November 5, 2004 at 12:56 pm
I work at a Federal Government site. As an ongoing process, an upper level organization, to which my division belongs, has our servers are scanned by Foundstone (http://www.foundstone.com).
The only reported vulnerability was
"Microsoft SQL Server UDP 1434 Database Instance TCP Information Disclosure"
To overcome the problem, the following registry key is supposed to be set to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\TcpHideFlag
A final remark from Foundstone is:
"Once the TcpHideFlag is set, the SQL Resolution Service will still respond to queries over UDP port 1434, but without the TCP instance information."
Has anybody heard anthing about this? I couldn't find anything, so I'm hesitant to just do this without any further documentation.
Thanks,
Mike
November 7, 2004 at 8:59 am
A security alert was issued because the way SQL Server works is to respond to 1434 with the port of the instance and what it is. Since you are disclosing information with this to someone who is scanning, it's seen as a potential problem.
If you disable this, then you cannot "scan" for SQL Servers. So clicking the drop down in QA will not "find" servers. No big deal for the default instance, just connect on 1433 to the server name. For named instances, however, you need to specify a port. You can do this in the server network utility for the instance to set it to a particular port and then connect using that port.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
November 8, 2004 at 5:56 am
Thanks, Steve.
Any change I make to our servers requires documentation, so I wanted to identify the specific security alert (issued by Microsoft). However, I've been unable to locate it so far.
Thanks again.
September 25, 2008 at 8:14 am
I have exactly the same issue to deal with. After I apply the hide server flag. None of the applications can see the database instances anymore. What did you do to overcome this problem.
Thanks
September 25, 2008 at 8:29 am
You should be able to connect by directly connecting to the port for that instance. So if you have a named instance, you need to set a specific port (port xx), and then connect as
server\instance:xx
I'm not sure which security alert this was for and I can't find it either.
I think it's overkill, personally. People can still scan the system for open ports, they just can't do it with the SQL Client.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
October 3, 2008 at 7:27 am
Is this the security alert you were looking for? It was issued for the slammer worm that performs a DOS through UDP 1434.
http://www.microsoft.com/technet/security/alerts/slammer.mspx
Herve Roggero
hroggero@pynlogic.com
MCDBA, MCSE, MCSD
SQL Server Database Proxy/Firewall and Auditing
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply