Query Analyzer vulnerable thru Firewall?


Post by Joe Reis » Thu, 06 Feb 2003 08:49:31



Regarding SQL Server 2000.

I've asked my network admin to configure the firewall to enable me to do
remote administration of  SQL Server from my house via the internet.  He
started to give warnings that hackers would also be able to get in because
of security flaws within query analyzer if he opens up the SQL server port
on the firewall side.   The server is behind the firewall.

I've not heard of any issues pertaining to this.

Can anyone please give me info on this issue if in fact it is an issue.

Thanks,
Joe

 
 
 


Post by Denn » Thu, 06 Feb 2003 08:52:29


Joe,
This could cause some problems as this would allow anyone access to port
1433 on your SQL Server.  All a hacker would need is time before he'd find
your sa password.  And SQL Traffic isn't the most encrypted traffic on the
net.  So someone could sniff your connection and get the token that you are
passing (if using Windows authentication) or local username and password (if
SQL auth) and log in with your permissions and do all sorts of * things.

I'd recommend a VPN or dial up session to the domain.  With some sort of
smart card (those cards with the numbers that change once per minute
randomly).  This would be the best way.

--
Denny Cherry
Database Administrator
GameSpy Industries
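
An added example, not part of the thread: if a SQL Server port does end up reachable from outside, the password guessing described in the reply above shows up as bursts of failed logins from one source. The sketch below flags such bursts with a sliding time window; the log lines are constructed, and their layout (including the `[CLIENT: ...]` field) is an assumption to adapt to the entries your server actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, user, ip):
    # Builds one constructed failed-login entry (assumed layout).
    return f"{ts}.00 Logon       Login failed for user '{user}'. [CLIENT: {ip}]"

# Constructed sample data; addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    # six 'sa' failures within 25 seconds from one source
    [_line(f"2003-02-06 08:50:{s:02d}", "sa", "203.0.113.7") for s in range(0, 30, 5)]
    # five 'sa' failures spread over four minutes from another source
    + [_line(f"2003-02-06 08:{m:02d}:00", "sa", "198.51.100.20") for m in range(10, 15)]
    # a single mistyped password
    + [_line("2003-02-06 09:00:00", "joe", "192.0.2.44")]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def find_guessing_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak failure count inside any `window`} for
    clients that reach `threshold` failed logins within the window."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a failed-login entry
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, peak in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins within 60s")
```

A slow guesser that stays under the threshold is not flagged by this window, which is one reason the thread's advice is to keep the port closed and come in over a VPN.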




 
 
 


Post by Joe Reis » Fri, 07 Feb 2003 01:02:22


Would you recommend PC Anywhere as opposed to setting up a VPN?

Thanks,
Joe



 
 
 


Post by Denn » Fri, 07 Feb 2003 04:00:22


PC Anywhere isn't bad.  It does support 128 bit encryption, and domain
authentication.  If the VPN isn't an option, PC Anywhere should work ok.
Just make sure that the encryption is set up as high as possible.

--
Denny Cherry
Database Administrator
GameSpy Industries



 
 
 
