is no reason to feel discomfort, especially if you are behind a NAT
router or have some kind of basic firewall. Installing Microsoft service
packs certainly help, but a great percentage of the service packs are of no
concern if you have the firewall security in the first place. The IIS
lockdown toolkit certainly tightens up security also.

The noise from the tabloids significantly outweighs the technical knowledge
of digital security today. If the press took an hour to investigate the
root cause of breach once in a while then nobody would care about Microsoft
security issues and would say "oh, yeah, that was a dumb idea to have a
e-commerce site online without a firewall or ssl certificate". Get real
people... geez... any system can fall in this realm, especially those like
IIS that have so many features that 90% of web admins don't even know how to
(properly) take advantage of, let alone block from buffer blasting nerds who
have succumb to throwing rocks at the doors to find a crack.

Sorry about the rant - it's not pointed at you, but is obviously something
that gets on my nerves... Hopefully, I have done something constructive
here today! :)
--
Jerry Boone
Analytical Technologies, Inc.
http://www.antech.biz
Secure Hosting and Development Solutions for ASP, ASP.NET, SQL Server, and
Access

"jmev7" <jm***@yahoo.com> wrote in message
news:c7**************************@posting.google.c om...

I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable. Any thoughts one this? Does anyone
know if running if at home could cause an open door to exist through
which others might "make themselves at home"?

Thanks

jm***@yahoo.com (jmev7) wrote:

(Sorry for the delay. ISP not processing outbound messages for a few days.)

I have heard of security issues with IIS while on a T1 line or on a
cable modem, etc. I learned of a "break in" at a state office, and it
was traced to an "open door" while using IIS. Due to that break in,
research was done which resulted in the consensus that MSDE
applications were also vulnerable.

So long as the SPs are up to date then MSDE, which is the same product as SQL Server
but a few restrictions, is as secure as any other product out there. Unfortunately,
right now, SQL Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected soon.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm

tt****@telusplanet.net (Tony Toews) wrote in
<c3********************************@4ax.com>:

jm***@yahoo.com (jmev7) wrote:

I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable.

So long as the SPs are up to date then MSDE, which is the same
product as SQL Server but a few restrictions, is as secure as any
other product out there. . . .

Do all server databases install with a blank administrator password
. . . Unfortunately, right now, SQL
Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected
soon.

Even if you've got all the patches installed, you should still do
these things:

1. make sure you have a strong password on the administrator
account.

2. with a firewall, close all incoming ports.

Patches can only address exploits known at the time the patches are
created. Firewalling protects you from outside exploits that are
new.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc

Thank you Tony and David, as well as all who have replied to this
posting. I've been out of Access/MSDE/SQL Server develoment due to the
economic downturn, and am about to plunge into a bright new challenge,
but need to re-explore my capabilities. I will probably be posting
more inquiries as I succesfully mess things up, so it's great to know
the good old wisemen are still there.

Thanks once again

JV

dX********@bway.net.invalid (David W. Fenton) wrote in message news:<94***************************@24.168.128.86> ...

tt****@telusplanet.net (Tony Toews) wrote in
<c3********************************@4ax.com>:

jm***@yahoo.com (jmev7) wrote:

I have heard of security issues with IIS while on a T1 line or on
a cable modem, etc. I learned of a "break in" at a state office,
and it was traced to an "open door" while using IIS. Due to that
break in, research was done which resulted in the consensus that
MSDE applications were also vulnerable.

So long as the SPs are up to date then MSDE, which is the same
product as SQL Server but a few restrictions, is as secure as any
other product out there. . . .

Do all server databases install with a blank administrator password

. . . Unfortunately, right now, SQL
Server/MSDE patches are a pain to apply as they are much less
convenient than Windows or Office Update. This will be corrected
soon.

Even if you've got all the patches installed, you should still do
these things:

1. make sure you have a strong password on the administrator
account.

2. with a firewall, close all incoming ports.

Patches can only address exploits known at the time the patches are
created. Firewalling protects you from outside exploits that are
new.