How (un)secure Is My Remote SQL Server?
Apr 10, 2007
I've been provided with a server at a hosting company. The server is running W2K3 SP2 in its own workgroup (i.e., non-AD) configuration, but is not behind any type of hardware firewall; there is no VPN in place, either. I connect to the server via RDP using an extremely long and complex password. I'm using the newest version of the RDP client. The article "Hacking RDP" and the ensuing reader comments (http://mcpmag.com/columns/article.asp?EditorialsID=1699) indicate that using RDP in this fashion is relatively safe.
I installed SQL Server 2005 SP2 on this server. I set server authentication to 'SQL Server and Windows Authentication mode'. I created one obscure SQL Server login, using another extremely long and complex password. I also disabled the login for the 'sa' account.
Since installing SQL Server on this server, I've noticed thousands of Failure Audit events in the server's Application log:
Source: MSSQLSERVER
Description: Login failed for user X
where X equals 'administrator', 'root', 'server', 'database' 'sql', 'sa', etc.
These failure events occur almost non-stop, about a dozen per second, and come from a small pool of unknown IP addresses. The IP address seems to change every few hours. I'm guessing that someone is hoping that one of these names is an actual SQL Server login and is trying a brute-force attack to try to stumble upon a matching password. None of these logins are valid, but it's still disconcerting. Is this anything to be concerned about? I could have the hosting company block the IP addresses, but that seems like a losing battle.
Lastly, I used the Surface Area Configuration tool to allow local and remote connections, using TCP/IP only--so that I could begin interacting with this SQL Server from my PC, using both SQL Server Management Studio and my own Visual Studio code. For each method, I'm using the obscure SQL Server login that I created earlier--the one with the extremely long and complex password. How (un)secure is my traffic to/from this SQL Server? I don't believe that my credentials are encrypted, but I'm not sure how much of a risk this is nor do I know how else to more securely connect to SQL Server.
Given these circumstances, is there any way to make this resource more secure? Thanks!
View 9 Replies
ADVERTISEMENT
May 8, 2007
Hi guys
I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)
I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.
Have researched this a fair bit, but get somewhat lost amongst all the jargon.
View 6 Replies
View Related
May 19, 2007
I am trying to get my hosting company to provide a way to make secure encrypted connections from my desktop (where I am using Enterprise Manager and Aqua Data Studio) to their shared MS SQL Server.
I've seen some references to SSH, but I don't understand how this works or how the host would implement it. I also read that an SSL certificate can be installed on SQL Server, but it doesn't seem as if EM or ADS can make SSL connections to SQL Server. (In case it makes any difference for either of these solutions, the hosting company has port 1433 open, and will not close it because some clients connect to the DB server from web apps on their own intranets.)
Finally, if a web-based admin is used instead (like phpMyAdmin for MySQL), then which machine is the software installed on? Can it be on a web server that makes a local connection to the DB server or does it have to be on the DB machine? E.g., if I had a VPS or dedicated server at the same hosting company would I be able to install web-based admin software which would then connect to the host's shared SQL Server?
Anyway, my host is giving incomprehensible (to me) objections to all of these ideas. Is there a reasonably simple way to do this on a shared DB server?
View 1 Replies
View Related
Mar 10, 2004
Hello all,
An ASP.NET website hosting service allows the use of Enterprize Manager to manage the backend database of a hosted asp.net website. This is not done across a VPN and I don't think it could be done on SSL so the question is : How Secure is that? would this be ok for learning but not Ecommerce? Or is it an encrypted session and I paranoid?
-Thanks
Heywade
View 1 Replies
View Related
Nov 11, 2005
hi
this is my 1st time on this forum, I need to keep my DB secure on SQL server, that no body can enter into my DB and couldnt see my tables and other elements of DB.
Regards
AHK
View 2 Replies
View Related
Feb 20, 2004
When I'm getting data from sqlserver using ado.net and a sqldataadapter, are the resultant network traffic packets secure? If I wanted to deploy my objects at a remote site, would I still be safe going straight to my sql server from there or should I build a web service and then auto generate 'remote' versions of my objects that will then communicate to the web service on https?
thanks
pat
View 2 Replies
View Related
Apr 18, 2007
Is it secure setting ftp on the server so that i can use this ftp task in ssis.
