 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / General / Security / March 2007Web and SQL Security
Hi I know that a couple of years ago I read a Microsoft recommendation that SQL server shoudl not run on the same machine as IIS. We are looking at taking a managed hosted server for an app. and I wondered if the same reccomendation applies. Does it depend on the way the hosting company sets up the server or is it always less secure when the two are on one machine? We can have two less powerful machines or one more powerful machine to do the job and security is the thing that will determine which way to go. We wil use Windows Server 2003, SQL Server 200 and .Net Framework. Any thoughts appreciated. David Usually the issue is concerned with SQL Server housed on the same box as a web server running OUTSIDE the firewall. Typically (!) DB servers are not placed outside the firewall. There is nothing inhirently insecure about IIS and SQL Server on the same box, although you will want to review the recommendations on hardening both your IIS and SQL Server installations. hope this helps. dlr > Hi > [quoted text clipped - 12 lines] > > David This has always been a recommendation from the security community. the issue is that separating roles is a security practice - you DON'T want to host your database on the same server that hosts your Web server. Surely however, you would apply proper Firewall rules that only allow inbound TCP 80 and 443, and not 1433. The reasons for separation are numerous. For example, a vulnerability in IIS would lead to a direct compromise of the data. This issue is largely dependent on the application's design. Are you allowing Anonymous access? Then your chances of getting compromised are that much greater. Honestly, this recommendation was originally conceived from the notion of separating application components - one that serves web pages and one that holds data. But it was also conceived during the early days of IIS 4/5 when vulnerabilities were very severe and seeemed to come out every week. IIS6 is much stronger. You could get away with it on one server, but you need to lock down IIS, SQL permissions, and the application's functionality as much as possible. If you can afford two boxes and separate them by a firewall - DO IT. But remember, if your making your connection from IIS to SQL as a full sysadmin or dbo level, then once your IIS box gets compromised, the hacker will likely have access to the database with that level of permission. SO, USE a LOW PRIVILEGED account for data access. The majority of attacks today are exploiting poorly written web-applications, not the underlying infrastructure so much. /Chris > Hi > [quoted text clipped - 15 lines] > > David Hi Chris The issue here is that we do not hold the boxes. They will be at a (high quality) ISP and managed by them. I understand that typically hosted web and SQL servers reside behind the same firewall configuration. A two tier one in this case. Therefore (.NET) web app communicates with the SQL server using sql authentication. I guess my point is that if the two servers are behind the same firewall system, then if the web server is compromised, it won't take much to get to the SQL servre. The connection strings are encrypted of course, but ... Basically there is a cost issue. We can two low power boxes, 1 for the web and the other for SQL or we can one high power box to do both jobs. ISecurity is the issue that will determine wich setup we go for. Any comment on this would be much appreciated. Thanks David > This has always been a recommendation from the security community. the > issue is that separating roles is a security practice - you DON'T want to [quoted text clipped - 46 lines] > > > > David Hello Chris, If SQL server is the same box of IIS, you may consider disable TCP and named pipes protocals so that it is not possible to access SQL server from network. Best Regards,, Peter Yang MCSE2000/2003, MCSA, MCDBA Microsoft Online Partner Support When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. =====================================================  SignatureThis posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | Thread-Topic: Web and SQL Security | thread-index: AcUwdJvCXlFN3a1BSOyx97cEKv+gjA== | X-WBNR-Posting-Host: 82.32.31.180 | From: "=?Utf-8?B?RGF2aWQ=?=" <Dante@community.nospam> | References: <E3F758FD-A178-4DC9-8CB1-2567F9DA9468@microsoft.com> <uzthnsBMFHA.2384@tk2msftngp13.phx.gbl> | Subject: Re: Web and SQL Security | Date: Thu, 24 Mar 2005 05:23:03 -0800 [quoted text clipped - 87 lines] | > > | > > David Your connection string needs to be a low privileged account. Hopefully your developers were able to design it that way. How are they encrypted? Using DPAPI? It will still be much harder for an attacker to compromise the database if it's on a separate server. You've created a barrier by encrypting the connection string, so they won't be able to connect to SQL without it right? Or are you also using trusted connections? I can't comment on 1 high power vs 2 low power, because I've no idea of the performance requirements and load the servers expect. You know, if there's a lot of database activity, it's best to separate the database files and transaction logs to separate disks and controllers ideally. SQL auth is never recommended, Windows auth always is. I would say separate into two boxes if you can, harden both servers. Especially lock down SQL and the application - use low privileged accounts, run all requests through Stored procedures or parameterized queries. Apply strict permissions to the database and tables. Your correct, separating into two servers won't buy you much unless you properly design the application, host configurations, and account access permissions. Have a pen-test run on your web-app, that's usually where most holes into the network are found. Check out this guide for more details. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/T hreatCounter.asp /Chris Weber > Hi Chris > [quoted text clipped - 85 lines] >> > >> > David Hi Guys David sorry about jumping in on this thread. This sounds alot like what I am trying to achivce. I also have a few Questions. We want to have our web server IIS 6 in the DMZ and our SQL in the Local lan. We would like to access the SQL box with intergrated security and impersinate a domainb user but I do not want the Web server to be a member of our domain. Right now I have both servers on the same sunet as I deal with login issues. So far using a SQL account to do access the database is working fine. The odd thing here is when I try using sspi I can get a result from the sql server using the http:\\localhost but not using the Servers ip address 192.168.0.xxx A low privlige account is good but this would require me to have a conection string with user and password info in the webconfig file located on the web sever. We need to allow anonymous access to the web site then they login to the app. Thanks Stephen Roy > Your connection string needs to be a low privileged account. Hopefully your > developers were able to design it that way. How are they encrypted? Using [quoted text clipped - 115 lines] > >> > > >> > David |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.