hitting some boundaries of Access, and are ready to move to SQL. They are
going to keep the front end in Access b/c of the massive amounts of code
they have written. We are going to set them up a SQL server in a datacenter,
and use linked tables in their access database. They have offices all over
the eastern half of the US, so they will need to connect to the SQL server
from anywhere, pretty much.
Basically my question is how can I keep this secure? I'm going to set up
encryption. Is it a bad idea to leave SQL server open on the public? How
can I lock it down and still keep functionality?

I get about 10-20,000 hits a night from what looks like dictionary attacks.
Make sure all users & sa user have a very long non-standard password.
Can you lock the firewall down to a list of known host ranges on port 1433?
Run MS Baseline security application on sql server box!
Remove all non-essential db's on sql installation.
Regards
Don Grover
"Chris Miller" <cmiller@.compuville.net> wrote in message
news:1010agvq9v9k154@.corp.supernews.com...
> I've got a customer who has an application written in Access. They are
> hitting some boundaries of Access, and are ready to move to SQL. They are
> going to keep the front end in Access b/c of the massive amounts of code
> they have written. We are going to set them up a SQL server in a
> datacenter,
> and use linked tables in their access database. They have offices all over
> the eastern half of the US, so they will need to connect to the SQL server
> from anywhere, pretty much.
>
> Basically my question is how can I keep this secure? I'm going to set up
> encryption. Is it a bad idea to leave SQL server open on the public? How
> can I lock it down and still keep functionality?

I'm going to try to lock it down to only a list of known host ranges, but
I'm not sure that will be possible.
Where do I set what hosts each user can log in from? Also, how do I set sa to
only be allowed to connect from localhost?
-Chris
"Don Grover" <spamfree@.assoft.com.au> wrote in message
news:%23JhsCNS4DHA.2404@.TK2MSFTNGP10.phx.gbl...
> I get about 10-20,000 hits a night from what looks like dictionary
> attacks.
> Make sure all users & sa user have a very long non-standard password.
> Can you lock the firewall down to a list of known host ranges on port 1433?
> Run MS Baseline security application on sql server box!
> Remove all non-essential db's on sql installation.
> Regards
> Don Grover

Chris, I hope you don't mind if I piggyback my question onto yours;
We also have the need to make a sql database accessible via internet. We
think our customers are going to demand encryption over the wire.
sql2k allows for ssl encryption at the protocol level, but my understanding
is that this would require our customers to enable ssl encryption on any sql
server they access from a given client. Am I wrong?
I recall seeing something about using the keyword "encrypt", either in the
connection string or in sql commands, but can find this nowhere in any dox.
Can anyone help me here?
So, what is the best way to do this?
Jeremy
"Chris Miller" <cmiller@.compuville.net> wrote in message
news:1010agvq9v9k154@.corp.supernews.com...
> I've got a customer who has an application written in Access. They are
> hitting some boundaries of Access, and are ready to move to SQL. They are
> going to keep the front end in Access b/c of the massive amounts of code
> they have written. We are going to set them up a SQL server in a
> datacenter,
> and use linked tables in their access database. They have offices all over
> the eastern half of the US, so they will need to connect to the SQL server
> from anywhere, pretty much.
>
> Basically my question is how can I keep this secure? I'm going to set up
> encryption. Is it a bad idea to leave SQL server open on the public? How
> can I lock it down and still keep functionality?

I too will be using SSL Encryption via my ODBC connections.
-Chris
"Jeremy" <grand@.hevanet.com> wrote in message
news:%23NKtQwW4DHA.2136@.TK2MSFTNGP12.phx.gbl...
> Chris, I hope you don't mind if I piggyback my question onto yours;
> We also have the need to make a sql database accessible via internet. We
> think our customers are going to demand encryption over the wire.
> sql2k allows for ssl encryption at the protocol level, but my understanding
> is that this would require our customers to enable ssl encryption on any sql
> server they access from a given client. Am I wrong?
> I recall seeing something about using the keyword "encrypt", either in the
> connection string or in sql commands, but can find this nowhere in any dox.
> Can anyone help me here?
> So, what is the best way to do this?
> Jeremy

"Chris Miller" <cmiller@.compuville.net> wrote in
news:1010c2rc2c6kc99@.corp.supernews.com:
> I'm going to try to lock it down to only a list of known host ranges,
> but I'm not sure that will be possible.
> Where do I set what hosts each user can log in from? Also, how do I set
> sa to only be allowed to connect from localhost?

Did you find an answer to how you limit sa to localhost? I would very much like to
know this answer.
Masa

By default there is no mechanism to do this. You could limit the machines
allowed to connect to the server via firewall or using Microsoft ISA server.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Kevin, are you saying there is no mechanism whatsoever, other than the
global ssl technique, to encrypt data over the wire? Not even a 3rd party
solution?
And yes, we can limit connections to known machines, but the market is
demanding encryption. What argument do we use to convince folks that
unencrypted transfers are ok?
Thanks, Jeremy
> By default there is no mechanism to do this. You could limit the machines
> allowed to connect to the server via firewall or using Microsoft ISA
> server.
> Thanks,
> Kevin McDonnell
> Microsoft Corporation

My response was to a question regarding limiting the network interfaces.
I'm not sure what you meant by this reply:
"are you saying there is no mechanism whatsoever, other than the
global ssl technique, to encrypt data over the wire? Not even a 3rd party
solution?"
We can use SSL encryption with SQL 2000, which relies on PKI.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
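
The firewall allowlist of known host ranges on port 1433 that Don and Kevin suggest can be checked against connection logs before it is enforced, which also shows whether any office would be cut off. This is an added example, not code from any poster in the thread; the log format, the office ranges (documentation networks) and the `audit` helper are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed office ranges (documentation networks, not taken from the thread).
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.64/26")]
SQL_PORT = 1433
# Constructed log format for this example: "<time> SRC=<ip> DPT=<port>".
LINE_RE = re.compile(r"SRC=(\S+)\s+DPT=(\d+)")

def audit(lines, threshold=3):
    """Count port-1433 attempts per source, split by allowlist status.

    Returns (allowed, outside, noisy): per-source Counters for allowlisted
    and other sources, and the other sources with >= threshold attempts.
    """
    allowed, outside = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m.group(2)) != SQL_PORT:
            continue  # not a SQL Server connection attempt
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source address
        bucket = allowed if any(addr in net for net in ALLOWED) else outside
        bucket[str(addr)] += 1
    noisy = sorted(ip for ip, n in outside.items() if n >= threshold)
    return allowed, outside, noisy

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2004-01-20T02:13:05 SRC=203.0.113.77 DPT=1433",
    "2004-01-20T02:13:06 SRC=203.0.113.77 DPT=1433",
    "2004-01-20T02:13:07 SRC=203.0.113.77 DPT=1433",
    "2004-01-20T08:30:11 SRC=192.0.2.15 DPT=1433",
    "2004-01-20T08:31:40 SRC=198.51.100.70 DPT=1433",
    "2004-01-20T08:32:02 SRC=198.51.100.10 DPT=1433",
    "2004-01-20T09:00:00 SRC=203.0.113.5 DPT=80",
    "2004-01-20T09:00:01 SRC=not-an-ip DPT=1433",
]

if __name__ == "__main__":
    allowed, outside, noisy = audit(SAMPLE_LOG)
    print("allowlisted sources:", dict(allowed))
    print("sources the allowlist would block:", dict(outside))
    print("repeated attempts from outside the allowlist:", noisy)
```

A single-attempt source just outside a listed range, such as 198.51.100.10 here, is the kind of entry to review before enforcing the rule, since it may be an office whose range was not listed.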