Re: Web and SQL Security

From: David (Dante_at_community.nospam)
Date: 03/24/05

  • Next message: gbledsoe: "Running SQLServer and SQLServer Agent as Power User"
    Date: Thu, 24 Mar 2005 05:23:03 -0800
    
    

    Hi Chris

    The issue here is that we do not hold the boxes. They will be at a (high
    quality) ISP and managed by them. I understand that typically hosted web and
    SQL servers reside behind the same firewall configuration. A two tier one in
    this case. Therefore (.NET) web app communicates with the SQL server using
    sql authentication.

    I guess my point is that if the two servers are behind the same firewall
    system, then if the web server is compromised, it won't take much to get to
    the SQL servre. The connection strings are encrypted of course, but ...

    Basically there is a cost issue. We can two low power boxes, 1 for the web
    and the other for SQL or we can one high power box to do both jobs. ISecurity
    is the issue that will determine wich setup we go for.

    Any comment on this would be much appreciated.

    Thanks

    David

    "Chris Weber [Security MVP]" wrote:

    > This has always been a recommendation from the security community. the
    > issue is that separating roles is a security practice - you DON'T want to
    > host your database on the same server that hosts your Web server. Surely
    > however, you would apply proper Firewall rules that only allow inbound TCP
    > 80 and 443, and not 1433. The reasons for separation are numerous. For
    > example, a vulnerability in IIS would lead to a direct compromise of the
    > data.
    >
    > This issue is largely dependent on the application's design. Are you
    > allowing Anonymous access? Then your chances of getting compromised are
    > that much greater.
    >
    > Honestly, this recommendation was originally conceived from the notion of
    > separating application components - one that serves web pages and one that
    > holds data. But it was also conceived during the early days of IIS 4/5 when
    > vulnerabilities were very severe and seeemed to come out every week. IIS6
    > is much stronger.
    >
    > You could get away with it on one server, but you need to lock down IIS, SQL
    > permissions, and the application's functionality as much as possible.
    > If you can afford two boxes and separate them by a firewall - DO IT.
    > But remember, if your making your connection from IIS to SQL as a full
    > sysadmin or dbo level, then once your IIS box gets compromised, the hacker
    > will likely have access to the database with that level of permission. SO,
    > USE a LOW PRIVILEGED account for data access.
    >
    > The majority of attacks today are exploiting poorly written
    > web-applications, not the underlying infrastructure so much.
    >
    > /Chris
    >
    >
    >
    >
    >
    > "David" <Dante@community.nospam> wrote in message
    > news:E3F758FD-A178-4DC9-8CB1-2567F9DA9468@microsoft.com...
    > > Hi
    > >
    > > I know that a couple of years ago I read a Microsoft recommendation that
    > > SQL
    > > server shoudl not run on the same machine as IIS.
    > >
    > > We are looking at taking a managed hosted server for an app. and I
    > > wondered
    > > if the same reccomendation applies. Does it depend on the way the hosting
    > > company sets up the server or is it always less secure when the two are on
    > > one machine?
    > > We can have two less powerful machines or one more powerful machine to do
    > > the job and security is the thing that will determine which way to go. We
    > > wil
    > > use Windows Server 2003, SQL Server 200 and .Net Framework.
    > >
    > > Any thoughts appreciated.
    > >
    > > David
    >
    >
    >


  • Next message: gbledsoe: "Running SQLServer and SQLServer Agent as Power User"

    Relevant Pages

    • FW: Microsoft Security Advisory MS 03-007
      ... am trying to find a vulnerability tester/script and I could test it out ... Department of the Army server that had been compromised and that this ... announcement covers IIS 5.1 but not IIS 6, ... How a Hacker Uses SQL Injection to Steal Your SQL Data! ...
      (Focus-Microsoft)
    • RE: Confusion on standard security methodologies.
      ... Application will talk to a back-end SQL ... By "back-end," I assume you mean on a different box from IIS? ... If SQL is on a separate box, you won't be able to use NT authentication ... impersonations (meaning that once passed to the IIS server, ...
      (microsoft.public.inetserver.iis.security)
    • RE: MS patch-scanner for Win-NT, 2K, IIS, SQL
      ... MS patch-scanner for Win-NT, 2K, IIS, SQL ... XML file from the following location - mssecure.xml Possible ... and on a NT 4 Server, but the scanner works fine on a W2K Server ...
      (Focus-Microsoft)
    • Re: SQL CE Synching Problems
      ... install location of SQL CE instead of under Inetpub like I had done before. ... > so the issue has to be between the server tools and the publisher. ... >>I ran the wizard again to check all the permissions and this is what it ... >> A request to send data to the computer running IIS has failed. ...
      (microsoft.public.sqlserver.ce)
    • Re: General Network Error - MS Stumped
      ... > environment between our ASP.NET application and SQL Server 2000. ... > to be related to queries that return "large" amounts of data from SQL. ... > MS had us perform 3 data captures initially: MPSRPT_MDAC on the IIS ... > at System.Data.SqlClient.TdsParser.ReadByteArray(Bytebuff, Int32 ...
      (microsoft.public.sqlserver.connect)