Own IIS webserver and mailserver with SQL Server 2012 - Protection

  • Question

  • Hey there,

    I want to place my own IIS web server and mail server (“hMailServer”). One web-application has to connect to the SQL Server 2012 Express, which runs on the server, too. The machine runs under Windows 7 Professional.

    In SQL Server I have several databases. One of these is for the web application and the others are only for the local network. So I have to connect to the other databases in the local network.

    How can I protect the server from hacker attacks?

    I can't use two servers (one for SQL Server and the second for the web applications). But I must secure the other databases from the world wide web, because these are internal data.

    I also can’t run two virtual machines on it.

    How do I configure IIS and SQL Server 2012 correctly?

    Regards,

    Börni

    Thursday, January 31, 2013 5:13 PM

Answers

  • Well, this is a more hazardous approach, since there is no firewall between your Web App and the SQL Server.  See: http://stackoverflow.com/questions/274846/should-sql-server-be-on-the-same-machine-as-your-iis-installation

    If you really need to pursue this approach, then here are some things to think about.

    1. Firewall the server as well as possible while still letting the world wide web into your application. 
    2. Limit the authority delegated to the Web App.
    3. Back up the database very regularly to another storage location and retain the backups for at least several weeks. (To help recover from attacks.)
    4. Only allow the Web App to use stored procedures for all access, selecting, inserting, references, et cetera. 
    5. Absolutely no direct granting of rights to anything other than the stored procedures in the selected database.
    6. Review all web and stored procedure code for possible injection attacks and remove the vulnerability. 
      Here is one of many discussions: http://www.veracode.com/security/sql-injection
    7. Consider encryption of more sensitive data elements. This will add encryption overhead to your application with performance side effects.
    8. Monitor all of the login attempts on your server closely, looking for efforts to break in.
    9. Audit in some way, through your stored procedures, extended events, etc, to see who is doing what to your server and database.
    10. And monitor, monitor, monitor.

    All the best,
    RLF

    • Marked as answer by Maggie Luo Thursday, February 7, 2013 6:15 AM
    Thursday, January 31, 2013 9:42 PM
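As an added example (not part of the original thread or RLF's answer), the T-SQL script below implements points 2, 3, 4, 5, 8 and 9 of that list on a single SQL Server 2012 Express instance: a login used only by the web application, a schema of stored procedures that is the only thing that login may execute, a check that the login cannot reach the internal databases, a server-level audit of logins, and a backup to another location. Every name in it (WebAppDb, WebAppLogin, WebAppUser, the api schema, dbo.Orders, the audit directory and the backup share) is an assumption to be replaced with your own.

```sql
-- Added example, not code from the original thread: minimal-privilege setup for the
-- web application's access to SQL Server 2012 Express, following RLF's points 2, 3,
-- 4, 5, 8 and 9. All names (WebAppDb, WebAppLogin, WebAppUser, schema api,
-- dbo.Orders, the audit and backup paths) are assumed; replace them with your own.

USE master;
GO
-- (2) One SQL login used only by the web application. Mixed-mode authentication is
-- assumed because the app runs in an IIS application pool, not as a domain account.
-- The placeholder password must be replaced by a long random one before running.
CREATE LOGIN WebAppLogin
    WITH PASSWORD = N'<long random password>', CHECK_POLICY = ON;
GO

USE WebAppDb;
GO
-- A schema that holds only the procedures the web app may call. Owned by dbo so that
-- ownership chaining lets the procedures read dbo tables the app itself cannot touch.
CREATE SCHEMA api AUTHORIZATION dbo;
GO
CREATE USER WebAppUser FOR LOGIN WebAppLogin WITH DEFAULT_SCHEMA = api;
GO

-- (4) A parameterized procedure: the caller supplies values, never query text, so
-- input concatenated by the web app cannot change the statement that runs.
CREATE PROCEDURE api.GetOrdersForCustomer
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- (5) EXECUTE on the api schema and nothing else: no SELECT/INSERT on tables, no
-- other rights in this database, and no user at all in the internal databases, so
-- the login cannot even connect to them.
GRANT EXECUTE ON SCHEMA::api TO WebAppUser;
GO

-- Verify the boundary by impersonating the web login (run this as sysadmin).
EXECUTE AS LOGIN = 'WebAppLogin';
-- Expected: master, tempdb, msdb (guest is enabled there by default) and WebAppDb;
-- none of the internal databases may appear.
SELECT name FROM sys.databases WHERE HAS_DBACCESS(name) = 1;
-- Expected 0: no direct table access.
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_read_table;
-- Expected 1: the procedure is callable.
SELECT HAS_PERMS_BY_NAME('api.GetOrdersForCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
GO

-- (8, 9) Server-level audit of logins and schema changes, written to a file. Server
-- audits are available in all editions from SQL Server 2012; the directory must
-- exist and be writable by the SQL Server service account.
USE master;
GO
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
GO

-- Review failed logins: a burst against WebAppLogin or sa is a brute-force attempt.
SELECT event_time, action_id, server_principal_name, session_server_principal_name,
       additional_information
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE succeeded = 0
ORDER BY event_time DESC;
GO

-- (3) Backup to another drive or share with page checksums. Express has no SQL Agent,
-- so schedule this with Windows Task Scheduler and sqlcmd.
BACKUP DATABASE WebAppDb
    TO DISK = N'\\backuphost\sqlbackup\WebAppDb.bak'
    WITH CHECKSUM, INIT;
GO
```

Points 1 and 7 are outside the script: the host firewall (Windows Firewall on Windows 7) should expose only the web and mail ports to the Internet and leave the SQL Server TCP port and SQL Browser (UDP 1434) closed, since the web application connects locally; and column-level encryption is a schema decision that depends on which data elements are sensitive. The connection string in the web application should use WebAppLogin and nothing with more rights, and the HAS_DBACCESS check is worth repeating whenever a new internal database is added to the instance.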

All replies

  • But maybe you could run two SQL Server instances on the server? Then you could put the web databases on one instance, and the internal databases on another instance. You would configure the firewall so that only the port for the external instance is open. (And if you have room for two network cards, that's even better.)

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Thursday, January 31, 2013 10:42 PM