SQL Server / web server security

Posted on 2003-12-07
Last Modified: 2010-04-11
Hello,

I have a web app that I've written that sits on an IIS5 server with SQL2k. All known patches have been applied. I try to keep it up to date for security reasons.

Recently I put in a program called SecureIIS (http://www.eeye.com/html/Products/SecureIIS/Features.html) and have SQL and IIS running on the same server. Now this web server has two IP addresses. I want to make security as tight as possible so no hackers can break in.

Any tips on how to harden SQL Server or NT2k? I see on sqlsecurity.com they are saying to block access to TCP 1433 and UDP 1434 from all untrusted clients. Any idea how to do this?

 Thanks!

-MR
Question by: mjreine
Accepted Solution by chicagoan (LVL 18), earned 250 total points. ID: 9894386
This is done in the server's IP security policy.

Security Focus has a good series on this:
http://www.securityfocus.com/infocus/1559

The ideal thing would be to have this behind a dedicated firewall or to use an access list on your router.

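As an added, worked example of what the accepted answer means by the server's IP security policy (this is not code from the thread or from any of its posters): a batch file that uses ipsecpol.exe from the Windows 2000 Resource Kit to drop inbound TCP 1433 and UDP 1434 from every address except the server's own two, assigns the policy, and then checks the result. The two addresses are placeholders (an assumption); substitute the IPs actually bound to the server. Run it as a local Administrator.

```batch
@echo off
rem Added example, not from the original thread: block SQL Server's listeners from everyone
rem except this server's own addresses with a local IPsec policy on Windows 2000.
rem Needs ipsecpol.exe (Windows 2000 Resource Kit) and a local Administrator logon.
rem The two addresses below are assumptions standing in for the server's real IPs.
set WEB_IP1=192.0.2.10
set WEB_IP2=192.0.2.11
set POL="Block SQL Server ports"

rem Filter syntax for -f:  <source>=<destination>:<port>:<protocol>
rem   *  = any address,  0 = this computer's address(es),  "=" = one direction (inbound here)
rem -w REG writes the policy to this machine's registry (local policy, not Active Directory).
rem Catch-all BLOCK rules: TCP 1433 (SQL Server) and UDP 1434 (SQL Server Resolution Service,
rem the port Slammer hit) from anywhere.
ipsecpol -w REG -p %POL% -r "Block inbound TCP 1433" -f *=0:1433:TCP -n BLOCK
ipsecpol -w REG -p %POL% -r "Block inbound UDP 1434" -f *=0:1434:UDP -n BLOCK

rem IPsec evaluates the most specific filter first, so PASS rules keyed to a single source
rem address beat the any-address BLOCK rules above. These let the local ASP pages, which
rem connect to one of the server's own IPs, keep working while everyone else is dropped.
ipsecpol -w REG -p %POL% -r "Permit TCP 1433 from self (IP1)" -f %WEB_IP1%=0:1433:TCP -n PASS
ipsecpol -w REG -p %POL% -r "Permit TCP 1433 from self (IP2)" -f %WEB_IP2%=0:1433:TCP -n PASS -x
rem -x on the last command assigns (activates) the policy; only one local policy is active at a time.

rem --- verification ---
rem SQL Server still listens; IPsec drops the packets rather than closing the socket,
rem so netstat will still show the listener:
netstat -an | find ":1433"
rem A local connection through the filtered address must still succeed:
osql -E -S %WEB_IP1%,1433 -Q "SELECT @@servername"
rem From any other host, "telnet %WEB_IP1% 1433" should now hang and time out instead of connecting.

rem To back out: unassign the policy with -y, delete it with -o.
rem   ipsecpol -w REG -p %POL% -y
rem   ipsecpol -w REG -p %POL% -o
```

These filters cover only TCP 1433 and UDP 1434. If named pipes stays enabled in the Server Network Utility, SQL Server is also reachable over SMB (TCP 139/445), which this policy does not touch, so the named pipes question in the thread is not answered by port filters alone. The same filters can be expressed with ipseccmd.exe on Windows XP and with netsh ipsec on Windows Server 2003; the ipsecpol syntax shown is specific to the Windows 2000 Resource Kit tool.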
Author Comment by mjreine, ID: 9894504
Thanks for the article, however it doesn't really explain how to secure SQL Server from outside attacks. I'm really looking for easier steps I can take to deny TCP 1433 and UDP 1434 to the outside world (i.e. ANY client other than the 2 IPs bound to my web/SQL server).

Right now it seems anyone could use Query Analyzer and connect to one of my IPs and guess passwords all day long. Doubtful they would get it as it's long, however I'd rather just cut off all access to SQL Server other than to my local ASP apps on that same server.

Also, in the Server Network Utility, I have TCP/IP and named pipes installed. May I remove the named pipes option? What's it for?

I don't have a good router yet. We are getting a Cisco 2610 soon but we don't have it yet. Meanwhile I need to lock this server down.

Thanks!

-Matt
Expert Comment by chicagoan (LVL 18), ID: 9894605
IP Filter Lists are explained in that article; this is not done through SQL Server, but in the operating system. You might further want to examine http://nsa2.www.conxion.com/win2k/
Expert Comment by Joseph_Moore (LVL 6), ID: 9894653
So, you don't have a firewall in place?
How about a software-based firewall like ZoneAlarm?
That would prevent connections to ports 1433 & 1434.
Also, do you have File and Print Sharing enabled on the NIC that is plugged into your router? If so, please disable it!

BTW, do you have Service Pack 3a on SQL Server, to prevent the Slammer worm from infecting it?
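The service pack question above is easy to answer with a check instead of from memory. The following is an added example (not from the thread or its posters) that reads the SQL Server 2000 build number through osql.exe, which ships with SQL 2000, and flags anything below build 760, the build that both SP3 and SP3a report. It assumes a default instance on the local machine and that the account running it has a Windows login on the instance (the -E switch).

```batch
@echo off
rem Added example, not from the original thread: verify the SQL Server 2000 build is at
rem least 8.00.760 (SP3 / SP3a), the level that closes the UDP 1434 hole Slammer used.
rem Assumes a default instance on this machine and a Windows login for the current user (-E).
setlocal
set SQLVER=
set SQLLEVEL=
set OUT=%TEMP%\sqlver.txt

rem -h-1 drops the column headers, -w 200 keeps both columns on one line,
rem -b makes osql return a non-zero exit code if the query or the connection fails,
rem SET NOCOUNT ON suppresses the "(1 row affected)" trailer.
osql -E -b -h-1 -w 200 -Q "SET NOCOUNT ON SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('ProductLevel')" -o "%OUT%"
if errorlevel 1 (
    echo Could not query the instance: is MSSQLSERVER running and does this account have a login?
    exit /b 2
)

rem usebackq lets the file name be quoted, since %TEMP% on Windows 2000 usually contains spaces.
for /f "usebackq tokens=1,2" %%a in ("%OUT%") do (
    set SQLVER=%%a
    set SQLLEVEL=%%b
)
del "%OUT%"

rem ProductVersion looks like 8.00.760; the third dotted field is the build number.
for /f "tokens=3 delims=." %%v in ("%SQLVER%") do set BUILD=%%v
echo SQL Server build %SQLVER% (%SQLLEVEL%)
if %BUILD% GEQ 760 (
    echo OK: build %BUILD% is SP3 or later. SP3 and SP3a both report build 760, so confirm
    echo     SP3a separately if you rely on its updated network library.
    exit /b 0
) else (
    echo WARNING: build %BUILD% predates SP3. Apply SP3a before exposing this server.
    exit /b 1
)
```

The exit code (0 patched, 1 unpatched, 2 could not check) makes the script usable from a scheduled task or a larger audit batch; the echo lines are only for a human reading the console.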
Expert Comment by chicagoan (LVL 18), ID: 9894718
I'm not sure I'd put ZoneAlarm on a production server. An IDS sensor from an enterprise-level package (Axent, CyberSafe, ISS, etc.) would be worth considering down the road as part of a comprehensive security plan.
Expert Comment by lrmoore (LVL 79), ID: 9897383
Any good hardware-based stateful packet inspection firewall can do the job for you.
Adding access lists on the router can also do what you want (assuming you have a configurable router like a Cisco).

I like Chicagoan's suggestion to put the SQL on a totally separate server, behind the firewall, and create an IPSEC secure connection between the IIS server and the SQL server. The SQL server then only accepts traffic from the IIS server IP and no one else.

It sounds like you can't "split" your setup into two different servers, so you should take whatever steps you can. I personally would not rely simply on the Win2k operating system to provide all of my security on a money-making machine. Windows OS will never be secure, and therefore, no applications running on Windows OS (IIS/SQL) will ever be secure.
Block ports at the screening access router
Block access at the stateful packet inspection firewall
Lock down as best you can the OS/Applications on the server

Expert Comment by chicagoan (LVL 18), ID: 9899878
That would be ideal, but my point was that the security on the existing box should be done via the OS filters and that a consumer level software firewall is going to be nothing but trouble.