[dba-SQLServer]IP Connection to SQL

Francisco H Tapia my.lists at verizon.net
Wed Apr 16 15:36:45 CDT 2003 

Arthur, the only stupid q's are the ones not asked ;o)

Using a diffrent port number helps prevent some of your most common attacks
on your server, yes there are port sniffer programs out there designed to
exploit the weaknesses in a firewall...  After a hacker or script kiddie
figures out your port all they  have to test access for is the SA account
since that is the common uid in all Sql Servers... in fact there are already
exploits that are published as .exe packages out there... VPN'ing your
connection would be the method to go in order to secure your connection, w/
or w/o TS.  The only thing I can think of in favor of TS is that the data is
carried between 10-100mbs (depending on your customer's network) over to the
TS screen vs, any T1 connection to your machine over the internet, and w/
VPN you have some overhead on the line.


-Francisco
http://rcm.netfirms.com

On Wednesday, April 16, 2003 12:00 PM [GMT-8],
Arthur Fuller <artful at rogers.com> wrote:

::: Yes, this is exactly what happens, w/ Sql Server authentication you
::: don't
: need a domain, just the IP/Port and uid/pwd for the server.
: Routers/Firewalls have the port opened in this case 1433.  What is
: dangerous about this situation is that port 1433 is a common known
: port which hackers and script kiddies can use to infiltrate said
: network.
:
: What if I use a different port number?
:
: Even if I don't, will it matter? In client 1's case, I can see the
: whole SQL database, but only because I have privileges. I can't see
: any other machines, or any drives on the server, or anything but the
: database itself. And I can only get into that with appropriate uid
: and pswd. So where's the threat? Automated manufacture of
: logins+pswds?
:
: Again, since I know nothing about this level of technology, this
: might be a really stupid question, but so be it :-)
:
: Imagine if you will 3 roles: webUser, Data-Entry and Manager. All
: that is already set up in SQL. Suppose we tell the router to listen
: on some different port. I think there are port-sniffers or whatever
: they're called, but still, if the router simply forwards the incoming
: traffic to SQL and the traffic fails SQL authentication, where's the
: risk?
:
: A.
:
: -----Original Message-----
: From: dba-sqlserver-bounces at databaseadvisors.com
: [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of
: Francisco H Tapia
: Sent: April 16, 2003 2:30 PM
: To: dba-sqlserver at databaseadvisors.com
: Subject: Re: [dba-SQLServer]IP Connection to SQL
:
:
: Yes, this is exactly what happens, w/ Sql Server authentication you
: don't need a domain, just the IP/Port and uid/pwd for the server.
: Routers/Firewalls have the port opened in this case 1433.  What is
: dangerous about this situation is that port 1433 is a common known
: port which hackers and script kiddies can use to infiltrate said
: network.
:
: -Francisco
: http://rcm.netfirms.com

More information about the dba-SQLServer mailing list