SQL2K WIN2K3 CONNECTION SECURITY

jens.aggergren_at_lycos-europe.com
Date: 06/10/05


Date: 9 Jun 2005 21:34:46 -0700

This question got rejected from the SQL Server group, but I'll try here
as it relates to security.

I am moving an old SQL Server-backend-IIS5/ASP-frontend application to
servers with Windows 2003 Standard Edition. One server will run the
database, the other will run IIS 6.0. Note that I haven't set up a
domain, which I think requires one machine to be domain controller,
which would decrease performance and stuff. I've simply put them on the
same group.

I want to restrict access to the SQL server so only the incoming
connection from the webserver is allowed. I can use either named
pipes (which should be the fastest protocol) or TCP (which should be
slightly slower than named pipes), but I seem to have a problem. If I use
named pipes to connect, the IUSR (the user under which IIS is running)
must have access rights to the IPC$ share on the SQL server.

I can't seem to set any access right directly for the IPC$ share, but I can
reactivate my guest user and then it works, but then everyone can now
access the IPC$ share, so it's not really what I'm looking for.

I can also connect through TCP and set up some kind of filter only
allowing incoming connections on port 1433 from the IP of the web
server. But I don't know how to do this. I've taken a look at the IPSec
stuff but it's all about Kerberos authentication and other bull which I
don't think I need.

What I need is a simple IP port filter, which does nothing else but
reject incoming connections to SQL Server on port 1433 originating
from any IPs other than my webserver.

My question is: how do I do this? Do I need to have an additional
"firewall" service running and, if so, how much extra overhead will
this create for the SQL server?

Alternately, is it possible to change the access rights for the IPC$
share manually?

Thanks in advance for any input you might have on this.


