Re: Web and SQL Security
From: Peter Yang [MSFT] (petery_at_online.microsoft.com)
Date: 03/25/05
- Previous message: Ron: "How to force usage on NTLM"
- In reply to: David: "Re: Web and SQL Security"
- Next in thread: Chris Weber [Security MVP]: "Re: Web and SQL Security"
Date: Fri, 25 Mar 2005 05:37:14 GMT
Hello Chris,
If SQL Server is on the same box as IIS, you may consider disabling the TCP and
named pipes protocols so that it is not possible to access SQL Server from the
network.
Best Regards,
Peter Yang
MCSE2000/2003, MCSA, MCDBA
Microsoft Online Partner Support
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "David" <Dante@community.nospam>
| Subject: Re: Web and SQL Security
| Date: Thu, 24 Mar 2005 05:23:03 -0800
|
| Hi Chris
|
| The issue here is that we do not hold the boxes. They will be at a (high
| quality) ISP and managed by them. I understand that typically hosted web and
| SQL servers reside behind the same firewall configuration. A two tier one in
| this case. Therefore (.NET) web app communicates with the SQL server using
| SQL authentication.
|
| I guess my point is that if the two servers are behind the same firewall
| system, then if the web server is compromised, it won't take much to get to
| the SQL server. The connection strings are encrypted of course, but ...
|
| Basically there is a cost issue. We can have two low power boxes, 1 for the web
| and the other for SQL or we can have one high power box to do both jobs. Security
| is the issue that will determine which setup we go for.
|
| Any comment on this would be much appreciated.
|
| Thanks
|
| David
|
| "Chris Weber [Security MVP]" wrote:
|
| > This has always been a recommendation from the security community. The
| > issue is that separating roles is a security practice - you DON'T want to
| > host your database on the same server that hosts your Web server. Surely
| > however, you would apply proper Firewall rules that only allow inbound TCP
| > 80 and 443, and not 1433. The reasons for separation are numerous. For
| > example, a vulnerability in IIS would lead to a direct compromise of the
| > data.
| >
| > This issue is largely dependent on the application's design. Are you
| > allowing Anonymous access? Then your chances of getting compromised are
| > that much greater.
| >
| > Honestly, this recommendation was originally conceived from the notion of
| > separating application components - one that serves web pages and one that
| > holds data. But it was also conceived during the early days of IIS 4/5 when
| > vulnerabilities were very severe and seemed to come out every week. IIS6
| > is much stronger.
| >
| > You could get away with it on one server, but you need to lock down IIS, SQL
| > permissions, and the application's functionality as much as possible.
| > If you can afford two boxes and separate them by a firewall - DO IT.
| > But remember, if you're making your connection from IIS to SQL as a full
| > sysadmin or dbo level, then once your IIS box gets compromised, the hacker
| > will likely have access to the database with that level of permission. SO,
| > USE a LOW PRIVILEGED account for data access.
| >
| > The majority of attacks today are exploiting poorly written
| > web-applications, not the underlying infrastructure so much.
| >
| > /Chris
| >
| >
| >
| >
| >
| > "David" <Dante@community.nospam> wrote in message
| > news:E3F758FD-A178-4DC9-8CB1-2567F9DA9468@microsoft.com...
| > > Hi
| > >
| > > I know that a couple of years ago I read a Microsoft recommendation that
| > > SQL server should not run on the same machine as IIS.
| > >
| > > We are looking at taking a managed hosted server for an app. and I
| > > wondered if the same recommendation applies. Does it depend on the way the
| > > hosting company sets up the server or is it always less secure when the two
| > > are on one machine?
| > > We can have two less powerful machines or one more powerful machine to do
| > > the job and security is the thing that will determine which way to go. We
| > > will use Windows Server 2003, SQL Server 200 and .Net Framework.
| > >
| > > Any thoughts appreciated.
| > >
| > > David
| >
| >
| >
|
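
Added example (not part of the original thread or written by any of its posters): a T-SQL sketch of the two measures discussed above, a low-privileged account for the web application's data access and a check that no connections arrive over TCP or named pipes once those protocols are disabled. It assumes SQL Server 2005 or later syntax; `AppDb`, `webapp_login`, `webapp_user`, `webapp_role`, `dbo.GetOrder` and `dbo.Orders` are hypothetical names.

```sql
-- Added example. All object names below are hypothetical placeholders.
USE master;
GO
-- SQL authentication login for the web application (password is a placeholder).
CREATE LOGIN webapp_login
    WITH PASSWORD = '<placeholder-strong-password>', CHECK_POLICY = ON;
GO

USE AppDb;
GO
-- Map the login to a database user and put it in a purpose-built role,
-- not db_owner and not any fixed server role.
CREATE USER webapp_user FOR LOGIN webapp_login;
CREATE ROLE webapp_role;
EXEC sp_addrolemember 'webapp_role', 'webapp_user';

-- Grant only the stored procedures the application calls.
GRANT EXECUTE ON OBJECT::dbo.GetOrder TO webapp_role;
-- Explicitly block ad hoc access to the underlying table.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Orders TO webapp_role;
GO

-- Audit 1: the application login must not be a sysadmin (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS is_sysadmin;

-- Audit 2: list every database role the application user belongs to.
-- Only webapp_role should appear; db_owner here means the web tier
-- holds dbo-level rights if it is compromised.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'webapp_user';

-- Audit 3 (single-box setup): after disabling TCP and named pipes, every
-- connection should report 'Shared memory'. Rows showing 'TCP' or
-- 'Named pipe' mean a network protocol is still enabled and in use.
-- Run as an administrator (requires VIEW SERVER STATE).
SELECT net_transport, COUNT(*) AS connections
FROM sys.dm_exec_connections
GROUP BY net_transport;
```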