Secure setup...

  • swjohnson

    Hall of Fame

    Points: 3254

    Curious to see if anyone has done this or thought of doing this. 

    Our Security team was questioning if we really need to install the workstation components on our production database server.  An interesting question????

    Preface:  The DB servers reside in a separate domain from the web servers and the application servers and a firewall is in front of the DB server. So it is configured like this.  Internet-->Firewall-->Web Server-->Firewall-->App Server-->Firewall-->DB Server. 

    Basically their argument goes like this...a management network exists that has the workstation components on it and we should be using it to connect to the DB server.  Also, if a hacker were to get to this, the command line sql utility would be there and thus it would put the data at greater risk.  Simply they are arguing that if the workstation tools, BOL,... aren't there it would make it harder for the hacker. 

    My argument is to install them as there will be a time when the management network isn't there and I will need those utilities to do something on the server.  The command line sql utility isn't really required to get inside the database, you can get to it via other methods, .Net, ASP, SQL-DMO, don't necessarily need the Management Studio or the command line utility. So it is really pointless to hamstring the DBA like this as they will be breathing down his neck when something does (and will) go wrong with the server.   

    I am curious to see what you all have done for your production database servers?


  • This was removed by the editor as SPAM

  • Tim Mitchell


    Points: 15664

    We install the management tools on all of our production machines.  We do so because there simply is no downside, and lots of potential benefits. 

    Other than disk space, there is no persistent overhead to having the tools installed.  SqlWb.exe is relatively heavy, but only when it's actually running.

    I don't have to physically touch a database server very often, but when I do, I like to have the option to attach to the database from the local terminal.  Also, assume that a catastrophic failure has taken down your network and you need to get in to your database to run some emergency maintenance - without the locally installed tools, you may be out of luck.

    As far as the dangers of a hacker - if a hacker happens to get all the way to your database server, you've got bigger problems than whether or not he has access to your SQL command line tools.

    Hope this helps...


    Tim Mitchell, Microsoft Data Platform MVP
    Data Warehouse and ETL Consultant | @Tim_Mitchell |
    ETL Best Practices

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply