Solved

SBS2003 ISA, Need to close 1433 due to hacking

Posted on 2007-12-02
3
493 Views
Last Modified: 2010-04-21
I have a bit of a dilema; I am running SBS2003 with ISA2004. The SBS SQL Server is hosting an application over port 1433 of which is redirected by ISA to a SQL Server 2005 installation. I have a rather long list of IP addresses that have attempted  to break-in using the SA account user/password. As I have noted the breakin attempt, I have added the IP address to a Hacker Network Interface created in ISA to deny access to the network.

Aside from neutering the SA username & password any suggestions within ISA to stop or mitigate the threat? I thought of assigning a different port but that seems to be a short-term solution.

Any suggestions would be welcome.

Tim
0
Comment
Question by:TimPeer
3 Comments
 
LVL 9

Accepted Solution

by:
the_b1ackfox earned 300 total points
ID: 20394569
Why not set up a rule which only accepts 1433 from whatever the ipaddress is of the application?  Like if you have a website then only accept sql from that website (an make sure that the code on the webserver is safe from injection attacks)
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 20395181
I would agree that the above is the common sense approach assuming your scenario allows you to dictate or limit access to certain addresses. ie if this is a public service then you are unlikely to be able to lock it down in this way.

On the assumption that this is a publicly available service (you cannot lock it down to single sources):
Are you sure this is a hack attempt? For example, I run a number of services that are publicly accessible including a Sharepoint portal that has an SQL end to it. The vast majority of what could be called non-authorised access attempts are actually the result of being hit by a port scan rather than a concverted attack on the port.

As you say, changing the port number is a short-term fix plus you would have to tell all the normal users that you had changed the port also as they would need to change the client access to meet the new port number.

The fact that you are opening the port for access at all means you will always be more vulnerable than if you closed down the public access completely - this being the case, all you can really do is ensure the password is suitably strong.
0
 

Author Closing Comment

by:TimPeer
ID: 31412279
Thanks you for your response. Solutions are actually simpler than they appear at first glance. I will obtain the IP address ranges and lock down 1433 for all except the range. Although the first response is the chosen response and since I intend to implement SP, I think it fair to distribute points.

Thanks again!
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question