SQL Server with Mr. Denny

Oct 19 2016   8:10PM GMT

Obscurity is not Security

Denny Cherry Denny Cherry Profile: Denny Cherry

Tags:
SQL Server

AndyWe’ve all heard the argument that using a different TCP port number for SQL, other than 1433, is more secure.  Here’s the truth, it isn’t.  Andy said it best here in a conversation on Twitter that happened in the #sqlhelp hash tag.  If you think that hiding your SQL Servers on a different TCP port number is going to make them harder to break into you are sadly mistaken.

The two most common ways of a data breach are employees and SQL Injection.  Employees already know what port the SQL Server is listening on, as they know how to connect to it already.  If not, they can easily download a port scanner and scan the SQL Server for open ports.  The ones that are open they’ll connect to.  If it’s a decent port scanner it’ll tell them which port is SQL and what all the other open ports are so they’ll know which one to connect to. You’ve slowed the attacker down by about 5-10 seconds, maybe.

If the attacker is using SQL injection then they don’t care what port the SQL Server is running on. They are connecting to the web/app tier and just using whatever SQL Server connection information that the application has to get access to your database.  By changing the TCP port number you haven’t slowed them down at all.

Proper security requires understand user/business requirements and building a solution which will meet those requirements while building proper secure protections into the system so that if something does go wrong the exposure is limited.

Pretending that hiding the servers and making them harder to find is making them more secure isn’t.  Spend time doing things which will make the environment actually secure so that when the system is breached the data isn’t all lost.  And if possible do this without making the environment harder to manage, which is all that you are doing by changing the TCP port numbers.

Denny

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: