RE: Co-Hosting SQL with IIS FTP service



Nope.
His question suggests nothing more than that they're considering this deployment and that he's asking for advice before it's built. This "unpatched vulnerabilities" FUD is applicable to any operating system / application combination. Such statements are self-defeating as the only logical conclusion to be drawn from them is "don't use computers". Not much help, wouldn't you say?

Now to actually answer the question posed:
1. There are no functional conflicts between SQL and IIS; their network resource demands are unique.
2. There may be security issues, since IIS FTP does not provide a secure authentication mechanism.
3. FTP (IIS or otherwise) is *always* a target for the script kiddies and WAREZ folks; deploy this with great care.

Your application security is dependent on how you choose to configure the app; there are many references on http://microsoft.com/technet and http://microsoft.com/security for securing IIS and SQL services.

If the machine resources are enough, you can also use your favorite virtualization technology to separate the FTP and SQL servers and thus avoid the combinational security issues that public FTP services may impose on the SQL server.

Jim Harrison <jmharr@xxxxxxxxxxxxx>
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

________________________________

From: Steve Armstrong [mailto:stevearmstrong@xxxxxxxxxxxxxxxxxxx]
Sent: Tue 7/25/2006 09:25
To: chris.dalton@xxxxxxxxxxxxxxxxxx
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Co-Hosting SQL with IIS FTP service



Chris

Possibly not the best email to send from your employer's email server.
It suggests you are using MS servers with IIS and FTP enabled
backending, I would guess "on the same box" to MS SQL.

While you will get some information about the vulnerabilities, most here
would expect you to keep your bank's systems patched. What you will get
from this kind of forum is advice on patches to vulnerabilities that
have been disclosed; however, you will not get info on new exploits
(the zero-day type hackers use against the likes of banks) on
non-publicly disclosed vulnerabilities.

Therefore, you will not be able to prevent exploits that MS is still
working to patch. With a disclosure regarding your infrastructure on
such a public forum, you should watch your front facing Sy barriers for
increased attacks aimed specifically at MS architecture. Best give the
IDS/IPS and incident staff a nod too. I recognise you may be double
bluffing, but I will bet you will still get a 100% increase in the MS
exploits thrown at your FW and internet gateways.

As to your question, try secunia.com, www.osvdb.org and good old
www.packetstormsecurity.nl

Steve A


-----Original Message-----
From: chris.dalton@xxxxxxxxxxxxxxxxxx
[mailto:chris.dalton@xxxxxxxxxxxxxxxxxx]
Sent: 25 July 2006 15:42
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Co-Hosting SQL with IIS FTP service

Can anyone guide me as to what type of issues with inter-system
dependencies might arise by co-hosting IIS FTP service with SQL?


Anyone know of any articles on the exploits?

