By Mike Mullins
Organizations often use SQL Server as a back-end device to collect and distribute information via the Web. But with the ongoing reality of Web server vulnerabilities, it's imperative that you make sure the communication between these two devices remains as secure as possible.
SQL vulnerabilities are still prevalent, as the SQL Slammer and Sapphire worms showed. According to Dshield.org, SQL ports are among the top 10 most probed ports on the Internet. That statistic means you can't afford to leave your SQL Server unsecured.
Begin with the ports
By default, Internet Information Services (IIS) and SQL Server connect via TCP port 1433 and UDP port 1434. Your first step in securing this connection is to filter that traffic through a firewall placed between the Web server (which should sit in a DMZ) and the SQL Server (which lies within your intranet).
After you secure the path between these two servers, the next step is to secure the transactional data. To do so, turn on TCP/IP filtering on SQL Server. Follow these steps:
Choose an authentication method
After filtering your traffic, you must decide how to authenticate this traffic. You generally have two options:
Unless you have a specific, documented reason why it's not a good idea, I highly recommend using Windows authentication for every installation. Verify that the IUSR account on the Web server has the appropriate permissions to SQL Server, and monitor the SQL Server logs for login failures and privilege escalation.
If you're adept at Visual Basic, you can increase SQL Server security by writing your own trusted connection string. For more information, check out "Setting SQL Server 7.0 and IIS Security." Done properly, you improve performance and security in one step.
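As an added illustration (not code from the article, and in Python rather than Visual Basic), the following audits an ADO/OLE DB-style connection string for the weak settings the article warns against and contrasts a default-style string that embeds the sa password with the trusted-connection form. The server and database names are constructed samples.

```python
"""Audit an ADO/OLE DB-style SQL Server connection string for weak settings.

Added example; the connection strings below are constructed samples,
not taken from any real deployment.
"""
import re


def parse_conn_string(conn):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased, space-free names."""
    parts = {}
    for chunk in conn.split(";"):
        if "=" not in chunk:
            continue
        key, value = chunk.split("=", 1)
        parts[re.sub(r"\s+", "", key).lower()] = value.strip()
    return parts


def audit_conn_string(conn):
    """Return a list of findings; an empty list means the string uses a trusted connection."""
    p = parse_conn_string(conn)
    findings = []
    trusted = (p.get("integratedsecurity", "").upper() == "SSPI"
               or p.get("trusted_connection", "").lower() in ("yes", "true"))
    user = p.get("userid") or p.get("uid")
    if not trusted:
        findings.append("no Windows (trusted) authentication")
    if user is not None or "password" in p or "pwd" in p:
        findings.append("SQL login credentials embedded in the string")
    if user and user.lower() == "sa":
        findings.append("connects as the built-in sa account")
    if p.get("persistsecurityinfo", "").lower() == "true":
        findings.append("Persist Security Info=True keeps the password in the connection object")
    return findings


# Constructed samples: a default-style string with the sa login embedded,
# and the trusted-connection form that relies on Windows authentication.
WEAK = ("Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=web;"
        "User ID=sa;Password=sa;Persist Security Info=True")
TRUSTED = ("Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=web;"
           "Integrated Security=SSPI")

if __name__ == "__main__":
    for label, s in (("weak", WEAK), ("trusted", TRUSTED)):
        print(label, audit_conn_string(s) or ["ok"])
```

Run it against the connection strings in your own ASP or VB code; any finding other than an empty list is a candidate for the trusted-connection rewrite described above.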
Many companies often overlook Web-to-database security. Using the default settings to get a site up and running is a recipe for disaster. Instead, make sure your system is secure from the client to the Web server to the SQL Server.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.