Solved

SQL Server / web server security

Posted on 2003-12-07
Last Modified: 2010-04-11
Hello,

I have a web app that I've written that sits on an IIS5 server with SQL2k. All known patches have been applied. I try and keep it up to date for security reasons.

Recently I put in a program called SecureIIS (http://www.eeye.com/html/Products/SecureIIS/Features.html) and have SQL and IIS running on the same server. Now this web server has two IP addresses. I want to make security as tight as possible so no hackers can break in.

Any tips on how to harden SQL Server or NT2k? I see on sqlsecurity.com they are saying to block access to TCP 1433 and UDP 1434 from all untrusted clients. Any idea how to do this?

Thanks!

-MR
Question by:mjreine
7 Comments
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
ID: 9894386
This is done in the server's IP security policy

Security Focus has a good series on this
http://www.securityfocus.com/infocus/1559

The ideal thing would be to have this behind a dedicated firewall or to use an access list on your router.
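The accepted answer points at the server's IP Security Policy. As an added example that is not from this thread, the script below models how such a filter list decides a packet, using the Windows IPsec rule that the most specific matching filter wins: a blanket block on TCP 1433 and UDP 1434 sits beside host-specific permits for the two addresses bound to the web/SQL box. The addresses are constructed TEST-NET values and the filter names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values: the two addresses bound to the web/SQL box.
SERVER_IPS = {"203.0.113.10", "203.0.113.11"}

@dataclass(frozen=True)
class Filter:
    name: str
    src: str                  # "any", a host address or a CIDR block
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None means any destination port
    action: str               # "permit" or "block"

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port

    def specificity(self) -> int:
        # Windows IPsec applies the most specific matching filter, so a
        # permit for one host outranks a block for "any address".
        score = 0 if self.src == "any" else ip_network(self.src, strict=False).prefixlen
        score += 1 if self.proto != "any" else 0
        score += 1 if self.dst_port is not None else 0
        return score

def build_filters(allowed_sources):
    """Block SQL (TCP 1433) and SSRP (UDP 1434) from everyone, then add
    host-specific permits for the addresses that may still reach them."""
    filters = [
        Filter("block-sql-tcp", "any", "tcp", 1433, "block"),
        Filter("block-ssrp-udp", "any", "udp", 1434, "block"),
    ]
    for src in sorted(allowed_sources):
        filters.append(Filter(f"permit-sql-{src}", src, "tcp", 1433, "permit"))
        filters.append(Filter(f"permit-ssrp-{src}", src, "udp", 1434, "permit"))
    return filters

def decide(filters, src_ip: str, proto: str, dst_port: int) -> str:
    """Return the action of the most specific filter matching the packet;
    packets no filter covers (e.g. HTTP on port 80) pass untouched."""
    hits = [f for f in filters if f.matches(src_ip, proto, dst_port)]
    if not hits:
        return "permit"
    return max(hits, key=Filter.specificity).action
```

A real policy is built in the IP Security Policy editor the answer refers to; the script only shows why the host-specific permits must sit alongside the any-address blocks rather than replace them, and that unrelated ports such as 80 are left alone.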

Author Comment

by:mjreine
ID: 9894504
Thanks for the article, however it doesn't really explain how to secure SQL Server from outside attacks. I'm really looking for easier steps I can take to deny TCP 1433 and UDP 1434 to the outside world (i.e. ANY client other than the 2 IPs bound to my web/SQL server).

Right now it seems anyone could use Query Analyzer and connect to one of my IPs and guess passwords all day long. Doubtful they would get it as it's long, however I'd rather just cut off all access to SQL Server other than to my local ASP apps on that same server.

Also, in the Server Network Utility, I have TCP/IP and Named Pipes installed. May I remove the Named Pipes option? What's it for?

I don't have a good router yet. We are getting a Cisco 2610 soon but we don't have it yet. Meanwhile I need to lock this server down.

Thanks!

-Matt
LVL 18

Expert Comment

by:chicagoan
ID: 9894605
IP Filter Lists are explained in that article; this is not done through SQL Server, but in the operating system. You might further want to examine http://nsa2.www.conxion.com/win2k/
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9894653
So, you don't have a firewall in place?
How about a software-based firewall like ZoneAlarm?
That would prevent connections to port 1433 & 1434.
Also, do you have File And Print Sharing enabled on the NIC that is plugged into your router? If so, please disable it!

BTW, do you have Service Pack 3A on SQL Server, to prevent the Slammer worm from infecting it?
LVL 18

Expert Comment

by:chicagoan
ID: 9894718
I'm not sure I'd put ZoneAlarm on a production server. An IDS sensor from an enterprise-level package (Axent, CyberSafe ISS, etc.) would be worth considering down the road as part of a comprehensive security plan.
LVL 79

Expert Comment

by:lrmoore
ID: 9897383
Any good hardware-based stateful packet inspection firewall can do the job for you.
Adding access-lists on the router can also do what you want (assuming you have a configurable router like a Cisco).

I like Chicagoan's suggestion to put the SQL on a totally separate server, behind the firewall, and create an IPSEC secure connection between the IIS server and the SQL server. The SQL server then only accepts traffic from the IIS server IP and no one else.

It sounds like you can't "split" your setup into two different servers, so you should take whatever steps you can. I personally would not rely simply on the Win2k operating system to provide all of my security on a money-making machine. Windows OS will never be secure, and therefore, no applications running on Windows OS (IIS/SQL) will ever be secure.
Block ports at the screening access router
Block access at the stateful packet inspection firewall
Lock down as best you can the OS/Applications on the server

LVL 18

Expert Comment

by:chicagoan
ID: 9899878
That would be ideal, but my point was that the security on the existing box should be done via the OS filters and that a consumer level software firewall is going to be nothing but trouble.
