How ISA Server Can Be Configured to Help Prevent the W32.Slammer Worm

Microsoft Internet Security and Acceleration (ISA) Server 2000 can be used to help prevent the spread of the W32.Slammer Worm (Slammer). However, the first course of action should be to protect the SQL servers in the environment (see "Patching and Protecting Your Systems" below).

This document discusses how Slammer spreads, where to find more details about patching your servers, what ISA Server can do to help prevent Slammer, and where to go for more information.

Disclaimer

There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

How the Slammer Worm Spreads

Slammer targets computers running Microsoft SQL Server 2000, and computers running Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server Resolution Service port. The large number of packets it generates results in a Denial of Service attack. The worm only spreads as an in-memory process: it never writes itself to the hard drive.

Patching and Protecting Your Systems

The above is only a short description of how Slammer spreads and infects. As mentioned above, the first course of action should be to protect your computers running SQL Server 2000 with the SQL Server 2000 Security Tools. The SQL Server 2000 Security Tools are used to scan instances of SQL Server 2000 and detect security vulnerabilities, and then apply updates to the affected files.

For complete details on securing the SQL servers, see "Download details: SQL Server 2000 Security Tools".

What ISA Server Can Do To Help Stop Slammer

You can take the following steps to configure ISA Server to help you protect your network against further infiltration by Slammer.

Note that the steps detailed below assume the following:

  • ISA Server is installed in Firewall or Integrated mode

  • ISA Server is the only route between the Internet and the internal network

  • IP Packet Filtering is enabled

  • No Server Publishing rule allows UDP-1434 to the internal network

  • No anonymous rules exist

Perform the following steps to help prevent outbound attacks:

  1. Create a protocol definition with the following parameters:

    • Set Name to SQL Enumeration.

    • Set Protocol to UDP.

    • Set Direction to Send.

    • Set Local Port to Any.

    • Set Remote Port to 1434.

  2. Create a protocol rule with the following parameters:

    • Set Action to Deny.

    • Set Protocol to SQL Enumeration.

    • Set Schedule to Always.

    • Set Applies to to All requests.
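
The following Python sketch is an added example, not part of the original article and not ISA Server code. It applies the same match criteria as the protocol definition above (UDP, Send, any local port, remote port 1434) to traffic records and lists the internal hosts that hit the deny rule. The record format, sample addresses and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

REMOTE_PORT = 1434         # "SQL Enumeration" definition: UDP, Send, remote port 1434
WORM_DATAGRAM_BYTES = 376  # datagram size the article gives for Slammer

# Constructed sample records; this is NOT ISA Server's log format.
# Fields: src_ip src_port dst_ip dst_port protocol direction payload_bytes
SAMPLE_LOG = """\
10.0.0.15 1045 203.0.113.7 1434 UDP send 376
10.0.0.15 1046 198.51.100.23 1434 UDP send 376
10.0.0.15 1047 192.0.2.88 1434 UDP send 376
10.0.0.22 1301 203.0.113.9 1434 UDP send 1
10.0.0.31 1122 203.0.113.9 1433 TCP send 120
10.0.0.40 1434 192.0.2.10 53 UDP send 40
203.0.113.50 2000 10.0.0.5 1434 UDP receive 376
malformed line
"""

Packet = namedtuple("Packet", "src src_port dst dst_port protocol direction size")

def parse(line):
    """Return a Packet, or None when the record is malformed."""
    f = line.split()
    if len(f) != 7:
        return None
    try:
        return Packet(f[0], int(f[1]), f[2], int(f[3]), f[4].upper(), f[5].lower(), int(f[6]))
    except ValueError:
        return None

def matches_sql_enumeration(p):
    # Local Port is "Any", so the source port is deliberately not checked.
    return p.protocol == "UDP" and p.direction == "send" and p.dst_port == REMOTE_PORT

def denied_by_source(log):
    """Map each source IP to [packets denied, denied packets of worm size]."""
    hits = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        p = parse(line)
        if p and matches_sql_enumeration(p):
            hits[p.src][0] += 1
            hits[p.src][1] += p.size == WORM_DATAGRAM_BYTES
    return dict(hits)

def suspected_hosts(log):
    """Internal sources that sent worm-sized datagrams to UDP 1434."""
    return sorted(ip for ip, (_, worm) in denied_by_source(log).items() if worm)
```

The deny rule matches every outbound UDP datagram to port 1434, so 10.0.0.22's non-worm datagram is counted as denied too; only the size check separates it from the hosts that should be examined and patched first.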

Summary

The first course of action taken against Slammer should be protecting and patching all computers running SQL Server 2000. In addition, ISA Server can help prevent the spread of Slammer. Taking the above steps can help mitigate current circumstances, and could help to prevent machines on internal networks from further infection.

More Info

The links below include more information about the subjects mentioned in this article: