We help IT Professionals succeed at work.

SQL databases on a web server - major risk or not.

109 Views
Last Modified: 2019-03-04
Can anyone give me their view on whether installing databases directly on a web server (where all your website files exist) is a major security issue, and why, given only the standard web ports are open to the Internet, nothing specific to SQL.

We have a CMS that allows users to edit the web pages, and the configuration, e.g. usernames & password hashes, user permissions etc etc, are all stored in a SQL Server express database, and the SQL Server express software and the databases themselves are installed on the web server itself. I'd like to know if this is 'unheard of' from a best practices point of view, or if the risk is relatively low and somewhat overblown. There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords, but their are already IP restrictions in place on where the CMS can be accessed from, e.g. not the Internet, only from machines on the internal private network. Granted if you could amend/drop tables etc that may seriously mess up with the website, but from a confidentiality perspective I am not sure its a major issue.

Is there anything above and beyond security as to why you should not coexist the CMS databases on the web server itself? If so, what are they?
Comment
Watch Question

ste5anSenior Developer
CERTIFIED EXPERT

Commented:
There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords,
Dump that CMS.. there is absolutely no justification for using software which stores passwords.

Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.
CERTIFIED EXPERT
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
I agree that passwords should NEVER be stored in the clear.

Many a hack has been performed with only 80 and 443 exposed to the Internet.

You say there isn't any sensitive data stored in the database.  Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus?  What is your company exposure?  What if I create a webpage that asks for the users personal information or "password verification"?

It is all about risk.  What if everything is lost?  If there is no impact, then it doesn't matter.

Author

Commented:
Sorry by passwords I did mean the hashes version of the password, definately not clear text.
CERTIFIED EXPERT
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
Even if hashed there is risk.

For example:  Please post your hashed password for your personal bank account here.  It is safe, right?

*If you didn't realize, I was kidding to make a point*

Author

Commented:
>You say there isn't any sensitive data stored in the database.  Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus?  What is your company exposure?  What if I create a webpage that asks for the users personal information or "password verification"?

so your saying essentially the fact that the database is local to the web server means its more susceptible to security compromise than if it was in the private network with a firewall rule between server and database server and connection string specified in the config files? That is koind of what I am getting at, is the database more susceptible to security compromise when its local to the web server, than if it was installed elsewhere, e.g. not on the webs server.

Author

Commented:
I'm aware you can crack password hashes, but again you'd have to get access to them first, and in this case all the hashes grant access to is the CMS portal, which there is already protections against who can access that externally anyway.
CERTIFIED EXPERT
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
>>is the database more susceptible to security compromise when its local to the web server

Yes.  Why wouldn't it be?

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

Author

Commented:
Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.

So your view is from an attack / security perspective, there is no more risk in the databases being local to the webserver than if they were segregated and in the private network.
CERTIFIED EXPERT
Most Valuable Expert 2012
Distinguished Expert 2019

Commented:
>>which there is already protections against who can access that externally anyway.

Can it be accessed form the web server itself?  Depends on the exploit and level of control hackers gain to the web server.  What if they gain elevated OS access to the web server?

Author

Commented:
fair point. I just wanted some perspective more than anything, and not be seen to be making a 'mountain out of a molehill'.
Senior Developer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Scott FellDeveloper
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2013

Commented:
>  I'd like to know if this is 'unheard of' from a best practices point of view,

You do have to keep this in perspective.  A CMS vs medical or financial data.

Having the db on the webserver is common practice for smaller sties.  Some of the shared hosting services have the database ports open to the public so anybody can access. As example https://help.newtekwebhosting.com/kb/a822/connecting-to-your-sql-2008-database-with-sql-server-management-studio.aspx shows databases are located at sqlXXX.webcontrolcenter.com.  I used to host sites there prior to 2005 and from memory, you were able to contact support and scope traffic only from your shared webserver but I don't think many did.

For those that use dedicated or VPS hosting, it is common to keep the database on the web server and close the port meaning the only access is via localhost.  If somebody does capture your webserver, you have bigger issues.  But that is what back ups are for and I personally use both local to a back up drive and offsite on an hourly basis.

The point is, in your decision, you need to factor in your budget and the level of security you need.  One advantage to  keeping your db local for a CMS will potentially be speed.   if you there is a limited budget say under $200 or $300 per month, it may not be feasible to go with the most secure scenario. There are CMS hosting services available such as https://www.liquidweb.com/products/managed-wordpress/ where you do not have to manage the db and only concentrate on your design and content.  Azzure has this https://azure.microsoft.com/en-us/services/app-service/web/ as does AWS or https://cloud.google.com/wordpress/ and many others.
Scott FellDeveloper
CERTIFIED EXPERT
Fellow
Most Valuable Expert 2013

Commented:
To add, the security risk to focus on will be using plug ins more than the database layer itself.
richnDirector of Information Services

Commented:
If this database is used primarily for the web site, then I might consider keeping it on the server.  You could make an argument that this could increase your overall security if keeping it there means you can put a firewall in place between this server and your main database server.  If someone does gain control of this server they only get this one database and cannot use it as an attack vector to the rest of your databases.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.