Solved

SBS2003 ISA, Need to close 1433 due to hacking

Posted on 2007-12-02
Last Modified: 2010-04-21
I have a bit of a dilemma; I am running SBS2003 with ISA2004. The SBS SQL Server is hosting an application over port 1433, which is redirected by ISA to a SQL Server 2005 installation. I have a rather long list of IP addresses that have attempted to break in using the SA account user/password. As I have noted the break-in attempt, I have added the IP address to a Hacker Network Interface created in ISA to deny access to the network.

Aside from neutering the SA username & password, any suggestions within ISA to stop or mitigate the threat? I thought of assigning a different port but that seems to be a short-term solution.

Any suggestions would be welcome.

Tim
Question by:TimPeer
3 Comments
 

Accepted Solution

by:
the_b1ackfox earned 300 total points
ID: 20394569
Why not set up a rule which only accepts 1433 from whatever the IP address is of the application? Like if you have a website, then only accept SQL from that website (and make sure that the code on the webserver is safe from injection attacks).

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 200 total points
ID: 20395181
I would agree that the above is the common sense approach assuming your scenario allows you to dictate or limit access to certain addresses, i.e. if this is a public service then you are unlikely to be able to lock it down in this way.

On the assumption that this is a publicly available service (you cannot lock it down to single sources):
Are you sure this is a hack attempt? For example, I run a number of services that are publicly accessible including a Sharepoint portal that has an SQL end to it. The vast majority of what could be called non-authorised access attempts are actually the result of being hit by a port scan rather than a concerted attack on the port.

As you say, changing the port number is a short-term fix plus you would have to tell all the normal users that you had changed the port also as they would need to change the client access to meet the new port number.

The fact that you are opening the port for access at all means you will always be more vulnerable than if you closed down the public access completely - this being the case, all you can really do is ensure the password is suitably strong.

Author Closing Comment

by:TimPeer
ID: 31412279
Thank you for your response. Solutions are actually simpler than they appear at first glance. I will obtain the IP address ranges and lock down 1433 for all except the range. Although the first response is the chosen response and since I intend to implement SP, I think it fair to distribute points.

Thanks again!
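
An added example, not part of any post in this thread: before locking 1433 down to a source range as the accepted answer and the closing comment describe, the SQL Server error log can be checked against the proposed allowlist to see which failed SA sources the rule would drop, which would still get through, and which working clients it would cut off. The allowlist range, the `appuser` login and the log lines are constructed, and the script assumes login auditing records both failed and successful logins.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical allowlist: source ranges the firewall rule would still permit on 1433.
ALLOWED = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample in the style of SQL Server 2005 error-log login audit lines
# (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2007-12-01 02:10:11.12 Logon       Error: 18456, Severity: 14, State: 8.
2007-12-01 02:10:11.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2007-12-01 02:10:12.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2007-12-01 02:10:13.87 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.45]
2007-12-01 04:55:02.03 Logon       Login failed for user 'sa'. [CLIENT: 192.0.2.77]
2007-12-01 08:30:15.60 Logon       Login succeeded for user 'appuser'. Connection: non-trusted. [CLIENT: 198.51.100.5]
2007-12-01 09:02:44.19 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.9]
2007-12-01 09:15:00.71 Logon       Login succeeded for user 'appuser'. Connection: non-trusted. [CLIENT: 192.0.2.200]
"""

LOGIN = re.compile(
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*?\[CLIENT: (?P<ip>[^\]]+)\]"
)

def permitted(ip):
    """True if the address falls inside any allowlisted range."""
    return any(ip in net for net in ALLOWED)

def audit(log_text):
    """Split logged sources by what the allowlist rule would do to them."""
    blocked, still_exposed, would_break = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"].strip())
        except ValueError:  # non-IP client field such as "<local machine>"
            continue
        if m["result"] == "succeeded":
            if not permitted(ip):
                would_break.add(str(ip))  # working client the rule would cut off
        elif m["user"].lower() == "sa":
            (still_exposed if permitted(ip) else blocked)[str(ip)] += 1
    return {"blocked": dict(blocked), "still_exposed": dict(still_exposed),
            "would_break": sorted(would_break)}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any address under `still_exposed` is a failed SA login from inside the permitted range, which the firewall rule will not stop; any address under `would_break` needs to be added to the range or moved before the rule goes live.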