• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 607
  • Last Modified:

SBS2003 ISA, Need to close 1433 due to hacking

I have a bit of a dilema; I am running SBS2003 with ISA2004. The SBS SQL Server is hosting an application over port 1433 of which is redirected by ISA to a SQL Server 2005 installation. I have a rather long list of IP addresses that have attempted  to break-in using the SA account user/password. As I have noted the breakin attempt, I have added the IP address to a Hacker Network Interface created in ISA to deny access to the network.

Aside from neutering the SA username & password any suggestions within ISA to stop or mitigate the threat? I thought of assigning a different port but that seems to be a short-term solution.

Any suggestions would be welcome.

Tim
0
TimPeer
Asked:
TimPeer
2 Solutions
 
the_b1ackfoxCIOCommented:
Why not set up a rule which only accepts 1433 from whatever the ipaddress is of the application?  Like if you have a website then only accept sql from that website (an make sure that the code on the webserver is safe from injection attacks)
0
 
Keith AlabasterEnterprise ArchitectCommented:
I would agree that the above is the common sense approach assuming your scenario allows you to dictate or limit access to certain addresses. ie if this is a public service then you are unlikely to be able to lock it down in this way.

On the assumption that this is a publicly available service (you cannot lock it down to single sources):
Are you sure this is a hack attempt? For example, I run a number of services that are publicly accessible including a Sharepoint portal that has an SQL end to it. The vast majority of what could be called non-authorised access attempts are actually the result of being hit by a port scan rather than a concverted attack on the port.

As you say, changing the port number is a short-term fix plus you would have to tell all the normal users that you had changed the port also as they would need to change the client access to meet the new port number.

The fact that you are opening the port for access at all means you will always be more vulnerable than if you closed down the public access completely - this being the case, all you can really do is ensure the password is suitably strong.
0
 
TimPeerAuthor Commented:
Thanks you for your response. Solutions are actually simpler than they appear at first glance. I will obtain the IP address ranges and lock down 1433 for all except the range. Although the first response is the chosen response and since I intend to implement SP, I think it fair to distribute points.

Thanks again!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now