SQL databases on a web server - major risk or not.

pma111
Can anyone give me their view on whether installing databases directly on a web server (where all your website files exist) is a major security issue, and why, given only the standard web ports are open to the Internet, nothing specific to SQL.

We have a CMS that allows users to edit the web pages, and the configuration, e.g. usernames & password hashes, user permissions etc etc, are all stored in a SQL Server express database, and the SQL Server express software and the databases themselves are installed on the web server itself. I'd like to know if this is 'unheard of' from a best practices point of view, or if the risk is relatively low and somewhat overblown. There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords, but there are already IP restrictions in place on where the CMS can be accessed from, e.g. not the Internet, only from machines on the internal private network. Granted if you could amend/drop tables etc that may seriously mess up with the website, but from a confidentiality perspective I am not sure it's a major issue.

Is there anything above and beyond security as to why you should not coexist the CMS databases on the web server itself? If so, what are they?
ste5an, Senior Developer

Commented:
> There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords,

Dump that CMS.. there is absolutely no justification for using software which stores passwords.

Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
I agree that passwords should NEVER be stored in the clear.

Many a hack has been performed with only 80 and 443 exposed to the Internet.

You say there isn't any sensitive data stored in the database. Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus? What is your company exposure? What if I create a webpage that asks for the users' personal information or "password verification"?

It is all about risk.  What if everything is lost?  If there is no impact, then it doesn't matter.

Author

Commented:
Sorry, by passwords I did mean the hashed version of the password, definitely not clear text.

Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
Even if hashed there is risk.

For example:  Please post your hashed password for your personal bank account here.  It is safe, right?

*If you didn't realize, I was kidding to make a point*

Author

Commented:
>You say there isn't any sensitive data stored in the database. Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus? What is your company exposure? What if I create a webpage that asks for the users' personal information or "password verification"?

So you're saying essentially the fact that the database is local to the web server means it's more susceptible to security compromise than if it was in the private network with a firewall rule between server and database server and connection string specified in the config files? That is kind of what I am getting at: is the database more susceptible to security compromise when it's local to the web server than if it was installed elsewhere, e.g. not on the web server?

Author

Commented:
I'm aware you can crack password hashes, but again you'd have to get access to them first, and in this case all the hashes grant access to is the CMS portal, which there are already protections against who can access that externally anyway.
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
>>is the database more susceptible to security compromise when it's local to the web server

Yes.  Why wouldn't it be?

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

Author

Commented:
> Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.

So your view is from an attack / security perspective, there is no more risk in the databases being local to the webserver than if they were segregated and in the private network.
Most Valuable Expert 2012
Distinguished Expert 2018

Commented:
>>which there are already protections against who can access that externally anyway.

Can it be accessed from the web server itself? Depends on the exploit and level of control hackers gain to the web server. What if they gain elevated OS access to the web server?

Author

Commented:
Fair point. I just wanted some perspective more than anything, and not be seen to be making a 'mountain out of a molehill'.
Senior Developer
Commented:
The difference is in the attack surface or vector, as slightwv already tried to point out.

When your server has only the http and https ports open, then the only attackable service is the http service. Thus a database server has no direct attack surface.
So it cannot be attacked directly.

BUT: what happens when the http service is vulnerable? Then anything running locally on the server can be attacked from the vulnerable service, thus also the database. And as it is running locally, there are now many attack vectors to the database: the service itself, the processes or files etc.

Here comes the defense in depth concept: By segregating the services, these multiple vectors will be reduced. And having a separate server for the database means that you only have one vector left, the port for connecting to the database.

So running the database server on the same server is "secure". But having a separate server for it is "more secure".

The important part in evaluating the security is that you collect the requirements first. Thus create a list of security targets aka attack scenarios you must cover to be protected against.
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Commented:
>  I'd like to know if this is 'unheard of' from a best practices point of view,

You do have to keep this in perspective.  A CMS vs medical or financial data.

Having the db on the webserver is common practice for smaller sites. Some of the shared hosting services have the database ports open to the public so anybody can access. As an example, https://help.newtekwebhosting.com/kb/a822/connecting-to-your-sql-2008-database-with-sql-server-management-studio.aspx shows databases are located at sqlXXX.webcontrolcenter.com. I used to host sites there prior to 2005 and from memory, you were able to contact support and scope traffic only from your shared webserver but I don't think many did.

For those that use dedicated or VPS hosting, it is common to keep the database on the web server and close the port, meaning the only access is via localhost. If somebody does capture your webserver, you have bigger issues. But that is what backups are for and I personally use both local to a backup drive and offsite on an hourly basis.

The point is, in your decision, you need to factor in your budget and the level of security you need. One advantage to keeping your db local for a CMS will potentially be speed. If there is a limited budget, say under $200 or $300 per month, it may not be feasible to go with the most secure scenario. There are CMS hosting services available such as https://www.liquidweb.com/products/managed-wordpress/ where you do not have to manage the db and only concentrate on your design and content. Azure has this https://azure.microsoft.com/en-us/services/app-service/web/ as does AWS or https://cloud.google.com/wordpress/ and many others.
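
The "database on the web server, port closed, access only via localhost" setup described in the comment above can be verified from the server's own socket table. The following is an added example, not part of the original thread: it parses a constructed sample of Windows `netstat -an` output and reports listeners bound beyond loopback on ports other than 80 and 443 (the allowed-port set and the function names are assumptions).

```python
import ipaddress

# Assumption: only the web ports are meant to be reachable from other hosts.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample of Windows `netstat -an` output, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49172          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           203.0.113.9:51844      ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    [::1]:1433             [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
"""

def parse_listeners(netstat_text):
    """Return (proto, ip, port) for every TCP listener and bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        try:
            listeners.append((fields[0], ipaddress.ip_address(host), int(port)))
        except ValueError:
            continue  # local address that is not a literal IP and port
    return listeners

def exposed_listeners(netstat_text, allowed=ALLOWED_PUBLIC_PORTS):
    """Listeners bound to a non-loopback address on a port outside `allowed`."""
    return sorted(
        {(proto, port) for proto, ip, port in parse_listeners(netstat_text)
         if not ip.is_loopback and port not in allowed}
    )

if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is bound beyond localhost: "
              "rebind it or confirm the firewall blocks it")
```

A loopback-only binding removes the network path to the database, not the local path available to a compromised web process, which is the distinction the thread draws with defense in depth.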
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Commented:
To add, the security risk to focus on will be using plug-ins more than the database layer itself.
richn, Director of Information Services

Commented:
If this database is used primarily for the web site, then I might consider keeping it on the server.  You could make an argument that this could increase your overall security if keeping it there means you can put a firewall in place between this server and your main database server.  If someone does gain control of this server they only get this one database and cannot use it as an attack vector to the rest of your databases.
