 Security on SQL Server server - Firewall and Antiv


denis_the_thief
Aged Yak Warrior

596 Posts

Posted - 2012-08-02 : 08:48:01
I am looking for any advice on whether the Firewall should be on and Anti-Virus installed on the Server where SQL Server is running?

Could the rationale for leaving these off be for performance or that people don't normally surf the web on the Server?

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2012-08-02 : 12:19:51
AVS should definitely be on, but with exclusions in place for the SQL Server files (like mdf, ndf, ldf, bak).

I'm not sure about the firewall though. I'm pretty sure it should be on with possible rules added. I'm not a server admin so I leave that stuff up to our server guys.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/


jackv
Master Smack Fu Yak Hacker

2179 Posts

Posted - 2012-08-03 : 01:52:45
I keep the SQL Servers configured on ports other than 1433.
Speak to your administrators about whether they have a firewall at a different level, such as DataPower.

Jack Vamvas
--------------------
http://www.sqlserver-dba.com

sql-lover
Yak Posting Veteran

99 Posts

Posted - 2012-08-04 : 00:06:37
I was a Windows Admin 1st and then that introduced me to the database world. I've never used the built-in firewall on my systems. It is better to use a dedicated router or hardware firewall and put that "in front" of the SQL server's network. Using a hardware router or firewall for that purpose is not only more flexible but also faster and better for the server itself. Your server won't be using additional services or resources for that.

Now, which port or ports, besides the one you use for SQL, depends on what your company uses or needs; check with your network department on that. But one piece of advice, try to change the default SQL port; it makes it more difficult (not impossible) for a hacker or worm to break your systems.

It is useful to have Internet access on a SQL server though (patches, hotfixes, etc), but restrict browser's usage to a max. That way, you will reduce the chances to accidentally download or introduce viruses into your system or network. A workaround, if you don't want to give Internet access, is using one machine in that network as a "jump" server; allow access to that one only and from there you move stuff in and out of your SQL boxes. Be sure that machine is still behind the firewall, well patched and secure though or it will be your single point of failure in terms of security and network access from outside.

In terms of the AV program and like Tara and others said, they are a must. But it must be configured to skip data folders. Scanning the actual mdf and ldf files has no advantage but creating unnecessary disk IO and affecting performance.

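An added example, not part of the original thread or written by any poster: a read-only PowerShell audit of the two settings discussed above, the AV exclusions for SQL Server file types and how widely the host firewall exposes the SQL port. It assumes Microsoft Defender is the AV and Windows Firewall is in use on a Windows Server version that ships the Defender and NetSecurity modules; the default port value and the function names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumption: Microsoft Defender is the AV and the NetSecurity module is available.
param(
    [int]$SqlPort = 1433,                                  # assumption: set to your instance's port
    [string[]]$Extensions = @('mdf', 'ndf', 'ldf', 'bak')  # file types named in the thread
)

function Get-MissingAvExclusion {
    param([string[]]$Configured, [string[]]$Wanted)
    # Defender may store an extension with or without the leading dot; normalise both sides.
    $have = @($Configured | Where-Object { $_ } | ForEach-Object { $_.TrimStart('.').ToLower() })
    @($Wanted | Where-Object { $have -notcontains $_.TrimStart('.').ToLower() })
}

function Get-OpenSqlRule {
    param([int]$Port)
    # Enabled inbound allow rules that cover the SQL port and accept any remote address.
    # Port ranges such as "1433-1434" are not expanded here; only exact ports and 'Any' match.
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        $protoOk = ($pf.Protocol -eq 'TCP') -or ($pf.Protocol -eq 'Any')
        $portOk  = (@($pf.LocalPort) -contains "$Port") -or (@($pf.LocalPort) -contains 'Any')
        if ($protoOk -and $portOk -and (@($af.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                LocalPort = @($pf.LocalPort) -join ','
            }
        }
    }
}

# 1. Is the host firewall enabled on each profile?
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 2. Which SQL Server file extensions are still being scanned?
$missing = Get-MissingAvExclusion -Configured (Get-MpPreference).ExclusionExtension -Wanted $Extensions
if ($missing.Count -gt 0) { "Not excluded from AV scanning: $($missing -join ', ')" }
else                      { 'All listed SQL Server extensions are excluded.' }

# 3. Which rules expose the SQL port to every source address?
$open = @(Get-OpenSqlRule -Port $SqlPort)
if ($open.Count -gt 0) { $open | Format-Table -AutoSize }
else                   { "No inbound allow rule exposes TCP $SqlPort to any remote address." }
```

Rules flagged in step 3 are candidates for scoping to the application servers' addresses, whether or not a hardware firewall also sits in front of the network.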

denis_the_thief
Aged Yak Warrior

596 Posts

Posted - 2012-08-07 : 13:17:40
Thanks everyone.