Re: Web and SQL Security

From: Chris Weber [Security MVP] (chris_at_dev.nul)
Date: 03/24/05


Date: Wed, 23 Mar 2005 18:42:07 -0800

This has always been a recommendation from the security community. The
issue is that separating roles is a security practice - you DON'T want to
host your database on the same server that hosts your Web server. Surely
however, you would apply proper Firewall rules that only allow inbound TCP
80 and 443, and not 1433. The reasons for separation are numerous. For
example, a vulnerability in IIS would lead to a direct compromise of the
data.

This issue is largely dependent on the application's design. Are you
allowing Anonymous access? Then your chances of getting compromised are
that much greater.

Honestly, this recommendation was originally conceived from the notion of
separating application components - one that serves web pages and one that
holds data. But it was also conceived during the early days of IIS 4/5 when
vulnerabilities were very severe and seemed to come out every week. IIS6
is much stronger.

You could get away with it on one server, but you need to lock down IIS, SQL
permissions, and the application's functionality as much as possible.
If you can afford two boxes and separate them by a firewall - DO IT.
But remember, if you're making your connection from IIS to SQL as a full
sysadmin or dbo level, then once your IIS box gets compromised, the hacker
will likely have access to the database with that level of permission. SO,
USE a LOW PRIVILEGED account for data access.

The majority of attacks today are exploiting poorly written
web-applications, not the underlying infrastructure so much.

/Chris

"David" <Dante@community.nospam> wrote in message
news:E3F758FD-A178-4DC9-8CB1-2567F9DA9468@microsoft.com...
> Hi
>
> I know that a couple of years ago I read a Microsoft recommendation that
> SQL server should not run on the same machine as IIS.
>
> We are looking at taking a managed hosted server for an app. and I
> wondered if the same recommendation applies. Does it depend on the way the
> hosting company sets up the server or is it always less secure when the two
> are on one machine?
> We can have two less powerful machines or one more powerful machine to do
> the job and security is the thing that will determine which way to go. We
> will use Windows Server 2003, SQL Server 200 and .Net Framework.
>
> Any thoughts appreciated.
>
> David
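The low-privileged data-access account Chris recommends above, shown as an added example (not from the thread) in T-SQL: the weak sysadmin connection beside a dedicated login that can only execute the application's stored procedures, plus two checks a defender can run. It assumes SQL Server 2005 or later syntax (CREATE LOGIN / CREATE USER); the login, user, schema and table names are made up.

```sql
-- WEAK: the site connects as a sysadmin, so a compromised IIS box owns every database.
--   web.config:  Server=SQLBOX;Database=AppDb;User ID=sa;Password=...

-- CORRECTED: a dedicated login in no server role, mapped to one database, and
-- allowed only to EXECUTE the procedures the pages actually call.
-- (On SQL Server 2000 the equivalents are sp_addlogin, sp_grantdbaccess.)
USE master;
CREATE LOGIN webapp_login
    WITH PASSWORD = '<placeholder: strong password>', CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO
USE AppDb;
CREATE USER webapp_user FOR LOGIN webapp_login;   -- no db_owner, no db_datareader
GO
-- Constructed sample table, and a schema that holds only the application's procedures.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int, Total money);
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE PROCEDURE app.GetOrder @OrderId int AS
    SELECT OrderId, CustomerId, Total FROM dbo.Orders WHERE OrderId = @OrderId;
GO
-- Both app and dbo are owned by dbo, so ownership chaining lets the procedure read
-- dbo.Orders while webapp_user itself holds no SELECT on the table.
GRANT EXECUTE ON SCHEMA::app TO webapp_user;
GO
-- Check 1: any row returned here means the login sits in a fixed server role
-- (sysadmin etc.) and that membership must be removed.
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = 'webapp_login';
-- Check 2: impersonate the app user; direct table reads must be denied while the
-- procedure call is permitted and still returns data through the ownership chain.
EXECUTE AS USER = 'webapp_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',   'OBJECT', 'SELECT')  AS can_read_table,
       HAS_PERMS_BY_NAME('app.GetOrder', 'OBJECT', 'EXECUTE') AS can_run_proc;
EXEC app.GetOrder @OrderId = 1;
REVERT;
```

The web.config connection string then uses User ID=webapp_login instead of sa, so an IIS compromise yields only what the application's procedures expose.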