Re: How secure is MS SQL Server 2000?
From: Hal Berenson (haroldb_at_truemountainconsulting.com)
Date: 08/28/05
- In reply to: Rob R. Ainscough: "Re: How secure is MS SQL Server 2000?"
Date: Sun, 28 Aug 2005 08:46:50 -0600
While you do need to lock down SQL Server (or any other product) your
problem at least sounds narrower than just opening up your server for any
cross-firewall access. You should be able to set your firewall to only
allow access to port 1433 from the known IP addresses of the machines that
need to access it. As for your wanting to perform remote administration,
VPN or RDC/RDP are better solutions. But if you have a static IP address
for the machine(s) that you want to perform remote administration from then
you can also use the trick of specifying that in your firewall.
The business I'm in these days is based on Microsoft Terminal Services (aka
Remote Desktop Connection). And I can tell you I would never use VPN or
direct SQL Server access again for administration of a system. VPN is just
too flakey and opening up SQL Server is too risky (and often too narrow a
solution). So to manage a multi-machine site I use RDC/RDP to get into a
publicly accessible machine and then use a session from that machine to any
other machine behind our firewall. I can do this from any Windows client, I
can do it from a Linux client, I can do it from a Mac, I can even do it from
my Pocket PC (though the form factor makes that a little difficult). I can
do it from a hotel business center. All the communication is encrypted.
It uses the full Windows security features. It is just a superior solution.
And yes, it even works over a decent dialup connection.
--
Hal Berenson, President
PredictableIT
Phone: 805-212-1025 ext 101
hberenson@predictableit.com
Helpdesk: 805-212-1024 ext 1

"Rob R. Ainscough" <robains@pacbell.net> wrote in message
news:etZaH67pFHA.2956@TK2MSFTNGP12.phx.gbl...
> Hi Sue, thanks for the links.
>
> I must admit, I'm a developer not an IT security person and my first
> impression is one of frustration when it comes to trying to secure a SQL
> server and have my application still work. The list of things that
> should be done to secure a SQL Server is making me want to look for
> another SQL product.
>
> Rob.
>
> "Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
> news:iutcg192u7kgl97oimo59dg9pnak7qstvn@4ax.com...
>> There isn't necessarily a quick read of one article that
>> will get you up to speed on all you need to know about
>> security...it just doesn't work that way these days.
>> Some resources:
>> SQL Security Resource Page
>> http://www.microsoft.com/sql/techinfo/administration/2000/security/default.mspx
>>
>> TechNet SQL Security Page:
>> http://www.microsoft.com/technet/security/prodtech/sQLserver.mspx
>>
>> SQL Server 2000 SP3 Security Features and Best Practices
>> http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec00.mspx
>>
>> -Sue
>>
>> On Thu, 18 Aug 2005 23:38:52 -0700, "Rob R. Ainscough"
>> <robains@pacbell.net> wrote:
>>
>>>So I can have port TCP 1433 and UDP 1434 open and still retain a secure
>>>SQL Server? If you could provide a list of how to secure it items that
>>>would be most appreciated -- I'm a developer and I'm assuming the job of
>>>IT security guy since nobody else seems to know. Any quick information
>>>on how to secure a SQL Server with port 1433 and 1434 open would be most
>>>appreciated.
>>>
>>>Thanks, Rob.
>>>
>>>"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
>>>news:b4nag1dc4167jv3j2voqp4m7d56r1q3mkr@4ax.com...
>>>> They can use a non-default port if they want - they just
>>>> need to have the clients specify the port when they connect.
>>>> It doesn't really add all that much on the security end
>>>> though. A determined hacker can still find what ports are
>>>> listening. It's just simple to go at the default port as
>>>> it's known.
>>>> SQL Server security depends on your configuration of the
>>>> server, SQL, the services, access methods, etc. It certainly
>>>> can be secure if the appropriate methods, security steps are
>>>> implemented.
>>>>
>>>> -Sue
>>>>
>>>> On Thu, 18 Aug 2005 00:06:33 -0700, "Rob R. Ainscough"
>>>> <robains@pacbell.net> wrote:
>>>>
>>>>>Client inside the firewall?? No the client would be outside of the
>>>>>firewall hence the need to open port 1433??
>>>>>
>>>>>The SQL Server is behind a firewall, yes.
>>>>>
>>>>>"Hari Prasad" <hari_prasad_k@hotmail.com> wrote in message
>>>>>news:ebAQ09woFHA.3408@tk2msftngp13.phx.gbl...
>>>>>> Hi Rob,
>>>>>>
>>>>>> SP4 is Safe and holds all the security patches by itself. If the
>>>>>> client is inside the firewall then it is always safe to open port
>>>>>> 1433.
>>>>>>
>>>>>> THANKS
>>>>>> Hari
>>>>>> SQL SERVER MVP
>>>>>>
>>>>>> "Rob R. Ainscough" <robains@pacbell.net> wrote in message
>>>>>> news:ewoCwruoFHA.3380@TK2MSFTNGP12.phx.gbl...
>>>>>>>I have a client that does not want to open Port 1433 (default for SQL
>>>>>>>Server). Is MS SQL Server 2000 SP4 still vulnerable to having this
>>>>>>>port open to the public?
>>>>>>>
>>>>>>> Thanks, Rob.
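
The source-address restriction suggested in the reply above (port 1433 reachable only from known IP addresses), sketched as an added example that is not part of the original thread. It assumes the restriction is enforced with Windows Defender Firewall on the SQL Server host itself, using the built-in NetSecurity cmdlets; the client addresses are constructed placeholders and `Test-CoversPort` is a hypothetical helper.

```powershell
# Added example: scope the SQL Server ports to known clients, then audit
# for rules that still expose them to any source.
# Constructed placeholder addresses (documentation range); replace with your own.
$AllowedClients = @('203.0.113.10', '203.0.113.24')
$SqlPorts       = @{ TCP = 1433; UDP = 1434 }

# 1. Allow each port only from the known client addresses.
foreach ($proto in $SqlPorts.Keys) {
    New-NetFirewallRule -DisplayName "SQL Server $proto $($SqlPorts[$proto]) (known clients only)" `
        -Direction Inbound -Action Allow -Protocol $proto `
        -LocalPort $SqlPorts[$proto] -RemoteAddress $AllowedClients | Out-Null
}

# Hypothetical helper: does a port filter value ('Any', '1433', '1400-1500') cover $Port?
function Test-CoversPort([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -eq "$Port") { return $true }
    }
    return $false
}

# 2. A scoped allow rule does not override a broader one, so list every
#    enabled inbound allow rule that still accepts these ports from any address.
$inboundAllow = Get-NetFirewallRule | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
}
$exposed = foreach ($rule in $inboundAllow) {
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -notcontains 'Any') { continue }   # already source-restricted
    foreach ($proto in $SqlPorts.Keys) {
        if ($pf.Protocol -in @($proto, 'Any') -and
            (Test-CoversPort $pf.LocalPort $SqlPorts[$proto])) {
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Protocol = $proto
                Port     = $SqlPorts[$proto]
            }
        }
    }
}
$exposed | Format-Table -AutoSize
```

Any rule the audit lists should be disabled or given its own `-RemoteAddress` scope; an empty result means only source-restricted rules cover the two ports.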