IIS 6.0, ASP.NET, SQL 2000 on one server?

on 30.10.2007 15:19:01 by gcadmindude

Hi gang! I need some help here...ok, I need a LOT of help here! I've just
been informed that we will be building a new Win2003 based web server that
will host our public web site. To my surprise I have been directed to put
all of our SQL 2000 databases on this server. My first response...are you
nuts!? Their response....make it happen!

Ok...is it even possible to effectively secure a SQL 2000 database on a
Win2003 based web server that's located on a corporate DMZ behind a firewall?
I know that IIS 6.0 installs in a lockdown mode but is the default install
secure enough to run SQL databases on the same server?

There will also be a number of custom applications currently under
development running on the web server. Add to that the need for access from
within the corporate network to the SQL databases...

And of course the big question, what additional steps are needed to secure
the SQL databases!???? ARGH!!!!!!!

Any suggestions would be greatly appreciated! I should mention that I'm in
no way a SQL or IIS expert. Please give details in any responses.

Thanks! Michael

Re: IIS 6.0, ASP.NET, SQL 2000 on one server?

on 13.11.2007 03:23:53 by Ken Schaefer

You should start by looking on the Microsoft TechNet security subsite for
guidance on securing SQL Server.

There are permissions you need to configure within SQL Server, and also in
reducing the attack surface of SQL Server (e.g. limiting connections to just
the local host i.e. IIS, and from your internal network).

That prevents direct attacks against SQL Server, because external users
would not be able to directly connect to it. They'd need to attack your web
application or similar, to be able to get to SQL Server.

Cheers
Ken

"gcadmindude" wrote in message
news:19F6C166-A348-4095-AB15-CF7C65E277EA@microsoft.com...
> Hi gang! I need some help here...ok, I need a LOT of help here! I've just
> been informed that we will be building a new Win2003 based web server that
> will host our public web site. To my surprise I have been directed to put
> all of our SQL 2000 databases on this server. My first response...are you
> nuts!? Their response....make it happen!
>
> Ok...is it even possible to effectively secure a SQL 2000 database on a
> Win2003 based web server that's located on a corporate DMZ behind a firewall?
> I know that IIS 6.0 installs in a lockdown mode but is the default install
> secure enough to run SQL databases on the same server?
>
> There will also be a number of custom applications currently under
> development running on the web server. Add to that the need for access from
> within the corporate network to the SQL databases...
>
> And of course the big question, what additional steps are needed to secure
> the SQL databases!???? ARGH!!!!!!!
>
> Any suggestions would be greatly appreciated! I should mention that I'm in
> no way a SQL or IIS expert. Please give details in any responses.
>
> Thanks! Michael
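
One way to check the restriction described in the reply above (SQL Server reachable only from the local host and the internal network), as an added example that is not part of the original thread. It audits saved `netstat -an` output; the ports are SQL Server's defaults (TCP 1433, UDP 1434), and the internal range `10.0.0.0/8`, the function names and the sample output are assumptions constructed for illustration.

```python
import ipaddress

SQL_PORTS = {1433, 1434}  # SQL Server defaults: TCP 1433, UDP 1434 (resolution service)
# Assumed policy: loopback (IIS on the same box) plus a hypothetical internal range.
ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        10.1.2.3:4021          ESTABLISHED
  TCP    192.0.2.10:1433        203.0.113.77:51515     ESTABLISHED
  TCP    127.0.0.1:1433         127.0.0.1:1050         ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.4:40000     ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; strip brackets from IPv6 hosts."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def audit_sql_exposure(netstat_text, allowed=ALLOWED):
    """Return (finding, proto, endpoint) tuples for SQL ports outside the policy."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        local_host, local_port = split_endpoint(parts[1])
        if not local_port.isdigit() or int(local_port) not in SQL_PORTS:
            continue  # not a SQL Server socket
        remote_host, _ = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        if state == "LISTENING" or remote_host in ("*", "0.0.0.0", "::"):
            # A listener bound to every interface relies entirely on the
            # firewall / IPsec filters to keep external hosts out.
            if local_host in ("0.0.0.0", "::"):
                findings.append(("listener-all-interfaces", parts[0], parts[1]))
            continue
        remote = ipaddress.ip_address(remote_host)
        if not any(remote in net for net in allowed):
            findings.append(("remote-outside-policy", parts[0], parts[2]))
    return findings

if __name__ == "__main__":
    for finding in audit_sql_exposure(SAMPLE):
        print(*finding)
```

A `listener-all-interfaces` finding is a prompt to confirm that packet filtering in front of the server blocks the port; a `remote-outside-policy` finding means a host outside the allowed ranges already holds a connection to SQL Server.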