PCI Compliance

    Question

  • Hello...

    We just started using sql (sql 2008 r2) for the first time with our website.  Our website has to stay pci compliant and we're getting a failure regarding sql.

    TCP 1433 ms-sql-s

    7

    Your Microsoft SQL database is version (). There are known vunerabilities in your version.

    Solution: Contact Microsoft. Risk Factor: High CVE: CVE-2000-1209

    BID : 1281, 4797

    The CVE-2000-1209 bit was a link, but when I clicked on it it said to set a password for the user "sa".  I did that but we're still getting the same failure.
    I'm not sure what I'm supposed to do.
    Hehehe...
    JJ

    Wednesday, May 02, 2012 2:13 PM

Answers

  • Hello,

    Uri is correct, they want you to change from the default port of tcp 1433 and you should probably (unless in a cluster/always on/etc) disable the sql browser service. This is the best example of security by obscurity that makes me laugh. Will it "protect" you from most entry level people looking to cause issues? Probably. It's a MS best practice to change from the default port for security, but it's laughable how easy it is to port scan a machine and find the new port.

    The BEST advice I can give you is that PCI compliance is open to interpretation in some areas and as that's the case I would talk to your auditors and get their recommendations. This way you know (and hopefully will have it in writing or email) what they expect.

    -Sean


    Sean Gallardy, MCC | Blog

    • Marked as answer by Fa310tx Wednesday, May 02, 2012 3:40 PM
    Wednesday, May 02, 2012 3:35 PM

All replies

  • You can change the default port 1433 to something else  http://support.microsoft.com/kb/823938

    http://msdn.microsoft.com/en-us/library/ms177440.aspx


    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/


    Wednesday, May 02, 2012 2:29 PM
  • Is there a problem with it being on 1433?  People don't go changing their web daemon port because people know it's port 80 (or ftp, smtp, etc...).
    Is that what the actual compliance error is about?
    JJ

    Wednesday, May 02, 2012 2:49 PM
  • Would just blocking 1433 from the internet accomplish the same goal?
    We're already looking to do that.
    JJ

    Wednesday, May 02, 2012 3:57 PM
  • The link that was provided gave information about changing registry information.
    I didn't see where 1433 was specified in the prescribed registry location (1434 was).
    I found this information on another site that was useful.
    JJ

    To change the port number, do the following steps.

    1) From Start, click Microsoft SQL Server 2008\Configuration Tools\SQL Server Configuration Manager.

    2) Expand SQL Server Network Configuration\Protocols for SQL2008.

    3) In the right-hand pane find "TCP/IP". You need to enable this protocol to use a port number.

    4) Double-click "TCP/IP" and go to the "IP Address" tab. Find "TCP Port", which can be configured by the administrator.

    Note: Changes take effect only after a restart of the SQL Server service.

    How do you ensure that SQL Server is using the set port number? You can find this information in the SQL Server log. It should say SQL Server is listening on a particular port number.

    • Edited by Fa310tx Wednesday, May 02, 2012 4:16 PM
    Wednesday, May 02, 2012 4:15 PM
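An added audit script (not from the thread or from Microsoft) that applies the two checks mentioned above, the configured TcpPort in the registry and the "Server is listening on" line in the ERRORLOG, to every instance on the host, and also reports the SQL Browser service that Sean suggests disabling. It assumes the standard SQL Server 2008 R2 registry layout (instance ID MSSQL10_50.<name>) and is run locally as an administrator.

```powershell
# Added example: report each SQL Server instance's configured TCP port, confirm it from
# the ERRORLOG, and show the SQL Browser (UDP 1434) service state.
# Assumptions: run as a local administrator on the SQL Server host; registry layout as
# installed by SQL Server 2008 R2 (works the same for later versions).
$root  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$names = Get-ItemProperty -Path "$root\Instance Names\SQL"

foreach ($prop in $names.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }        # skip the provider's note properties
    $instance = $prop.Name                          # e.g. MSSQLSERVER or SQL2008
    $id       = $prop.Value                         # e.g. MSSQL10_50.MSSQLSERVER
    $tcpKey   = "$root\$id\MSSQLServer\SuperSocketNetLib\Tcp"

    # Configured port: a static TcpPort wins; otherwise a dynamic port is in use.
    $ipAll = Get-ItemProperty -Path "$tcpKey\IPAll"
    if     ($ipAll.TcpPort)         { $port = $ipAll.TcpPort }
    elseif ($ipAll.TcpDynamicPorts) { $port = "dynamic ($($ipAll.TcpDynamicPorts))" }
    else                            { $port = 'none' }

    # Runtime confirmation: the ERRORLOG path is the -e startup parameter (SQLArgN).
    $params = Get-ItemProperty -Path "$root\$id\MSSQLServer\Parameters"
    $eArg   = $params.PSObject.Properties |
              Where-Object { $_.Name -like 'SQLArg*' -and $_.Value -like '-e*' } |
              Select-Object -First 1
    $logPath = if ($eArg) { $eArg.Value.Substring(2) } else { $null }
    if ($logPath -and (Test-Path $logPath)) {
        # Last "Server is listening on [ 'any' <ipv4> 1433]." style line wins.
        $listening = (Select-String -Path $logPath -Pattern 'Server is listening on' |
                      Select-Object -Last 1).Line
    } else {
        $listening = 'ERRORLOG not found'
    }

    [pscustomobject]@{
        Instance       = $instance
        TcpEnabled     = [bool](Get-ItemProperty -Path $tcpKey).Enabled
        ConfiguredPort = $port
        OnDefault1433  = ($ipAll.TcpPort -eq '1433')
        LastListenMsg  = $listening
    }
}

# SQL Browser answers UDP 1434 queries with instance names and ports; it is only needed
# for named instances on dynamic ports, clusters, or similar setups.
$browser = Get-WmiObject -Class Win32_Service -Filter "Name='SQLBrowser'"
if ($browser) { "SQL Browser: $($browser.State), start mode: $($browser.StartMode)" }
else          { 'SQL Browser service not installed' }
```

An instance that shows OnDefault1433 = True with a running SQL Browser is exactly what the scanner finding above keys on; after changing the port and restarting the service, LastListenMsg should show the new port.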
  • Would it accomplish the same goal? This is up to interpretation from the auditor. My guess is, no.

    Without the actual documentation you are looking at, it's very hard to say what they are looking for, hence my comment about asking the auditor what they are looking for specifically.

    -Sean


    Sean Gallardy, MCC | Blog

    Wednesday, May 02, 2012 5:01 PM
  • Hello,

    By default SQL Server has a TCP endpoint listening on 1433. SQLBrowser has a UDP listener on 1434.

    What is described above is to change what port SQL Server listens on (1434 refers to the browser service). Again I would ask the auditor how they interpret it.

    What you have above is the correct way to change the port. You can find the information in the registry and in the sql server errorlog (if it goes back that far, I roll mine over at midnight and keep 32 logs).

    -Sean


    Sean Gallardy, MCC | Blog

    Wednesday, May 02, 2012 5:05 PM
  • Would just blocking 1433 from the internet accomplish the same goal?
    We're already looking to do that.

    Unless you want to accept connections to your SQL Server from the Internet, you should of course not block whichever port SQL Server is listening on.
    That is far more important than changing the port number.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    Wednesday, May 02, 2012 10:02 PM