SQL Server 2000 security

It seems every week we are bombarded with tons of surveys that scare us into eating more of this and generally less of everything. Surveys on database health and security are much rarer, but I did notice that David Litchfield is about to publish the latest edition of The Database Exposure Survey 2007.

I would expect that there are a few databases out there that are vulnerable, but I was surprised how high this figure is generally and also that it applies more to Oracle than to SQL Server. The basic problem is that the versions in use have known vulnerabilities, whereas the latest versions are better able to deal with threats. To counter this, Oracle and Microsoft release patches and best practice advice, but customers are simply not applying the patches or following the advice.

I am not an expert on Oracle but I am sure they are just as keen as we are to help close the gaps and you should contact your reseller and crawl the extensive help on their website.  Where I can help is to suggest a few pointers for SQL Server 2000:

  • Upgrade to SQL Server 2005 if possible. The current version is secure by design, and is pretty well locked down by default.
  • Make sure your patches are up to date. You should be running SQL Server 2000 SP4 (8.0.2039). If you don't know how to tell what service pack is applied then follow this link.
  • Network administrators should ensure that perimeter access is configured properly, and that interior hosts are not exposed to unwanted traffic. In most cases, that means blocking access to port 1433/TCP from outside the network perimeter.
  • Apply the advice in the SQL Server 2000 – Security Best Practices Checklist (refer to the Firewalls and Strong passwords sections). [Note: The SQL Server 2000 SP3 best practices are valid for SQL Server 2000 SP4].
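
To check the service pack level from the second pointer, run the T-SQL batch below in Query Analyzer. It is an added example, not part of the original post: it reads the instance's version properties and reports whether the build is below the SP4 build number. The PatchStatus column name and its messages are made up for this illustration.

```sql
-- Added example: read-only check, runs on SQL Server 2000 and later.
DECLARE @ver varchar(32), @level varchar(32), @major int, @build int

-- An SP4 instance reports ProductVersion 8.00.2039 and ProductLevel SP4.
SET @ver   = CONVERT(varchar(32), SERVERPROPERTY('ProductVersion'))
SET @level = CONVERT(varchar(32), SERVERPROPERTY('ProductLevel'))

-- Major version is the text before the first dot.
SET @major = CONVERT(int, LEFT(@ver, CHARINDEX('.', @ver) - 1))

-- ProductVersion is major.minor.build, with a fourth revision part on
-- later releases. PARSENAME counts parts from the right, so choose the
-- build part according to how many dots the string contains.
SET @build = CONVERT(int,
    CASE LEN(@ver) - LEN(REPLACE(@ver, '.', ''))
        WHEN 2 THEN PARSENAME(@ver, 1)
        ELSE PARSENAME(@ver, 2)
    END)

SELECT @ver   AS ProductVersion,
       @level AS ProductLevel,
       CASE
           WHEN @major = 8 AND @build < 2039
               THEN 'SQL Server 2000 below SP4: apply SP4'
           WHEN @major = 8
               THEN 'SQL Server 2000 at SP4 build or later'
           ELSE 'SQL Server 2005 or later'
       END AS PatchStatus
```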

Of course if you do want a rapid career change then please ignore this.
