MorningZ
Starting Member
44 Posts
Posted - 2003-03-05 : 10:28:49

I am prepping to make the jump from a shared host to a dedicated box, and part of that will be to have IIS and SQL2k running on the same box.... nevermind the hardware issues, the server is pretty strong and should (guess I'll find out the hard way) be able to handle it.. but my concern is security... I keep hearing that it's "more insecure to have on the same box".... but I have never seen reasons "why" and more importantly what are some things to do during setup to tighten down as much as possible..... I have no problem with having to use Terminal Services to get onto the box to run EM and QA locally, so if setting SQL somewhere just to allow "inside" traffic is an option, that would help to know if it's possible.

Anyways, any feedback, links, articles that would help me out would be great..

smccreadie
Aged Yak Warrior
505 Posts
Posted - 2003-03-05 : 11:19:32

It's a good idea to keep SQL not exposed to the internet through your network architecture. If you put it on the same box as IIS, you're probably exposing the database more than ideal. Maybe there's a way to set it up so that the box runs on two networks - not sure.

robvolk
Most Valuable Yak
15732 Posts
Posted - 2003-03-05 : 11:38:19

You should set up a firewall on that box that blocks any external traffic on the SQL Server ports (1433 and 1434). This will prevent people from hacking the SQL Server from the internet, yet still allow the web server to access SQL Server.

MorningZ
Starting Member
44 Posts
Posted - 2003-03-05 : 12:51:49

There's no way to tell SQL Server "don't accept 1433 and 1434 traffic except from localhost", eh? Bummer.

I love the two NIC card idea, binding the server to the local IP the second NIC would provide, but I don't think that's too feasible cost wise (I am already tripling my monthly costs to make this change).

I guess I'll poke around for a super simple firewall; ZoneAlarm is one that comes to mind, but it's got such high CPU usage....

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2003-03-05 : 14:50:13

You should not be using ports 1433 or 1434 on a database server which gets connected to from the internet. You will want to modify the port that SQL Server is listening on and only open that port on the firewall. Close ports 1433 and 1434.

Tara

robvolk
Most Valuable Yak
15732 Posts
Posted - 2003-03-05 : 16:14:31

Well, that's all well and good, but it has to listen on SOME port, and unless the FIREWALL prevents external, internet traffic from hitting that port, they're just as vulnerable as if they use 1433/1434.

Actually, now that I think of it, you could disable SQL Server from using TCP/IP completely, and stick with using only named pipes or shared memory networking. That would make your SQL Server totally secure from internet access.

tkizer
Almighty SQL Goddess
38200 Posts
Posted - 2003-03-05 : 16:27:20

I realize that, but you can reduce the risk (they would have to scan a lot of ports before they figured out which port SQL Server was listening on) by not using 1433 or 1434.

Tara

robvolk
Most Valuable Yak
15732 Posts
Posted - 2003-03-05 : 16:49:13

I agree it's less risky, but ultimately the SQL Server is either vulnerable or it's not. If a burglar tries the front door and finds that it's locked, that doesn't mean it's safe or less risky to leave the back door or any of the windows open. "No internet access" means a firewall has to block the port that SQL Server listens on.

Actually, the easiest way to secure it is to block all ports except 80, and 8080 (if you're using https), and any email ports you might need to have open. That way you can select any port for SQL Server and know that it'll be secured.

MorningZ
Starting Member
44 Posts
Posted - 2003-03-07 : 08:32:38

So if I do so (only open port 80 and 8080), I can lock down all other ports and maybe open up something like "777" for SQL Server access (so I can remotely use QA/EM)?

Actually, the host has Terminal Services on there; I don't really have any issue with having to TS in to do EM and QA (I can install those right on the server).
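As an added check that is not part of the thread (not any poster's code), here is a Python audit of Windows `netstat -ano` output that flags SQL Server's default ports (TCP 1433 for the engine, UDP 1434 for instance resolution) and any other listener bound to a non-loopback address, so that after locking the box down you can confirm only the intended ports are reachable from outside while IIS on the same host still reaches SQL Server over localhost. The allowed-port set and the sample netstat lines are constructed for this example.

```python
# Constructed policy for this example: ports left reachable from outside
# (80/443 for IIS, 3389 for Terminal Services). Adjust per host.
ALLOWED_PUBLIC_TCP = {80, 443, 3389}
# SQL Server defaults: TCP 1433 for the engine, UDP 1434 for instance resolution.
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}
LOOPBACK = {"127.0.0.1", "::1"}

def _split_addr(addr):
    """Split '0.0.0.0:1433' or '[::]:1433' into (ip, port)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), int(port)

def audit_listeners(netstat_text):
    """Parse Windows 'netstat -ano' output and return one
    (proto, port, local_ip, pid, reason) tuple per listener that is
    reachable from outside the box. TCP rows count only when LISTENING;
    every UDP row counts because UDP rows carry no state column."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        local_ip, port = _split_addr(parts[1])
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        pid = int(parts[-1])
        if local_ip in LOOPBACK:
            continue  # localhost only: IIS on this box reaches it, the internet cannot
        if (proto, port) in SQL_PORTS:
            reason = "SQL Server port bound to a non-loopback address"
        elif proto == "TCP" and port in ALLOWED_PUBLIC_TCP:
            continue
        else:
            reason = "unexpected externally reachable listener"
        findings.append((proto, port, local_ip, pid, reason))
    return findings

# Constructed sample in 'netstat -ano' layout (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    192.0.2.10:1433        203.0.113.5:50122      ESTABLISHED     1820
  UDP    0.0.0.0:1434           *:*                                    1820
"""
```

On the sample, `audit_listeners(SAMPLE_NETSTAT)` reports the 0.0.0.0:1433 TCP and 0.0.0.0:1434 UDP listeners and nothing else; feed it the real `netstat -ano` output from the box to check your own firewall and binding changes.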