Solved

SQL Server / web server security

Posted on 2003-12-07
Last Modified: 2010-04-11
Hello,

 I have a web app that I've written that sits on an IIS5 server with SQL2k. All known patches have been applied. I try to keep it up to date for security reasons.

 Recently I put in a program called SecureIIS
(http://www.eeye.com/html/Products/SecureIIS/Features.html)

 and have SQL and IIS running on the same server. Now this web server has two ip addresses. I want to make security as tight as possible so no hackers can break in.

 Any tips on how to harden SQL server or NT2k? I see on sqlsecurity.com they are saying to block access to TCP 1433 and UDP 1434 from all un-trusted clients. Any idea how to do this?

 Thanks!

-MR
Question by:mjreine
7 Comments
Accepted Solution by: chicagoan (LVL 18, earned 250 total points)
This is done in the server's IP security policy

Security Focus has a good series on this
http://www.securityfocus.com/infocus/1559

The ideal thing would be to have this behind a dedicated firewall or to use an access list on your router.

Author Comment by: mjreine
Thanks for the article; however, it doesn't really explain how to secure SQL Server from outside attacks. I'm really looking for easier steps I can take to deny TCP 1433 and UDP 1434 to the outside world (i.e. ANY client other than the 2 IPs bound to my web/SQL server).

Right now it seems anyone could use Query Analyzer, connect to one of my IPs and guess passwords all day long. Doubtful they would get it as it's long; however, I'd rather just cut off all access to SQL Server other than to my local ASP apps on that same server.

Also, in the Server Network Utility, I have TCP/IP and Named Pipes installed. May I remove the Named Pipes option? What's it for?

I don't have a good router yet. We are getting a Cisco 2610 soon, but we don't have it yet. Meanwhile I need to lock this server down.

Thanks!

-Matt

Expert Comment by: chicagoan (LVL 18)
IP Filter Lists are explained in that article, this is not done through SQL server, but in the operating system. You might further want to examine http://nsa2.www.conxion.com/win2k/
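The "IP security policy" / "IP Filter Lists" approach from the accepted solution and the comment above, written out as commands rather than GUI clicks. This is an added example, not something posted in the thread: it uses ipsecpol.exe from the Windows 2000 Resource Kit (ipseccmd.exe takes the same arguments on XP/2003), and the policy name, rule names and the two addresses 192.0.2.10 and 192.0.2.11 are placeholders standing in for the real IPs bound to the server. Run it from an administrative command prompt on the server itself.

```bat
@echo off
rem Added example (not from the thread): a static IPSec policy that drops
rem SQL Server's network listeners for everyone except the server's own
rem two addresses. Needs ipsecpol.exe (Windows 2000 Resource Kit).
rem The addresses below are placeholders; replace them with the real ones.

set POLICY=Block SQL Listeners
set IP1=192.0.2.10
set IP2=192.0.2.11

rem ipsecpol argument summary (see "ipsecpol -?" for the full list):
rem   -w REG     write a persistent (static) policy to the registry
rem   -p / -r    policy name / rule name; repeating -p adds rules to one policy
rem   -f         filter spec  src+dst:port:protocol
rem                * = any address, 0 = my address, "+" = mirrored (both ways)
rem   -n BLOCK   drop matching packets;  -n PASS  let them through unencrypted
rem   -x         assign (activate) the policy once the rules are in place

rem 1. Drop TCP 1433 (SQL Server) and UDP 1434 (SQL Server Resolution
rem    Service, the Slammer vector) arriving from anywhere.
ipsecpol -w REG -p "%POLICY%" -r "Block TCP 1433 inbound" -f *+0:1433:TCP -n BLOCK
ipsecpol -w REG -p "%POLICY%" -r "Block UDP 1434 inbound" -f *+0:1434:UDP -n BLOCK

rem 2. Permit the server's own two addresses. IPSec applies the most
rem    specific matching filter, so these single-host rules beat the "*"
rem    rules above. Traffic to 127.0.0.1 is never inspected by IPSec, so an
rem    ASP app connecting to "(local)" keeps working with or without this.
ipsecpol -w REG -p "%POLICY%" -r "Permit self 1433" -f %IP1%+0:1433:TCP %IP2%+0:1433:TCP -n PASS
ipsecpol -w REG -p "%POLICY%" -r "Permit self 1434" -f %IP1%+0:1434:UDP %IP2%+0:1434:UDP -n PASS -x

rem 3. Check. The listener still shows in netstat (IPSec filters, it does
rem    not unbind), so test from a machine that is NOT the server:
rem      osql -S 192.0.2.10 -U sa      (should hang and time out, not prompt)
netstat -an | find ":1433"
netstat -an | find ":1434"

rem Rollback if the app breaks:
rem   ipsecpol -w REG -p "%POLICY%" -y     (unassign)
rem   ipsecpol -w REG -p "%POLICY%" -o     (delete the policy)
```

Two caveats a reader of this thread would want: the filter is host-based, so it does nothing against a compromised IIS process on the same box (that is the separate-server/firewall point made later in the thread), and "-w REG" policies only take effect after the IPSEC Policy Agent service has started, so verify after a reboot as well.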
Expert Comment by: Joseph_Moore (LVL 6)
So, you don't have a firewall in place?
How about a software-based firewall like ZoneAlarm?
That would prevent connections to port 1433 & 1434.
Also, do you have File And Print Sharing enabled on the NIC that is plugged into your router? If so, please disable it!

BTW, do you have Service Pack 3A on SQL Server, to prevent the Slammer worm from infecting it?

Expert Comment by: chicagoan (LVL 18)
I'm not sure I'd put zone alarm on a production server. An IDS sensor from an enterprise level package ( Axent, CyberSafe ISS, etc.) would be worth considering down the road as part of a comprehensive security plan.

Expert Comment by: lrmoore (LVL 79)
Any good hardware based stateful packet inspection firewall can do the job for you.
Adding access-lists on the router can also do what you want (assuming you have a configurable router like a Cisco)

I like Chicagoan's suggestion to put the SQL on a totally separate server, behind the firewall, and create an IPSEC secure connection between the IIS server and the SQL server. The SQL server then only accepts traffic from the IIS server IP and no one else.

It sounds like you can't "split" your setup into two different servers, so you should take whatever steps you can. I personally would not rely simply on the Win2k operating system to provide all of my security on a money-making machine. Windows OS will never be secure, and therefore no applications running on Windows OS (IIS/SQL) will ever be secure.
Block ports at the screening access router
Block access at the stateful packet inspection firewall
Lock down as best you can the OS/Applications on the server

Expert Comment by: chicagoan (LVL 18)
That would be ideal, but my point was that the security on the existing box should be done via the OS filters and that a consumer level software firewall is going to be nothing but trouble.