I want to get some files located on the sever to my machine.
right now it does not work.
Is it safe setting ftp on the server???????
View 1 Replies
View Related
Sep 25, 2007
Greetings all,
Please allow me to describe my setup briefly and then I will jump into my problem/questions. I am trying to setup a shared hosting/DB type environment in a secure manner. I have two Windows Server 2003 boxes where Machine 1 is the DB server (MS SQL Server 2005) and Machine 2 is the web server (IIS 6.0). The web server may ultimately have 5-6 different customers (web applications/domains) on it.
In order to keep an exploit/poor code in one customer's application from accessing the files of another, the server is being setup so each website instance runs with a different low-privileged domain account (in Domain Guests). For example, for Website 1, the Directory Security will be setup so it runs with DOMAINIUSR_website1 and for Website 2, the Directory Security will be setup so it runs as DOMAINIUSR_website2. Both of these accounts are in the Domain Guests group and no other groups. This was chosen so that the DB used by each websites on the SQL Server could have read/write permissions granted to the appropriate user. On the web server the SYSTEM DSN is setup to access each database. This way if there is a DB setup with permissions for IUSR_website1 and it gets called by IUSR_website2, access will be denied. If I ran each website instance as the same user, they could in theory still called this DSN and access someone else's database.
Now here is the problem I get. First, the website access works just fine with it setup as the Domain Guest user account. However, when I go to the called the System DSN for DB access I get this error:
---------
Microsoft OLE DB Provider for ODBC Drivers error '80040e4d'
[Microsoft][SQL Native Client][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection.
/login.asp, line 7
--------
Line 7 of login.asp is as follows:
objConn.Open "DSN=DSN_CTO_SQL"
--------
So it appears there is something that is failing here. For troubleshooting purposes I have taken that IUSR_website1 account and placed them into the Domain Users group instead of Domain Guests. This fixes the problem. However, it's not the most secure setup to run the web/SQL stuff as a Domain User. Any ideas on why it works fine if the account is in Domain Users but not with Domain Guests? I even went to the registry key for HKLMSoftwareODBC and gave DOMAINIUSER_website1 specific read permissions. This did not fix the problem.
Can anyone make a suggestion or know what the issue is? How are people running secure IIS 6.0 + SQL Server setups for shared environments?
Thanks
Steven
View 6 Replies
View Related
Jan 24, 2007
I have some doughts when i am securing my MsSql Server 2005 report service project, Currently i have secured using windows authentication mode, Now my problem is how to authenticate the users using forms authentication and custom authentication method ? and how do i implement the access rights to the users (authorize the users )? Any idea ? has anybody got any smaple code or article ? thanks regards sujithf
View 3 Replies
View Related
May 1, 2007
We currently have a few reports running on a external website. The users have to log in to the website using their Domain Username and Password. Our network admin wants to move from simply http, to a secure https protocol.
My question is: Are there any conciderations for making this move? ...Will it break my reports?
View 1 Replies
View Related
Aug 14, 2007
Hi,
I am trying to deploy reports to my secure report server. When I attempt to deploy it's not authenticating me and I get an error:
TITLE: Microsoft Report Designer
------------------------------
A connection could not be made to the report server https://reports.******.com/ReportServer.
------------------------------
ADDITIONAL INFORMATION:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (System.Web.Services)
------------------------------
The remote certificate is invalid according to the validation procedure. (System)
------------------------------
BUTTONS:
OK
------------------------------
I have checked my certificate and it looks okay.
Thanks,
Darren
View 3 Replies
View Related
May 17, 2006
my package requires a send mail task and i must use a secure non-windows smtp server. can someone please tell me how to configure the smtp connection manager so i can do this? thanks.
View 6 Replies
View Related
Aug 25, 2006
Hello,
My question is about allowing and securing connections to SQL Server 2000 over the internet. The company that I work for has an application server that several of our clients connect to via the internet using secure .NET remoting. Basically, the clients have a desktop application that they run that creates a remoting connection to our server software and we handle the server/database part. Anyway, one of our clients now wants to use Crystal Reports to run ad hoc queries on their data that is hosted on our SQL 2000 database server behind our firewall. Obviously, opening up a port in our firewall and allowing someone to run ad hoc queries on the database makes us all more than a little nervous about security.
