Improving Web Application Security: Threats and Countermeasures

To update SQL Server and MSDE, you must:

• Apply patches for each instance of SQL Server and MSDE

• Analyze SQL Server and MSDE security configuration

Apply Patches for Each Instance of SQL Server and MSDE

MSDE shares common technology with SQL Server, and it enables developers, partners , and IT professionals to build database applications without requiring the full SQL Server product. MSDE can be packaged with applications that require database support. To apply patches to MSDE, you must know which application installed it on your system. This is important because you must obtain the patch for MSDE from the product vendor.

For more information on applications that include MSDE, refer to the following resources:

• "Microsoft Products That Include MSDE," at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/MSDEapps.asp

• "SQL Server/MSDE-Based Applications," at http://www.sqlsecurity.com/forum/applicationslistgridall.aspx

If your third-party vendor does not supply a patch for MSDE, and if it becomes critical to have the latest patches, you can only do the following:

• Uninstall the instance of SQL Server using Add/Remove Programs. If you do not see an uninstall option for your instance, you might need to uninstall your application.

• Stop the instance of SQL Server using the Services MMC snap-in in Computer Management. You can also stop the instance from the command line by running the following command:

  net stop mssqlserver (default instance), mssql$instancename (for instances)

• Use IPSec to limit which hosts can connect to the abandoned (unpatched) instances of SQL Server. Restrict access to localhost clients .

Analyze SQL Server and MSDE Security Configuration

Use MBSA to analyze your Microsoft SQL Server or MSDE configuration on your workstation.

 Task   To analyze SQL Server and MSDE security configuration

1. Run MBSA by double-clicking the desktop icon or selecting it from the Programs menu.

2. Click Scan a computer . MBSA defaults to the local computer.

3. Clear all check boxes except for Check for SQL vulnerabilities .

   This option scans for security vulnerabilities in the configurations of SQL Server 7.0, SQL Server 2000, and MSDE. For example, it checks the authentication mode, the sa account password, and the SQL Server service account, among other checks.

   A number of the checks require that your instance of SQL Server is running. If it is not running, start it.

4. Click Start scan . Your configuration is now analyzed . When the scan completes, MBSA displays a security report, which it also writes to the %Userprofile%\SecurityScans directory.

5. Review the failed checks, and fix vulnerable configuration settings.

   Click Result details next to each failed check for more information about why the check failed. Click How to correct this , for information about how to fix the vulnerability.

For more information about using MBSA, see "How To: Use Microsoft Baseline Security Analyzer (MBSA)," in the How To section of this guide.