Discussion:
TCP 1433 and UDP 1434
Peter Nolan
2009-01-14 11:14:07 UTC
Hello,

I know that in SQL 2000 these ports needed to be disabled for non-trusted
connections. Do you need to do the same for 2005 and 2008?

Thanks
Peter
Dan Guzman
2009-01-14 13:15:34 UTC
SQL Server listens on TCP 1433 by default. If you block the port, then you
will need to assign a different port for SQL Server to listen on, unless you
want to disable remote connections entirely. These are not related
specifically to trusted (Windows authenticated) connections.

UDP 1434 is used for named instance enumeration (SQL Browser in SQL 2005)
and is only needed if you have named instances. You can use the SQL Server
Configuration Manager tool to disable the SQL Browser service and set the
listening ports in SQL 2005 and SQL 2008.
--
Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/
Peter Nolan
2009-01-15 00:06:06 UTC
Thank you,

I know what the ports are for. My question is: does SQL Server 2005 have the
same vulnerability as SQL 2000?

Thanks
Peter
Bob Beauchemin
2009-01-15 01:09:35 UTC
In SQL Server 2000, IIRC, the browser (which uses 1434) functionality was
part of the server process. In SQL Server 2005 and above, it's a separate
service, which can be turned off if you don't need instance discovery (i.e.,
you use specific port numbers and either use the default port for the default
instance or specify the port number in the connection string).

SQL Server must use a TCP port for connections; you can configure a port
other than 1433. Not sure exactly what you mean by "disable for untrusted
connections" in this context or the specific "same" vulnerability to which
you refer.

Cheers,
Bob Beauchemin
SQLskills
Dan Guzman
2009-01-15 02:54:30 UTC
Post by Peter Nolan
I know what the ports are for. My question is: does SQL Server 2005 have the
same vulnerability as SQL 2000?
If you are referring to the UDP 1434 buffer overrun vulnerability, this was
corrected back in 2001 with SQL 2000 SP2 (and a hotfix pre-SP2). SQL 2005
and later versions have never had the issue.

As Bob mentioned, a separate SQL Browser service exists in SQL 2005 and SQL
2008. This can be disabled entirely if you don't need that functionality.
The security best practice is to enable only the functionality you actually
need.
--
Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/
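As an added example (not code from the thread, nor Microsoft's), here is a PowerShell audit that checks the two things Dan and Bob describe above: which TCP port each instance on the host actually listens on, and whether the SQL Browser service behind UDP 1434 is running when no instance depends on it. It assumes SQL Server 2005 or later with the standard registry layout under HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server, an elevated session on the database host, and the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) for the live socket checks; the registry paths and cmdlet names are real, the decision logic is my own.

```powershell
# Added example, not from the thread: audit SQL Server listening ports and the
# SQL Browser (UDP 1434) service, the settings the thread manages through
# SQL Server Configuration Manager. Assumes the SQL Server 2005+ registry
# layout and an elevated session on the database host.

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# "Instance Names\SQL" maps each instance name (MSSQLSERVER, SQLEXPRESS, ...)
# to the instance id that names its registry hive (MSSQL.1, MSSQL10.MSSQLSERVER, ...).
$map = Get-ItemProperty -Path "$base\Instance Names\SQL"
$instances = $map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }

$report = foreach ($inst in $instances) {
    # IPAll carries the port settings that apply to every address the instance binds.
    $tcpKey = "$base\$($inst.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $ipAll  = Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue
    $static  = [string]$ipAll.TcpPort          # fixed port; empty when none is set
    $dynamic = [string]$ipAll.TcpDynamicPorts  # '0' or an assigned port = dynamic; empty = off

    # A dynamic port can change on restart, so clients can only locate it through
    # SQL Browser; a static port lets them connect by "host,port" with Browser off.
    if ($dynamic -ne '')     { $finding = 'dynamic port: clients depend on SQL Browser' }
    elseif ($static -eq '')  { $finding = 'TCP not configured for this instance' }
    else                     { $finding = "static port $static: reachable without SQL Browser" }

    [pscustomobject]@{
        Instance    = $inst.Name
        StaticPort  = $static
        DynamicPort = $dynamic
        Finding     = $finding
    }
}
$report | Format-Table -AutoSize

# SQL Browser service: configured start mode and current state.
$browser = Get-CimInstance -ClassName Win32_Service -Filter "Name='SQLBrowser'"
if ($browser) { "SQL Browser service: state=$($browser.State), start mode=$($browser.StartMode)" }
else          { 'SQL Browser service: not installed' }

# Cross-check the registry view against sockets that are actually open now.
$sqlPorts = $report | ForEach-Object { $_.StaticPort; $_.DynamicPort } |
    Where-Object { $_ -match '^\d+$' -and $_ -ne '0' }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $sqlPorts -contains [string]$_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
if (Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue) {
    'UDP 1434 is open: SQL Browser is answering instance enumeration requests'
} else {
    'UDP 1434 is closed'
}

# The recommendation from the thread: run only what is actually needed.
$dependsOnBrowser = @($report | Where-Object { $_.DynamicPort -ne '' }).Count -gt 0
if (-not $dependsOnBrowser -and $browser -and $browser.State -eq 'Running') {
    'Every instance has a fixed port, so SQL Browser can be stopped and disabled:'
    '    Stop-Service -Name SQLBrowser; Set-Service -Name SQLBrowser -StartupType Disabled'
}
```

Read the Finding column before touching the service: an instance on a dynamic port can only be found through the Browser, so stopping it there breaks every client that connects by instance name. Once each instance has a fixed port and clients connect with Server=host,port (Bob's point above), the Browser has nothing left to do and stopping it leaves UDP 1434 closed, which is the "only what you actually need" state Dan recommends.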
Erland Sommarskog
2009-01-15 23:26:49 UTC
Post by Dan Guzman
If you are referring the the UDP 1434 buffer overrun vulnerability, this
was corrected back in 2001 with SQL 2000 SP2 (and a hotfix pre-SP2).
SQL 2005 and later versions have never had the issue.
The Slammer fix was in SP3 and in a hotfix to SP2, wasn't it?
--
Erland Sommarskog, SQL Server MVP, ***@sommarskog.se

Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
Dan Guzman
2009-01-16 12:30:42 UTC
Post by Erland Sommarskog
The Slammer fix was in SP3 and in a hotfix to SP2, wasn't it?
Yes, you are right, Erland. And the year was 2003.

Thanks for the correction.
--
Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/