Has anyone else here had to deal with this sort of situation before? We'd like to set up a secure, encrypted connection for this one client, but still keep it locked down for everyone else. Is it as simple as enabling encryption and generating SSL certificates for the client machine and our server? I've only been able to find a few resources that help with bits and pieces of the problem, never anything tackling the issue as a whole. If anyone has any thoughts, experiences, links, etc. to share it would be greatly appreciated. We are a small company and no one here has experience with this sort of thing.
Cheers!
Justin
View 4 Replies
View Related
Dec 5, 2005
Using SSIS to send file to FTP server...
View 10 Replies
View Related
Mar 21, 2007
Hi all,
I am developing an application for a big office which uses SQL Server 2000.
Apart from my database, on that server, there are two databases by other companies.
The administrator also has access to server but the client only wants him to backup the database.
I have two questions:
1) First of all (if it is possible) I would like to protect my own database from the other companies.
I don't want them to:
see the data in the tables (around 20 tables)
make changes to the stored procedures (more than 100 stored procedures)
be able to backup the database
2) The client will save sensitive data to the database (mainly currency amounts, salaries etc) which he wants to keep hidden.
I am using float type for these fields and I would like to make the data encrypted. I could do it for nvarchar fields but changing these float to nvarchar would be time consuming.
Thanks for your patience reading this!
Would really appreciate some help on any of these
Nicolas
View 4 Replies
View Related
Jan 14, 2015
I am a bit stumped by error generated when attempting to connect to the report url.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The only thing I can think of is a certificate is issued to the server (all domain devices) via group policy by cert authority running on the domain.
If I check the bindings within Report Services Configuration Manager the certificate is referenced.
I have tried removing 443 but I am still unable to connect.
A neutron walks into a bar. "I'd like a beer" he says. The bartender promptly serves up a beer. "How much will that be?" asks the neutron. "For you?" replies the bartender, "no charge."
View 2 Replies
View Related
Apr 11, 2013
I have an issue with SMTP server " send mail task ". we see the following error [Send Mail Task] Error: An error occurred with the following error message: "The SMTP server requires a secure connection or the client was not authenticated.In SMTP connection manager what we should give in SMTP SERVER, if we use gmail id's in send mail task editor.
View 4 Replies
View Related
Jun 2, 2015
- When I disable "allow remote connections to this server" from server properties>connection page, I can still remotely connect to the server from SSMS...so what is the impact of enable/disabling it?
- what is the impact of changing the remote query timeout (on the same page) from default value?
View 4 Replies
View Related
Nov 10, 2006
I am trying to add a linked server from a AMD x64 server (Windows 2003) with SQL Server 2005 64 bit to a Server running SQL 2000. These are not in the same domain.
I can create a linked server using the option "Be made using the login's current security context" but can not when trying to specify the security context, i.e. sa and the sa password. When I try I get the following message:
Msg 15185, Level 16, State 1, Procedure sp_addlinkedsrvlogin, Line 98
There is no remote user 'sa' mapped to local user '(null)' from the remote server 'DTS_FSERVER'.
I have several other x64 server that I have no problem creating a linked server and specifying sa and the sa password.
The problem with using "the login's current security context" option is that I get an error when trying to run any Jobs against the linked server. The job fails withe the following error:
Executed as user: NT AUTHORITYSYSTEM. Access to the remote server is denied because no login-mapping exists. [SQLSTATE 42000] (Error 7416). The step failed.
I'm sure the two errors are related. Any ideas what is going on?
View 7 Replies
View Related
Mar 27, 2007
I want to make the ReportServer and Reports pages secured i.e not allow anyone to access these pages via browser.
I login to a machine as user ABC. This user does not have permission on reports.
if this user accesses ReportServer or Reports, expected is that access should be denied unless I enter
an account that has been given permissions.
for e.x. following pages should be secured.
http://<reportserver>/Reports
http://<reportserver>/Reports/Pages/Report.aspx?ItemPath=%2f<Report_Project>%2f<Report_Name>
http://<reportserver>/ReportServer
http://<reportserver>/ReportServer?%2f<Report_Project>&rs:Command=ListChildren
Actual result is that I am able to access these pages. When I click on the report I get the error (this is expected)
but then user ABC should be shown error on first page itself.
