How ISA Server Can Be Configured to Help Prevent the W32.Slammer Worm

Microsoft Internet Security and Acceleration (ISA) Server 2000 can be used to help prevent the spread of the W32.Slammer Worm (Slammer). However, the first course of action should be to protect the SQL servers in the environment (see "Patching and Protecting Your Systems" below).

This document discusses how Slammer spreads, where to find more details about patching your servers, what ISA Server can do to help prevent Slammer, and where to go for more information.


Disclaimer

There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.


How the Slammer Worm Spreads

Slammer targets computers running Microsoft SQL Server 2000 and computers running Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port. The large number of these packets sent by infected computers results in a denial-of-service attack. The worm spreads only as an in-memory process: it never writes itself to the hard drive.


Patching and Protecting Your Systems

The above is only a short description of how Slammer spreads and infects. As mentioned above, the first course of action should be to protect your computers running SQL Server 2000 with the SQL Server 2000 Security Tools. The SQL Server 2000 Security Tools are used to scan instances of SQL Server 2000 and detect security vulnerabilities, and then apply updates to the affected files.

For complete details on securing the SQL servers, see "Download details: SQL Server 2000 Security Tools."


What ISA Server Can Do To Help Stop Slammer

You can take the following steps to configure ISA Server to help you protect your network against further infiltration by Slammer.

Note that the steps detailed below assume the following:

ISA Server is installed in Firewall or Integrated mode

ISA Server is the only route between the Internet and the internal network

IP Packet Filtering is enabled

No Server Publishing rule allows UDP-1434 to the internal network

No anonymous rules exist

Perform the following steps to help prevent outbound attacks:

1. Create a protocol definition with the following parameters:

   Set Name to SQL Enumeration.

   Set Protocol to UDP.

   Set Direction to Send.

   Set Local Port to Any.

   Set Remote Port to 1434.

2. Create a protocol rule with the following parameters:

   Set Action to Deny.

   Set Protocol to SQL Enumeration.

   Set Schedule to Always.

   Set Applies to to All requests.
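
The rule built in steps 1 and 2, modelled as an added Python example (not part of the original article and not ISA Server code): it applies the SQL Enumeration deny rule to constructed flow records and uses the denials to list internal hosts that may already be infected. The record format, the 10.0.0.0/8 internal range and the min_targets threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the internal network behind ISA Server; replace with your own range.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Values taken from the article's protocol definition and worm description.
RULE_PROTOCOL = "UDP"
RULE_REMOTE_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376  # bytes the worm sends to UDP 1434

# Constructed sample records (not ISA Server's log format):
# protocol,src_ip,src_port,dst_ip,dst_port,payload_len
SAMPLE_LOG = """\
UDP,10.0.0.5,1045,198.51.100.7,1434,376
UDP,10.0.0.5,1045,203.0.113.20,1434,376
UDP,10.0.0.5,1045,192.0.2.99,1434,376
UDP,10.0.0.8,1100,192.0.2.53,53,40
TCP,10.0.0.9,1200,192.0.2.10,1434,60
UDP,10.0.0.12,1300,192.0.2.44,1434,12
UDP,198.51.100.7,4000,10.0.0.5,1434,376
"""

def parse(line):
    """Turn one constructed record into a dict with typed fields."""
    proto, src, sport, dst, dport, length = line.strip().split(",")
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "len": int(length)}

def rule_denies(pkt):
    """Match the deny rule: UDP, Send (internal to external), any local port, remote port 1434."""
    outbound = pkt["src"] in INTERNAL_NET and pkt["dst"] not in INTERNAL_NET
    return outbound and pkt["proto"] == RULE_PROTOCOL and pkt["dport"] == RULE_REMOTE_PORT

def denied_count(log_text):
    """Number of records the rule would block."""
    return sum(rule_denies(parse(l)) for l in log_text.splitlines() if l.strip())

def suspected_hosts(log_text, min_targets=2):
    """Internal hosts whose denied packets are 376 bytes and go to several destinations."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse(line)
        if rule_denies(pkt) and pkt["len"] == SLAMMER_PAYLOAD_LEN:
            targets[str(pkt["src"])].add(pkt["dst"])
    return sorted(h for h, dsts in targets.items() if len(dsts) >= min_targets)
```

The inbound record in the sample is not matched because this rule covers outbound traffic only; inbound UDP 1434 is covered by the assumption that no Server Publishing rule allows it.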


Summary

The first course of action taken against Slammer should be protecting and patching all computers running SQL Server 2000. In addition, ISA Server can help prevent Slammer. Taking the above steps can help mitigate current circumstances, and could help to prevent machines on internal networks from further infection.


More Info

The links below include more information about the subjects mentioned in this article:

http://www.microsoft.com/security/malwareremove/default.mspx

http://www.microsoft.com/downloads/details.aspx?FamilyId=9552D43B-04EB-4AF9-9E24-6CDE4D933600

http://www.microsoft.com/technet/security/bulletin/ms02-061.mspx

