Every piece of software has security issues and SQL Server is no exception. Because this is a server product and many DBAs do not manage the external security for their systems, I often find unpatched servers with vulnerabilities. There are not too many alerts for SQL Server, but there are a few. Below are links to patches as well as other resources for keeping informed.
I will continue to update this area as new alerts are released. Please check back periodically for updates. I will also be adding some articles on SQL Security and best practices that should be followed.
Visual Studio VB T-SQL Object Contains Unchecked Buffer.
If you develop applications or install applications developed in VB, this is a possible security risk. Your developers may want to apply this patch, though I am not sure how much of a risk this is.
If you use NT in an e-commerce environment, read this one!
The SANS Institute released this notice after being informed of attacks by the FBI. Eastern European hackers appear to be targeting NT e-commerce sites for extortion. You can get the tool to scan your systems from The Center for Internet Security here.
A critical alert for all Windows 2000 Servers. Let your system admins know about this one.
Service Pack 3 for SQL Server v7.0
Service pack 3 is available for SQL Server 7.0 and fixes a number of bugs and security holes. The fix list is at Q274797 and includes the version numbers for all service packs.
Patch Available for Extended Stored Procedure Parameter Parsing Vulnerability (December 2000)
A patch was posted December 1, 2000 for a vulnerability in extended stored procedures. A malicious user could cause a buffer overrun to occur with a sufficiently long parameter. While not a likely risk for most installations, you should read this to see if you are affected. SQL 7, MSDE, and SQL 2000 are affected.
Patch Available for DTS Password Vulnerability
There is a bug in v7.0 that would allow a user to view the passwords stored in DTS packages. The patch restricts access to these passwords to sa and the package creator.
Patch Available for Stored Procedure Permissions Vulnerability
A user without EXECUTE permissions could possibly execute a stored procedure if certain conditions exist on your server. This is NOT patched in SP2.
Service Pack 2
Service Packs are a must-install, but you should definitely test them first. They contain many fixes, and once you have tested them you should install them on your server.
Microsoft SQL Server 2000 has received the C2 security rating from the National Security Administration (NSA) which was one of the goals that the SQL Server development team mentioned at TechEd 2000. One of the main items that allowed this goal to be met was the enhanced Profiler auditing of the events that occur inside SQL Server.
Microsoft has published documents that describe the C2 setup of SQL Server. There are a couple of important caveats to be aware of when securing SQL Server at the C2 level.
- NT 4.0 is required as the OS and it must be secured as a C2 system.
- NT authentication is required. SQL Server authentication (standard security) is not supported, so in many installations you cannot really secure the server to this level.
- Only transactional replication is supported.
- The following are not included in the evaluation: SQL Mail, Full Text Search, English Query, DTC, Meta Data Services, and Analysis Services. SQL Mail alone is a reason many sites (mine included) would not even try to implement this level of security.
I am not sure who really needs C2 (outside of the military), and it appears to require only the base RDBMS engine plus a great deal of management effort. While probably worth it in some instances, I would not recommend anyone implement this as a marketing move, unless you truly want to be a full-time administrator.
The official NSA document is here.
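As an added illustration (not part of the original page or Microsoft's C2 documents), the following T-SQL checks the preconditions listed above on a SQL Server 2000 instance and turns on the server's built-in C2 audit mode, which is what produces the audit trace that Profiler reads. It assumes sysadmin rights and SQL Server 2000, where the 'c2 audit mode' option and the SERVERPROPERTY values used here exist.

```sql
-- Added example: verify C2 prerequisites and enable C2 audit mode (SQL Server 2000).

-- 1. C2 requires Windows (NT) authentication only; SQL Server logins are not supported.
IF SERVERPROPERTY('IsIntegratedSecurityOnly') <> 1
    PRINT 'Server still accepts SQL Server logins; switch to Windows Authentication only first.'
ELSE
    PRINT 'Windows Authentication only: OK'

-- 2. Report the build and service pack level, since the evaluation applies to a specific build.
SELECT SERVERPROPERTY('ProductVersion') AS ProductVersion,
       SERVERPROPERTY('ProductLevel')   AS ProductLevel

-- 3. Enable C2 audit mode. It is an advanced option, so expose those first.
--    Once on, every login and object access is written to trace files in the
--    instance's Data directory, and the server shuts down if it cannot write them,
--    so make sure the disk has room before enabling it.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'c2 audit mode', 1
RECONFIGURE

-- 4. Confirm the configured value; it takes effect after the SQL Server service restarts.
EXEC sp_configure 'c2 audit mode'
```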
Screen Savers For Security Professionals - (New)
Microsoft has released a screen saver that will remind you of The Ten Immutable Laws of Security and The Ten Immutable Laws of Security Administration.
The Ten Immutable Laws of Security Administration
"The most important tool here isn't a software tool, it's procedures." A direct quote from this article and worth the read alone. This is a good article on security fundamentals that apply to SQL Server.
The Definition Of A Security Vulnerability
At least according to Microsoft. This is worth a read to understand why and how patches are created and the madness behind the methodology for when they are released.
Data Security and Data Availability for End Systems
White paper discussing data security. This is more of a system administrator's view from the Windows 2000 security standpoint, but a good read for DBAs to understand some of the vulnerabilities that are out there and where security can be compromised. It's easy to get paranoid when reading something like this, so don't go out there and start quizzing your sysops, but you might check and see how many of these things are implemented at your site.
Microsoft SQL Server 2000 Security
White paper for system administrators outlining new security features in SQL 2000.
A good source for security bulletins and patches that Microsoft has released.
Tour of the Microsoft Security Response Center
A tour of how Microsoft attempts to address security concerns. IMHO a nice step forward in providing enterprise-level products.
An independent source for tracking bugs in NT/2000 software. Maintains a mailing list as well as links to a variety of patches and commentary on bugs.
Carnegie Mellon University's Computer Emergency Response Team. This is the organization that should be informed of all attacks. They provide a clearinghouse for information related to security. Unfortunately this has not been used as much as it could.
Another security organization that I belong to and receive alerts from. They have some good resources for securing your systems.