
Author: Government Digital Service

Open port 1433: Microsoft SQL

What this means

By default, a Microsoft SQL Server instance listens on TCP port 1433, and the SQL Server Browser service, which tells clients which port each named instance is using, listens on UDP port 1434.

When these ports are reachable from the internet, anyone can open a direct connection to the database engine and attempt to authenticate against it, bypassing whatever application normally sits in front of it.

Why this is a problem

Microsoft SQL Server is a complex product. Alongside the database engine it ships components such as Reporting Services, Integration Services and Database Mail, together with extended stored procedures (for example xp_cmdshell) that can run operating-system commands on the host.

Exposing SQL Server on its default port to an untrusted network means that all of these components, and any weakness in them, are reachable by anyone on that network.

Combined with default settings and misconfiguration, such as leaving the default port in place and keeping the well-known sa login enabled, this can lead to:

  • unauthorised access: attackers can run brute-force or password-spraying attacks against the sa login and other SQL logins, which are a fixed, predictable target
  • SQL injection: if the application in front of the server builds queries unsafely, malicious SQL can be injected to read or modify sensitive data; an engine that is also reachable directly gives the attacker a second route that has no application layer in the way at all
  • data exfiltration: an attacker who obtains a login can read and extract sensitive business or personal data
  • Denial of Service (DoS): attackers can overwhelm the server with excessive connection or login requests, making it unresponsive to legitimate users
  • ransomware and malware: a login with sufficient rights can use SQL Server's command-execution features to install malicious software on the host, encrypting data or disrupting the system

How to check if the problem is there

There are several ways to identify an open SQL Server port, depending on where you test from. A test from inside your own network will usually succeed and tells you nothing about internet exposure, so the external check must be run from a device outside your network.

Check from an external Windows-based device

You can use either the Telnet client from Command Prompt or PowerShell to check. The Telnet client is an optional Windows feature and is not installed by default; Test-NetConnection is available in PowerShell on Windows 8 / Windows Server 2012 and later.

Open Command Prompt and run:

telnet <your service ip> 1433

If the port is open, the window clears to a blank screen with a cursor: the TCP connection to SQL Server has been established (SQL Server sends no banner, so nothing is printed). If the port is closed or filtered, telnet reports "Could not open connection to the host, on port 1433: Connect failed". Close an open session with Ctrl+] and then "quit".

Open PowerShell and run:

Test-NetConnection <your service ip> -Port 1433

If the port is open, the output shows TcpTestSucceeded : True. False means the port is closed or filtered; when a firewall silently drops the packets the test waits for its timeout before reporting False.
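As an added example that is not part of the original guidance, the following PowerShell function performs the same external reachability check as the commands above and goes one step further: it also probes UDP 1434, where the SQL Server Browser service, if reachable, lists every instance and the TCP port it is using. The target address is a placeholder (203.0.113.10 is from a documentation range); run the function from a host outside your network.

```powershell
# Added example (not from the original page). Checks whether a SQL Server host is
# reachable on TCP 1433 and whether the SQL Server Browser service answers on
# UDP 1434. Run it from OUTSIDE your network. $Target is a placeholder for your
# own public IP address or hostname.

function Test-SqlExposure {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$TcpPort   = 1433,
        [int]$TimeoutMs = 3000
    )

    $result = [ordered]@{ Target = $Target; Tcp1433Open = $false; BrowserResponse = $null }

    # --- TCP 1433: a completed three-way handshake means the engine is reachable.
    # A raw TcpClient is used instead of Test-NetConnection so that a timeout can be
    # enforced and the function works on any Windows or PowerShell version.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $TcpPort, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $result.Tcp1433Open = $client.Connected
        }
    } catch {
        # Connection refused or reset: port closed or filtered
    } finally {
        $client.Close()
    }

    # --- UDP 1434: SQL Server Browser (SSRP). A single byte 0x03 (CLNT_UCAST_EX)
    # asks the Browser to list every instance with its TCP port. No reply within
    # the timeout means the port is closed, filtered, or the service is stopped.
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Target, 1434)
        [void]$udp.Send([byte[]]@(0x03), 1)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $bytes  = $udp.Receive([ref]$remote)
        # SVR_RESP: byte 0x05, a 2-byte length, then an ASCII string of key;value
        # pairs, e.g. ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;...;tcp;1433;;
        if ($bytes.Length -gt 3 -and $bytes[0] -eq 0x05) {
            $result.BrowserResponse = [System.Text.Encoding]::ASCII.GetString($bytes, 3, $bytes.Length - 3)
        }
    } catch {
        # SocketException on timeout: treat as no Browser exposure
    } finally {
        $udp.Close()
    }

    [pscustomobject]$result
}

# Example use (replace the placeholder with your own public address):
Test-SqlExposure -Target '203.0.113.10' | Format-List
```

Either field being populated is a finding: an open TCP 1433 means the engine itself is reachable, and a Browser response means an attacker does not even need to guess the ports of named instances, because the service enumerates them.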

Verify from the SQL Server itself

To verify what the server is configured to listen on and what is letting traffic through to it, use the following steps:

  1. On the SQL Server, open SQL Server Configuration Manager, expand SQL Server Network Configuration > Protocols for <instance>, and check whether TCP/IP is enabled and which port is set (TCP/IP Properties > IP Addresses > IPAll: TCP Port for a static port, TCP Dynamic Ports for a dynamic one). The protocol and port settings live here, not in SSMS.
  2. Check the local and network firewall rules.

How to check local and network firewall rules

Local firewall rules

  1. Open Windows Defender Firewall with Advanced Security.
  2. Under Inbound Rules, look for enabled rules that allow TCP port 1433 (and UDP port 1434), and check the Scope tab of each: a rule whose remote IP address is "Any IP address" is what exposes the port to every source.

Network firewall rules

  1. Open the management interface of the perimeter firewall or router.
  2. Look for inbound allow rules, and for port forwarding or NAT rules, that pass TCP port 1433 or UDP port 1434 through to the SQL Server.
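The local checks above can be scripted. As an added example that is not part of the original guidance, the following PowerShell function, run in an elevated session on the SQL Server itself, reports what is actually listening on TCP 1433, the port each installed instance is configured to use (read from the same registry values that SQL Server Configuration Manager edits), and every enabled inbound Windows Firewall rule that allows the port together with the remote addresses it admits. The registry paths are SQL Server's standard locations; instance names are read from the registry rather than assumed.

```powershell
# Added example (not from the original page). Audit the local SQL Server host for
# (1) live listeners on the port, (2) the configured port per instance, and
# (3) enabled inbound firewall rules that allow it. Run elevated on the server.

function Get-SqlPortExposure {
    [CmdletBinding()]
    param([int]$Port = 1433)

    # (1) Live listeners: anything in LISTEN state on the port, with the owning process.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress   # 0.0.0.0 or :: means every interface
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
                Pid          = $_.OwningProcess
            }
        }

    # (2) Configured ports per instance, from SQL Server Network Configuration
    #     (the values Configuration Manager shows under TCP/IP > IP Addresses > IPAll).
    $instKey    = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $configured = @()
    if (Test-Path $instKey) {
        $inst = Get-ItemProperty $instKey
        foreach ($name in ($inst.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
            $id  = $inst.$name                                   # e.g. MSSQL16.MSSQLSERVER
            $tcp = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib\Tcp"
            if (Test-Path $tcp) {
                $tcpProps = Get-ItemProperty $tcp
                $ipAll    = Get-ItemProperty "$tcp\IPAll"
                $configured += [pscustomobject]@{
                    Instance    = $name
                    TcpEnabled  = [bool]$tcpProps.Enabled
                    StaticPort  = $ipAll.TcpPort          # empty when dynamic ports are in use
                    DynamicPort = $ipAll.TcpDynamicPorts
                }
            }
        }
    }

    # (3) Firewall: enabled, inbound, Allow rules whose port filter covers the port
    #     (rules written as a port range are not matched by this simple equality test).
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress   # 'Any' = reachable from every source
            }
        }

    [pscustomobject]@{ Listeners = $listeners; Configured = $configured; FirewallAllowRules = $rules }
}

$report = Get-SqlPortExposure
$report.Listeners          | Format-Table -AutoSize
$report.Configured         | Format-Table -AutoSize
$report.FirewallAllowRules | Format-Table -AutoSize
```

A listener bound to 0.0.0.0 or ::, an instance with TCP enabled on port 1433, and an inbound allow rule with RemoteAddress 'Any' together describe a server that is open to whatever the perimeter firewall lets through; the perimeter rules still have to be checked on that device.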

How to fix this

To mitigate attacks against the Microsoft SQL Server, an administrator can take the following steps to block access or reduce the attack surface.

Restrict network access

Restrict network access by carrying out the following:

  • remove any inbound firewall, port forwarding or NAT rules on the perimeter device that allow TCP port 1433 or UDP port 1434 from the internet
  • configure the host and network firewall rules to allow connections only from the specific trusted IP addresses that need them, such as the application servers
  • disable or uninstall SQL Server components and services that are not required, for example Reporting Services, Integration Services, or the SQL Server Browser service if every client connects on a fixed port
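As an added example that is not part of the original guidance, the following PowerShell, run elevated on the SQL Server, applies the host-firewall part of these steps: it disables every enabled inbound allow rule that opens TCP 1433 to any remote address, adds a single rule scoped to a list of trusted sources, and makes the default inbound action Block. $TrustedSources is a placeholder; 10.0.0.5 and 203.0.113.0/24 are private and documentation ranges used only for illustration. The perimeter device still has to be changed separately.

```powershell
# Added example (not from the original page). Replace any broad inbound allow for
# TCP 1433 with one rule that only admits trusted addresses. Run elevated on the
# SQL Server. The addresses below are placeholders for your own application
# servers and administrative network.

$Port           = 1433
$TrustedSources = @('10.0.0.5', '203.0.113.0/24')   # example values only

# 1. Disable every enabled inbound Allow rule that opens the port to any remote address.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Host "Disabling broad rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }
    }

# 2. Add a scoped rule: same port, but only from the trusted sources, and only on the
#    Domain and Private profiles (no rule at all for the Public profile).
$ruleName = 'SQL Server (TCP 1433) - trusted sources only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $TrustedSources -Action Allow -Profile Domain,Private | Out-Null
}

# 3. Make the default inbound behaviour Block on every profile, so nothing else opens the port.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Verify: the only enabled inbound rule for the port should now be the scoped one.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Profile, Action,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```

Rules are disabled rather than deleted so that the change can be reversed if an application that legitimately connected from an unexpected address turns out to have been affected; once the scoped rule has been confirmed to cover every real client, the disabled rules can be removed.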

Enable authentication and encryption

Enable authentication and encryption by carrying out the following:

  • prefer Windows Authentication mode; if Mixed Mode is required by an application, disable or rename the sa login and keep the number of SQL logins to a minimum
  • enable encryption at rest (Transparent Data Encryption, or volume encryption on the disks holding the data files) and in transit (Force Encryption with a certificate that the clients trust, so that credentials and data are not sent in clear text)
  • minimise the attack surface: the Surface Area Configuration tool that shipped with SQL Server 2005 has been replaced by the Surface Area Configuration facet in SSMS and by sp_configure; use them to disable xp_cmdshell, Ole Automation Procedures, Ad Hoc Distributed Queries and Database Mail unless they are genuinely required

Use strong passwords and Multi-Factor Authentication (MFA)

Use strong passwords and MFA by carrying out the following:

  • ensure that the sa login and all other SQL logins have strong, unique passwords, with "Enforce password policy" enabled so that the Windows password policy applies to them
  • use directory (Active Directory or Microsoft Entra) accounts and groups rather than SQL logins wherever possible, so that password policy, account lockout and MFA are enforced by the identity provider; SQL Server cannot apply MFA to a SQL login on its own
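As an added example that is not part of the original guidance, the following PowerShell first reports the current state of the settings listed under the two headings above (authentication mode, the sa login, the command-execution features, and whether the current connection is encrypted) and then applies the hardening. It assumes the SqlServer PowerShell module (Install-Module SqlServer) and a connection as a Windows login with sysadmin rights, not as sa; $Instance, the registry instance id MSSQL16.MSSQLSERVER and the replacement login name are placeholders. Changing LoginMode or ForceEncryption takes effect only after the service is restarted.

```powershell
# Added example (not from the original page). Audit, then harden, the authentication,
# surface-area and encryption settings of a SQL Server instance. Requires the
# SqlServer module and a Windows sysadmin login. Placeholders: $Instance, $RegRoot.
# SqlServer module 22 and later encrypts the connection by default; only add
# -TrustServerCertificate on a test box whose certificate is not trusted.

$Instance = 'SQL01'                                                                          # server or server\instance
$RegRoot  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQLServer'  # adjust to your instance id

# --- Audit: what is the current state?
$audit = @"
SELECT 'auth_mode' AS item,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'Windows only' ELSE 'Mixed' END AS setting
UNION ALL
SELECT 'sa_login', name + CASE WHEN is_disabled = 1 THEN ' (disabled)' ELSE ' (ENABLED)' END
FROM sys.server_principals WHERE sid = 0x01            -- sa always has SID 0x01, whatever its name
UNION ALL
SELECT name, CAST(value_in_use AS varchar(10))
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Database Mail XPs',
               'Ad Hoc Distributed Queries', 'remote access')
UNION ALL
SELECT 'this_connection_encrypted', encrypt_option + ' (' + net_transport + ')'
FROM sys.dm_exec_connections WHERE session_id = @@SPID;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $audit | Format-Table -AutoSize

# --- Harden: turn off the features that turn a database login into code execution,
#     then disable the well-known sa login and rename it so brute force has no fixed target.
$harden = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
-- EXEC sp_configure 'Database Mail XPs', 0;        -- uncomment only if Database Mail is not in use
RECONFIGURE;
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_retired_admin];      -- placeholder replacement name
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $harden

# --- Windows Authentication only (LoginMode 1) instead of Mixed Mode (2), and force TLS on
#     every client connection. Both values are read by the service at start-up.
Set-ItemProperty -Path $RegRoot -Name LoginMode -Value 1 -Type DWord
Set-ItemProperty -Path "$RegRoot\SuperSocketNetLib" -Name ForceEncryption -Value 1 -Type DWord
# Before restarting: bind a certificate the clients trust (Configuration Manager >
# Protocols > Properties > Certificate), otherwise clients that validate the certificate
# will fail to connect. Then:  Restart-Service MSSQLSERVER
```

Re-running only the audit query after the restart should show auth_mode as Windows only, the sa row as disabled under its new name, every listed configuration at 0, and this_connection_encrypted as TRUE.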

Regularly monitor logs

Enable login auditing (in SSMS: Server Properties > Security > Login auditing, set to at least "Failed logins only") so that failed logins are written to the SQL Server error log and to the Windows Application log as event ID 18456, and review them regularly. Many failures against one login from a single source address in a short period is the signature of a brute-force attempt and should be treated as an incident, not noise.
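As an added example that is not part of the original guidance, the following PowerShell checks that failed-login auditing is enabled on the server and then summarises event ID 18456 entries by source address so that a brute-force attempt stands out. The $events used at the end are constructed sample messages in the format SQL Server writes, so the summary can be demonstrated without a live server; the commented-out Get-WinEvent line reads the real entries (provider name MSSQLSERVER for the default instance, MSSQL$<name> for a named instance). The registry instance id is a placeholder, and 198.51.100.7 and 10.0.0.5 are documentation and private addresses used only for illustration.

```powershell
# Added example (not from the original page). Confirm failed-login auditing is on,
# then summarise failed logins by client address. $RegRoot is a placeholder.

$RegRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQLServer'  # adjust to your instance id

# Login auditing level (Server Properties > Security in SSMS): 0 none, 1 successful,
# 2 failed, 3 both. Anything below 2 means failed logins are not recorded at all.
$level = (Get-ItemProperty -Path $RegRoot -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
if ($level -lt 2) {
    Write-Warning "AuditLevel is '$level'; enabling failed-login auditing (applies after a service restart)"
    Set-ItemProperty -Path $RegRoot -Name AuditLevel -Value 2 -Type DWord
}

function Get-SqlFailedLoginSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeCreated and Message
        [int]$Threshold = 10                       # failures from one source that warrant a look
    )
    $Events |
        ForEach-Object {
            # Message format: "Login failed for user 'sa'. Reason: ... [CLIENT: 198.51.100.7]"
            if ($_.Message -match "Login failed for user '(?<user>[^']*)'.*\[CLIENT: (?<ip>[^\]]+)\]") {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $Matches.user; Client = $Matches.ip }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client     = $_.Name
                Failures   = $_.Count
                Users      = ($_.Group.User | Sort-Object -Unique) -join ','
                Suspicious = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending
}

# Live data for the last 24 hours (default instance):
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSSQLSERVER';
#                                            Id = 18456; StartTime = (Get-Date).AddDays(-1) }

# Constructed sample: twelve attempts against 'sa' from one address, one mistyped
# password from an application server.
$events = @()
1..12 | ForEach-Object {
    $events += [pscustomobject]@{
        TimeCreated = (Get-Date).AddMinutes(-$_)
        Message     = "Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]"
    }
}
$events += [pscustomobject]@{
    TimeCreated = Get-Date
    Message     = "Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]"
}

Get-SqlFailedLoginSummary -Events $events | Format-Table -AutoSize
```

The threshold is deliberately a parameter: on a server whose only clients are a handful of application servers, even a few failures from an address that is not one of them is worth investigating, so lower it to match your environment.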

Consider VPN or Internal Networking

If remote access is needed, provide it over a VPN or a private network between the client and the SQL Server rather than exposing the port to the public internet. Administrative access should go through the same route, not through an exception on the firewall.
