sql server open port security

  • Question

  •  

    Hi,


    We have a requirement wherein we need to connect to a server database from a client system from an XBAP application over the internet. That is, from a web application, some component is running on the client's system and trying to connect to the DB on the web server. This we are able to do.

    Now we are facing a security issue, since we are connecting to the DB server from the client system using the IP address of the DB server. For this to happen a port is being opened on the DB server to enable the client system to connect to SQL Server over the internet.

    How can we secure the database with an XBAP application, if all the communication is going to happen from a client?
    Does it ping the SQL server on HTTP or any other protocol?
    Because we can then open the port for only that kind of protocol message.
    Otherwise that open port is a very big vulnerability.

    What are the steps that can be taken to secure SQL Server when the port is open? Please help in this regard.

    I have got some links on the net which put some light on this:

    1. Using a proxy server
    2. Using a different port, not the default port
    3. Enabling only the required services and blocking other services.

    But I need more light on each one of these. Also, if anybody can provide me which is the safest and better way to secure the SQL Server port while keeping it open. I am more interested to know more about securing SQL Server using the services option.

    An early reply will help us.

    Thanks in advance

    Kavya.

    Friday, December 5, 2008 10:32 AM

All replies

  • Hi Kavya,

     

    I am not sure I completely understand how your application is making the connection or which protocol it is using. However, you could probably set up a separate endpoint (see CREATE ENDPOINT in Books Online) and secure it with a certificate. And keep away from the default port.

     

    /Elisabeth

     

    Monday, December 8, 2008 1:04 PM
  • Hi Kavya, WELCOME to MSDN!

    I think that the most powerful way to protect your application is using SSL for all connections.

    Because, if you only create an endpoint you will only protect the SQL port and control who can connect and how they can connect, but your data will remain unsafe.

    There is a good way to do what you want; see the link below:

    http://support.microsoft.com/kb/316898

    Please, don't forget to post back and classify this post as answered if this advice was useful.

    Monday, December 8, 2008 9:54 PM
  • Hi Emanuel,

    Thanks for the reply.

    Through SSL we can only protect our application. As we are keeping a port open for the database connection, the port is not secure and hence our database is vulnerable. What is the best way to secure even our database? Or are there any other methods for port security?

     

    Tuesday, December 9, 2008 6:49 AM
  • Hi Elisabeth,

    Thanks for the reply.

    We are not using any protocol here. We use internet to connect to the server.

    For running our application all client machines should install a certificate in their machines.

    Our requirement here is how to secure our database as we have kept a port open for client-server communication.

    Through that open port we feel our database is vulnerable and not secure.

    Tuesday, December 9, 2008 6:53 AM
  • Hi,

     

    Well, some port has to be open, otherwise your database would go from possibly insecure to positively useless. To lock down your server, SQL Server, database and the objects in the database there are a number of things you can and should do.

     

    Please read through the "SQL Server 2005 Security Best Practices - Operational and Administrative Tasks", http://download.microsoft.com/download/8/5/e/85eea4fa-b3bb-4426-97d0-7f7151b2011c/SQL2005SecBestPract.doc

    and "Best Practices for Using Native XML Web Services", http://msdn.microsoft.com/en-us/library/ms190399(SQL.90).aspx if you are using Web services, and get back to us if you have any further concerns.

     

    HTH

     

    /Elisabeth

    Tuesday, December 9, 2008 7:34 AM
  • We are not using web services but LINQ to connect to SQL.

    Tuesday, December 9, 2008 8:22 AM
  • Read up on how to harden a SQL server before you even think of presenting it to the internet.
    That being said, here are my recommendations:
    1. Force SSL encryption on all connections using CA-signed certificates.
    2. Run SQL on a non-standard TCP/IP port (i.e. not 1433).
    3. Disable all other protocols.
    4. Disable the SQL Browser service (UDP 1434, which redirects to the appropriate TCP port) and configure your client(s) to connect to the appropriate port.
    5. Run the SQL service with an account that has greatly reduced permissions on the SQL server/domain. I would recommend a local account only.
    6. Firewall everything!!
    7. Use multiple levels of permissions for your application connection(s), i.e. a login account with a VERY STRONG password, then create appropriate db and/or application roles within the db that are restricted to only exactly what needs to be done.
    8. Try to use stored procedures for most things and grant permissions to those, not tables. Avoid all built-in roles.
    9. Completely eliminate the use of any dynamic SQL.
    10. Ensure that all input to the SQL server will be fully escaped to avoid SQL injection attacks.
    11. Harden the server OS.
    Tuesday, December 16, 2008 10:56 PM
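The following T-SQL script is an added example, not code posted by anyone in this thread, showing how recommendations 7, 8 and 9 of the last reply fit together: a dedicated login, a custom database role instead of a built-in one, a parameterised stored procedure with no dynamic SQL, and EXECUTE granted on the procedure only. The database name `AppDb`, the table `dbo.Orders`, the login `app_reader`, the role `app_orders_role` and the procedure `dbo.GetOrdersForCustomer` are all hypothetical names chosen for the illustration; the password is a placeholder to be replaced. The final block impersonates the application user to verify that direct table access is refused while the procedure still works.

```sql
-- Added example (constructed for this thread, not from the original posts).
-- Assumes a database AppDb with a table dbo.Orders(OrderId, CustomerId, OrderDate, Total).
USE master;
GO

-- 7. Dedicated login for the application with a strong, policy-checked password.
--    (placeholder password; replace before use)
CREATE LOGIN app_reader
    WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE!',
         CHECK_POLICY = ON;
GO

USE AppDb;
GO

-- Map the login to a database user; it gets no permissions by default.
CREATE USER app_reader FOR LOGIN app_reader;
GO

-- 7/8. A custom role instead of built-in roles such as db_datareader or db_owner.
--      sp_addrolemember is used because it also works on SQL Server 2005/2008.
CREATE ROLE app_orders_role;
EXEC sp_addrolemember 'app_orders_role', 'app_reader';
GO

-- 8/9. A parameterised stored procedure: the customer id is a typed parameter,
--      so no dynamic SQL is built and no string escaping is needed.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END
GO

-- 8. Grant EXECUTE on the procedure only. Because dbo owns both the procedure
--    and the table, ownership chaining lets the procedure read dbo.Orders
--    without the role ever receiving SELECT on the table itself.
GRANT EXECUTE ON OBJECT::dbo.GetOrdersForCustomer TO app_orders_role;
GO

-- Verification: run as the application user and check the effective permissions.
EXECUTE AS USER = 'app_reader';

SELECT * FROM dbo.Orders;                       -- expected: SELECT permission denied
EXEC dbo.GetOrdersForCustomer @CustomerId = 42; -- expected: returns rows for customer 42

REVERT;
GO
```

When the XBAP client calls the procedure, it should pass `@CustomerId` as a typed parameter (LINQ and SqlCommand both do this) and use an encrypted connection with the non-default port in the connection string, which covers recommendations 1, 2 and 10 from the client side. If a later change breaks the ownership chain (for example a table owned by a different schema owner), the impersonated `EXEC` above starts failing, which makes the verification block a useful regression check after schema changes.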