February 27, 2003 at 11:20 am
Is there risk in installing it in this manner?
quote:
- If you only need FTP, you can choose not to install WWW and SMTP
John Zacharkan
February 27, 2003 at 11:52 am
Sure. You still deal with the issues of having an FTP server on your SQL Server and all the security issues that would normally entail. That's usually enough to make most folks reconsider.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
February 28, 2003 at 4:45 am
If I've understood zach_john's situation correctly (unlikely I know), the FTP server only needs to allow access by a limited number of known machines (maybe even just one?)
Assuming static IP on the external machines the firewall can be configured to reduce the risk to what I would consider an acceptable level. Whether you use IIS or a separate FTP app, it should of course run in an account with least possible rights and be further restricted through NTFS configuration. My gut feeling remains that a dedicated third party FTP app is a "safer" choice than IIS with extraneous services disabled but that is just a hunch.
However, as bkelly says, if you can justify the cost of another machine, why take a risk?
February 28, 2003 at 7:24 am
It also probably needs to be said that if you're on Win2K and above (WinXP and 2003) across all machines that will talk in this manner, you also have the option of instituting IPSec to shield your FTP processes to certain systems since you can specify IPs and IP ranges. This would be transparent to whatever FTP server you happen to be running because IPSec sits below the protocols that drive FTP.
K. Brian Kelley
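The address restriction discussed in the posts above, shown here with Windows Firewall rule scoping on a current Windows Server rather than with an IPSec policy. This is an added example, not part of the thread; the peer addresses and the rule name are constructed.

```powershell
# Added example: limit inbound FTP control traffic (TCP 21) to known peers.
# Addresses are constructed documentation values, not taken from the thread.
$AllowedPeers = @('203.0.113.10', '198.51.100.0/28')
$RuleName     = 'FTP-In-KnownPeers'   # hypothetical rule name

# 1. Find enabled inbound allow rules that expose TCP 21 to any remote address.
#    Limitation: matches rules that list port 21 explicitly; rules that use a
#    port range or LocalPort 'Any' need a separate manual review.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -eq 'TCP' -and
        @($port.LocalPort)     -contains '21' -and
        @($addr.RemoteAddress) -contains 'Any'
    }

# 2. Report what was found before changing anything.
$open | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Scope the open rules to the known peers instead of leaving them at 'Any'.
$open | Set-NetFirewallRule -RemoteAddress $AllowedPeers

# 4. If no FTP rule existed at all, create one that is scoped from the start.
if (-not $open -and
    -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 21 -RemoteAddress $AllowedPeers
}

# 5. Verify: list the remote addresses now allowed to reach TCP 21.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains '21' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

Passive-mode FTP also needs its data port range scoped the same way, and the allow-list only holds if the default inbound action for the active profile is Block.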
February 28, 2003 at 8:44 am
I agree with everyone here that you should keep your SQL box pristine, but if you MUST absolutely have IIS on the SQL server there is a tool that can help you secure it from MSFT. Check out the IIS Lockdown Tool (version 2.1) @
http://www.microsoft.com/windows2000/downloads/recommended/iislockdown/default.asp
Side note: Brian could you not use Certificate services, or the install for the certificate from the provider? I am curious why you would need to install IIS to get the certificate on the machine. I ask this question from ignorance as I have never used SSL to encrypt my SQL Server data streams, and would be very interested in reading more about it. Could you post some links on the subject? (I will google it soon, but may not find what you have already found...)
Tim C.
//Will write code for food
Tim C //Will code for food
February 28, 2003 at 9:03 am
IIS Lockdown tool helps greatly, but it isn't the end of it since you have to keep up with the bulletins that have come out since then as well.
As far as Certificate Services, if you have an Enterprise CA, you can use MMC and all is good. However, if you need a certificate another business is going to trust, then you're going to have to get it from somewhere. The typical place is Verisign or another 3rd party root CA. In order to get the certificate, you have to fill out a certificate request, and that's where IIS comes in.
K. Brian Kelley
February 28, 2003 at 9:44 am
quote:
In order to get the certificate, you have to fill out a certificate request, and that's where IIS comes in.
Do you mean Internet Explorer, or IIS? I am still trying to understand why you would need IIS to fill in a certificate request.
Tim C.
February 28, 2003 at 10:06 am
Guys,
Microsoft has documentation on how to use SSL Certificates with SQL Server without requiring the installation of IIS. Hope this helps.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT19.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;276553
Good Luck!
February 28, 2003 at 10:11 am
These docs work if you are using a Microsoft Certificate Server. They don't cover the case where you need a 3rd party CA for B2B. After all, if you and I want to establish a secure B2B connection, and we're using SSL, are you going to trust the certificate I issued or are you going to want that 3rd party-issued certificate?
If you're smart, you'll want that 3rd party certificate. Even with that said, with SQL Server the client still has to trust the root CA that issued the certificate, meaning I now have to trust two of your certificates. Also, if your CA isn't publicly accessible (or you haven't given me VPN, etc.), I have little recourse for validating the certificate, etc.
Root CAs like Verisign provide certificates, but require certain bits of info from you. This information is stored in a certificate request. Are there other methods to generate the CR other than IIS? Yes. Which is easier? Typically IIS. IIS has to handle obtaining certificates in an easy manner and therefore has the GUI tools built so you can generate the CR and install the certificate with minimal effort.
K. Brian Kelley
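One of the other ways to generate the certificate request that the post above alludes to, using certreq.exe so that IIS never has to be installed on the SQL Server. This is an added example, not part of the thread; the host name and file paths are constructed, and the request settings (key exchange key, machine key store, Server Authentication usage) are the ones SQL Server expects of an SSL certificate.

```powershell
# Added example: build a PKCS #10 certificate request with certreq.exe.
# Run elevated on the SQL Server so the private key is created in the
# machine key store and never leaves the box.
$fqdn = 'sql01.example.com'   # constructed; must match the name clients connect to
$inf  = Join-Path $env:TEMP 'sqlssl.inf'
$req  = Join-Path $env:TEMP 'sqlssl.req'

# Request policy file. KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0xA0 = digital
# signature + key encipherment, the EKU OID is Server Authentication.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and write the request file to submit to the CA.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# After the CA returns the signed certificate, bind it to the pending key:
#   certreq.exe -accept <path-to-issued-certificate>
# Then confirm it is in the machine store with its private key and the
# Server Authentication usage before pointing SQL Server at it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Select-Object Subject, NotAfter, HasPrivateKey,
        @{ n = 'ServerAuth'
           e = { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } }
```

The SQL Server service account also needs read access to the private key, and the client still has to trust the issuing root CA, as the post notes.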
February 28, 2003 at 10:30 am
My problem (at the moment) with the dedicated ftp server is that I then need two dedicated ftp servers. I cannot afford to have any single point of failure.
I am working on the management here to set up a beefy dedicated ftp and smtp server, with of course a dedicated backup, possibly two sets - one in front of the firewall and one behind it.
Although I'm receptive to the ideas presented here, it's a matter of execution time and money. Since I came in on the tail end of this particular project I'm going to have to let it slide and just control the IIS install, making sure only the ftp portion is added.
Thank you all
quote:
dedicated third party FTP app is a "safer" choice than IIS with extraneous services disabled but that is just a hunch.
John Zacharkan