David Litchfield ran a scan on the Internet for the typical SQL Server and Oracle ports. It is unbelievable that he found approximately 490,000 servers on the Internet, unprotected and often unpatched, on unsupported version levels and unsupported Service Packs.
What is going on there? Are these test servers nobody cares about (they are pretty often connected to the corporate network and can easily be used as an entry point for a criminal)? Who is the company behind that? ...
Looking at the comments on the article "Hacker finds 492,000 unprotected Oracle, SQL database servers", people just talk about the admins being stupid... I tend to disagree. Often the IT pros (and this is just my assumption) are simply overstrained. They do not get enough training. They have to be the AD Admin, the SharePoint Guru, the Exchange Pro, the Network specialist, the…., the…., the…. and we expect them to be the Security Officer as well? They are held responsible for having good uptime, unfortunately not for security!
Do not get me wrong. I am not saying that this situation is good, but up to a certain point I can understand them. We tend to compare them with us, being security professionals. They often are not. Instead of blaming them, we should rather make sure that we can help them and improve the situation. Do they do it deliberately? Certainly not! Calling them ignorant and dumb is unfair and the wrong approach!
I totally agree with you, Roger. I personally think that when we read any blog or security-related article we think "how is that possible?" because we compare them with us. In fact we should be thinking as a normal System Admin or IT Staff.
“Calling them ignorant and dumb is unfair and the wrong approach!”
Calling them dumb, yes, that’s unfair. Calling them ignorant is both fair and true. Ignorant simply means not knowing something. We are all ignorant about something, and indeed about lots of somethings. The vast majority of computer security specialists are likely ignorant on the finer points of playing Mighty Wurlitzer theatre pipe organs, for instance.
Ignorance is fixable. Stupidity is not. There is no shame in being ignorant (unless it’s about something that one really should not be ignorant about). Remaining ignorant once the ignorance is exposed IS shameful.
On to the matter of the hundreds of thousands of unprotected SQL Servers: did he check to see which editions they are? Not which versions — which EDITIONS. There is a BIG difference between SQL Server 2005 ENTERPRISE Edition and SQL Server 2005 EXPRESS Edition. The latter is a small, freeware version that Microsoft bundles with lots of products, including some versions of Microsoft Office or Access 2007, all versions of Visual Studio 2005 or 2008 beta including the free Express versions thereof, and many more. It’s also in third-party products such as ACT. Many home computers have this installed without the user being aware of it.
The SQL Server 7 / 2000 equivalent was MSDE (MicroSoft Database Engine), and was likewise bundled with Office Pro or Access 2000 [SQL 7-equivalent version] / XP / 2002 / 2003 [SQL 2000-equivalent version], etc.
There is also the inexpensive but not free SQL Server Developer Edition, which is sort of between the MSDE/Express and full Standard / Enterprise versions. It’s intended for use by developers in small networks for developing and testing their applications before deployment to a full-fledged Standard or Enterprise server.
I’m not as familiar with Oracle, but I imagine that they, too, have free or low-cost limited-capacity editions.
The point of all of this is that if his survey didn’t distinguish by EDITION as well as by VERSION, then very likely the vast majority of what he found is actually the free MSDE / Express versions installed with free or low-cost or third-party software by people who have no idea that they even have a database on their computer. Why expect those to be secured?
Though, on the other hand, it should be noted that SQL Server 2005 Express defaults to not allowing outside connections at all, and is intended for use on the same physical box that the software that installed it is on. However, it can easily be configured to allow TCP/IP Port 1433 connections, but can only support a few at a time (one of the main limitations over the Standard and Enterprise Editions). So, DEFAULT installations of SQL Server 2005 Express should not have shown up in his survey. I do believe, however, that the older MSDE DID default to allowing TCP/IP connections, so, if that is the case, they WOULD show up in the survey. And there are A LOT of those out there.
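For readers who want to reproduce the kind of check such a survey does, here is an added example; it is not from the post, the comments, or the article under discussion. It builds a TDS PRELOGIN probe for TCP 1433 and decodes the server's reply, which discloses the product version (major.minor.build) before any credentials are sent. It also makes the commenter's point concrete: nothing in that reply says whether the instance is Express, Developer, Standard or Enterprise; the edition only becomes visible after a login, for example via SERVERPROPERTY('Edition'). The packet layout follows my reading of the MS-TDS PRELOGIN description and the sample reply is constructed rather than captured, so treat the field offsets and the big-endian major/minor/build decoding as assumptions to verify against a real server you own.

```python
import socket
import struct

# Added example (not from the post, the comments or the article they discuss):
# send a TDS PRELOGIN packet to TCP 1433 and decode the reply. The packet
# layout follows my reading of the MS-TDS PRELOGIN description; the
# big-endian major/minor/build decoding of the VERSION option is an
# assumption to verify against a real server.

TDS_PRELOGIN = 0x12         # request packet type
TDS_TABULAR_RESULT = 0x04   # server reply packet type
STATUS_EOM = 0x01           # end-of-message flag

OPT_VERSION = 0x00
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

ENCRYPTION_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON",
                    2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

# Product generation by major version (assumed mapping; 2008 R2 reports 10.50).
PRODUCT_BY_MAJOR = {7: "SQL Server 7.0", 8: "SQL Server 2000",
                    9: "SQL Server 2005", 10: "SQL Server 2008"}


def build_prelogin(client_version=(9, 0, 0, 0)):
    """Return a minimal PRELOGIN packet carrying VERSION and ENCRYPTION options."""
    options = [
        (OPT_VERSION, struct.pack(">BBHH", *client_version)),
        (OPT_ENCRYPTION, bytes([2])),   # ENCRYPT_NOT_SUP: we will not negotiate TLS
    ]
    table = b""
    data = b""
    offset = 5 * len(options) + 1       # option data starts after the table + 0xFF
    for token, opt in options:
        table += struct.pack(">BHH", token, offset, len(opt))
        data += opt
        offset += len(opt)
    payload = table + bytes([OPT_TERMINATOR]) + data
    # header: type, status, total length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, STATUS_EOM, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin_response(packet):
    """Decode a PRELOGIN reply into {'version', 'product', 'encryption'}.

    Note what is NOT here: the edition. Express, Developer, Standard and
    Enterprise all answer the same way at this stage.
    """
    if len(packet) < 8:
        raise ValueError("packet shorter than the 8-byte TDS header")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_TABULAR_RESULT:
        raise ValueError("unexpected packet type 0x%02x" % ptype)
    payload = packet[8:length]
    result = {}
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token = payload[pos]
        offset, opt_len = struct.unpack(">HH", payload[pos + 1:pos + 5])
        opt = payload[offset:offset + opt_len]
        if token == OPT_VERSION and opt_len >= 6:
            major, minor, build, _subbuild = struct.unpack(">BBHH", opt[:6])
            result["version"] = "%d.%d.%d" % (major, minor, build)
            result["product"] = PRODUCT_BY_MAJOR.get(major, "unknown (major %d)" % major)
        elif token == OPT_ENCRYPTION and opt_len >= 1:
            result["encryption"] = ENCRYPTION_NAMES.get(opt[0], "unknown (0x%02x)" % opt[0])
        pos += 5
    return result


def probe(host, port=1433, timeout=3.0):
    """Connect, send the probe and return the decoded reply, or None if no TDS answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_prelogin())
            reply = sock.recv(4096)
    except OSError:
        return None
    if not reply:
        return None
    try:
        return parse_prelogin_response(reply)
    except ValueError:
        return None


# Constructed reply (not a capture) in the shape a SQL Server 2000 SP4 instance
# (8.0.2039, build 0x07F7) would give, with encryption off.
SAMPLE_RESPONSE = bytes.fromhex(
    "0401001a00000100"      # header: type 0x04, EOM, length 26, SPID 0, id 1, window 0
    "00000b0006"            # VERSION option at offset 11, 6 bytes
    "0100110001"            # ENCRYPTION option at offset 17, 1 byte
    "ff"                    # end of option table
    "080007f70000"          # 8.0.2039, subbuild 0
    "00"                    # ENCRYPT_OFF
)

if __name__ == "__main__":
    print(parse_prelogin_response(SAMPLE_RESPONSE))
    # probe("192.0.2.10") would run the same decode against a host you own
```

Two caveats when using this against real hosts: a reply of ENCRYPT_REQ means the server insists on TLS for the login and the version string is still readable, and a named instance (which is what an Express install creates) listens on a dynamic port advertised by SQL Browser on UDP 1434, so a probe of TCP 1433 alone misses it.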
I think that retroactively patching MSDE to disallow connections with the internet wouldn't be a bad idea, if it's really those unsecured servers we see showing up. I'm just wondering in which scenario you would need MSDE and also an open internet connection.
Are there cheap hosting providers offering some sort of low-cost "doityourself" database lite + asp package?
Another thing I'm wondering about: if port 1433 was just as secure as port 80, would it really be a huge problem to have a connection to the Internet on that port? This depends on the version as well, I think.
Generally speaking: if you have the business logic on the webpage and not in the database, it's not such a great idea to allow unlimited access on a default admin account from the internet. But if you have a hidden admin account, fully patched latest SQL server version, and business rules cover your tables, is it still a really bad idea or just "not that good"?
Update: just read the article and it said "over 80% were unprotected SQL Server 2000 servers". No MSDE. Vanilla SQL Server 2000 with a minority unpatched but the majority patched to the latest SQL Server 2000 patch level.
Now I'm running this same database on the computer in a closet at home which doubles as a web server. I put a router in front of that with NAT configured to drop all incoming traffic except port 80, and a firewall to prohibit outgoing and incoming connections to (amongst others) the SQL server. Either one would prevent the port scan in the article from succeeding. I'm running these on Windows 2000 Server edition (it's a Pentium II-450 with 128MB memory, so no Vista on this one :)) so it doesn't have the Windows XP SP2 firewall.
So do we conclude we have 100,000+ servers installed by people who (a) have a router that allows all traffic to go to their server from the Internet and (b) have no firewall installed? Eew.
It seems so. And this is frightening. It seems that there are some PCs/servers having the public IP directly on the machine, having SQL Server installed and not having a firewall switched on. It would definitely be interesting to get more details on that in order to see what we can do better with "Security by Default". Or to learn that what we did actually paid off, as the above-mentioned DBs are running on older OSs :-)
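To turn the thread's closing question (public IP on the box, SQL Server listening, no firewall?) into something the owner of a machine can check locally, here is an added example that is not part of the post or the comments. It parses the output of netstat -ano (the sample lines below are constructed, not captured) and reports TCP listeners on the SQL Server port that are bound to something other than loopback; a listener on 0.0.0.0 or [::] on a host that carries a public address with no packet filter in front of it is exactly what the survey would have found.

```python
import ipaddress
import re

# Added example (not from the post or the comments): classify the listening
# sockets reported by "netstat -ano" on the database host itself, so the
# owner can see whether SQL Server is bound to every interface (0.0.0.0 / ::)
# rather than loopback only.

# Default-instance port. Named instances (Express installs as one) use a
# dynamic port advertised by SQL Browser on UDP 1434; add those ports here
# or filter by the PID of sqlservr.exe instead.
SQL_SERVER_PORTS = {1433}

# One netstat -ano TCP line: proto, local address, foreign address, state, pid.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """'192.0.2.10:1433' -> ('192.0.2.10', 1433); '[::]:1433' -> ('::', 1433)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_sql_listeners(netstat_output, ports=SQL_SERVER_PORTS):
    """Return (address, port, pid) for SQL-port TCP listeners not bound to loopback."""
    findings = []
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # header, UDP, or non-listening socket
        host, port = split_endpoint(match.group(1))
        pid = int(match.group(2))
        if port not in ports:
            continue
        if ipaddress.ip_address(host).is_loopback:
            continue                      # reachable only from the box itself
        findings.append((host, port, pid))
    return findings


# Constructed sample (not a real capture): a default instance bound to all
# interfaces for both IPv4 and IPv6, plus an unrelated loopback-only listener.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2100
  TCP    [::]:1433              [::]:0                 LISTENING       1820
  TCP    192.0.2.10:3389        0.0.0.0:0              LISTENING       968
  UDP    0.0.0.0:1434           *:*                                    1820
"""

if __name__ == "__main__":
    for host, port, pid in exposed_sql_listeners(SAMPLE_NETSTAT):
        print("SQL Server listener on %s:%d (pid %d) is reachable beyond loopback" % (host, port, pid))
```

The output tells you what the host offers, not what the network lets through: a listener on 0.0.0.0 behind the NAT and firewall the commenter above describes is still unreachable from the Internet. The combination to look for is this finding plus a public address on the interface and no host or edge filter, which is the configuration the blog author is worried about.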