SQL Server UDP 1434 Database Instance TCP Information Disclosure

  • I work at a Federal Government site. As an ongoing process, an upper level organization, to which my division belongs, has our servers scanned by Foundstone (http://www.foundstone.com).

    The only reported vulnerability was

    "Microsoft SQL Server UDP 1434 Database Instance TCP Information Disclosure"

    To overcome the problem, the following registry key is supposed to be set to 1:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp\TcpHideFlag

    A final remark from Foundstone is:

    "Once the TcpHideFlag is set, the SQL Resolution Service will still respond to queries over UDP port 1434, but without the TCP instance information."

    Has anybody heard anything about this? I couldn't find anything, so I'm hesitant to just do this without any further documentation.

    Thanks,

    Mike

  • A security alert was issued because the way SQL Server works is to respond to 1434 with the port of the instance and what it is. Since you are disclosing information with this to someone who is scanning, it's seen as a potential problem.

    If you disable this, then you cannot "scan" for SQL Servers. So clicking the drop down in QA will not "find" servers. No big deal for the default instance, just connect on 1433 to the server name. For named instances, however, you need to specify a port. You can do this in the server network utility for the instance to set it to a particular port and then connect using that port.
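What the scanner is reporting is the SQL Server Resolution Service answering on UDP 1434. The following Python script, added here as an illustration and not code from this thread or from Microsoft or Foundstone, builds the one-byte client request, parses the server's reply into per-instance records, and shows what changes once the TCP information is hidden: the instance names and versions still come back, only the `tcp;<port>` pair is gone. The two sample replies (host name DBSRV01, instance REPORTS, version 8.00.760, ports 1433 and 2433) are constructed for the example; the message layout (0x03 request, 0x05 reply with a little-endian length and a semicolon-separated key/value string, `;;` closing each instance) follows the SQL Server Resolution Protocol. The `query_ssrp` helper sends the request to a real host if you want to check one of your own servers before and after setting `TcpHideFlag`.

```python
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"  # "list all instances" request, a single byte
SVR_RESP = 0x05          # first byte of every server reply


def build_ssrp_query() -> bytes:
    """Request that asks the SQL Server Resolution Service to enumerate every instance."""
    return CLNT_UCAST_EX


def parse_ssrp_response(data: bytes) -> list:
    """Turn a SVR_RESP datagram into one dict per instance.

    Reply layout: 0x05, 2-byte little-endian payload length, then ASCII text of
    'key;value;key;value;...' with ';;' terminating each instance. When the
    server has TcpHideFlag set, the 'tcp;<port>' pair is simply absent, so
    tcp_port comes back as None rather than raising.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    payload = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for entry in payload.split(";;"):
        entry = entry.strip(";")
        if not entry:
            continue
        fields = entry.split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))
        instances.append({
            "server": kv.get("ServerName"),
            "instance": kv.get("InstanceName"),
            "clustered": kv.get("IsClustered"),
            "version": kv.get("Version"),
            "tcp_port": int(kv["tcp"]) if "tcp" in kv else None,
            "named_pipe": kv.get("np"),
        })
    return instances


def query_ssrp(host: str, timeout: float = 2.0) -> list:
    """Send the request to a live server and parse whatever it returns (network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_ssrp_query(), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_ssrp_response(data)


def encode_ssrp_response(payload: str) -> bytes:
    """Build a SVR_RESP datagram; used here only to construct sample replies."""
    body = payload.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


# Constructed sample: a server with a default and a named instance, TcpHideFlag not set.
SAMPLE_VISIBLE = encode_ssrp_response(
    r"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;"
    r"tcp;1433;np;\\DBSRV01\pipe\sql\query;;"
    r"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;Version;8.00.760;"
    r"tcp;2433;np;\\DBSRV01\pipe\MSSQL$REPORTS\sql\query;;"
)

# Constructed sample: the same server after TcpHideFlag=1; only the TCP pair is gone.
SAMPLE_HIDDEN = encode_ssrp_response(
    "ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.760;;"
    "ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;Version;8.00.760;;"
)


def disclosed_ports(data: bytes) -> list:
    """Ports an unauthenticated scanner learns from one reply (None = hidden)."""
    return [inst["tcp_port"] for inst in parse_ssrp_response(data)]


if __name__ == "__main__":
    for label, sample in (("visible", SAMPLE_VISIBLE), ("hidden", SAMPLE_HIDDEN)):
        for inst in parse_ssrp_response(sample):
            print(label, inst["server"], inst["instance"], inst["version"], inst["tcp_port"])
```

Note that hiding the port only removes it from this one reply; a TCP port scan of the host still finds whatever port the instance is actually listening on, which is the point Steve makes below about clients that connect directly to a known port.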

  • Thanks, Steve.

    Any change I make to our servers requires documentation, so I wanted to identify the specific security alert (issued by Microsoft). However, I've been unable to locate it so far.

    Thanks again.

  • I have exactly the same issue to deal with. After I apply the hide server flag, none of the applications can see the database instances anymore. What did you do to overcome this problem?

    Thanks

  • You should be able to connect by directly connecting to the port for that instance. So if you have a named instance, you need to set a specific port (port xx), and then connect as

    server\instance:xx

    I'm not sure which security alert this was for and I can't find it either.

    I think it's overkill, personally. People can still scan the system for open ports, they just can't do it with the SQL Client.

  • Is this the security alert you were looking for? It was issued for the Slammer worm that performs a DoS through UDP 1434.

    http://www.microsoft.com/technet/security/alerts/slammer.mspx

    Herve Roggero
    hroggero@pynlogic.com
    MCDBA, MCSE, MCSD
    SQL Server Database Proxy/Firewall and Auditing
