'SQL Slammer' Lesson: Just Say No to Desktop Servers
The rapid spread of the SQL Slammer worm showed that highly vulnerable desktop servers are everywhere. Gartner explains how enterprises can shut them down for good.
By John Pescatore
April 02, 2003 — CSO —
What You Need to Know
New security concerns prompted by the SQL Slammer worm and the uncertain economy present IT administrators with the opportunity to lock down enterprise desktops. The best place to start is to ensure that end users are not unintentionally running servers on their desktops.
Analysis
The "SQL Slammer" Internet worm, like the "Nimda" worm, was an unusually nasty malicious-code attack, spreading rapidly and causing widespread Internet congestion. SQL Slammer and Nimda shared a particularly damaging characteristic: both spread from the Internet to corporate intranets by exploiting vulnerabilities in desktop software. Their impact was magnified many times over by the fact that the vulnerabilities in Microsoft's server products, SQL Server and Internet Information Server, were also present on many desktops in the form of Personal Web Server and Microsoft SQL Server Developer Edition.
Even enterprises that invested heavily in improving their patching processes were hit hard by SQL Slammer and Nimda, primarily because those processes focused on server systems. The two worms took advantage of the points of least resistance in enterprise systems - that is, servers running on desktops, many of which were installed as components of third-party products (see www.microsoft.com/technet/security/msdeapps.asp for a list of products affected by SQL Slammer). To be effective against these attacks, a desktop patch management strategy would have had to cover every one of those products in use, not just Windows itself.
The SQL Slammer attack underscores the urgent need for enterprises to ensure that no unauthorized server processes are running on their networked desktops. Microsoft has stated that there are no desktop "instantiations" ("instances") of its other server products. Nonetheless, server-like capabilities are routinely installed on PCs in a number of areas, including:
- Instant messaging software
- Peer-to-peer file-sharing software
- Web applications that allow offline data entry
- "Spyware" programs
- Remote-control software, such as Timbuktu, PCAnywhere and GoToMyPC
- File Transfer Protocol and Telnet software
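One way to find the desktop servers the text describes is to join the listening sockets reported by `netstat -ano` with the process table from `tasklist /FO CSV` and flag any image not on an approved list. The script below is an added example, not part of the original article or any Gartner tooling; the two command outputs are constructed samples, and the approved-image list is an assumption an enterprise would replace with its own.

```python
"""Flag listening server processes on a Windows desktop by joining
`netstat -ano` output with `tasklist /FO CSV` output."""
import csv
import io
import re

# Constructed sample output (not a real capture): a SQL Server desktop
# engine and a peer-to-peer client listening beside two Windows services.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    10.0.0.7:6346          0.0.0.0:0              LISTENING       2244
  TCP    10.0.0.7:1055          10.0.0.1:80            ESTABLISHED     2244
  UDP    0.0.0.0:1434           *:*                                    1520
"""
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","4,512 K"
"sqlservr.exe","1520","Console","0","18,904 K"
"p2pclient.exe","2244","Console","0","9,120 K"
'''

# Assumed list of images allowed to listen on the standard desktop image.
APPROVED_LISTENERS = {"System", "svchost.exe", "lsass.exe"}

# Proto, local address, foreign address, optional state, PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def pid_to_image(tasklist_csv):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(tasklist_csv))}


def listening_sockets(netstat_text):
    """Yield (proto, local_address, pid) for sockets that accept input:
    TCP rows in LISTENING state and every bound UDP row."""
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank line, or an unexpected layout
        proto, local, _foreign, state, pid = m.groups()
        if proto == "UDP" or state == "LISTENING":
            yield proto, local, int(pid)


def unauthorized_listeners(netstat_text, tasklist_csv, approved=APPROVED_LISTENERS):
    """Return sorted (image, proto, local_address) for listeners not approved."""
    images = pid_to_image(tasklist_csv)
    found = {(images.get(pid, f"pid-{pid}"), proto, local)
             for proto, local, pid in listening_sockets(netstat_text)}
    return sorted(hit for hit in found if hit[0] not in approved)


if __name__ == "__main__":
    for image, proto, local in unauthorized_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image:14} {proto} {local}")
```

On a live machine, feed the script the captured output of both commands; a listener that resolves to no PID in the process table is reported as `pid-N` so it is not silently dropped.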
Take These Steps Now
Enterprises can realize the greatest improvements in their security by locking down the corporate desktop - that is, by not allowing users to install any software on the standard corporate desktop image. However, fewer than 5 percent of enterprises have been able to take this step, typically because influential users complain that the lockdown adversely affects their job performance. A confluence of factors - heightened security concerns, the current slowdown in IT spending and a harsh job market - has now given IS organizations a window of opportunity to gain approval for desktop lockdown. These measures will increase demand for help desk support to install PC software that is justified by business needs; however, the savings from improved security will more than offset the additional support costs.