• SQL Server 2000 Security

    #427781

    Hi all,

    We have SQL Server 2000 running on several PCs. I am new to this and was checking on the system’s security, which is nearly null. We have SQL’s initial installation, with no Service Packs applied.
    a) I imagine the response to this answer, but would you recommend installing SPs? Which one? Some SPs are known to bring more trouble than solutions.
    Reading about SQL Server 2000 security on the ‘net, I got to know the Microsoft Baseline Security Analyzer. The version of the MBSA to install (1.2.1 or 2.0) seems to be SP-dependent, and apparently no MBSA version will work for unSP’d SQL Server installations. Is MBSA worth the run?

    Thank you in advance

    Edited: I noticed I had generated a duplicate post. I deleted the first one which was incomplete, accidentally resulting from pressing ENTER in the subject field

    • #992053

      I believe that unpatched SQL Server 2000 is ripe for attack by the Blaster worm. Although such an attack from “outside” is unlikely, assuming your server is not exposed to the Internet, an infected contractor or family member plugging in a laptop for a quick email could bring down your server. You really don’t have much choice in installing at least the security patches.

      We recently installed a new SQL Server 2000 box, presumably with the latest SPs, and I haven’t heard of any problems. We followed the requirements of the application that uses it, and if you use third party applications that access the server, you should check those to make sure they are compatible with the latest SPs.

      • #992117

        Hi Jefferson,

        I didn’t find info on the Blaster worm but on the Slammer one.
        I also found this site to check out: http://www.sqlsecurity.com. I think I’ll spend a while reading articles and investigating a bit further.

        I’m downloading SP4. Then I believe I’ll give MBSA a try.

        Thanks!

        • #992169

          Keep in mind that when you use the MBSA tool it’s not completely accurate, mainly because Microsoft has never really had a standard means of identifying their own patches in their OS’s and products. It’s a good place to start, but don’t bet the farm on it!

        • #992181

          Yes, Slammer, I should remember because it has that nice alliteration (SQL Slammer).
