||SQL Server Tips by Burleson
SQL Server 2000 by default has two protocols enabled in both the
Server Network Utility and the Client Network Utility, they are
TCP/IP and Named Pipes.
If the application using SQL Server is running in the same box then
the best solution is to remove all protocols (netlibs) in Server
Network Utility and the server will automatically use Shared Memory,
the client should have set “enable shared memory protocol”. There is
a plus: this protocol is the fastest of all.
However, most applications usually run on a computer other than the
SQL Server machine, and sometimes only accessible through TCP/IP.
The InterNet Assigned Numbers Authority (IANA) assigned port 1433 to
Microsoft SQL Server. IANA is the "central coordinator for the
assignment of unique parameter values for Internet protocols".
For that reason SQL Server uses 1433 as a default UDP port but it
also uses port 1434 as a listener service for multi-instance
With the need to audit network resources, tools were developed for
various tasks, and an easy one is to enumerate a list of SQL Servers
in a network. Either by running Osql –L or sending a broadcast UDP
packet to port 1434. ChipAndrews, Rajiv Delwadia and Michael Choi
coded SQLPing in C++ after studying the packets during the SQL
Server communication process. Interestingly, they also found some
vulnerabilties in the server dealing with the packets; some
specially crafted packets could cause a Denial Of Service (DOS),
buffer overflows or heap overflows.
SQLPing retrieves information
about a server:
The version details are not correct but a list of the returned
values and the corresponding real ones is easy to obtain with simple
examination. Still, the older the version, the most vulnerable it
is. Known exploits, not patched, are easy targets. If the server
uses named pipes over NetBIOS there is the possibility of ports 139
and 445 being targeted as well. If the named pipes protocol is not
used, then you should disable it as an extra precaution.
The above book excerpt is from:
Turbocharge Database Performance with C++ External Procedures
Joseph Gama, P. J. Naughter