Remote SQL Server connection via ASP - Security

  • Hi,

    Because our web application is hosted at a web hosting company and is required to access our SQL Server, which is hosted internally, I am just wondering what the best solution/practice is to achieve this, as opening the SQL Server port to the public might raise the possibility of information leaking (hacking).

    Normally we use the ASP connection string for the database connection, as below:

    ConnString="DRIVER={SQL Server};SERVER=yourServername, 1433;UID=yourUsername;" & _
               "PWD=yourPassword;DATABASE=yourDatabasename"

    Just wondering how we would normally achieve this?

    Please advise.

  • I see your problem. Opening your SQL Server to the outside world can be very dangerous. You must make sure you lock it down as best you can at the firewall level by perhaps putting a rule that only allows a connection from the IP address of the webserver. I would definitely change the ports as everyone knows SQL Server listens on 1433, just make sure all of your applications are aware of the port change.

    Marvin Dillard
    Senior Consultant
    Claraview Inc

  • Also, don't forget about the VPN option between your SQL Server and the web hosting site. That keeps it more secure.

    Marvin Dillard
    Senior Consultant
    Claraview Inc

  • In addition to what was said:

    1. Tighten down the security on the account being used to the absolute minimum. For instance, make sure it doesn't have any fixed server roles (especially not sysadmin). If you can avoid it, make sure it doesn't own the database and has no fixed database roles (like db_owner, db_ddladmin, etc.). Only give it rights to the object it needs. Even avoid db_datareader and db_datawriter if possible.
    2. Put an IDS in place monitoring the connection in to SQL Server. If your organization doesn't already have one of these products purchased, Snort is available at no cost except for the hardware to run it on.
    3. Switch to a non-standard port (not 1433 and not 2433) for your SQL Server, if possible.
    4. Make sure UDP/1434 is blocked by your firewall, external router, etc. with respect to the Internet.
    5. Put an IPSEC policy in place on the SQL Server that, with respect to the Internet connection, only allows a connection to the SQL Server port. Yes, the firewall should have a similar ACL in place, but this protects you in case someone messes up the firewall (Defense in Depth).
    6. If possible, look for a layer 7 firewall type of device / application in addition to your hardware firewall. Something that does content filtering. ISA Server comes immediately to mind.

     

    K. Brian Kelley
    @kbriankelley
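
Added example, not part of the thread: item 1 of the list above (an account with no fixed server roles, no fixed database roles, no database ownership, and rights only on the objects it needs) written out in T-SQL with queries to audit the result. The login/user `web_app`, database `AppDb`, and objects `dbo.Orders` and `dbo.usp_GetOrder` are assumed names, and the catalog views require SQL Server 2005 or later.

```sql
-- Assumed names (not from the thread): web_app, AppDb, dbo.Orders, dbo.usp_GetOrder.
-- Run in sqlcmd or SSMS (GO is their batch separator).
USE master;
GO
CREATE LOGIN web_app
    WITH PASSWORD = N'<replace-with-long-random-password>',  -- placeholder
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO
USE AppDb;
GO
CREATE USER web_app FOR LOGIN web_app WITH DEFAULT_SCHEMA = dbo;
GO
-- Grant only the specific objects the web application needs; no role membership.
GRANT SELECT, INSERT ON OBJECT::dbo.Orders TO web_app;
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO web_app;
GO

-- Audit 1: fixed server roles held by the login (expect zero rows).
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'web_app';

-- Audit 2: database roles held by the user (expect zero rows:
-- no db_owner, db_ddladmin, db_datareader, db_datawriter).
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'web_app';

-- Audit 3: database owner (owner_login should not be web_app).
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.name = N'AppDb';

-- Audit 4: explicit permissions (expect CONNECT plus the grants above only).
SELECT p.state_desc, p.permission_name, p.class_desc,
       OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'web_app';
```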
