Lock up with SQL Server 2000 security tools

Microsoft has provided the SQL Critical Update Kit to help admins keep viruses and hackers from attacking a soft spot in the default installation of SQL Server 2000 and its little brother, MSDE 2000. The SQL Critical Update Kit is a set of tools that helps detect instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the SQL Slammer worm.

While SQL Slammer (also referred to as the Sapphire worm) is no longer at the top of the virus charts, the flaw itself still represents a serious security concern. The SQL Critical Update Kit can help identify SQL instances that have never been patched, as well as new installations that have not been updated. Both of these can still pose significant dangers to network security.

Who's vulnerable?
You are vulnerable to the SQL Slammer worm if you have SQL Server 2000 or MSDE 2000 and you have not installed SQL Server 2000 Service Pack 3, or Service Pack 2 with one of the following security bulletins:

• MS02-039
• MS02-043
• MS02-056
• MS02-061 (This patch includes all patches above.)

Of course, these SQL Server Security Tools can be valuable even if your SQL Server installation is not vulnerable.

What is included in the kit?After you download the kit to a directory of your choice, you can browse the directory and see that the following is included with this package:

• SQL Critical Update Wizard: This wizard updates and patches all instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the SQL Slammer worm. This can be used as a stand-alone tool to scan and patch each vulnerability, or you can use some of the tools below to create a customized solution for your company.
• SQL Scan: SQL Scan locates instances of SQL Server 2000 and MSDE 2000 that are vulnerable to the Slammer worm across a Local Area Network (LAN).
• SQL Check: SQL Check finds instances that are vulnerable to the SQL Slammer Worm, and you can optionally enable and/or disable these instances.
• SQL Critical Update: Use this executable to patch SQL Server 2000 and/or MSDE 2000 instances that are vulnerable to the SQL Slammer worm.
• SMS Deploy: SMS Deploy allows you to use SMS to deploy the patches over your LAN.
• ServPriv: This allows you to patch and resolve an unchecked buffer, as well as permissions problems with the SQL Server startup account when the account doesn't belong to the administrators group.

Identify the version of SQL
Before attempting to run the update, learn how to verify exactly what version of SQL Server you are running. You can do this by opening up Query Analyzer from the Start | Programs | Microsoft SQL Server | Query Analyzer and typing the query shown in Figure A.

Figure A: Query Analyzer from the Start | Programs | Microsoft SQL Server | Query Analyzer

The output returns a version number of SQL Server 2000, a service pack number, and the edition of SQL Server 2000 (Developer, Standard, and Enterprise). Please see Table A to help you decode the SQL Server 2000 Version.

If you already have SQL 2000 SP3 applied, you will see the result shown in Figure B.

Figure B: Now that you have determined the version, you are ready to patch the instance.

Installing the SQL Critical Update
After downloading the SQL Critical Update and placing it on a network share to be accessed by each machine that is vulnerable to the Slammer worm, you will then click SQLCritUpdWiz_ENU.msi, as shown in Figure C. You will then be prompted with the SQL Server Critical Update Wizard screen.

Figure C: Click on SQLCritUpdWiz_ENU.msi

If you do not need the patches, a screen will appear telling you that the update is not necessary. If the patch is necessary, it will install the patches and tell you when they have completed successfully.

Working with the command line utilities
The SQL Scan command line utility will locate all instances of SQL 2000 or MSDE 2000 on your LAN. You can use SQL Scan to scan a range of addresses, a domain, and/or an individual computer. To use this utility, simply open a command prompt and browse to the directory where you installed the SQL Scan tools (see Figure D). Next, in order to display a list of switches, type "sqlscan /?" (see Figure E).

Figure D: Browse to the directory where you installed the SQL Scan tools

Figure E: Display of list of switches

After looking at the switches, you can run a scan on an individual server with the command:
sqlscan –v –m stevenw

This switch will run a SQL scan on the system stevenw and provide a verbose message, as shown in Figure F.

Figure F: SQL scan on the system stevenw

Now that I have gone over the nuts and bolts of accessing the SQL Server tools via command line, you can explore the other command line utilities included in the update kit by following the same steps. For example, if you want to use SQL Check, you would browse to the SQLCheck folder via command prompt and then type sscheck /? to view all of the switches (see Figure G).

Figure G: Browse to the SQLCheck folder via command prompt and then type sscheck /?

Final word
After you have completed the update to your SQL Server 2000 or MSDE 2000 machine, verify that you are running the patched version by executing the verification script in Figure A and reviewing the results against the codes in Table A. When the verification is complete, you have successfully patched your SQL Server 2000 and/or MSDE 2000 machines. This not only patches your systems against variants of the SQL Slammer worm, but also protects them against other future attacks that could exploit the same vulnerabilities.

This article originally appeared in TechRepublic's TechProGuild section.