June 20, 2005 at 9:41 am
Howdy,
I am posting because I've seen a bunch of conflicting information when it comes to SQL Server 2000 and what ports it should run on. I have seen many resources that recommend changing the default port for the TCP/IP properties from 1433 to some other number (such as 1533). One such source is the NSA's "Guide to the Secure Configuration and Administration of Microsoft SQL Server 2000" (one of the SNAC documents). At the same time I see many other documents that recommend checking the "Hide server" option. This apparently effectively stops the server from responding to broadcast requests and automatically changes the port to 2433 whether you like it or not. In addition to all of this, I have seen some documents that both recommend changing the default port as well as checking the Hide server option (this makes no sense to me, as the Hide server option will apparently override the default port change). The next batch of documents I read on this issue don't even really consider changing the default ports or hiding the server. They simply recommend stronger firewall rules and blocking outside traffic to these ports. I guess they assume that all internal traffic will be safe and the server should respond to all the broadcast requests.
This is where I begin to really wonder which method is the best. Leaving the install alone and trying to enforce port blocking doesn't seem like the most secure of the three choices. It might be easier on administration, as you do not need to require clients to reconfigure anything, but is that a fair trade for security? Also, changing the default port will stop many automated tools or even automated scanners from looking where they usually look. However, it won't stop the server from responding in default ways to broadcast or other requests if they come to that changed port. At the same time, it seems it would not be on a default and obvious port to be found. Then you have the option of "Hide server", which changes the port to 2433. This will prevent the server from responding to broadcasts and stops tools like Query Analyzer. However, even though this "hides the server", it's really going to a new default and obvious port.
What is the best option and trade-off? Is there any way possible to hide the server on a port other than 2433? Let me know what you guys think, please.
Thanks
Steven
June 21, 2005 at 9:07 am
I'd leave the default port number alone and let your network team earn their keep.
Regards
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."
June 21, 2005 at 10:05 am
I tend to agree. Even if you stop broadcast requests, I can still scan ports trying to log in and I'll get the login response. It's fairly trivial to map these out and determine what's running on a port. Of course, you could ask your network team to set up an IDS to look for this.
Changing the default port is one of those small, weak security mechanisms. It has some effect, but inside the company, do you really think that if someone was malicious and they just asked, they wouldn't get told the port? Or if there is some automated virus, that it might not just scan your aliases in the Client Network Utility, where you'd store this, to get the port?
Security is definitely a series of bumps in the road, and this is one of them. It doesn't necessarily add a lot, and it can be a real pain for people who set up new applications, workstations, etc. I agree that you should leave it alone and use other methods to secure the server.
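The second reply's point that a relocated port is still found by walking ports and watching for a login response, plus its suggestion of an IDS, as an added example that is not from any poster in this thread: a minimal sweep detector run over a constructed connection log. The log format, the host addresses, the window and the port threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). One line per TCP connection attempt:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <result>"
# 10.1.1.5 is the assumed SQL Server host, relocated from 1433 to 1533.
SAMPLE_LOG = """\
2005-06-21T09:00:01 10.1.1.20 -> 10.1.1.5:1533 login_ok
2005-06-21T09:00:07 10.1.1.20 -> 10.1.1.5:1533 login_ok
2005-06-21T09:01:00 10.1.1.77 -> 10.1.1.5:1433 refused
2005-06-21T09:01:01 10.1.1.77 -> 10.1.1.5:1434 refused
2005-06-21T09:01:02 10.1.1.77 -> 10.1.1.5:2433 refused
2005-06-21T09:01:03 10.1.1.77 -> 10.1.1.5:1533 login_failed
2005-06-21T09:01:04 10.1.1.77 -> 10.1.1.5:1534 refused
2005-06-21T09:01:05 10.1.1.77 -> 10.1.1.5:1535 refused
2005-06-21T09:30:00 10.1.1.31 -> 10.1.1.5:1533 login_ok
"""

def parse(line):
    """Split one log line into (timestamp, src, dst, port, result)."""
    ts, src, _, dst_port, result = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), result

def find_port_sweeps(log, db_host, window=timedelta(minutes=5), min_ports=4):
    """Return {src: sorted ports} for every source that touched at least
    min_ports distinct ports on db_host within `window`. A real client
    talks to one port; a host hunting for the moved listener touches many."""
    events = defaultdict(list)  # src -> [(timestamp, port)]
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse(line)
        if dst == db_host:
            events[src].append((ts, port))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        # Slide a window starting at each hit; flag on the first one that
        # accumulates enough distinct ports.
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports)
                break
    return sweeps

if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG, "10.1.1.5").items():
        print(f"possible port sweep from {src}: ports {ports}")
```

Only 10.1.1.77 is flagged: the two legitimate clients each use the single relocated port, while the sweeping host tries the default, the Hide server port and neighbours of the new one within a few seconds.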