rstone
asked on
Lock down SQL Server?
I have two separate issues for locking down SQL Server. First, is it possible to make SQL Server only "talk" to the computer that it's installed on? I have a small setup where the SQL Server is on the same box as my IIS. Since it's an intranet application the only access to that SQL Server is from the IIS. Is it possible to have SQL Server not respond to any requests from any other computer on the network, but still respond to requests made from that box?
Second, my application is scalable, so it will be used to handle thousands of requests in the near future. If my client institutes a server farm for IIS, then the SQL Server would probably reside on another box. In that case I would only want SQL Server to respond to requests from the computers running IIS. They could probably have static IP's if that would help.
Second, my application is scalable, so it will be used to handle thousands of requests in the near future. If my client institutes a server farm for IIS, then the SQL Server would probably reside on another box. In that case I would only want SQL Server to respond to requests from the computers running IIS. They could probably have static IP's if that would help.
ASKER
I don't see how to set those in the server network utility. The only thing that I can set in the properties button of TCP/IP is the port.
In the server farm, a router/firewall is probably the best way to go. I'll look into that.
In the server farm, a router/firewall is probably the best way to go. I'll look into that.
Agree with danblake--get IIS on another box to start with and put a router firewall in place....
ASKER
For the server farm separating IIS and SQL Server is fine. However, in some cases my clients will need to put both on the same box. If I can just stop SQL Server from listening to network requests, I'll have all of the security I need in this instance. The reason that I'm wondering about this is that I know some Oracle developers that have done this same thing, so I was curious as to whether SQL Server could do it.
I just don't see how to do danblake's first suggestion.
I just don't see how to do danblake's first suggestion.
" I'll have all of the security I need in this instance"
You can't do this. SQL Server, by default, will listen on any NIC card that's in the box....Now, if you're not actually connected to an internal network the point is moot.
HOWEVER, it's still a bad idea to have IIS and SQL on the same box since IIS is much less secure than SQL Server. If IIS gets hacked, you're data is easily accessible.....
You can't do this. SQL Server, by default, will listen on any NIC card that's in the box....Now, if you're not actually connected to an internal network the point is moot.
HOWEVER, it's still a bad idea to have IIS and SQL on the same box since IIS is much less secure than SQL Server. If IIS gets hacked, you're data is easily accessible.....
ASKER
Can I use a software firewall, then?
Using IIS and SQL Server on the same box is unavoidable. I'm sorry if I did not make that clear.
Using IIS and SQL Server on the same box is unavoidable. I'm sorry if I did not make that clear.
ASKER
I have a requirement of Windows 2000 or Windows XP Pro, so if something's built into both of those, then I could use that as well.
IIS & SQL-Server should never really ever ever ever be sitting on the same box. (Was there enough evers in there arbert ?)
If you MUST place this on the same box, remove all other network protocals from Sql-server in the server client network utility tool, change the port to a non-default port (good idea anyway)..
To ensure it binds to only 127.0.0.1, why not prevent inbound querys/outbound queries on your network card adapter under windows 2000 -- open the network card properties ,
Click the properties of the TCP/IP interface, Go to options, click on TCP/IP filtering...
Click Properties, and Disable all ports in/out TCP/UDP/IP that sql-server uses and only allow the ports in/out that your web-browser is using : 80 (non-secure - http), 443 (secure-ports -https)
http://www.iana.org/assignments/port-numbers
If you MUST place this on the same box, remove all other network protocals from Sql-server in the server client network utility tool, change the port to a non-default port (good idea anyway)..
To ensure it binds to only 127.0.0.1, why not prevent inbound querys/outbound queries on your network card adapter under windows 2000 -- open the network card properties ,
Click the properties of the TCP/IP interface, Go to options, click on TCP/IP filtering...
Click Properties, and Disable all ports in/out TCP/UDP/IP that sql-server uses and only allow the ports in/out that your web-browser is using : 80 (non-secure - http), 443 (secure-ports -https)
http://www.iana.org/assignments/port-numbers
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'll give blocking out the IP ports a try.
Also, not to be rude, but I did say that it is a requirement that SQL Server and IIS be on the same box, so I don't need to multiple warnings about how it's a bad idea.
Also, not to be rude, but I did say that it is a requirement that SQL Server and IIS be on the same box, so I don't need to multiple warnings about how it's a bad idea.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You could always use IP filtering within windows as well......
If you use TCP/IP set to localhost 127.0.0.1 (as the ip address),
you can specify multiple listening TCP/IP inputs for the SQL Server server when moved to your server farm in a similar mechanism.
Why not just place a router/firewall in front- of the SQL Server from the IIS Servers (esp in your web-farm) ?
This will then ensure traffic is only going to the SQL-Server at the highest level of security currently possible.
(Due to the way port traffic is established between sql-server and IIS)