• Thanks for your comments.

    My concern with "properly" locking down a server, be it SQL, IIS or whatever is where do you learn to do it "properly"?

    I've read a great deal on the web about security and have come away humbled and scared because I get the impression that I haven't even scratched the first ice crystal, never mind the tip of the iceberg. I've a horrible suspicion that feeling that I've got a fighting chance against hackers would be as delusional as thinking that I have a fighting chance against Mike Tyson.

    I didn't emphasise the single point of failure argument simply because I've been working with database-driven content management systems too long and actually don't have many dealings with static content any more. I would go out on a limb and say that most commercial sites whose databases go down would be crippled.

    Your points about accessing SQL over TCP/IP are interesting, but just for the sake of argument let's make the generalisation that the webserver is designed to be accessed by the public, whereas VPN access (as I understand it) is designed to be restricted and encrypted. Also consider managed hosting. We are allowed the equivalent of db_datareader and db_datawriter, but all other changes have to be submitted to the hosting company for implementation.

    My understanding is that the SQL Server service HAS to run with administrative privileges on the machine on which it is installed?

    Let us suppose that someone hacks admin privileges on the IIS box. Yes, they will be able to get at your web app password to SQL Server and can do whatever that login and password has privileges to, but hopefully that login and password won't grant overall permissions to the SQL Server. In other words, they have to beat two or more machines rather than the one.

    Restricting xp_cmdshell etc. is something I have asked about in a recent forum post on removing permissions from the public role within the MASTER database. I didn't know this at the time of writing the article. I did the original SQL 6.5 admin course and it was hammered into us that "THOU SHALT NOT TAMPER WITH THE MASTER DATABASE".

    I wish that there was a specific book, course or single point reference for SQL Server security.
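The reply above touches on two concrete hardening steps: giving the web application a login that holds only db_datareader and db_datawriter in its own database (so a compromised IIS box yields a limited SQL Server login rather than sysadmin), and keeping xp_cmdshell out of reach of the public role in master. The T-SQL below is an added example written for this page; it is not the poster's code. It assumes SQL Server 2005 or later syntax, a database named AppDb, and placeholder names (webapp_login, webapp_user) and a placeholder password that you would replace.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+.
-- AppDb, webapp_login, webapp_user and the password are placeholders.

-- 1. Make sure the xp_cmdshell feature is switched off at the instance level.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 2. In master, remove any EXECUTE grant on xp_cmdshell that the public role may hold,
--    then list who still has a permission on it (expect only sysadmin, which is implicit).
USE master;
REVOKE EXECUTE ON OBJECT::dbo.xp_cmdshell FROM public;
SELECT dp.state_desc, dp.permission_name, pr.name AS grantee
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.major_id = OBJECT_ID('dbo.xp_cmdshell');

-- 3. Create a least-privilege login for the web application: no server roles at all.
CREATE LOGIN webapp_login
    WITH PASSWORD = 'REPLACE-WITH-STRONG-PASSWORD', CHECK_POLICY = ON;

-- 4. Map it into the application database with read and write only.
USE AppDb;
CREATE USER webapp_user FOR LOGIN webapp_login;
EXEC sp_addrolemember 'db_datareader', 'webapp_user';
EXEC sp_addrolemember 'db_datawriter', 'webapp_user';

-- 5. Verify: the login must not be sysadmin (expect 0) and must not be a db_owner (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'webapp_login') AS is_sysadmin;
SELECT IS_ROLEMEMBER('db_owner', 'webapp_user')     AS is_db_owner;
```

The verification queries at the end are the part worth keeping in a checklist: if the login ever reports 1 for sysadmin, the "two machines to beat" argument in the post no longer holds, because the web application's connection string then carries full control of the SQL Server.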