Basic IPSec rules for SQL Server Machine

  • Hi everyone,

We are trying to secure our database server and use IPSec rules. I read somewhere that port 1433 used by ODBC is a potential exploit. Is this true? We need to connect from multiple machines running websites to the more secure SQL Server 2000 machine; the OS is Windows Server 2003 Standard.

    Are there any basic rules or documentation covering network layout/security involving a SQL Server made available to web servers on same or other IP domains?

    I would really appreciate your help.

    Radu P.

  • Port 1433 is the default port for SQL Server connections. It is an exploit only to the extent that it is well known as the default, and is therefore easier to try. Sites with security concerns often do configure their SQL servers to use a different port.

I've always felt that obfuscation is no replacement for good security. Due to Sarbanes-Oxley rules we ended up isolating one of our servers behind IPSec and issuing certificates to just a trusted few clients. This has been so successful that we're now looking at rolling it out to other servers.

    Don't forget if you're going to do this then you might want to look at turning off Named Pipes (not so easy if you're on a Sql 2K cluster) otherwise you're still leaving your RDBMS somewhat exposed.

    If your concern is exposing a server to the Internet then you might want to look at other options (application dependent), e.g. using a firewall.

    T
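The setup T describes (only named clients reach SQL, authenticated by certificate, with Named Pipes traffic covered as well) can be built with the `netsh ipsec static` commands available on Windows Server 2003. The script below is an added example, not code from the thread; it is typed at cmd.exe on the SQL Server host. The addresses 10.0.1.10 / 10.0.1.11 (web servers), 10.0.0.5 (admin workstation) and the CA name "CN=Example Root CA" are hypothetical placeholders.

```batch
@echo off
rem Added example (not from the original thread): IPsec policy for a SQL Server 2000
rem host on Windows Server 2003, typed at cmd.exe on the SQL box.
rem Assumptions (hypothetical): web servers 10.0.1.10 and 10.0.1.11, admin workstation
rem 10.0.0.5, and an internal root CA "CN=Example Root CA" that issued machine certs.

rem 1. Policy container
netsh ipsec static add policy name="SQL Lockdown" description="Only trusted web servers reach SQL"

rem 2. Filter lists. dstaddr=me is this host; mirrored=yes also matches the reply traffic.
netsh ipsec static add filterlist name="SQL from web servers"
netsh ipsec static add filter filterlist="SQL from web servers" srcaddr=10.0.1.10 dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes
netsh ipsec static add filter filterlist="SQL from web servers" srcaddr=10.0.1.11 dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes

netsh ipsec static add filterlist name="SQL and SMB from anywhere"
netsh ipsec static add filter filterlist="SQL and SMB from anywhere" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=1433 mirrored=yes
rem Named Pipes rides on SMB, so a 1433-only filter leaves it open; cover 445 and 139 too.
netsh ipsec static add filter filterlist="SQL and SMB from anywhere" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes
netsh ipsec static add filter filterlist="SQL and SMB from anywhere" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes

netsh ipsec static add filterlist name="RDP from admin host"
netsh ipsec static add filter filterlist="RDP from admin host" srcaddr=10.0.0.5 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Filter actions. inpass=no and soft=no: never fall back to cleartext if
rem the peer will not negotiate.
netsh ipsec static add filteraction name="Require IPsec" action=negotiate inpass=no soft=no
netsh ipsec static add filteraction name="Drop" action=block
netsh ipsec static add filteraction name="Allow" action=permit

rem 4. Rules. Windows IPsec applies the most specific matching filter, so the
rem per-host 1433 filters win over the any->1433 block filter regardless of order.
rem kerberos=no plus rootca= makes certificate authentication the only method.
netsh ipsec static add rule name="Web servers to SQL" policy="SQL Lockdown" filterlist="SQL from web servers" filteraction="Require IPsec" kerberos=no rootca="CN=Example Root CA"
netsh ipsec static add rule name="Block SQL and SMB" policy="SQL Lockdown" filterlist="SQL and SMB from anywhere" filteraction="Drop"
netsh ipsec static add rule name="Admin RDP" policy="SQL Lockdown" filterlist="RDP from admin host" filteraction="Allow"

rem 5. Review, then assign. Assigning activates the policy immediately.
netsh ipsec static show all
netsh ipsec static set policy name="SQL Lockdown" assign=y
```

Two things to check before assigning: each web server needs a matching policy of its own (mirror filter, same "Require IPsec" action, a machine certificate chained to the same CA), otherwise negotiation fails and, with `soft=no`, its connections are simply dropped; and the block rule drops unprotected SQL and SMB traffic from everyone, including you, so keep the admin permit filter (or an equivalent) so you can still reach the box. Disabling the Named Pipes protocol itself is done in the SQL Server 2000 Server Network Utility, not in IPsec; the 445/139 filters above only stop the traffic from reaching it.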

