3 Questions regarding security vectors when using SQL Server Express on a VPS

  • Question

  • User1287536547 posted

    I have started using ASP.NET Core. I wanted a cheaper alternative to Azure with SSL, so I got a VPS running Server 2012 R2. I have SQL Server Express 2014 installed. This is all pretty new to me on the hosting side. At the moment I have the web server and the database server running side by side. When I go to production I am going to split to two VPSs. I set up remote access to my SQL Server Express database. I have a single user for the remote access. I have it set up using TCP on a given port, and I have set up a rule for that port in Windows Firewall for that specific user. I am able to connect remotely with SSMS on my computer. Outside of the possible vectors from my app source code and connection strings:

    1) What potential vectors do I need to look for running side by side and when I have separate servers?

    2) If I add MySQL into the mix along with SQL Server, are there any other vectors?

    I read a posting where someone called someone an "idiot" for running the database as root, for security reasons. Does this mean connecting as the administrator account?

    3) What is running your instance as root, and what are the alternatives?

    Saturday, April 30, 2016 3:54 PM

Answers

  • User-219423983 posted

    Hi remojr76,

    I wanted a cheaper alternative to Azure with SSL

    1) What potential vectors do I need to look for running side by side and when I have separate servers?

    Do you mean these vectors would host the separate servers? If so, you'd better first search for them yourself and then compare them to choose the best one for you.

    If not, please let me know and clarify what "vectors" means.

    2) If I add MySQL into the mix along with SQL Server, are there any other vectors?

    I read a posting where someone called someone an "idiot" for running the Database as root, for security reasons. Does this mean connecting as the administrator account?

    I guess this situation is using "sa" to connect to the remote database. If so, yes, it means connecting as the administrator account.

    3) What is running your instance as root, and what are the alternatives?

    For this question, you could first have a look at the thread below to learn about the SQL Server authentication process. Then, as it says, you'd better create the same new user on both the IIS server side and the database side, and then grant that user the proper rights.

    http://stackoverflow.com/questions/2432793/the-best-way-to-connect-sql-server-windows-authentication-vs-sql-server-authent

    Best Regards,

    Weibo Zhang

    Monday, May 2, 2016 10:41 AM
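The "alternative to root" the answer points at, as an added T-SQL example that is not part of this thread or of the linked Stack Overflow answer: check whether the login the application currently uses is a sysadmin (the SQL Server equivalent of "running as root"), disable the built-in sa login for remote use, and create a dedicated SQL login that can only read and write the application's tables. The database name AppDb, the login app_user, the role app_rw and the placeholder password are assumptions; replace them with your own values before running this in SSMS.

```sql
-- Added example, not from the original thread. Assumed names: AppDb, app_user, app_rw.

-- 1. What does the connection the web app uses actually hold?
--    is_sysadmin = 1 means the app is effectively "running as root" on this instance.
SELECT SUSER_SNAME() AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Take the well-known administrator login out of play for remote attackers.
--    (Keep a separate Windows-authenticated sysadmin for your own administration.)
ALTER LOGIN sa DISABLE;

-- 3. Create a dedicated login for the application. CHECK_POLICY = ON enforces the
--    Windows password policy of the VPS on this SQL login.
CREATE LOGIN app_user
    WITH PASSWORD = N'<replace-with-a-long-random-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;

-- 4. Map the login into the application database only, and grant DML on the
--    application schema through a custom role instead of db_owner.
USE AppDb;
CREATE USER app_user FOR LOGIN app_user;
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_rw;
ALTER ROLE app_rw ADD MEMBER app_user;

-- 5. Confirm OS command execution stays off for everyone (it is off by default,
--    but a previous "helpful" script may have enabled it).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';          -- config_value and run_value should both be 0

-- 6. Verify the result: no server-level roles, and only app_rw at database level.
SELECT r.name AS server_role
  FROM sys.server_role_members AS m
  JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
  JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
 WHERE p.name = N'app_user';               -- expect no rows

SELECT dp.name AS db_role
  FROM sys.database_role_members AS drm
  JOIN sys.database_principals AS dp ON dp.principal_id = drm.role_principal_id
  JOIN sys.database_principals AS mp ON mp.principal_id = drm.member_principal_id
 WHERE mp.name = N'app_user';              -- expect only app_rw
```

The connection string in the ASP.NET Core app then uses app_user, never sa or a Windows administrator. Granting at the schema level rather than db_owner means a SQL injection bug in the application can read and modify its own tables but cannot create logins, change server configuration or reach other databases on the instance. When the database moves to its own VPS, the same principle applies at the network layer: scope the Windows Firewall rule for the SQL TCP port to the web server's address rather than leaving it open to the internet, and set Encrypt=True in the connection string so credentials and data do not cross the network in clear text.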