PRB: Unsecured SQL Server with Blank (NULL) SA Password Leaves Vulnerability to a Worm (313418)
The information in this article applies to:
- Microsoft SQL Server 2000 (all editions)
- Microsoft SQL Server 7.0
- Microsoft Data Engine (MSDE) 1.0
This article was previously published under Q313418 SYMPTOMS A worm, code-named "Voyager Alpha Force," that takes
advantage of blank SQL Server system administrator (sa) passwords has been found on the Internet. The worm looks for a
server that is running SQL Server by scanning for port 1433. Port 1433 is the
SQL Server default port. If the worm finds a server, it tries to log in to the
default instance of that SQL Server with a blank (NULL) sa
password.
If the login is successful, it broadcasts the
address of the unprotected SQL Server on an Internet Relay Chat (IRC) channel,
and then tries to load and run an executable file from an FTP site in the
Philippines. Logging in to SQL Server as sa gives the user administrative access to the computer, and
depending on your particular environment, possibly access to other computers.
WORKAROUND Each of the steps in this section will help to make your
system more secure in general, and any one of them alone will prevent this
particular worm from infecting your server that is running SQL Server. Note
that these steps are part of the standard security "best practices" for any SQL
Server installation.
- If your authentication mode is Mixed Mode (Windows
Authentication and SQL Server Authentication), secure your sa login account with a non-NULL password. The worm only works if
you have no security for your sa login account. Therefore, it is best to follow the recommendation
from the "System Administrator (SA) Login" topic in SQL Server Books Online to
make sure that the built-in sa account has a strong password, even if you never directly use the
sa account yourself. For increased security, enable Windows
Authentication Mode (Windows Authentication only), thus removing the ability
for anyone to log in as sa user. Configure your clients to use Windows Authentication.
- Enable auditing for successful and failed logins, and then
stop and restart the MSSQLServer service.
- Block port 1433 at your Internet gateways and assign SQL
Server to listen on an alternate port.
- If port 1433 must be available on your Internet gateways,
enable egress/ingress filtering to prevent misuse of this port.Note Contact your network administrator or your firewall vendor for
more information about setting up ingress/egress filtering.
- Run the SQLServer service and SQL Server Agent under an
ordinary Microsoft Windows NT account, not a local administrative
account.
For information about how to recover an already compromised
system, visit the independent CERT Coordination Center at the following Web
site: Microsoft
provides third-party contact information to help you find technical support.
This contact information may change without notice. Microsoft does not
guarantee the accuracy of this third-party contact
information.
| Modification Type: | Major | Last Reviewed: | 7/21/2005 |
|---|
| Keywords: | kbprb KB313418 kbAudDeveloper |
|---|
|