September 24, 2010 at 4:42 pm
Hi,
it's time to post a question.... 😉
Here's the scenario:
A 3rd party app will install a pre-configured MSDE version on a client PC in a network.
Unfortunately, it will use a named instance in combination with a fixed login + (known) pwd.
Even worse, the login has sysadmin privileges. :sick:
How can I lock down such a DB to be non-reachable from the network?
What I've tried so far:
a) the "HIDE" method: failed, since the DB can still be connected to once the port is "guessed" (or made available using one of the "known methods")
b) rename the instance: failed, since the app won't run anymore (obviously hardcoded)
c) rename the user: failed, since the app won't run anymore (obviously hardcoded)
d) cut down privileges of the user: will reduce the risk, but not avoid it, since the db can still be compromised.
e) disable all protocols for this instance (except named pipes): currently the only option that seems to work. But I don't know what the risk is for the named pipe protocol being still open...
Any thoughts?
I'm scared at the moment.... (since I know how to break that current "security" and have no idea how to lock it down other than removing the application...)
September 24, 2010 at 5:25 pm
Change the port it listens on then firewall off that port?
September 24, 2010 at 5:44 pm
Can you alter the database engine/remote connections to local connections only via the surface area configuration? Will this work for the MSDE engine?
Best I can come up with. I shoulda known something from Lutz wasn't gonna be a low hanging fruit. 😀
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
September 25, 2010 at 3:11 am
I'm not a network guy, but maybe you can configure the server so only certain machines/IP ranges can access the ports for the SQL Server?
I think you can do that, but I'm really weak on networking tweaks and firewalling outside of our Sonic Firewall app.
at least that locks down a portion of the possible attack vectors?
maybe put an alias on the client machines that will use the app so it goes to a different server altogether? so D223\SQLEXPRESS really goes to PROD due to the mapping on that one machine with the app installed?
Lowell
September 25, 2010 at 5:43 am
Lowell (9/25/2010)
I'm not a network guy, but maybe you can configure the server so only certain machines/IP ranges can access the ports for the SQL Server? I think you can do that, but I'm really weak on networking tweaks and firewalling outside of our Sonic Firewall app.
at least that locks down a portion of the possible attack vectors?
maybe put an alias on the client machines that will use the app so it goes to a different server altogether? so D223\SQLEXPRESS really goes to PROD due to the mapping on that one machine with the app installed?
Unfortunately, the MSDE is part of a software needed by our dev team, installed on several clients.
The installation is extremely badly configured and will be installed in silent mode without any chance to change instance name, user or pwd. So far we found almost 10 instances. :crazy:
@Craig: I guess I'll start playing with the sac utility. As soon as we have a configuration that is locked down but still usable (for some reason that's still part of the requirement 😉), I'll export the config, use some other tools available to find those instances on the clients that need to be modified, and use the sac utility to apply the safe config together with some sqlcmd to strip down the user privileges.
Sounds like a plan!!
Thank y'all for your help!!!!!
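The privilege-stripping part of the plan above (option d in the first post, the "sqlcmd to strip down the user privileges" step in the last one) as an added example. This is not code from the thread or from the vendor's installer; 'AppLogin' and 'AppDb' are placeholder names for the hard-coded login and the application's database, and the script is written for the SQL Server 2000 engine that MSDE ships, using the sp_* role procedures that exist there. It drops the login from every fixed server role (securityadmin alone could put it straight back into sysadmin), then maps it to db_owner on its own database only, and finishes with a check that must return 0. Test it against one instance first: if the application relies on server-level actions such as creating databases or xp_cmdshell, it will stop working after this. It also only narrows what a stolen password buys; it does not stop the network reach that the protocol/firewall settings have to handle.

```sql
-- Added example, not from the original thread. Placeholder names:
--   'AppLogin' = the fixed login the application uses
--   'AppDb'    = the application's database
-- Run as a local administrator against each instance, e.g.
--   osql -E -S .\INSTANCENAME -b -i demote_applogin.sql
-- (-b makes osql stop on the first error so a missing login or database
--  does not leave the script half-applied).
SET NOCOUNT ON
GO

-- 1. Refuse to continue if the login is not there (silent installs vary).
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE name = 'AppLogin')
BEGIN
    RAISERROR ('Login AppLogin not found on this instance', 16, 1)
    RETURN
END
GO

-- 2. Strip every fixed server role, not just sysadmin: securityadmin can
--    re-grant sysadmin, and dbcreator / serveradmin / bulkadmin still reach
--    well beyond the application's own data. sp_helpsrvrole lists the roles
--    so nothing is forgotten.
CREATE TABLE #srvroles (ServerRole sysname, Description nvarchar(255))
INSERT #srvroles EXEC sp_helpsrvrole

DECLARE @role sysname
DECLARE roles CURSOR LOCAL FAST_FORWARD FOR SELECT ServerRole FROM #srvroles
OPEN roles
FETCH NEXT FROM roles INTO @role
WHILE @@FETCH_STATUS = 0
BEGIN
    IF IS_SRVROLEMEMBER(@role, 'AppLogin') = 1
    BEGIN
        PRINT 'Removing AppLogin from ' + @role
        EXEC sp_dropsrvrolemember 'AppLogin', @role
    END
    FETCH NEXT FROM roles INTO @role
END
CLOSE roles
DEALLOCATE roles
DROP TABLE #srvroles
GO

-- 3. Give back only what the application plausibly needs: a user in its own
--    database with db_owner. Still generous, but confined to AppDb; a leaked
--    password no longer yields other databases or a way to re-elevate.
USE AppDb
GO
DECLARE @dbuser sysname
-- Match on SID: a sysadmin login had no user row here, while a login that
-- owns the database is already mapped to dbo.
SELECT @dbuser = name FROM sysusers WHERE sid = SUSER_SID('AppLogin')
IF @dbuser IS NULL
BEGIN
    EXEC sp_grantdbaccess 'AppLogin'
    SET @dbuser = 'AppLogin'
END
-- dbo is db_owner by definition; only a real user needs adding to the role.
IF @dbuser <> 'dbo'
    EXEC sp_addrolemember 'db_owner', @dbuser
GO

-- 4. Verify. Both columns must read 0 before the instance counts as done.
SELECT IS_SRVROLEMEMBER('sysadmin', 'AppLogin')      AS still_sysadmin,
       IS_SRVROLEMEMBER('securityadmin', 'AppLogin') AS still_securityadmin
GO
```

The script is idempotent, so it can be run again after a reinstall or an upgrade of the vendor package re-grants sysadmin; rerunning it on an already-demoted instance just prints nothing in step 2 and leaves the db_owner mapping as it is.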