In short, for all the accounts that do not already have permissions on reports, the server should challenge me to enter an account and password.
Is there some setting in the configuration file?
Any help would be appreciated
Thanks in advance!
View 7 Replies
View Related
Sep 24, 2005
I am designing an application built on sql server 2000
how can I prohibit other sql server users from accessing my database and allowing only acceesing it through my application or through owner designer of sql server database.
my situation needs sometimes copying the db from the end user platforms to
my designer computer to analyze some problems or maintainenace or modification, and also I have no control on users windows environment and I need the end user professional not to enter the my db from outside my application.
So,
is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.
Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.
View 1 Replies
View Related
Apr 28, 2008
Hi,
Do you guys know how to call secure FTP from a script task in an SSIS package which can be done by invoking the exe like winscp from a script task
View 1 Replies
View Related
Apr 9, 2008
hi everybody ,
Can anybody tell me about Secure FTP
and how the code for uploading and downloading of files can be write using Visual C#
actually i have created code for Standad FTP(normal FTP), but when I am using it for secure FTP then the compiler is giving an Exception: "Unable to create Remote Server"
very confuse about what to do....??
even very small help would be very very appreciable
thanx .... Nics
View 9 Replies
View Related
Aug 9, 2004
Database files (.mdf and .ldf) could be copied and explored by attaching them to any other instance of sqlserver.
How we could secure those files as we can do for Access file using a password ?
Thanks for any comment.
skentafi
View 1 Replies
View Related
Mar 21, 2006
i need to set up a sql server login that can query the database, but i don't want it to be able to see scheduled jobs or dts packages
actually if i could keep it out of enterprise manager altogether that would be great
how can i set this up?
View 1 Replies
View Related
Jun 30, 2005
If a user is a local admin of the box they can gain full access to the database via integrated security. They can create their own database and attach .MDF
How can i secure the .MDF so that no one can gain access to it?
View 1 Replies
View Related
Mar 5, 2008
I have developed an application that uses a SQL Server compact edition database (.sdf). The database contains important data that I do not wish people to access.
My question is if I choose to Encrypt the database using the option available when you create the database and specify a password how secure is it ?
Are there tools on the market that will be able to crack this password and therefore gain access ?
Thanks
View 1 Replies
View Related
Jul 20, 2005
We can find a lot of recommandations about how to secure a SQL*Server configuration.Does anyone have scripts to do it ?Any advices or links are welcome
View 2 Replies
View Related
Jul 20, 2005
How would I set up secure replication between 2 servers that are indifferent cities?Would I need to define linked servers first?Would I use SSL?Help appreciated. Thanks.Steve*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!
View 1 Replies
View Related
Jul 10, 2007
Hello...
I develop a .NET Application which uses a SQL Express Database. The application will be distributet to several customers. That means the customer must have (or install) SQL Server Express Edition .
But we dont want that the users manual access to the database.
As far as understand that is not possible because the user (customer) will be the administrator for the SQL Server Express because it runs in his own PC (no password security).
Am I right? Thank you..
View 1 Replies
View Related
Oct 24, 2006
Is it possible to secure a SQL Server database or schema using a technique such as the .Net StrongNameIdentityPermission attribute? The intent is that SQL Server would only permit transactions coming from assemblies which were signed with a particular .Net StrongName private key.
We are installing a 3rd party SQL Server / ASP.Net application which must run in our DMZ and we are looking for all possible measures to secure the SQL Server database.
Thanks
View 1 Replies
View Related
Jun 30, 2005
If a user is a local admin of the box they can gain full access to the database via integrated security. They can create their own database and attach .MDF
View 24 Replies
View Related
Jun 16, 2007
hello all,
I've recently started using sql express 2005. I've used the features very conveniently.
But one thing i coudn't understand is how can i secure my database from unwanted access.
I've Installed Sql Express 2005 with mixed mode authentication (Sql authentication) and attached my Database. But it also connects with Windows authentication, and all my data tables are openly visible.!!
How can i Secure my database now..!!!
My intention is to restrict access to my databases only to certain users (may be SQL Logins)
Please guide me how to accomplish this...
Thanks
View 11 Replies
View Related