Francisco H Tapia
my.lists at verizon.net
Wed Apr 16 16:56:12 CDT 2003
This is one area where you can disagree all you like, but it is a common practice by most SQL Server DBAs (just check out sqlservercentral.com or sswug.org). Changing the port that SQL Server listens on (1433) to anything else helps avoid your most common attacks by "drive-by hackers", if you will. Plus, Arthur mentioned that this was for a customer of his, so it's doubtful that a game port would be acceptable in that environment.

-Francisco
http://rcm.netfirms.com

On Wednesday, April 16, 2003 1:42 PM [GMT-8], Jim Lawrence (AccessD) <accessd at shaw.ca> wrote:

: Hi Arthur:
:
: The port 1433 is only dangerous if you have not upgraded the
: appropriate SQL patch. No port number is not vulnerable, because most
: intruders simply scan all ports when attempting to gain access. It is
: not worth trying to change the port value, as the port number might be
: used by some other product, like a game. Also, all the clients would
: have to be set up individually, as they will automatically be expecting
: to access the SQL server through that 1433 port number.
:
: I personally would not waste my time with changing port numbers for
: security, but I would turn off the SQL login 'sa' and set up strong
: server-side NT authentication.
:
: My thoughts
: Jim
:
: -----Original Message-----
: From: dba-sqlserver-bounces at databaseadvisors.com
: [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Arthur Fuller
: Sent: Wednesday, April 16, 2003 12:01 PM
: To: dba-sqlserver at databaseadvisors.com
: Subject: RE: [dba-SQLServer]IP Connection to SQL
:
: : Yes, this is exactly what happens, w/ SQL Server authentication you
: : don't need a domain, just the IP/Port and uid/pwd for the server.
: : Routers/Firewalls have the port opened, in this case 1433. What is
: : dangerous about this situation is that port 1433 is a commonly known
: : port which hackers and script kiddies can use to infiltrate said
: : network.
:
: What if I use a different port number?
:
: Even if I don't, will it matter? In client 1's case, I can see the
: whole SQL database, but only because I have privileges. I can't see
: any other machines, or any drives on the server, or anything but the
: database itself. And I can only get into that with the appropriate uid
: and pswd. So where's the threat? Automated manufacture of
: logins+pswds?
:
: Again, since I know nothing about this level of technology, this
: might be a really stupid question, but so be it :-)
:
: Imagine, if you will, 3 roles: webUser, Data-Entry and Manager. All
: that is already set up in SQL. Suppose we tell the router to listen
: on some different port. I think there are port-sniffers or whatever
: they're called, but still, if the router simply forwards the incoming
: traffic to SQL and the traffic fails SQL authentication, where's the
: risk?
:
: A.
:
: -----Original Message-----
: From: dba-sqlserver-bounces at databaseadvisors.com
: [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of
: Francisco H Tapia
: Sent: April 16, 2003 2:30 PM
: To: dba-sqlserver at databaseadvisors.com
: Subject: Re: [dba-SQLServer]IP Connection to SQL
:
: Yes, this is exactly what happens, w/ SQL Server authentication you
: don't need a domain, just the IP/Port and uid/pwd for the server.
: Routers/Firewalls have the port opened, in this case 1433. What is
: dangerous about this situation is that port 1433 is a commonly known
: port which hackers and script kiddies can use to infiltrate said
: network.
:
: -Francisco
: http://rcm.netfirms.com
:
: _______________________________________________
: dba-SQLServer mailing list
: dba-SQLServer at databaseadvisors.com
: http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
: http://www.databaseadvisors.com
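Arthur's question ("Automated manufacture of logins+pswds?") and Jim's advice to turn off 'sa' both come down to the same thing: a SQL login reachable on an open port can be guessed at by anyone who finds the port. As an added example that is not part of the original thread, the Python script below flags that activity from SQL Server's ERRORLOG. It assumes the "Login failed for user '...'. Reason: ... [CLIENT: ...]" line format of SQL Server 2005 and later (SQL Server 2000's log lines carry neither the reason nor the client address); the log excerpt, login names and addresses are constructed for illustration.

```python
"""Flag password guessing against a SQL Server exposed on TCP, using its
ERRORLOG.  Added example; not code from the original thread.

Assumed ERRORLOG line format (SQL Server 2005 and later):
  <date> <time>.<ms> Logon  Login failed for user '<name>'. Reason: <text>. [CLIENT: <ip>]
The excerpt, login names and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (addresses taken from documentation ranges).
SAMPLE_LOG = """\
2003-04-16 16:50:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2003-04-16 16:50:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2003-04-16 16:50:01.90 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2003-04-16 16:50:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2003-04-16 16:50:02.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2003-04-16 16:55:10.00 Logon       Login failed for user 'webUser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.25]
2003-04-16 16:55:12.00 Logon       Login succeeded for user 'webUser'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.25]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?: Reason: (?P<reason>[^\[]*?))?\s*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(log_text):
    """Return (timestamp, user, reason, client) for every failed-login line.
    Successful logins and unrelated lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            failures.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                             m["user"], (m["reason"] or "").strip(), m["client"]))
    return failures


def find_guessing(log_text, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count per client address: a client with at least
    `threshold` failed logins inside any `window`-long span is reported with
    its total failures, the login names it tried, and whether 'sa' was one."""
    per_client = defaultdict(list)
    for ts, user, _reason, client in parse_failures(log_text):
        per_client[client].append((ts, user))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events from the left until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events})
                flagged[client] = {"attempts": len(events),
                                   "users": users,
                                   "sa_targeted": "sa" in users}
                break
    return flagged


if __name__ == "__main__":
    for client, info in find_guessing(SAMPLE_LOG).items():
        print(f"{client}: {info['attempts']} failed logins, "
              f"users={info['users']}, sa targeted={info['sa_targeted']}")
```

Run against an exported ERRORLOG, a client that trips the threshold is a candidate for a firewall block, and a run of failures against 'sa' is exactly the case Jim's advice (disable 'sa', use Windows authentication) removes outright. Moving the listener off 1433 changes which scanners reach the login prompt at all: it cuts the volume from tools that probe only 1433, which is Francisco's point, but not from a full port scan, which is Jim's. The script itself does not care which port the server listens on, since the ERRORLOG records the failed login either way.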