Rules for MSSQL and shellcodes

Hello,

I noticed that MSSQL listens to port 1434 even when TCP/IP is not enabled. I made a rule to block external access to ports 1434 and 1433. I also made a rule to block shellcodes by blocking access to cmd.exe. However, I am not sure if those rules are correct(probably not!), I would appreciate some help. Thank you!

Peace,
Joseph

 

Hi jgama,

what you try to achieve isn't possible for many reasons :

- cmd.exe must be an internet capable executable for the rule to apply, and if it was, you rule blocks _everything_ when it is loaded. Actually, since cmd.exe is not network capable, the rule would never be triggered.
EDIT : you can as a workaround to force the add anyway of cmd.exe to the application filtering, but it is useless as the following details explain

- then, "Shellcode" are something more general and don't rely in particular on cmd.exe. A shellcode is a piece of executable code injected into a running processes via a buffer overflow. In this way, the shellcode is injected into running processes such as your MS SQL server, RPC Locator, etc...
Those Shellcode then may or may not use cmd.exe to accomplish different purposes, but it's already too late.


If you want to be protected from windows vulnerabilities, first disable uneeded services, then close as many ports as possible with Look'n'Stop, and if you are running servers and that you must let opened several ports, don't forget to apply Windows Update patchs (do it even if you are not running server in fact).

Hope this help

regards,

gkweb.

 

Thank you gkweb!