After the Slammer
A worm called SQL Slammer began spreading rapidly around the world January 24, attacking systems through a vulnerability in SQL Server 2000.
February 5, 2003
As everyone in the SQL Server community is aware, a worm called SQL Slammer, aka Sapphire, began spreading rapidly around the world January 24, attacking systems through a vulnerability in SQL Server 2000. SQL Slammer didn't try to compromise data stored in SQL Server; instead, it generated massive amounts of network traffic, leading to a global traffic jam in many parts of the Internet. The Washington Post reported that SQL Slammer shut down a Bank of America ATM network, Continental Airlines' online ticketing system, and an emergency call center in Seattle as well as cutting off Internet access for millions of PC users worldwide, including most users in South Korea.
Interestingly, Microsoft first addressed the SQL Server 2000 security flaw exposed by the Slammer in a July security fix. Although systems administrators can choose to ignore security hotfixes as they're released, you can bet that hackers pay close attention to them. Professional systems administrators have no excuse for letting their systems go unpatched for months. Let's set the record straight: SQL Slammer couldn't have spread if professional administrators had applied the patch last July. Notice that I said "professional" administrators.
For better or worse, many systems don't have dedicated, full-time, professional administrators. While professional administrators should be ashamed of themselves for letting SQL Slammer strike, what about the people who manage SQL Server part time or the folks who don't even know that SQL Server is running on their systems? Microsoft SQL Server 2000 Desktop Engine (MSDE), for example, is basically a copy of the SQL Server database engine. It's installed by default or as an add-on option through a host of Microsoft programs and third-party applications. According to reports, many of the "slammed" SQL Servers were actually instances of MSDE. It's hard to protect what you don't know is there.
Software products have bugs. Vendors have a responsibility to patch those problems and vulnerabilities as they learn about them, and professional administrators have a duty to keep security and other key patches up-to-date. But there aren't easy answers for the problems of inexperienced, part-time administrators and stealth software that customers don't know needs to be fixed. Ultimately, Software Update Services and Windows Critical Updates might provide the solution for automatically updating our applications. For non-technical corporate and home users, computers need to become smart enough to alert us to security holes we've left open through poor configuration choices and failure to apply the latest security patches.
The Microsoft SQL Server team has been telling me for months that it's committed to the goal of Trustworthy Computing, and last week the team demonstrated that commitment by providing resources to help its customers quickly understand the Slammer attack and protect against it. Not long ago, Microsoft would have probably issued a defensive response: "We issued a patch; it's not our fault that people didn't install it." But if you visit the Microsoft SQL Server home page today, you'll find half of it devoted to content about SQL Slammer. In addition, the company has posted three new tools (at http://www.microsoft.com/sql/downloads/securitytools.asp) designed to help you find systems that might be vulnerable to the Slammer and similar attacks.
Microsoft, recognizing that it shares the burden in helping us protect our systems, has also launched a new SQL Server newsgroup called microsoft.public.sqlserver.securitytools, available at msnews.microsoft.com or at http://communities.microsoft.com/newsgroups/default.asp. The newsgroup's goal is to provide community support for security issues and to provide Microsoft support for using the new security tools. You'll also find a site devoted to the Slammer at http://www.microsoft.com/security/slammer.asp, which offers a wide range of technical resources to help you manage this threat.
Microsoft cynics sneer that the company's response is mere window-dressing and that it isn't really serious about tackling the security problems that are rampant in all computing systems. But the people I've talked to in the company's SQL Server group maintain that database security and Microsoft's Trustworthy Computing initiatives are among their most important priorities. We'll see how the SQL Server team delivers on those goals over the coming weeks and months.