The rapid spread of the “SQL Slammer” worm showed that highly vulnerable desktop servers are everywhere. Here’s how enterprises can shut them down for good.

What You Need to Know

New security concerns prompted by the SQL Slammer worm and the uncertain economy present IT administrators with an opportunity to lock down enterprise desktops. The best place to start is to ensure that end users are not unintentionally running servers on their desktops.

Analysis

The “SQL Slammer” Internet worm, like the “Nimda” worm, was an unusually nasty malicious-code attack, spreading rapidly and causing widespread Internet congestion. SQL Slammer and Nimda shared a particularly damaging characteristic: both spread from the Internet to corporate intranets by exploiting vulnerabilities in desktop software. Their impact was magnified many times over because the vulnerabilities in Microsoft’s server products, SQL Server and Internet Information Server, were also present on many desktops in the form of Personal Web Server and Microsoft SQL Server Developer Edition.

Even enterprises that invested heavily in improving their patching processes were hit hard by SQL Slammer and Nimda, primarily because those processes focused on server systems. The worms took advantage of the points of least resistance in enterprise systems: servers running on desktops, many of which were installed as part of third-party products (see www.microsoft.com/technet/security/msdeapps.asp for a list of products affected by SQL Slammer). To be effective against these attacks, a desktop patch management strategy would have had to cover every one of those products in use, not just Windows. The SQL Slammer attack underscores the urgent need for enterprises to ensure that no unauthorized server processes are running on their networked desktops. Microsoft has stated that there are no desktop “instantiations” (“instances”) of its other server products.
Nonetheless, serverlike capabilities are routinely installed on PCs in a number of areas, including:
- Instant messaging software
- Peer-to-peer file-sharing software
- Web applications that allow offline data entry
- “Spyware” programs
- Remote-control software, such as Timbuktu, PCAnywhere and GoToMyPC
- File Transfer Protocol and Telnet software

Take These Steps Now

Enterprises can realize the greatest improvement in their security by locking down the corporate desktop, that is, by not allowing users to install any software on the standard corporate desktop image. However, fewer than 5 percent of enterprises have been able to take this step, typically because influential users complain that the lockdown adversely affects their job performance. A confluence of factors (heightened security concerns, the current slowdown in IT spending and a harsh job market) has nonetheless given IS organizations a window of opportunity to gain approval for desktop lockdown. Lockdown will increase demand for help desk support to install PC software that is justified by business needs, but the savings from improved security will more than offset the additional support costs.

Another solution is to install centrally managed personal firewall software on all PCs across the enterprise, including tower desktop PCs. Vendors such as Zone Labs, Sygate Technologies, InfoExpress and Okena (now owned by Cisco Systems), as well as the major antivirus vendors, support blocking the communications ports used by worms such as SQL Slammer and enforcing local policies that govern which applications may communicate over network connections. Gartner recommends that all laptops have personal firewalls installed to protect them during remote-access and public wireless local-area network use.
For enterprises that already follow this practice, the additional expense is for desktop tower PCs.

At a minimum, enterprises should use their firewalls to block all services that are not specifically permitted, and should perform regular vulnerability scanning to detect server processes on desktops. Enterprises also should monitor Web sites such as www.incidents.org to ensure that they have up-to-date information about the server processes for which hackers are scanning, and should configure their enterprise and desktop firewalls to block as many of the leading attacks as possible. Finally, enterprises should read every new vendor security alert carefully to determine whether a new patch should be applied to desktops as well as servers.

Tactical Guidelines

- Take advantage of the current security and economic environment to lock down all desktops.
- If a complete lockdown is impossible, install personal firewall software on desktops and laptops.
- If personal firewall software is not a viable option, perform daily vulnerability scanning to detect dangerous server processes that appear on desktops.
- If daily vulnerability scanning is not practical, extend patch management processes to the desktop.

Key Issues

- What new vulnerabilities will arise through the deployment of emerging technologies and products?
- Which product approaches and practices will help enterprises achieve higher levels of data integrity?

For more Gartner research on Security & Privacy, visit www.gartner.com/security
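The vulnerability-scanning step in the guidelines above, as an added example that is not part of the Gartner note: a Python check that treats every listening socket on a desktop as unauthorized unless it appears on an allow-list, which is the default-deny stance the note recommends. The netstat-style sample and the port-to-product mapping are constructed assumptions for this example (conventional default ports; UDP 1434 is the SQL Server Resolution Service port that SQL Slammer exploited).

```python
import re

# Conventional default ports for the kinds of desktop server software the note lists
# (assumed mappings for this example, not taken from the original note).
KNOWN_SERVER_PORTS = {
    ("tcp", 21): "FTP server",
    ("tcp", 23): "Telnet server",
    ("tcp", 80): "Web server (e.g. Personal Web Server)",
    ("tcp", 1433): "Microsoft SQL Server",
    ("udp", 1434): "SQL Server Resolution Service (the port SQL Slammer exploited)",
    ("tcp", 5631): "pcAnywhere remote control",
}

# Matches Windows "netstat -an" lines: proto, local addr:port, foreign addr, optional state.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)

def parse_listeners(netstat_text):
    """Return the set of (proto, port) sockets that accept inbound traffic.
    TCP counts only in LISTENING state; a bound UDP socket is always a listener."""
    listeners = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(2)), m.group(3)
        if proto == "tcp" and (state or "").upper() != "LISTENING":
            continue
        listeners.add((proto, port))
    return listeners

def audit_desktop(netstat_text, allowed):
    """Default-deny check: every listener not in `allowed` is reported.
    Returns a sorted list of (proto, port, description)."""
    findings = []
    for proto, port in sorted(parse_listeners(netstat_text)):
        if (proto, port) not in allowed:
            findings.append((proto, port, KNOWN_SERVER_PORTS.get((proto, port), "unknown service")))
    return findings

# Constructed sample from a developer desktop (illustrative data, not real output).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.5:51000      ESTABLISHED
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
"""
# Example policy: only the single port the corporate management tools need is permitted.
DESKTOP_ALLOWED = {("tcp", 135)}
```

Running `audit_desktop(SAMPLE_NETSTAT, DESKTOP_ALLOWED)` on the sample flags the Web server, SQL Server and the UDP 1434 resolution service while ignoring the established outbound session.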