Solved

SQL Server / web server security

Posted on 2003-12-07
7
379 Views
Last Modified: 2010-04-11
Hello,

 I have a web app that Ive written that sits on an IIS5 server with SQL2k. All known patches have been applied. I try and keep it up to date for security reasons.

 Recently I put in a program called SecureIIS
(http://www.eeye.com/html/Products/SecureIIS/Features.html)

 and have SQL and IIS running on the same server. Now this web server has two ip addresses. I want to make security as tight as possible so no hackers can break in.

 Any tips on how to harden SQL server or NT2k? I see on sqlsecurity.com they are saying to block access to TCP 1433 and UDP 1434 from all un-trusted clients. Any idea how to do this?

 Thanks!

-MR
0
Comment
Question by:mjreine
7 Comments
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
ID: 9894386
This is done in the server's IP security policy

Security Focus has a good series on this
http://www.securityfocus.com/infocus/1559

The ideal thing would be to have this behind a dedicated firewall or to use an access list on your router.
0
 

Author Comment

by:mjreine
ID: 9894504
Thanks for the article however it doesnt really explain how to secure SQL server from outside attacks. Im really looking for easier steps I can take to deny TCP 1433 and UDP 1434 to the outside world (i.e. ANY client other than the 2 ips bound to my web/sql server)

Right now it seems anyone could use query analyzer and connect to one of my ips and guess passwords all day long. Doubtful they would get it as its long however Id rather just cut off all access to SQL server other than to my local asp apps on that same server.

Also, in the server networking utility, I have tcpip and named pipes installed. May I remove the named pipes option? Whats it for?

I dont have a good router yet.. we are getting a cisco 2610 soon but we dont have it yet. Meanwhile I need to lock this server down.

Thanks!

-Matt
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9894605
IP Filter Lists are explained in that article, this is not done through SQL server, but in the operating system. You might further want to examine http://nsa2.www.conxion.com/win2k/
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9894653
So, you don't have a firewall in place?
How about a software-based firewall like ZoneAlarm?
That would prevent connections to port 1433 & 1434.
Also, do you have File And Print Sharing enabled on the NIC that is plugged into your router? If so, please disable it!

BTW, do you have Service Pack 3A on SQL Server, to prevent the Slammer worm from infecting it?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9894718
I'm not sure I'd put zone alarm on a production server. An IDS sensor from an enterprise level package ( Axent, CyberSafe ISS, etc.) would be worth considering down the road as part of a comprehensive security plan.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9897383
Any good hardware based stateful packet inspection firewall can do the job for you.
Adding access-lists on the router can also do what you want (assuming you have a configurable router like a Cisco)

I like Chicagoan's suggestion to put the SQL on a totally separate server, behind the firewall, and create an IPSEC secure connection between the IIS server and the SQL server. The SQL server then only accepts traffic from the IIS server IP and no one else.

It sounds like you can't "split" your setup into two different servers, so you should take whatever steps you can. I personally would not rely simply on the Win2k operating system to provide all of my security on a money-making machine. Windows OS will never be secure, and therefore, no applications running on Windows OS (IIS/SQL) will ever be secure.
Block ports at the screening access router
Block access at the stateful packet inspection firewall
Lock down as best you can the OS/Applications on the server

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9899878
That would be ideal, but my point was that the security on the existing box should be done via the OS filters and that a consumer level software firewall is going to be nothing but trouble.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question