IIS 6.0, ASP.NET, SQL 2000 on one server?


IIS 6.0, ASP.NET, SQL 2000 on one server? gcadmindude
10/30/2007 7:19:01 AM
Hi gang! I need some help here...ok, I need a LOT of help here! I've just
been informed that we will be building a new Win2003 based web server that
will host our public web site. To my surprise I have been directed to put
all of our SQL 2000 databases on this server. My first response...are you
nuts!? Their response....make it happen!

Ok...is it even possible to effectively secure a SQL 2000 database on a
Win2003 based web server that's located on a corporate DMZ behind a firewall?
I know that IIS 6.0 installs in a lockdown mode but is the default install
secure enough to run SQL databases on the same server?

There will also be a number of custom applications currently under
development running on the web server. Add to that the need for access from
within the corporate network to the SQL databases...

And of course the big question, what additional steps are needed to secure
the SQL databases!???? ARGH!!!!!!!

Any suggestions would be greatly appreciated! I should mention that I'm in
no way a SQL or IIS expert. Please give details in any responses.

Re: IIS 6.0, ASP.NET, SQL 2000 on one server? Ken Schaefer
11/13/2007 1:23:53 PM
You should start by looking on the Microsoft TechNet security subsite for
guidance on securing SQL Server.

There are permissions you need to configure within SQL Server, and also in
reducing the attack surface of SQL Server (e.g. limiting connections to just
the local host i.e. IIS, and from your internal network).

That prevents direct attacks against SQL Server, because external users
would not be able to directly connect to it. They'd need to attack your web
application or similar, to be able to get to SQL Server.

Cheers
Ken
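
One way to check the restriction described in the reply above (SQL Server reachable only from the local host and the internal network), as an added example that is not part of the original thread: it parses `netstat -an` output from the server and flags SQL Server sockets outside an allow-list. The function name, the sample output and all addresses are constructed for illustration; the ports are the SQL Server 2000 defaults.

```python
import ipaddress

# SQL Server 2000 defaults: TCP 1433 (default instance), UDP 1434 (resolution service).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:1433        10.20.0.15:3388        ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1047         ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""
ALLOWED_BINDS = {"127.0.0.1", "10.20.0.5"}         # assumed loopback + internal NIC
ALLOWED_CLIENTS = ["127.0.0.0/8", "10.20.0.0/16"]  # assumed local host + internal LAN

def audit_sql_sockets(netstat_text, allowed_binds, allowed_clients):
    """Flag SQL Server sockets in `netstat -an` output that fall outside the allow-lists."""
    nets = [ipaddress.ip_network(n) for n in allowed_clients]
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state column
        host, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) not in SQL_PORTS:
            continue  # not a SQL Server socket
        if proto == "UDP" or state == "LISTENING":
            # Bound wider than the allow-list: a packet filter must do the limiting.
            if host not in allowed_binds:
                findings.append(("wide-bind", proto, local))
        elif state == "ESTABLISHED":
            peer = ipaddress.ip_address(foreign.rpartition(":")[0].strip("[]"))
            if not any(peer in n for n in nets):
                findings.append(("unexpected-client", proto, foreign))
    return findings

if __name__ == "__main__":
    for finding in audit_sql_sockets(SAMPLE, ALLOWED_BINDS, ALLOWED_CLIENTS):
        print(finding)
```

A `wide-bind` finding is a review item rather than proof of exposure: it means the firewall or IPsec filter in front of the socket is the only thing enforcing the restriction.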
