[dba-SQLServer]IP Connection to SQL

Arthur Fuller artful at rogers.com
Wed Apr 16 14:00:44 CDT 2003


> Yes, this is exactly what happens, w/ SQL Server authentication you don't
> need a domain, just the IP/Port and uid/pwd for the server.
> Routers/Firewalls have the port opened in this case 1433.  What is dangerous
> about this situation is that port 1433 is a common known port which hackers
> and script kiddies can use to infiltrate said network.

What if I use a different port number?

Even if I don't, will it matter? In client 1's case, I can see the whole SQL
database, but only because I have privileges. I can't see any other
machines, or any drives on the server, or anything but the database itself.
And I can only get into that with appropriate uid and pswd. So where's the
threat? Automated manufacture of logins+pswds?

Again, since I know nothing about this level of technology, this might be a
really stupid question, but so be it :-)

Imagine if you will 3 roles: webUser, Data-Entry and Manager. All that is
already set up in SQL. Suppose we tell the router to listen on some
different port. I think there are port-sniffers or whatever they're called,
but still, if the router simply forwards the incoming traffic to SQL and the
traffic fails SQL authentication, where's the risk?

A.

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Francisco H
Tapia
Sent: April 16, 2003 2:30 PM
To: dba-sqlserver at databaseadvisors.com
Subject: Re: [dba-SQLServer]IP Connection to SQL


Yes, this is exactly what happens, w/ SQL Server authentication you don't
need a domain, just the IP/Port and uid/pwd for the server.
Routers/Firewalls have the port opened in this case 1433.  What is dangerous
about this situation is that port 1433 is a common known port which hackers
and script kiddies can use to infiltrate said network.

-Francisco
http://rcm.netfirms.com



