Posted by: Denny Cherry
Networking, Security, SecurityFightClub, SQL Server
All too often I see people online asking some sort of question about connecting to their CoLo’ed SQL Server, and it turns out they connect directly over the Internet. This is nuts, people. If you can reach your SQL Server with Management Studio from anywhere on the Internet, so can the people who would love to break into your SQL Server and use the machine for their own purposes.
SQL Servers shouldn’t ever be directly accessible from the Internet. Even if you have to use public IPs to host the machines, make sure there is a firewall set up between that server and the public Internet so that no one has any sort of direct access to the machine from outside the data center.
How do you manage the SQL Server in this case? You use the router’s built-in functions to set up a point-to-point VPN with your office router, so that you can communicate securely with the servers in the CoLo without sending that data in plain text over the Internet.
For that matter, while you are locking down the SQL Server, I suggest that the Web Servers be locked down as well. The only ports they should have open are 80 and 443, unless you are running streaming servers or known FTP servers.
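As an added example (not from the original post), here is what that lockdown looks like as Windows Firewall rules on the server itself, using the NetSecurity cmdlets available on Windows Server 2012 and later: the SQL Server role is reachable only from the office side of the VPN, and the web server role exposes only 80 and 443. The VPN subnet and the role parameter are assumptions for illustration; the SQL ports shown are the defaults.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# session on the server being locked down. Assumed values are marked below.
param(
    [ValidateSet('SqlServer', 'WebServer')]
    [string]$Role = 'SqlServer'
)

$OfficeVpnSubnet = '10.50.0.0/24'   # ASSUMED: the office network behind the site-to-site VPN

# Default-deny inbound on every profile; only explicit allow rules below open anything.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

if ($Role -eq 'SqlServer') {
    # SQL Server default instance (TCP 1433) and SQL Browser (UDP 1434): VPN subnet only,
    # never from the Internet. Adjust the port if the instance uses a fixed non-default port.
    New-NetFirewallRule -DisplayName 'SQL Server TCP - VPN only' -Direction Inbound `
        -Protocol TCP -LocalPort 1433 -RemoteAddress $OfficeVpnSubnet -Action Allow
    New-NetFirewallRule -DisplayName 'SQL Browser UDP - VPN only' -Direction Inbound `
        -Protocol UDP -LocalPort 1434 -RemoteAddress $OfficeVpnSubnet -Action Allow
    # Remote administration also rides the VPN; nothing else is opened.
    New-NetFirewallRule -DisplayName 'RDP - VPN only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $OfficeVpnSubnet -Action Allow
}
else {
    # Web server: HTTP and HTTPS open to the world, administration still VPN-only.
    New-NetFirewallRule -DisplayName 'HTTP and HTTPS - any' -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Allow
    New-NetFirewallRule -DisplayName 'RDP - VPN only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $OfficeVpnSubnet -Action Allow
}

# Verification: list every enabled inbound allow rule that is NOT limited to the VPN subnet.
# On a SQL Server this list should be empty; on a web server it should show only 80 and 443.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    $port   = ($_ | Get-NetFirewallPortFilter).LocalPort
    if ($remote -notcontains $OfficeVpnSubnet) {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = ($port -join ',')
            RemoteAddress = ($remote -join ',')
        }
    }
} | Format-Table -AutoSize
```

The host firewall is a second layer, not a replacement for the perimeter firewall between the CoLo servers and the Internet that the post calls for; any rule in the verification output that reaches a SQL port from an address other than the VPN subnet is a misconfiguration to fix.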
If your servers have been sitting exposed on the public Internet, then I highly suggest that you install anti-virus software on them and check for viruses, malware, etc. that is doing things you don’t want it to be doing.
Several years ago I was doing some work for a company that had Windows 2003 servers sitting directly on the Internet without anti-virus and with no firewall. When I got to the machines and took them off the Internet for cleaning, there were over 200 viruses on the machines that they had no idea were on there. Their complaint was that the machines were running slow, and network costs kept going up. God only knows what sort of network traffic these viruses were generating as they did whatever it was they were trying to do.