Security concerns?

    Question

  • Is separation of a default instance and a named instance on 1 physical server equivalent to separate physical servers, security-wise?

    If so, can you please include some examples? If not, can you please include some examples?

    Thursday, August 29, 2013 1:46 AM

Answers

  • Hi Ami,

    Yes, putting different SQL Server instances on separate physical servers will be more secure. I will explain it from two aspects.

    From the Windows level, it will be more secure to put these two instances on separate physical servers. For example, if we put these two instances on the same computer, the user who got the computer administrator permission will get permission to manipulate both of these SQL Server instances, such as: stop SQL Server service, uninstall SQL Server components, etc.

    From the SQL Server level, no matter whether the two instances are on the same physical server or not, they are two standalone instances, and the login in one SQL Server instance will not affect the login in another instance.

    Thanks,
    Candy Zhou

    Friday, August 30, 2013 7:36 AM
  • Of course there is, as usual, a big “it depends”. And in this case it depends on what you want to be secure against.

    If you use different (non-admin) service accounts, do not allow commandshell and privilege escalation is not possible because of other security measures, ... then they are pretty much “separated” from outside attacks.

    But if an attacker manages to access the box, and has administrative permissions there, he owns both. Usually this would be an inside attacker... but not necessarily.

    So: it depends at least on whether "pretty much" is enough, and "not secure separately from inside-admins" is ok.


    Andreas Wolter | Microsoft Certified Master SQL Server
    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com


    Thursday, August 29, 2013 8:22 AM
  • Yes, people create a named instance for security purposes as well. You will have to create a login to have access only to the needed instance... but sure, that is not exactly the same as when we separate instances over two physical servers.

    Best Regards, Uri Dimant SQL Server MVP, http://sqlblog.com/blogs/uri_dimant/


    Thursday, August 29, 2013 8:39 AM
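
Added example (not part of the original thread): a T-SQL check to run on each instance, default and named, covering the points raised in the answers above: which account each service runs under, whether xp_cmdshell is enabled (assuming that is the "commandshell" meant), and who holds sysadmin. It uses only system catalog views; the column aliases are chosen for this example.

```sql
-- Run once per instance and compare the results side by side.
-- sys.dm_server_services requires VIEW SERVER STATE permission.

-- 1. Service accounts: each instance should run under its own
--    non-admin account rather than a shared or privileged one.
SELECT @@SERVERNAME AS instance_name,
       servicename,
       service_account,
       status_desc
FROM sys.dm_server_services;

-- 2. xp_cmdshell state: 0 means disabled. When enabled, a sysadmin
--    of this instance can run OS commands as the service account.
SELECT @@SERVERNAME AS instance_name,
       name,
       CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. sysadmin members. The SID below is the well-known SID of the local
--    Administrators group (S-1-5-32-544); matching on the SID avoids
--    depending on the localized group name.
SELECT @@SERVERNAME AS instance_name,
       m.name       AS member_name,
       m.type_desc,
       m.is_disabled,
       CASE WHEN m.sid = 0x01020000000000052000000020020000
            THEN 1 ELSE 0 END AS is_local_administrators_group
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

The same service account or the same sysadmin members appearing on both instances means the instance boundary adds little separation between them.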

All replies

  • No. There is nothing security-wise.

    I have seen some people argue that if we use a named instance, the person has to "guess" the name of the instance first before trying to hack.

    But IMO, that's immature because it's an example of security by obfuscation.


    val it: unit=()

    Thursday, August 29, 2013 3:51 AM
  • Hi,

    Ideally both scenarios are the same, whether both instances are on the same server or on different servers. But let me know which type of security level you are looking for the difference.

    Thursday, August 29, 2013 4:17 AM
  • Thank you all for the great comments.
    Tuesday, September 03, 2013 7:31 PM