security question

  • vsamantha35

    SSChampion

    Points: 11042

    Hi All,

    This is more of a security related question.

Usually, we connect to Prod SQL Servers via Jump Servers. While connecting to the jump server we get the verification code on mobile, we verify, and we get access to the prod servers.

We do an RDP or, using SSMS, we connect to the prod env.

Now, my question is, if we have SSMS installed on a local machine/laptop, we are also able to connect to prod servers. This is a potential security risk. How can we restrict such local connections?

    We want to allow connections only via jump servers and not from any local machine / laptop.

Is there a way to restrict local connections from the SQL Server side, or do we need to involve the network team on this? If the network team is involved, what would they typically do in order to implement such a process?

    Want to have some idea before reaching out to them.

    Please suggest.

    Thanks,

    Sam
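A SQL-Server-side control that matches what the question asks for, as an added example that is not part of the thread: a logon trigger that refuses any connection whose client address is not one of the jump servers. The allow-list table, the audit table, the trigger name and the IP addresses are placeholders assumed for this example; `EVENTDATA()` in a logon trigger carries the client address in its `ClientHost` element (or `<local machine>` for connections made on the SQL host itself).

```sql
-- Added example, not code from the thread. IPs, table and trigger names are
-- placeholders; replace them with the real jump-server addresses.

-- 1. Before enforcing anything, report where current sessions come from, so
--    you know which addresses (e.g. monitoring, application servers) must
--    also be on the allow-list.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.client_net_address;
GO

-- 2. Allow-list of client addresses that may log on (placeholder values).
USE master;
GO
CREATE TABLE dbo.AllowedClientAddress
(
    client_net_address varchar(48)   NOT NULL PRIMARY KEY,
    description        nvarchar(100) NULL
);
INSERT INTO dbo.AllowedClientAddress (client_net_address, description) VALUES
    ('10.0.0.10',       N'JUMP01 (placeholder address)'),
    ('10.0.0.11',       N'JUMP02 (placeholder address)'),
    ('<local machine>', N'shared-memory connections made on the SQL host');

-- Refused attempts are recorded here for the security team to review.
CREATE TABLE dbo.RefusedLogonAudit
(
    refused_at         datetime2(0)   NOT NULL DEFAULT SYSUTCDATETIME(),
    login_name         sysname        NOT NULL,
    client_net_address varchar(48)    NULL,
    app_name           nvarchar(128)  NULL
);
GO

-- 3. Logon trigger. Runs as sa so the logging-in principal does not need
--    SELECT on the allow-list. A ROLLBACK inside a logon trigger ends the
--    connection attempt; the client sees login error 17892.
CREATE TRIGGER trg_RestrictToJumpServers
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    DECLARE @client varchar(48) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'varchar(48)');

    IF NOT EXISTS (SELECT 1
                   FROM master.dbo.AllowedClientAddress
                   WHERE client_net_address = @client)
    BEGIN
        ROLLBACK;
        -- Writes after the ROLLBACK are kept, so the refusal is audited.
        INSERT INTO master.dbo.RefusedLogonAudit (login_name, client_net_address, app_name)
        VALUES (ORIGINAL_LOGIN(), @client, APP_NAME());
    END
END;
GO

-- To switch the control off without dropping it:
-- DISABLE TRIGGER trg_RestrictToJumpServers ON ALL SERVER;
```

Two practical points. Test this on a non-production instance first and keep the dedicated administrator connection (DAC) available: a logon trigger with a wrong allow-list locks everyone out, and the DAC is the documented way for a sysadmin to get in and disable it. The trigger only sees the address the connection arrives from, so hosts behind a shared NAT or VPN address would all be treated alike; it is a defence-in-depth check inside SQL Server, not a replacement for the network-level restriction of port 1433 to the jump servers that the other replies describe.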

  • Alejandro Santana

    SSCommitted

    Points: 1745

In our case, to access production servers, we must send an email to IT Sec telling them the reason why and which tool it is, and explain the reason.

    Since we are in different networks they just open ports the tools use to connect to production.

I.e., SSMS uses port 1433.

Here we usually have everything locked, ports between IPs; we don't use the Windows OS firewall, we use third-party firewall hardware which handles that very well.

    best regards

  • vsamantha35

    SSChampion

    Points: 11042

    Thank you Alej.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715889

    Network team needs to lock this down. Having access from local laptops to production is a bad idea, not the least of which is because of ransomware. Access to prod should be very locked down.
