sql server security to an open open

  • Hi,

    We have a requirement wherein we need to connect to a server database from a client system, from an XBAP application over the internet. That is, from a web application, some component is running on the client's system and trying to connect to the DB on the web server, which we are able to do.

    Now we are facing a security issue, since we are connecting to the DB server from the client system using the IP address of the DB server. For this to happen, a port is being opened on the DB server to enable the client system to connect to SQL Server over the internet.

    How can we secure the database with an XBAP application, if all the communication is going to happen from a client?

    Does it ping the SQL Server on HTTP or any other protocol...

    Because we can then open the port for only that kinda protocol messages..

    Otherwise that port being opened is a very big vulnerability.

    What are steps that can be taken to secure SQL server when port is open? Please in this regard.

    I have got some of the links on net which puts some light on this :

    1. Using Proxy server

    2. Using different port, not the default port

    3. Enabling only the required services and blocking other services.

    But I need more light on each one of these. Also, if anybody can provide me which is the safest and better way to secure the SQL Server port while keeping it open. I am more interested to know more about securing SQL Server using the services option.

    Early reply will help us

    Thanks in advance

    Kavya.

  • If you must make a direct connection to SQL from a remote location and expose your SQL Server outside of your network, then you should at the very least require Encryption, SSL and make your connection over a VPN.

    You should also specify a static port for each SQL Instance anyway - and starting at a port number other than 1433 is a good idea. This alone won't protect you, but it is another hurdle in the way of any malicious user.

    If you have the budget and ability, you should also be running bastion hosts and intrusion detection systems in front of your exposed services.

    This is a very large and complex area, make sure you bed down your exact requirements and do a lot of reading prior to deploying this in production.

    --
    Andrew Hatfield
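
The reply's two client-visible points (require encryption, use a static port other than 1433) can be checked in the connection strings an application ships with. The following is an added example, not part of the thread: the host names and strings are constructed, the `TrustServerCertificate` check goes beyond what the reply mentions, and a missing `Encrypt` keyword is assumed to mean encryption is off.

```python
# Added example: hosts and connection strings here are constructed samples.
SERVER_KEYS = ("data source", "server", "address", "addr", "network address")
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

def parse(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def static_port(pairs):
    """Return the port from 'host,port' (optional 'tcp:' prefix), else None."""
    for key in SERVER_KEYS:
        if key in pairs:
            port = pairs[key].partition(",")[2].strip()
            return int(port) if port.isdigit() else None
    return None

def audit(conn_str):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse(conn_str)
    findings = []
    # Assumption: a missing Encrypt keyword is treated as "off".
    if pairs.get("encrypt", "false").lower() not in ENCRYPT_ON:
        findings.append("encryption not required")
    # Encryption without certificate validation does not authenticate the server.
    if pairs.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("server certificate not validated")
    port = static_port(pairs)
    if port is None:
        findings.append("no static port specified")
    elif port == 1433:
        findings.append("default port 1433")
    return findings

if __name__ == "__main__":
    samples = [
        "Server=db.example.com;Database=app",
        "Data Source=203.0.113.10,1433;Encrypt=True;TrustServerCertificate=True",
        "Server=tcp:db.example.com,14330;Database=app;Encrypt=True",
    ]
    for s in samples:
        print(audit(s) or "ok", "<-", s)
```

A clean result here only covers the client side; the server still has to enforce encryption and sit behind the VPN the reply describes.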
