Default Port
Posted Monday, January 14, 2013 8:39 AM
SSC-Enthusiastic

Hey all,

A quick question. I recently joined an organization and I see that all the production environments here are on default instance names with the default port. I asked my Sr. DBA and he informed me that the SQL Server will not call any web service, and he also pointed out that assigning a default port will not guarantee security. I was really worried once he informed me of that. I usually assign secured ports. Isn't it strange to assign default SQL ports for prod environments which are running sensitive data? What advice can I give? Is that the preferred way?
Post #1406772
Posted Monday, January 14, 2013 8:53 AM
SSCrazy

I try to always use non-default ports after getting struck by a worm a few years ago that went after 1433. I have not had any problems with web servers talking with the database as long as in the web.config (I believe) you specify in your connection string the port being used. Works much like specifying a non-default port for a web site.

Steve Jimmo
Sr DBA
"If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan
Post #1406778
Posted Monday, January 14, 2013 1:21 PM


SSCertifiable

It depends on what other controls are in place. If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request. It's not a bad idea to run SQL Server on a non-default port, but it's not necessarily a security problem if you do. If you're concerned I would make a mental note of it but wait until you have seen how the rest of the environment is laid out before thinking about raising the issue as a potential security exposure.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1406928
Posted Tuesday, January 15, 2013 5:38 AM
SSC Eights!

There never are guarantees with security. As DBAs, we mitigate risk and make it a little more difficult for people to get "unauthorized" access to the database system. By changing from port 1433, you make it a little more difficult for a potential hacker to gain access to the system. Pretty much everyone knows that the SQL default port is 1433, so that's the first port that someone would look at to exploit (i.e., low-lying fruit theory).

I would say that it is highly recommended that you change the <default> port to a fixed port, although some people use dynamic ports which also could be effective. If you change to a fixed port, the network folks only need to open up that port. If the ports are dynamic then the network folks need to open up ranges which actually could pose a larger risk. My standard for SQL instance installs is to immediately change the SQL port to a fixed port.

Where I work, the applications do not have trouble connecting via our "fixed" ports. The ports can be placed in connection strings, or in local aliases. It's a rudimentary change.

I look forward to reading other pro/con posts about this topic.

Steve



Post #1407196
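The replies above note that applications reach a non-default port by naming it in the connection string. The following is an added example, not part of any post in this thread: a small audit that classifies ADO.NET-style connection strings by how the client finds the port, so strings that would break after a port change can be found first. Host names, the port 50433 and the function names are hypothetical; quoted values containing semicolons are not handled.

```python
import re

DEFAULT_PORT = 1433  # SQL Server's default TCP port, as discussed in the thread
SERVER_KEYS = ("server", "data source", "address", "addr", "network address")

def parse_server(conn_str):
    """Return (host, instance, port); port is None when the string pins none."""
    fields = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    target = next((fields[k] for k in SERVER_KEYS if k in fields), "")
    # Drop an optional protocol prefix such as "tcp:".
    target = re.sub(r"^(tcp|np|lpc):", "", target, flags=re.I)
    port = None
    if "," in target:  # "host,port" or "host\instance,port"
        target, port_text = target.rsplit(",", 1)
        port = int(port_text) if port_text.strip().isdigit() else None
    host, _, instance = target.partition("\\")
    return host.strip(), instance.strip() or None, port

def classify(conn_str):
    """Describe how a client using this string locates the listener."""
    _, instance, port = parse_server(conn_str)
    if port == DEFAULT_PORT:
        return "explicit-default"
    if port is not None:
        return "explicit-fixed"
    if instance:
        return "browser-lookup"  # resolved via SQL Server Browser (UDP 1434)
    return "implicit-default"    # no port given: the client assumes 1433

def needs_update(conn_strings):
    """Strings that stop working once the instance leaves port 1433."""
    stale = ("explicit-default", "implicit-default")
    return [s for s in conn_strings if classify(s) in stale]

# Constructed sample connection strings (hypothetical hosts and ports).
SAMPLES = [
    "Server=tcp:db01.example.internal,50433;Database=Sales;Integrated Security=true",
    "Data Source=db02;Initial Catalog=Sales;Integrated Security=true",
    r"Server=db03\PROD;Database=Sales;Integrated Security=true",
    "Server=db04,1433;Database=Sales;Integrated Security=true",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):17} {s}")
```

Strings classified as browser-lookup keep working after a port change only while the SQL Server Browser service is reachable from the client.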
Posted Tuesday, January 15, 2013 5:56 AM
SSCrazy

If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request.


This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.


Steve Jimmo
Sr DBA
"If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan
Post #1407207
Posted Tuesday, January 15, 2013 6:38 AM
SSC-Enthusiastic

Thanks, Sr. DBA, for the clarification. I will try to follow up and see whether ports config can be done in my organization or not. Currently there are around 400+ servers. Need to see how things go.
Post #1407239
Posted Tuesday, January 15, 2013 6:47 AM


SSCertifiable

sjimmo (1/15/2013)
If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request.


This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.

That's why I said it depends on what other controls are in place. Thumb drives can be disallowed from even being recognized by Windows via a Group Policy change.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1407247
Posted Tuesday, January 15, 2013 6:56 AM


SSCommitted

There are a lot of best practices that need to be followed before you get into SQL port configuration. I usually reserve this for databases that have customer-sensitive information.

Jayanth Kurup
Post #1407256