Re: Is there any problem by running both ftp and Http in the same Machine
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/27/04
Date: Wed, 27 Oct 2004 02:34:11 -0700
Aneesh
I am not certain whether you are asking us for further
assistance, or just informing us of current status.
If you ask for further assistance, I for one feel we have
incomplete information. For example, we do not know
why your application needs to use FTP, and so could not
assess alternatives that might be applicable.
As far as SQL issues, if your application was configured
to use the sa then it is likely that you may need to review
SQL best practices in general. In particular for your web
interface use of lowest needed SQL grants and of only
stored procedures for all SQL queries, inserts, updates,
and/or deletes, are the two most fundamental.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Aneesh" <aneesh.r@eostek.com> wrote in message
news:eNjc6H$uEHA.3452@TK2MSFTNGP10.phx.gbl...
> Hi Andy
>
> Thanks for your replies.
>
> The problem associated with me is that, our client wants to remove our ftp
> access in the site. They actually changed the Http server and the FTP server
> to two different machines. Thus we won't be able to test our products. They
> are blaming the reasons regarding the ftp. Here is the content of the mail
> they send for us regarding the security.
>
> 1. Almost all of the databases in the SQL Server running in our Live
> Servers is using System Administrator (SA) as the database user. The SA is
> purely for administrative purposes and should not be used for any other
> purposes other than Maintenance and Administrative purposes. Applications
> using SA account to call SQL server are highly vulnerable. Ideally, every
> database should have a set of database users for operating them.
>
> With the SQL Server being vulnerable this way, web sites and web
> applications running on the machine can be used by hackers to gain control
> over not just the databases, but over the SQL Server itself.
>
> 3. FTP is one of the oldest protocols that use no encryption.
> Hackers can easily hack a site if both FTP and Web are served from the same
> machine.
>
> Once I have identified these risks, my immediate requirement was to protect
> the data and server from any possible attack. I need to do two steps.
>
> 1. Move all FTP sites to a different server, so that no direct
> access is available to the site and immediate risk is avoided.
>
> 2. Assign separate database users for each database in the SQL
> Server.
>
> Can you send me a systematic answer so that we could gain the control of the
> system? It's really urgent. Thanking in advance
>
> Aneesh
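
Added example, not part of the original thread or written by its participants: a T-SQL sketch of the two practices named in the reply above, a dedicated low-privilege account in place of sa and data access only through stored procedures. Every name here (ShopDb, web_app_login, web_app_user, web_app_exec, dbo.Orders, dbo.usp_GetOrdersForCustomer) and the password are hypothetical placeholders; it assumes a database named ShopDb already exists and SQL Server 2012 or later.

```sql
-- Run once as an administrator. The web application then connects as
-- web_app_login and never as sa. All object names are hypothetical.
USE master;
CREATE LOGIN web_app_login
    WITH PASSWORD = 'REPLACE-with-generated-secret-1', CHECK_POLICY = ON;
GO

USE ShopDb;   -- assumed to exist
GO
-- Constructed sample table standing in for the application's data.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT           NOT NULL,
    OrderDate  DATETIME2     NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
GO

-- Database user mapped to the login, placed in a role that will hold
-- the only permissions the web tier ever receives.
CREATE USER web_app_user FOR LOGIN web_app_login;
CREATE ROLE web_app_exec;
ALTER ROLE web_app_exec ADD MEMBER web_app_user;
GO

-- All data access goes through parameterized procedures. The input is
-- bound as a typed parameter, never concatenated into SQL text.
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- EXECUTE on the procedure is the only grant. Because dbo owns both the
-- procedure and the table, ownership chaining lets the procedure read
-- dbo.Orders without the role holding any permission on the table.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrdersForCustomer TO web_app_exec;
GO

-- Check the effective permissions while impersonating the app user.
EXECUTE AS USER = 'web_app_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select_table,
       HAS_PERMS_BY_NAME('dbo.usp_GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
```

The final query is the part worth keeping in a deployment checklist: it reports whether the application account can read the table directly or only call the procedure.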