SQL and IIS on public facing server

Is it considered a security concern if your internet-facing IIS server also hosts a SQL Server? Is this common practice, or bad practice? Is the SQL database considered more vulnerable than if it were on a server in a private network? If the data in the database isn't sensitive, does it really matter?

Carl Tawn, Systems and Integration Developer, commented:
Yes, it is a concern. In most real-world scenarios the SQL server will, at the very least, be sat in a DMZ with an additional firewall sat between it and the public-facing web server.
pma111 (Author) commented:
Do you mean on a separate server in the DMZ? Are there reasons why the SQL Server needs to be in the DMZ, and not in the private network behind the firewall, with just an ACL between the web server and the DB server created, I presume?
Carl Tawn, Systems and Integration Developer, commented:
You'll often find the web server and SQL Server located in the DMZ, primarily to keep a separation between them and your internal network (should your SQL Server become compromised, for example, an attacker can do less damage from a compromised machine in the DMZ than from one on your internal network).

This article might be worth a read:  http://www.windowsecurity.com/articles-tutorials/web_server_security/Secure_Architecture_SQL_Web_Server.html


Michael Machie, IT Supervisor, commented:
You can also place your SQL server inside your intranet and leave the IIS server on the DMZ. Open port 1433 on your firewall from your DMZ to your intranet and specify the required IPs.

DMZ Server at IP:
Intranet SQL Server at IP:

Allow firewall access for DMZ server to Intranet SQL server via TCP port 1433
This will protect your SQL server from the public and grant the DMZ IIS server access to your internal SQL server.
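As an added example (not from the thread above), the same restriction applied on the SQL Server host itself with Windows Firewall, so that the host admits TCP 1433 only from the DMZ IIS server even if the perimeter rule is later loosened. The DMZ address, port and profile names are assumed placeholders.

```powershell
# Added example, not part of the original thread. Run elevated on the
# intranet SQL Server host. Addresses below are constructed placeholders.
$DmzWebServer = '192.0.2.10'          # assumed IP of the IIS host in the DMZ
$SqlPort      = 1433                  # change if the instance listens elsewhere
$ProfileSet   = 'Domain', 'Private'   # assumed profiles of the intranet NIC

# 1. Block unsolicited inbound traffic by default, so the allow rule below
#    is the only path to the SQL port.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any existing inbound rule that opens the SQL port to 'Any'
#    remote address (e.g. a rule added by hand "to make it work").
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$SqlPort" } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Disable-NetFirewallRule

# 3. Allow the DMZ web server, and nothing else, to reach the SQL port.
New-NetFirewallRule -DisplayName "SQL Server $SqlPort from DMZ IIS only" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $DmzWebServer -Profile $ProfileSet -Enabled True

# 4. Block SQL Browser (UDP 1434); instance discovery is not needed when the
#    web server's connection string names the port explicitly.
New-NetFirewallRule -DisplayName "Block SQL Browser UDP 1434" `
    -Direction Inbound -Action Block -Protocol UDP -LocalPort 1434

# 5. Verify: run from the DMZ web server (expect TcpTestSucceeded = True)
#    and from any other intranet host (expect False).
# Test-NetConnection -ComputerName <sql-server-ip> -Port $SqlPort
```

Keep the host rule and the perimeter firewall rule in step; the host rule is the backstop, not a replacement for the DMZ-to-intranet ACL.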
pma111 (Author) commented:
Is the concern with such a design that a SQL Server is far more exploitable when hosted on a web server than it is when hosted in your intranet/private network?
Carl Tawn, Systems and Integration Developer, commented:
Partly. If your SQL Server isn't properly locked down then it is open to being exploited wherever it is. Hosting SQL Server in your DMZ means that, if it is compromised, the ability to attack the internal network is lessened.

The reason SQL Server and web servers are traditionally separated onto different hardware is more down to the widely different

Also, you should never run a production SQL Server on the default ports - they're well known and are therefore an obvious attack vector.
pma111 (Author) commented:
So basically the SQL Server can be in the DMZ, but on a dedicated/separate server, and not on the same server as the web server also in the DMZ.
Carl Tawn, Systems and Integration Developer, commented:
In an ideal world yes. But infrastructure (and budget) vary wildly, so the ideal solution may not be suitable for you. But you are essentially talking about two separate things.

Separating the SQL server to a separate box is about resource management and configuration; whereas moving things in and out of the DMZ is about network boundary security.

All you can do is weigh up the options and see which one best suits you and your environment/budget. A fully locked-down SQL Server should, in theory at least, be just as safe on your internal network as it is in the DMZ - in theory!