database open access vulnerability

  • Question

  • Dear SQL Server Support team..

    Need your kind assistance on the following web security issue.

    "The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because
    databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a
    violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms."

    Wednesday, October 12, 2016 3:14 PM

Answers

  • This issue can be addressed by a firewall. What this will mean is that internet users will not be able to access the ports, only servers behind the DMZ, or known servers in the DMZ. You can configure inbound rules for this.
    Wednesday, October 12, 2016 3:59 PM
  • For anyone reviewing and tempted to reply to this post.

    Note my first post on this issue, we cannot offer advice or solutions here; for instance if the inbound Routers are managed by another company (ours are) then it will be up to Management/the company to provide a solution to provide inbound rules.


    Please click "Mark As Answer" if my post helped. Tony C.

    Wednesday, October 12, 2016 4:13 PM
  • That is ok, use the Windows Firewall. Go to Start, Run and type windows firewall. Make the changes there. It seems like you failed a PCI compliance audit. Ideally this will be done with the front-facing firewalls, but you can configure it with the Windows Firewall on your local machine.
    Wednesday, October 12, 2016 4:40 PM
  • I agree with Hilary; you can pretty much control unauthorized access from the firewall as compared to databases. Use a static port and aliases. The port should have limited access.

    Cheers,

    Shashank

    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it

    MVP

    Wednesday, October 12, 2016 5:02 PM
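
As an added example (not part of any forum reply): the host-level restriction the answers above describe, using the Windows Firewall cmdlets to audit inbound rules that reach the SQL Server port and to scope access to trusted systems. The static port 1433, the trusted addresses and the rule name are assumptions chosen for illustration.

```powershell
# Assumptions (not from the thread): static TCP port 1433 and the constructed
# trusted sources below. Replace both with your own values. Run elevated.
$SqlPort        = 1433
$TrustedSources = @('10.0.10.0/24', '10.0.20.15')   # constructed sample addresses
$RuleName       = 'SQL Server - trusted sources only'

# 0. Allow rules only restrict access if the profile default is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 1. Audit enabled inbound Allow rules that can reach the SQL port.
#    Port ranges (e.g. 1000-2000) are not expanded here; review those by hand.
$candidates = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object DisplayName -ne $RuleName |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $explicit = $port.LocalPort -contains "$SqlPort"
        $anyPort  = $port.LocalPort -contains 'Any'
        if (($port.Protocol -in 'TCP', 'Any') -and ($explicit -or $anyPort)) {
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Program       = $app.Program
                ExplicitPort  = $explicit
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Unscoped      = ($addr.RemoteAddress -contains 'Any')
            }
        }
    }
$candidates | Sort-Object Unscoped -Descending | Format-Table -AutoSize

# 2. Add one Allow rule for the SQL port limited to the trusted sources.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $SqlPort -RemoteAddress $TrustedSources -Action Allow

# 3. Preview disabling rules that open the SQL port to any remote address.
#    Only rules naming the port explicitly are touched; any-port rules (for
#    example one scoped to sqlservr.exe) stay listed above for manual review.
$candidates | Where-Object { $_.Unscoped -and $_.ExplicitPort } |
    ForEach-Object { Disable-NetFirewallRule -Name $_.Name -WhatIf }
# Remove -WhatIf once the preview lists only the rules you intend to disable.
```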

All replies

  • This appears to be a violation of some policy which your company/organisation has adopted.

    Raise this as an issue with your Line Manager and escalate it upwards; although we can recommend changes on here, what would be viable would be dictated by your policy and management feedback.


    Please click "Mark As Answer" if my post helped. Tony C.

    Wednesday, October 12, 2016 3:19 PM
  • Dear Juwita,

    Give your own description rather than taking the data from Rapid7 (Nexpose) and pasting it over Microsoft.

    Monday, November 5, 2018 7:34 AM