IIS Server Security - Re: IIS 6.0, ASP.NET, SQL 2000 on one server?

Author

Re: IIS 6.0, ASP.NET, SQL 2000 on one server?

Ken Schaefer

2007-11-16, 1:39 pm

You should start by looking on the Microsoft technet security subsite for
guidance on securing SQL Server.

There are permissions you need to configure within SQL Server, and also in
reducing the attack surface of SQL Server (e.g. limiting connections to just
the local host i.e. IIS, and from your internal network).

That prevents direct attacks against SQL Server, because external users
would not be able to directly connect to it. They'd need to attack your web
application or similar, to be able to get to SQL Server.

Cheers
Ken

"gcadmindude" <gcadmindude@discussions.microsoft.com> wrote in message
news:19F6C166-A348-4095-AB15-CF7C65E277EA@microsoft.com...
> Hi gang! I need some help here...ok, I need a LOT of help here! I've
> just
> been informed that we will be building a new Win2003 based web server that
> will host our public web site. To my surprise I have been directed to put
> all of our SQL 2000 databases on this server. My first response...are you
> nuts!? Their response....make it happen!
>
> Ok...is it even possible to effectively secure a SQL 2000 database on a
> Win2003 based web server that's located on a corporate DMZ behind a
> firewall?
> I know that IIS 6.0 installs in a lockdown mode but is the default install
> secure enough to run SQL databases on the same server?
>
> There will also be a number of custom applications currently under
> development running on the web server. Add to that the need for access
> from
> within the corporate network to the SQL databases...
>
> And of course the big question, what additional steps are needed to secure
> the SQL databases!???? ARGH!!!!!!!
>
> Any suggestions would be greatly appreciated! I should mention that I'm
> in
> no way a SQL or IIS expert. Please give details in any responses.
>
> Thanks! Michael