Fog Creek Software
Discussion Board

MSDE Desktop Security

I have heard that it's generally a bad idea to run MS-SQL on a machine that either has a real IP or is not behind a firewall, so I'm wondering if it's a bad idea to run the free MSDE Desktop (or ASP) server.  Microsoft's website says that you can run MSDE as the database server for ASP.NET websites.  However, I'm worried that if I run it, I'll be compromising my machine.

Has anyone here had any experience running the MSDE Desktop (or ASP) edition with a direct connection to the Net?  Am I being an overly paranoid MySQL fan?

Thanks!

Andrew Burton
Wednesday, April 7, 2004

If you're running the database for a website, it doesn't need to be open to the 'net - it only needs to be open to the process running the site. Even if it's on the same machine, you can firewall it so 1433 calls are only allowed from the local host.

Philo

Philo
Wednesday, April 7, 2004

I think there's a setup switch for MSDE to disable all network protocols.

To be doubly sure you can run svrnetcn.exe (it should be in your PATH after installing MSDE) - here you can disable all network protocols. To connect to the database on the local machine you use:
  (local)
or
  (local)\InstanceName

which connects via shared memory rather than via any network gubbins.

Duncan Smart
Wednesday, April 7, 2004

Philo: I'm ashamed to say this, but blocking that port from the outside hadn't even occurred to me.  Thank you!

Duncan: Thank you.  Getting even further away from the network is even better.  (Mind you, I think I'll still block that port. *g*)

Thanks, guys!

Andrew Burton
Wednesday, April 7, 2004

Being a pedant... blocking 1433 wouldn't be enough, as this only blocks calls via the TCP/IP Socket NetLib. Named pipes are also enabled by default, so you'd need to block SMB/NetBIOS/NetBT too - which would also stop you being able to share out files (which might not be a huge problem).

Duncan Smart
Thursday, April 8, 2004

...and Slammer was exploiting port *1434* which is where SQL announces/confirms its presence.

Duncan Smart
Thursday, April 8, 2004

Attention all firewall users:

YOU DO NOT BLOCK PORTS!!!

Rather, you should be blocking EVERYTHING and explicitly OPENING ports ONLY FOR THE SERVICES YOU USE.

If you are not sure what services you use, then open nothing, and let your users' bitching be a guide.

This "default deny" policy protects you from things you don't know about as well as those you do.  If MS SQL decides they need a new protocol and port, the default deny will maintain your protection from outside.

David Jones
Thursday, April 8, 2004
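
Added example, not posted by anyone in this thread: a small Python policy simulator that plays both firewall styles against the traffic discussed above, to show why Duncan's caveat (blocking 1433 alone leaves named pipes over SMB and UDP 1434 reachable) and David's default-deny rule belong together. The sample addresses and ports are constructed; 198.51.100.7 stands in for any outside host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int    # destination port on the MSDE host
    src: str     # CIDR of sources this rule applies to
    action: str  # "allow" or "block"


def decide(rules, default, proto, port, src):
    """First matching rule wins; if nothing matches, the policy default applies."""
    for r in rules:
        if r.proto == proto and r.port == port and ip_address(src) in ip_network(r.src):
            return r.action
    return default


# Style 1: an otherwise open host where you "block 1433 from the outside"
# (default allow, with localhost still permitted to reach SQL).
BLOCKLIST = [
    Rule("tcp", 1433, "127.0.0.0/8", "allow"),
    Rule("tcp", 1433, "0.0.0.0/0", "block"),
]

# Style 2: default deny; open only what the website needs, and let 1433 be
# reached from the loopback address only (the ASP.NET process on the same box).
ALLOWLIST = [
    Rule("tcp", 1433, "127.0.0.0/8", "allow"),
    Rule("tcp", 80, "0.0.0.0/0", "allow"),
    Rule("tcp", 443, "0.0.0.0/0", "allow"),
]

# Constructed sample traffic: an outside host and the local web process.
SAMPLE = [
    ("tcp", 1433, "198.51.100.7"),  # TCP/IP Socket NetLib from outside
    ("tcp", 445, "198.51.100.7"),   # named pipes ride on SMB, not on 1433
    ("udp", 1434, "198.51.100.7"),  # SQL resolution service, Slammer's port
    ("tcp", 1433, "127.0.0.1"),     # the website's own database connection
    ("tcp", 80, "198.51.100.7"),    # an ordinary visitor to the site
]


def evaluate(rules, default):
    """Map each sample packet to the verdict the given policy produces."""
    return {(p, port, src): decide(rules, default, p, port, src) for p, port, src in SAMPLE}


def exposed_from_outside(rules, default):
    """Services an outside host can still reach under this policy."""
    return sorted((p, port) for (p, port, src), v in evaluate(rules, default).items()
                  if v == "allow" and not ip_address(src).is_loopback)
```

Under the blocklist style `exposed_from_outside` still lists SMB 445 and UDP 1434; under default deny only 80 survives, while the loopback connection to 1433 keeps working.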

amen, brother!

Michael Kale
Thursday, April 8, 2004