Re: SQL Server Specific Windows Firewall Exception
- From: Andrew Hayes <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Aug 2007 17:14:06 -0700
Quite correct. Most corporations do have other systems in place to protect
their network (and I'm not talking ZoneAlarm, McAfee Personal Firewall, here.
I'm talking full 3-leg perimeter network, DMZ, ForeFront, ePO, etc.), and
they're in trouble if they don't.
I'm not saying Windows Firewall is good, but it is installed and enabled by
default for XP SP2 and W2K3 SP1, which does mean it needs some attention of
some kind.
And it does provide a small measure of protection against malicious software
introduced to the corporate network through some other means... An infected
CD or downloaded file with a 0-day virus like Blaster or Slammer that the
up-to-date antivirus system doesn't detect until it's already whizzing about
the network. All those lovely non-firewalled PCs being hit from the inside.
(Recent surveys have shown that 73% of corporate security breaches are from
the inside.)
Like you said, in most cases it's turned off in corporate environments
because they have other applications, so... then it's not really a problem
having it automatically add exceptions (which don't have to be open ports) in
corporate environments, is it?
Granted. It can't do that if you have a 3rd party firewall installed, and a
search of the support forums for such software shows common problems with
getting certain communications working through whichever firewall is
installed on the Desktop or Server.
But then, Microsoft don't have a problem with it considering the exceptions
it adds to Windows Firewall when you install Office 2007 Ultimate, even if
the firewall is off.
And yes, it is a common request. Just look through these newsgroups and the
KB to see how many questions and articles relate to adding exceptions to
Windows Firewall to enable remote access and administration to a SQL Server
box.
I don't see MS saying "turn off Windows Firewall and use someone else's
product".
So, if we put aside the whole automatic open ports distraction, wouldn't it
still be good if there was a custom DLL or package that did all the exception
additions in one go for SQL Server? Even if it had to be user initiated?
"Sue Hoegemeier" wrote:
Most corporate environments don't use Microsoft Windows
Firewall - not because it's too complicated but because it's
too simple and doesn't support the needs of a corporate
environment. They only turn them off on PCs as it's not
really needed in their environment - they use other
appliances to protect the corporate infrastructure. The
firewalls being used are different so having some
"automatically open nnn port" may not be realistic. If
someone had Express on their PC and allowed remote
connections which opened up the ports on corporate
firewalls, you'd have problems.
Although I understand your frustration with trying to figure
out what ports to open when and why, the efforts required
come from a place of having learned some hard lessons with
issues like Blaster, Slammer, etc. Microsoft deals with
trying to best support the needs of all environments. I
think most users appreciate that to some degree.
Automatically opening up firewall ports is something they
have been blasted for in the past...and still are but to a
lesser degree. It just is not a good practice to
automatically expose ports or open up vulnerabilities.
-Sue
On Sun, 5 Aug 2007 22:36:01 -0700, Andrew Hayes
<AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Generally. That is true. And I'm quite happy with the default out-of-box
configuration. At least for local machine purposes.
However, if I've gone into the Surface Area Configuration and enabled remote
Named Pipes and TCP/IP connections then obviously something is going to be
connecting to it remotely (otherwise, why would I bother?).
At this point it should install the Exceptions that are needed, even if it
doesn't enable them, so when I go to Windows Firewall I don't have to mess
about browsing for EXEs or adding new ports, and ending up with a mess of
exceptions that are a pain to deal with.
I spend far too much time trawling through "HOWTO: blah blah blah through
Windows Firewall" articles than I would like.
Why introduce a firewall that is so complicated to configure in a corporate
environment that most SEs I know just turn it off?
And no. Using the GPO isn't a realistic approach as you would have to have
several policies to open different ports and/or point at different EXE's
depending on what the server is used for, and then setup WMI filtering so
that the policies only apply to the correct servers.
"Sue Hoegemeier" wrote:
You generally don't want something that installs and
automatically opens up ports - that's been a huge problem in
the past. So things are intentionally designed to be secure
by default now with the newer Microsoft services. There are
applications that use only local, nonremote connections to
SQL Server so automatically opening up ports in such cases
would unnecessarily increase the surface area of exposure to
threats, hacks.
-Sue
On Sun, 29 Jul 2007 18:30:01 -0700, Andrew Hayes
<AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
If you edit File and Print Sharing in Windows Firewall, you'll see that it
lists 2 UDP ports and 2 TCP ports.
This is something that cannot be done normally but is offered through the
XPSP2 resource DLL. You can see this by looking at the registry entry for
GloballyOpenPorts under HKLM.
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
My question is - when will such a DLL or other method become available for
SQL Server 2005 so that we don't have to add a number of different program
and port exceptions to get remote connections and administration to work
through Windows Firewall?
Or possibly have it install the exceptions for us, such as Office 2007 does
for Groove, OneNote and Outlook? The SQL Server Surface Area Configuration
tool is the best place for such firewall changes to be chosen.
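As an added example (not from the thread and not Microsoft's own tooling), a small Python audit of the GloballyOpenPorts value format Andrew quotes above: it parses exported .reg lines of the form port:proto:scope:state:name and flags enabled exceptions whose scope is "*" rather than LocalSubNet. The full registry key path is the standard XP SP2 location; the custom address-list scope form and the two SQL Server entries in the sample are assumptions constructed for the example.

```python
"""Audit Windows Firewall (XP SP2 / W2K3 SP1) GloballyOpenPorts values.

Each registry value has the form  port:proto:scope:state:name  where scope is
'*' (any address), 'LocalSubNet', or (assumed here) a comma-separated address
list, and name is either plain text or a resource reference '@dll,-id'.
"""
import re
from dataclasses import dataclass

# Constructed sample: the four File and Print Sharing values quoted in the
# thread plus two hypothetical SQL Server entries added by hand.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"1433:TCP"="1433:TCP:*:Enabled:SQL Server (TCP 1433)"
"1434:UDP"="1434:UDP:10.0.0.0/255.0.0.0:Disabled:SQL Browser"
'''


@dataclass
class PortException:
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


# One exported value line: "port:proto"="port:proto:scope:state:name"
VALUE_RE = re.compile(r'^"[^"]+"="(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)"$')


def parse_globally_open_ports(reg_text: str) -> list[PortException]:
    """Parse exported .reg lines into records; key headers and blanks are skipped."""
    entries = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            port, proto, scope, state, name = m.groups()
            entries.append(PortException(int(port), proto, scope, state == "Enabled", name))
    return entries


def risky_exceptions(entries: list[PortException]) -> list[PortException]:
    """Enabled exceptions scoped to '*' accept traffic from any address, not just
    the local subnet, so they are the ones worth reviewing on a SQL Server box."""
    return [e for e in entries if e.enabled and e.scope == "*"]
```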