Re: SQL2K WIN2K3 CONNECTION SECURITY
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/12/05
- Next message: Roger Abell: "Re: IPSEC for scripting"
- Previous message: UWide User: "IPSEC for scripting"
- In reply to: jens.aggergren_at_lycos-europe.com: "SQL2K WIN2K3 CONNECTION SECURITY"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 12 Jun 2005 08:05:26 -0700
Poster Mercury has already provided you with much valid
guidance. As you did not spell out the nature of the connection
strings you are using to access SQL objects off-box from the
IIS webserver, but you did mention the issue with IPC$ I do
suspect that you have more going on here with attempts for
windows integrated authentication. In absence of a domain
you will find doing that, if that is your config, to be touchy.
You can easily use IPsec on the SQL server. Or, as you
have indicated the SQL is being moved to W2k3 you could
also look into using the new Security Configuration Wizard
that shipped with SP1 for W2k3.
You can use IPsec in a filtering-only mode in order to just
force all packets except for the desired to be dropped. In the
documentation you have been reviewing, which speaks of
using Kerberos a domain environment is assumed and you
are likely also being guided into using "real" IPsec with
security associations instead of using the IPsec binaries to
effect only an IP filtering.
To effect simple filtering you can define a new IPsec policy
and then within this define rules that are set for use of pre-
shared keys, but as you will not be binding security associations
you do not need to tie the preshared secret together between
the systems. If you define rules to allow Tcp 1433 with the
webserver IP only, some rules to allow other accesses that
the SQL server might need (DNS, timesync, admin workstation,
etc. as identified), and then add rules to block all, the net effect
would be that all packets would be dropped except for those
mentioned in specific allow rules.
-- Roger Abell Microsoft MVP (Windows Security) <jens.aggergren@lycos-europe.com> wrote in message news:1118378086.080331.325050@g49g2000cwa.googlegroups.com... This question got rejected from the SQL Server group, but i'll try here as it relates to security. I moving an old SQL Server-backend-IIS5/ASP-frontend application to servers with windows 2003 standard edition. One server will run the database the other will run IIS 6.0. Note that i haven't set-up a domain, which i think requires one machine to be domain controller which would decrease performance and stuff. I've simply put them on the same group. I wan't to restrict access to the sql server so only the incomming connection from the webserver is allowed. I can use either named pipes(which should be the fastest protocol) or tcp(which should be slight slower than named pipes) but I seem to have a problem. If I use named pipes to connect, the IUSR(the user under which IIS is running) must have access-rights to IPC$ share on the sql server. I can't seem to set any access-right directly for IPC$ share, but I can reactivate my guest user and then it works, but then everyone can now access the ipc$ share so it's not really what i'm looking for. I can also connect through TCP( and set up some kind of filter only allowing incomming connections on port 1433 from the ip of the web server. But i don't know how to do this. I've taken a look at the IPSec stuff but it's all about kerberos authentication and other bull which i don't think i need. What i need is a simply ip port filter, which does nothing else but reject incomming connections to sql server on port 1433 originating from any other ip's than my webserver. My question is how do I do this? Do i need to have a additional "firewall" service running and, if so, how much extra overhead will this create for the sql server. Alternately, is it possible to change the access rights for the IPC$ share manually? Thanks in advance for any input you might have on this?
- Next message: Roger Abell: "Re: IPSEC for scripting"
- Previous message: UWide User: "IPSEC for scripting"
- In reply to: jens.aggergren_at_lycos-europe.com: "SQL2K WIN2K3 CONNECTION SECURITY"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
