Jim Lawrence (AccessD)
accessd at shaw.ca
Wed Apr 16 15:42:23 CDT 2003
Hi Arthur:

The port 1433 is only dangerous if you have not upgraded the appropriate SQL patch. No port number is not vulnerable because most intruders simply scan all ports when attempting to gain access. It is not worth trying to change the port value as the port number might be used by some other product, like a game. Also all the clients would have to be set up individually as they will automatically be expecting to access the SQL server through that 1433 port number.

I personally would not waste my time with changing port numbers for security, but I would turn off the SQL login, 'sa', and set up strong Server side NT authentication.

My thoughts
Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Arthur Fuller
Sent: Wednesday, April 16, 2003 12:01 PM
To: dba-sqlserver at databaseadvisors.com
Subject: RE: [dba-SQLServer]IP Connection to SQL

>> Yes, this is exactly what happens, w/ Sql Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened in this case 1433. What is dangerous about this situation is that port 1433 is a common known port which hackers and script kiddies can use to infiltrate said network.

What if I use a different port number? Even if I don't, will it matter? In client 1's case, I can see the whole SQL database, but only because I have privileges. I can't see any other machines, or any drives on the server, or anything but the database itself. And I can only get into that with appropriate uid and pswd. So where's the threat? Automated manufacture of logins+pswds?

Again, since I know nothing about this level of technology, this might be a really stupid question, but so be it :-)

Imagine if you will 3 roles: webUser, Data-Entry and Manager. All that is already set up in SQL. Suppose we tell the router to listen on some different port. I think there are port-sniffers or whatever they're called, but still, if the router simply forwards the incoming traffic to SQL and the traffic fails SQL authentication, where's the risk?

A.

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Francisco H Tapia
Sent: April 16, 2003 2:30 PM
To: dba-sqlserver at databaseadvisors.com
Subject: Re: [dba-SQLServer]IP Connection to SQL

Yes, this is exactly what happens, w/ Sql Server authentication you don't need a domain, just the IP/Port and uid/pwd for the server. Routers/Firewalls have the port opened in this case 1433. What is dangerous about this situation is that port 1433 is a common known port which hackers and script kiddies can use to infiltrate said network.

-Francisco
http://rcm.netfirms.com
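
Added example, not part of the original thread: the thread's question about automated login and password guessing against a forwarded SQL port, seen from the server side as a count of failed logins per client. The log lines are constructed and follow the failed-login wording of later SQL Server error logs; the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real server). The layout is modeled on
# the failed-login entries of later SQL Server error logs; an assumption here.
SAMPLE_LOG = """\
2024-01-10 14:30:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 14:30:01.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 14:30:02.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-01-10 14:30:03.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-10 14:41:17.20 spid52      Starting up database 'Orders'.
2024-01-10 15:02:44.61 Logon       Login failed for user 'webUser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.20]
"""

# Captures the login name and the client address of one failed-login entry.
FAILED = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")


def failed_logins(log_text):
    """Return {client: {login: count}} for every failed-login line."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            login, client = match.groups()
            counts[client][login] += 1
    return counts


def suspicious_clients(log_text, threshold=3):
    """Clients whose total failed logins reach the threshold.

    The listening port never enters into it: a guessing run looks the same
    in the log whether the router forwards 1433 or some other port.
    """
    flagged = {}
    for client, logins in failed_logins(log_text).items():
        total = sum(logins.values())
        if total >= threshold:
            flagged[client] = {"failures": total, "logins": sorted(logins)}
    return flagged


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_LOG).items():
        print(client, info["failures"], "failed logins for", info["logins"])
```

With SQL logins such as 'sa' turned off in favour of NT authentication, as the reply recommends, repeated entries for those names indicate guessing rather than a user mistyping a password.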