Default Port

  • Hey all,

    A quick question. I recently joined an organization and I see that all the production environments here are on default instance names with the default port. I asked my Sr. DBA and he informed me that the SQL Server will not call any web service, and he also pointed out that assigning the default port will not guarantee security. I was really worried once he informed me of that. I usually assign secured ports. Isn't it strange to assign default SQL ports for prod environments which are running sensitive data? What advice can I give?

    Is that the preferred way?

  • I try to always use non-default ports after getting struck by a worm a few years ago that went after 1433. I have not had any problems with web servers talking with the database as long as in the web.config (I believe) you specify in your connection string the port being used. Works much like specifying a non-default port for a web site.

    Steve Jimmo
    Sr DBA
    “If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan

  • It depends on what other controls are in place. If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request. It's not a bad idea to run SQL Server on a non-default port, but it's not necessarily a security problem if you do. If you're concerned I would make a mental note of it but wait until you have seen how the rest of the environment is laid out before thinking about raising the issue as a potential security exposure.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • There never are guarantees with security. As DBAs, we mitigate risk and make it a little more difficult for people to get "unauthorized" access to the database system. By changing from port 1433, you make it a little more difficult for a potential hacker to gain access to the system. Pretty much everyone knows that SQL default port is 1433, so that's the first port that someone would look at to exploit (i.e., low lying fruit theory).

    I would say that it is highly recommended that you change the <default> port to a fixed port, although some people use dynamic ports which also could be effective. If you change to a fixed port, the network folks only need to open up that port. If the ports are dynamic then the network folks need to open up ranges which actually could pose a larger risk. My standard for SQL instance installs is to immediately change the SQL port to a fixed port.

    Where I work, the applications do not have trouble connecting via our "fixed" ports. The ports can be placed in connection strings, or in local aliases. It's a rudimentary change.

    I look forward to reading other pro/con posts about this topic.

    Steve
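
Added example, not part of any post in this thread: a small audit that reads SqlClient-style connection strings, as the posts above describe placing ports in them, and reports which targets still rely on TCP 1433, which pin a fixed port, and which leave the port to SQL Server Browser. The host names and the sample inventory are constructed, and the parser assumes values contain no quoted semicolons.

```python
import re

# ADO.NET SqlClient accepts these synonyms for the server keyword.
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}
# Target syntax: [tcp:]host[\instance][,port]
TARGET = re.compile(
    r"^(?:tcp:)?(?P<host>[^\\,]+)(?:\\(?P<inst>[^,]+))?(?:,(?P<port>\d+))?$", re.I)

def classify(conn_str):
    """Return (host, instance, effective_port, verdict) for one connection string."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    fields = {k.strip().lower(): v.strip() for k, v in pairs}
    target = next((v for k, v in fields.items() if k in SERVER_KEYS), None)
    m = TARGET.match(target) if target else None
    if not m:
        return (None, None, None, "unparsed")
    host, inst = m["host"].strip(), m["inst"]
    if m["port"]:
        port = int(m["port"])
        verdict = "default-port" if port == 1433 else "fixed-port"
    elif inst:
        # No port given for a named instance: the client asks SQL Server Browser
        # (UDP 1434) for the port, which may be dynamic.
        port, verdict = None, "browser-lookup"
    else:
        # No port and no instance name: the client connects to TCP 1433.
        port, verdict = 1433, "default-port"
    return (host, inst, port, verdict)

def audit(conn_strings):
    """Group targets by verdict so the default-port ones can be reviewed first."""
    report = {}
    for cs in conn_strings:
        host, inst, port, verdict = classify(cs)
        report.setdefault(verdict, []).append((host, inst, port))
    return report

# Constructed sample inventory (hypothetical hosts, not from the thread).
SAMPLE = [
    "Server=tcp:db01.example.internal,50433;Database=app;Integrated Security=true",
    r"Data Source=db02\SALES;Initial Catalog=crm;Integrated Security=true",
    "Server=db03;Database=hr;Integrated Security=true",
    "Server=db04,1433;Database=billing;Integrated Security=true",
]

if __name__ == "__main__":
    for verdict, targets in audit(SAMPLE).items():
        print(verdict, targets)
```
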

  • If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request.

    This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.

    Steve Jimmo
    Sr DBA
    “If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan

  • Thanks, Sr. DBA, for the clarification. I will try to follow up and see whether ports config can be done in my organization or not. Currently there are around 400+ servers. Need to see how things go.

  • sjimmo (1/15/2013)

    If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request.

    This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.

    That's why I said it depends on what other controls are in place. Thumb drives can be disallowed from even being recognized by Windows via a Group Policy change.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • There are a lot of best practices that need to be followed before you get into SQL port configuration. I usually reserve this for databases that have customer sensitive information.

    Jayanth Kurup
