Default Port


DBA_Learner
Hey all,

A quick question. I recently joined an organization and I see here all the production environments are on default instance names with the default port. I have asked my Sr. DBA and he informed me that the SQL Server will not call any web service, and he also pointed out that assigning default port will not guarantee security. I was really worried once he informed me that. I usually assign secured ports. Isn't it strange to assign default SQL ports for prod environments which are running sensitive data? What advice can I give? Is that the preferred way?
sjimmo
I try to always use non-default ports after getting struck by a worm a few years ago that went after 1433. I have not had any problems with web servers talking with the database as long as in the web.config (I believe) you specify in your connection string the port being used. Works much like specifying a non-default port for a web site.

Steve Jimmo
Sr DBA
“If we ever forget that we are One Nation Under God, then we will be a Nation gone under." - Ronald Reagan
Orlando Colamatteo
It depends on what other controls are in place. If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request. It's not a bad idea to run SQL Server on a non-default port, but it's not necessarily a security problem if you do. If you're concerned I would make a mental note of it but wait until you have seen how the rest of the environment is laid out before thinking about raising the issue as a potential security exposure.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Steve-3_5_7_9
There never are guarantees with security. As DBAs we mitigate risk and make it a little more difficult for people to get "unauthorized" access to the database system. By changing from port 1433, you make it a little more difficult for a potential hacker to gain access to the system. Pretty much everyone knows that the SQL default port is 1433, so that's the first port that someone would look at to exploit (i.e., low-lying fruit theory).

I would say that it is highly recommended that you change the <default> port to a fixed port, although some people use dynamic ports which also could be effective. If you change to a fixed port, the network folks only need to open up that port. If the ports are dynamic then the network folks need to open up ranges which actually could pose a larger risk. My standard for SQL instance installs is to immediately change the SQL port to a fixed port.

Where I work, the applications do not have trouble connecting via our "fixed" ports. The ports can be placed in connection strings, or in local aliases. It's a rudimentary change.

I look forward to reading other pro/con posts about this topic.

Steve
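
As an added illustration (not part of any post in this thread): moving instances to fixed non-default ports means every client connection string has to carry the port, as the replies above note. The Python sketch below classifies connection strings by how they reach the server; the host names, port 51433 and sample strings are constructed, and quoted values containing semicolons are not handled.

```python
import re

DEFAULT_PORT = 1433  # default-instance TCP port discussed in the thread

# Constructed sample connection strings (hypothetical hosts and ports).
SAMPLES = [
    "Server=db01;Database=Sales;Integrated Security=SSPI",
    "Data Source=tcp:db02.example.internal,51433;Initial Catalog=Sales;Integrated Security=SSPI",
    r"Server=db03\REPORTING;Database=Sales;Trusted_Connection=True",
    "Server=db04,1433;Database=Sales;Integrated Security=SSPI",
]

def parse_data_source(conn_str):
    """Return (host, instance, port) from an ADO.NET-style connection string."""
    pairs = {}
    for part in conn_str.split(";"):  # simplification: no quoted ';' support
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    target = None
    for key in ("data source", "server", "address", "addr", "network address"):
        if key in pairs:
            target = pairs[key]
            break
    if not target:
        raise ValueError("no server keyword in connection string")
    # Drop an optional protocol prefix such as "tcp:".
    target = re.sub(r"^(tcp|np|lpc):", "", target, flags=re.I)
    port = None
    if "," in target:  # SQL Server client syntax is "host,port"
        target, port_text = target.rsplit(",", 1)
        port = int(port_text)
    host, _, instance = target.partition("\\")
    return host, instance or None, port

def classify(conn_str):
    """Describe how the client will locate the instance."""
    host, instance, port = parse_data_source(conn_str)
    if port is not None and port != DEFAULT_PORT:
        return "explicit non-default port %d" % port
    if port == DEFAULT_PORT or instance is None:
        return "default port 1433"
    # Named instance without a port: the client asks SQL Server Browser.
    return "named instance, port resolved by SQL Server Browser"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample)
```

Strings reported as "default port 1433" are the ones that stop working once the instance moves to a fixed non-default port, unless a local alias supplies the port.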



sjimmo
"If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request."

This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.

Steve Jimmo
Sr DBA
DBA_Learner
Thanks Sr. DBA for the clarification. I will try to follow up and see whether ports config can be done in my organization or not. Currently there are around 400+ servers. Need to see how things go.
Orlando Colamatteo
sjimmo (1/15/2013)
"If you have a firewall blocking 1433 requests from untrusted networks then the SQL Server will never even see the request."

This is good as long as nobody can bring in thumb drives or other media from outside. I thought that way until the worm got inside the firewall. Then all hell broke out.

That's why I said it depends on what other controls are in place. Thumb drives can be disallowed from even being recognized by Windows via a Group Policy change.

Jayanth_Kurup
There are a lot of best practices that need to be followed before you get into SQL port configuration. I usually reserve this for databases that have customer sensitive information.

Jayanth Kurup