On a Saturday morning in late January, many system administrators woke up to cell phones and pagers alerting them to serious network problems with their servers. A worm targeting SQL Servers had hit company and commercial data centers around the world. In fact, a national bank’s ATM network was brought to its knees, and a major carrier’s airline reservation systems were totally shut down. The worm directly affected only machines with SQL Server installed, but the traffic generated by the worm made it almost impossible for other servers on the Internet to continue communicating with one another.
The worm, dubbed "SQL Slammer," attacked via a vulnerability discovered six months ago in SQL Server 2000 software from Microsoft. Microsoft had released a patch in the summer of 2002, but hundreds of IT managers hadn’t yet installed the patch.
This incident was similar to the Chinese worm event that took place two years ago. In that case, Microsoft had also issued a security patch to protect Web servers using its IIS software six months in advance of the attacks. Given the increasing focus on Internet security, how could an attack like this have happened again?
Keep your guard up
One reason is that IT managers have been focused on securing Web servers and firewalls, and these SQL Server attacks weren’t even on the radar screen.
But in some cases, it’s not even the IT managers who are to blame but the service providers that they use. Many of the systems affected by the worm weren’t infected but were housed in data centers or colocation facilities that had other customers whose servers were infected. Because of the traffic generated by these infected servers, other machines couldn’t get enough bandwidth to operate effectively.
SQL Server viruses typically infect machines with Internet connections using the standard 1433 port and default passwords. These worms use the default SQL Server system administrator account (sa) with an empty password to infect the system. The newly infected SQL Server then becomes an attacker, looking for other servers to infect.
Protecting the server is simple: Just change the password on your sa account to a strong one and block access to your SQL server from the public Internet.
Security incidents like these should inspire you to have a sense of renewed vigilance in protecting your infrastructure. Take a hard look at SLAs signed with your data center or colocation provider to make sure that your partners are doing everything they can to ensure uptime. You should revisit the following five security actions.
Install the latest patches on your servers
Having the latest patches is especially important for servers that are directly connected to the Internet. Many IT managers won’t install operating system or application server patches until they’re able to do some testing first. Having worked with hundreds of customers who’ve spent thousands of hours testing these patches without any negative effects on their servers, I can confidently state that you stand a better chance of being infected with a virus than causing damage to your production machines by applying security patches.
Don’t allow anyone to install servers with simple passwords
Many breaches occur because developers want to test systems with minimum amounts of security and therefore put in accounts with administrative privileges and blank or simple passwords (like “password”). When the systems go into production, these immature security schemes get propagated to the final application. In fact, I participated in a public presentation recently where the presenter was showing his production system. When he logged into the machine across the Internet, one of the attendees noticed that he accessed his SQL Database using the sa user ID and no password. In the middle of his presentation, all of his data “magically” disappeared. The attendee had logged into the presenter’s SQL Server using the wireless connection in the conference center and had dropped all the tables from the database. Needless to say, it was quite embarrassing for the speaker and had a profoundly negative effect on the application’s users.
Protecting the servers inside your firewall is only half the battle
You need a regular maintenance program for your PCs, especially machines that leave the building, such as laptops and Palm and Pocket PC devices. (Although there have been no widespread reports of viruses borne by PDAs, I think it’s only a matter of time before it happens.)
The vast majority of corporate desktops use Microsoft Outlook or Outlook Express as an e-mail client, so it’s only natural that virus authors choose to spread their venom using the features of these products against the users. If you’re a corporate Outlook user, your IT staff needs an organized way to download and install the latest Outlook security patches from Microsoft. Microsoft provides the Windows Update service to allow individual machines to download the latest security and application patches directly. IT managers who don’t want users downloading the patches directly have the option of installing a local copy of the Windows Update service and allowing users to get the patches from a local security server that includes the latest patches.
Your IT staff should especially be concerned about laptops
When users take laptops out of the office and connect them to the Internet, they do so without any of the firewall, virus-screening, or other protections built into your corporate infrastructure. I recommend that you configure laptops that communicate remotely to come through a VPN in the corporate network whenever they use Internet resources, even though the laptop may not perform as quickly if you do so. Without this protection, it’s relatively simple for a user to pick up a virus or worm on the laptop when connecting remotely and then spread it through your corporate network when they connect locally.
Consider turning off all access to IM clients or newsgroups
Many companies have removed IM access, though I think the potential benefit of using instant messaging and newsgroups outweighs the risk as long as you advise your users not to accept attachments from strangers in online chat systems and to avoid downloading files from public newsgroups. Vendor newsgroups are a different matter, however, since vendors do a good job of policing their own news servers and keeping dangerous files from being posted.
Security is a full-time job
Most companies want the benefits of giving their customers, employees, and partners 24/7 access to systems by using the Internet as their communications backbone.
But one of the things most often overlooked by the CIOs who want this capability is the responsibility of policing systems and connections on a 24/7 basis. If you expect your IT managers to invest the time required to keep your systems safe and connected, you must be willing to invest the money and other resources to help them do so.