Remote SQL Server connection via ASP - Security

Question

Remote SQL Server connection via ASP - Security

Viewing 3 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply

Marvin D SSCarpal Tunnel Points: 4058 More actions · Answer 1

I see your problem. Opening your SQL Server to the outside world can be very dangerous. You must make sure you lock it down as best you can at the firewall level by perhaps putting a rule that only allows a connection from the IP address of the webserver. I would definately change the ports as everyone knows SQL Server listens on 1433, just make sure all of your applications are aware the the port change.

Marvin Dillard
Senior Consultant
Claraview Inc

Marvin D SSCarpal Tunnel Points: 4058 More actions · Answer 2

Also, don't forget about the VPN option between your sql server and the web hosting site. That keeps it more secure.

Marvin Dillard
Senior Consultant
Claraview Inc

K. Brian Kelley SSC Guru Points: 114704 More actions · Answer 3

In addition to what was said:

Tighten down the security on the account being used to the absolute minimum. For instance, make sure it doesn't have any fixed server roles (especially not sysadmin). If you can avoid it, make sure it doesn't own the database and has no fixed database roles (like db_owner, db_ddladmin, etc.). Only give it rights to the object it needs. Even avoid db_datareader and db_datawriter if possible.
Put an IDS in place monitoring the connection in to SQL Server. If your organization doesn't already have one of these products purchased, Snort is available at no cost except for the hardware to run it on.
Switch to a non-standard port (not 1433 and not 2433) for your SQL Server, if possible.
Make sure UDP/1434 is blocked by your firewall, external router, etc. with respect to the Internet.
Put an IPSEC policy in place on the SQL Server that, with respect to the Internet connection, only allows a connection to the SQL Server port. Yes, the firewall should have a similar ACL in place, but this protects you in case someone messes up the firewall (Defense in Depth).
If possible, look for a layer 7 firewall type of device / application in addition to your hardware firewall. Something that does content filtering. ISA Server comes immediately to mind.

K. Brian Kelley
@kbriankelley