[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

SQL Server / web server security

Posted on 2003-12-07
7
Medium Priority
?
393 Views
Last Modified: 2010-04-11
Hello,

 I have a web app that Ive written that sits on an IIS5 server with SQL2k. All known patches have been applied. I try and keep it up to date for security reasons.

 Recently I put in a program called SecureIIS
(http://www.eeye.com/html/Products/SecureIIS/Features.html)

 and have SQL and IIS running on the same server. Now this web server has two ip addresses. I want to make security as tight as possible so no hackers can break in.

 Any tips on how to harden SQL server or NT2k? I see on sqlsecurity.com they are saying to block access to TCP 1433 and UDP 1434 from all un-trusted clients. Any idea how to do this?

 Thanks!

-MR
0
Comment
Question by:mjreine
7 Comments
 
LVL 18

Accepted Solution

by:
chicagoan earned 750 total points
ID: 9894386
This is done in the server's IP security policy

Security Focus has a good series on this
http://www.securityfocus.com/infocus/1559

The ideal thing would be to have this behind a dedicated firewall or to use an access list on your router.
0
 

Author Comment

by:mjreine
ID: 9894504
Thanks for the article however it doesnt really explain how to secure SQL server from outside attacks. Im really looking for easier steps I can take to deny TCP 1433 and UDP 1434 to the outside world (i.e. ANY client other than the 2 ips bound to my web/sql server)

Right now it seems anyone could use query analyzer and connect to one of my ips and guess passwords all day long. Doubtful they would get it as its long however Id rather just cut off all access to SQL server other than to my local asp apps on that same server.

Also, in the server networking utility, I have tcpip and named pipes installed. May I remove the named pipes option? Whats it for?

I dont have a good router yet.. we are getting a cisco 2610 soon but we dont have it yet. Meanwhile I need to lock this server down.

Thanks!

-Matt
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9894605
IP Filter Lists are explained in that article, this is not done through SQL server, but in the operating system. You might further want to examine http://nsa2.www.conxion.com/win2k/
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9894653
So, you don't have a firewall in place?
How about a software-based firewall like ZoneAlarm?
That would prevent connections to port 1433 & 1434.
Also, do you have File And Print Sharing enabled on the NIC that is plugged into your router? If so, please disable it!

BTW, do you have Service Pack 3A on SQL Server, to prevent the Slammer worm from infecting it?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9894718
I'm not sure I'd put zone alarm on a production server. An IDS sensor from an enterprise level package ( Axent, CyberSafe ISS, etc.) would be worth considering down the road as part of a comprehensive security plan.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9897383
Any good hardware based stateful packet inspection firewall can do the job for you.
Adding access-lists on the router can also do what you want (assuming you have a configurable router like a Cisco)

I like Chicagoan's suggestion to put the SQL on a totally separate server, behind the firewall, and create an IPSEC secure connection between the IIS server and the SQL server. The SQL server then only accepts traffic from the IIS server IP and no one else.

It sounds like you can't "split" your setup into two different servers, so you should take whatever steps you can. I personally would not rely simply on the Win2k operating system to provide all of my security on a money-making machine. Windows OS will never be secure, and therefore, no applications running on Windows OS (IIS/SQL) will ever be secure.
Block ports at the screening access router
Block access at the stateful packet inspection firewall
Lock down as best you can the OS/Applications on the server

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9899878
That would be ideal, but my point was that the security on the existing box should be done via the OS filters and that a consumer level software firewall is going to be nothing but trouble.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question