Avatar of Pau Lo
Pau Lo
 asked on

SQL databases on a web server - major risk or not.

Can anyone give me their view on whether installing databases directly on a web server (where all your website files exist) is a major security issue, and why, given only the standard web ports are open to the Internet, nothing specific to SQL.

We have a CMS that allows users to edit the web pages, and the configuration, e.g. usernames & password hashes, user permissions etc etc, are all stored in a SQL Server express database, and the SQL Server express software and the databases themselves are installed on the web server itself. I'd like to know if this is 'unheard of' from a best practices point of view, or if the risk is relatively low and somewhat overblown. There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords, but their are already IP restrictions in place on where the CMS can be accessed from, e.g. not the Internet, only from machines on the internal private network. Granted if you could amend/drop tables etc that may seriously mess up with the website, but from a confidentiality perspective I am not sure its a major issue.

Is there anything above and beyond security as to why you should not coexist the CMS databases on the web server itself? If so, what are they?
DatabasesMicrosoft SQL ServerMicrosoft IIS Web Server

Avatar of undefined
Last Comment
richn

8/22/2022 - Mon
ste5an

There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords,
Dump that CMS.. there is absolutely no justification for using software which stores passwords.

Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.
slightwv (䄆 Netminder)

I agree that passwords should NEVER be stored in the clear.

Many a hack has been performed with only 80 and 443 exposed to the Internet.

You say there isn't any sensitive data stored in the database.  Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus?  What is your company exposure?  What if I create a webpage that asks for the users personal information or "password verification"?

It is all about risk.  What if everything is lost?  If there is no impact, then it doesn't matter.
Pau Lo

ASKER
Sorry by passwords I did mean the hashes version of the password, definately not clear text.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
slightwv (䄆 Netminder)

Even if hashed there is risk.

For example:  Please post your hashed password for your personal bank account here.  It is safe, right?

*If you didn't realize, I was kidding to make a point*
Pau Lo

ASKER
>You say there isn't any sensitive data stored in the database.  Since this is a CMS app, what if I get access to the database and change a webpage or 50 with a link that spreads malware or a virus?  What is your company exposure?  What if I create a webpage that asks for the users personal information or "password verification"?

so your saying essentially the fact that the database is local to the web server means its more susceptible to security compromise than if it was in the private network with a firewall rule between server and database server and connection string specified in the config files? That is koind of what I am getting at, is the database more susceptible to security compromise when its local to the web server, than if it was installed elsewhere, e.g. not on the webs server.
Pau Lo

ASKER
I'm aware you can crack password hashes, but again you'd have to get access to them first, and in this case all the hashes grant access to is the CMS portal, which there is already protections against who can access that externally anyway.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
slightwv (䄆 Netminder)

>>is the database more susceptible to security compromise when its local to the web server

Yes.  Why wouldn't it be?

https://en.wikipedia.org/wiki/Defense_in_depth_(computing)
Pau Lo

ASKER
Besides that, when only the ports for http and https are open to the world, then there is no attack surface to the database.

So your view is from an attack / security perspective, there is no more risk in the databases being local to the webserver than if they were segregated and in the private network.
slightwv (䄆 Netminder)

>>which there is already protections against who can access that externally anyway.

Can it be accessed form the web server itself?  Depends on the exploit and level of control hackers gain to the web server.  What if they gain elevated OS access to the web server?
Your help has saved me hundreds of hours of internet surfing.
fblack61
Pau Lo

ASKER
fair point. I just wanted some perspective more than anything, and not be seen to be making a 'mountain out of a molehill'.
ASKER CERTIFIED SOLUTION
ste5an

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Scott Fell

>  I'd like to know if this is 'unheard of' from a best practices point of view,

You do have to keep this in perspective.  A CMS vs medical or financial data.

Having the db on the webserver is common practice for smaller sties.  Some of the shared hosting services have the database ports open to the public so anybody can access. As example https://help.newtekwebhosting.com/kb/a822/connecting-to-your-sql-2008-database-with-sql-server-management-studio.aspx shows databases are located at sqlXXX.webcontrolcenter.com.  I used to host sites there prior to 2005 and from memory, you were able to contact support and scope traffic only from your shared webserver but I don't think many did.

For those that use dedicated or VPS hosting, it is common to keep the database on the web server and close the port meaning the only access is via localhost.  If somebody does capture your webserver, you have bigger issues.  But that is what back ups are for and I personally use both local to a back up drive and offsite on an hourly basis.

The point is, in your decision, you need to factor in your budget and the level of security you need.  One advantage to  keeping your db local for a CMS will potentially be speed.   if you there is a limited budget say under $200 or $300 per month, it may not be feasible to go with the most secure scenario. There are CMS hosting services available such as https://www.liquidweb.com/products/managed-wordpress/ where you do not have to manage the db and only concentrate on your design and content.  Azzure has this https://azure.microsoft.com/en-us/services/app-service/web/ as does AWS or https://cloud.google.com/wordpress/ and many others.
Scott Fell

To add, the security risk to focus on will be using plug ins more than the database layer itself.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
richn

If this database is used primarily for the web site, then I might consider keeping it on the server.  You could make an argument that this could increase your overall security if keeping it there means you can put a firewall in place between this server and your main database server.  If someone does gain control of this server they only get this one database and cannot use it as an attack vector to the rest of your databases.