Slammer: Failure of Basic Security Practices?


I've read Brian Moran's SQL Slammer commentaries in SQL Server Magazine UPDATE with interest ("Do the Right Thing," InstantDoc ID 38166, "Getting to the Root of Slammer," InstantDoc ID 38086, "SQL Server DBAs Deserve an Apology," InstantDoc ID 38036, and "After the Slammer," InstantDoc ID 37980). I installed SQL Server 2000 Service Pack 3 (SP3) about a week before the Slammer attacks and wasn't affected by the worm. I'm a beginning-level DBA who's been running two SQL Server 2000 systems for a little more than a year now, and I admit I still have a lot to learn. But my big question is why so many SQL Servers were available to Internet connectivity in the first place. If the SQL Server ports had been closed to the Internet, the Slammer attack's severity would have been much less significant and widespread. Although customers who didn't apply the patch allowed the attack to spread, in my opinion, basic security practices are much more suspect. My firewalls don't allow any traffic on port 1433 or 1434. When I need to communicate through the SQL Server ports, I do so via a VPN connection to get through perimeter security, thus keeping my SQL Servers secure—the way they should be.

Preference, Not Power


In response to Michael Otey's February 2003 editorial, "A New Language" (InstantDoc ID 37517), I'd like to say that the .NET language you use to develop database applications isn't important—the .NET Framework itself is what's important. I use Visual Basic .NET, but I could just as easily use C#. The .NET Common Language Runtime (CLR) translates code from any .NET language into a standard assembly. The choice of language is now based on preference, not power.

The Oracle Link


Thanks for Michael Otey's linked-servers article "The Direct Connection" (March 2003, InstantDoc ID 37678). Does the sp_addlinkedserver support work only with Oracle on Windows 2000, or does it also work with Oracle running on Sun Solaris?

Thanks for your comments. Although I did all my testing on Win2K, the linked-server support should work exactly the same for Oracle on Solaris.

CORRECTION


The Answers from Microsoft Q&A "Importing Word Documents into SQL Server" (March 2003, InstantDoc ID 37903) incorrectly stated, "To index Word documents, SQL Server 7.0 and later releases provide the full-text search component." However, only SQL Server 2000 offers full-text search; the component isn't available in SQL Server 7.0 and earlier releases. We apologize for any inconvenience this might have caused.