TCP Port 1433

pma111
How can you check if a SQL Server has enforced any IP restrictions on port 1433? Is there a specific file that will demonstrate if any IP restrictions on the SQL port are currently in place to stop anyone in the network trying to connect to databases they shouldn't have access to?

Out of interest, is this a countermeasure you deploy to further secure access to your SQL instances storing sensitive data?

Hello,

I am not sure if I understand right, but I would do at least the following checks:
Are there any other open ports from the SQL Server? Check with netstat.
If I want to be sure, do I have a firewall like Check Point to protect all other ports?

In SQL Management Studio, check the server properties for the point Connections, and check the parameters there.

If everything is fine here, please check this:

http://msdn.microsoft.com/en-us/library/ms177440.aspx

Regards
bytesleuth

Author

Commented:
Port 1433 is obviously open to handle remote connections to the SQL-Database, but you can restrict which IPs the port will accept connections from to stop inappropriate connections to the Database. I want to see which IPs are permitted and which aren't.
Commented:
>How can you check if a SQL Server has enforced any IP restrictions

SQL Server does not apply restrictions on ports, but firewalls do. SQL will listen and respond to requests on a specific port. Out of the box, a default instance of SQL listens on port TCP 1433 and named instances are assigned a TCP port dynamically at startup. You don't know in advance what port that will be and it may change upon subsequent startups. You may assign a static port to a named instance as ByteSleuth described above to force it to use the same port all the time. A static port is essential if you have a firewall between the client and the server, or your client is trying to connect by port number instead of instance name, such as when UDP port 1434 is blocked at the firewall, which is a common security measure. The browser service (2005 & 2008) listens on port UDP 1434 and redirects the client to the port assigned to the requested instance.

So, your approach should be to first identify the port on which your instance is listening and then determine if the client can connect to that port. One way to test if a listener is responding on a port is to connect to it with telnet. But telnet will not help you to know if a firewall is blocking your connection attempt. MS provides a tool named PortQry to assist. Download and usability information follow.

PortQry Command Line Port Scanner Version 2.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en
 
Description of the Portqry.exe command-line utility
http://support.microsoft.com/default.aspx?scid=kb;en-us;310099

How To: Mastering PortQry.exe
http://www.windowsecurity.com/articles/Mastering-PortQryexe-Part1.html
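
The thread places IP restrictions in "firewalls" without naming one. As an added example (not part of any post above), this PowerShell script lists the enabled inbound rules that cover a TCP port together with the remote addresses each rule allows or blocks. It assumes the firewall in question is Windows Firewall on the SQL Server host and that the NetSecurity cmdlets (Windows 8 / Server 2012 and later) are available; the helper `Test-PortMatch` is a name invented for this example.

```powershell
# Added example: which remote IPs may reach a TCP port on this host?
# Assumption: the host firewall is Windows Firewall (NetSecurity module).
param([int]$Port = 1433)   # 1433 = default-instance port named in the thread

# Hypothetical helper: does a rule's LocalPort spec cover $Port?
# LocalPort can be 'Any', a single port, a range 'a-b', or a keyword such as 'RPC'.
function Test-PortMatch {
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

Get-NetFirewallRule -Direction Inbound -Enabled True |
    ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        # Skip rules for other protocols or ports ('return' acts as 'continue' here)
        if ($pf.Protocol -notin 'TCP', 'Any') { return }
        if (-not (Test-PortMatch -Spec $pf.LocalPort -Port $Port)) { return }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Action        = $rule.Action      # Allow or Block
            Profile       = $rule.Profile     # Domain / Private / Public / Any
            LocalPort     = $pf.LocalPort -join ','
            RemoteAddress = $af.RemoteAddress -join ','   # 'Any' = no IP restriction
        }
    } |
    Sort-Object Action, Rule |
    Format-Table -AutoSize -Wrap
```

An Allow rule whose RemoteAddress is `Any` places no IP restriction on the port at the host. Network firewalls in the path between client and server are not visible from this output.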

