[Date Prev][Date
Next][Thread Prev][Thread Next][Date
Index][Thread Index]
Re: A Little OT: Server Security
- To: <ukha_d@xxxxxxx>
- Subject: Re: A Little OT: Server Security
- From: "Adam Stevens" <adam@xxxxxxx>
- Date: Wed, 18 Jun 2003 16:06:18 +0100
- Mailing-list: list ukha_d@xxxxxxx; contact
ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
If you don't need remote access to enterprise manager then the best
solution is to firewall the SQL box, and only allow traffic on port 1433
>from
different machines - Otherwise just lockdown 1433).
If you do need enterprise manager access, you could still firewall the
SQL box to disallow access from unknown IPs, and just allow your gateway
access.
Either way though, do make sure you've got SQL service pack 3 installed
- When the Slammer worm was around a few months ago we were finding that
because of the *huge* number of infected machines out there, non-patched
SQL boxes were getting re-infected within about 90 seconds of being
switched on... That was a fun way to spend a Saturday morning :-)
FWIW, SSL is only needed if you want to protect data transferred between
the web client and the server (eg, credit card details). General server
security and SSL is slightly different, although both may be valid in
your case.
It might be worth getting hold of "Hacking Exposed Windows 2000"
(http://www.amazon.co.uk/exec/obidos/ASIN/0072192623/).
It's more a
book about how to hack w2k, but if you know how to hack it, you also
know how to protect it.
HTH,
A.
"Alex Monaghan" <ha@xxxxxxx> wrote in message
news:<NABBJJKOFMKNKCMGPJFBGEPEIGAA.alex@xxxxxxx>...
> Make sure you guard against SQL exploits, try googling for "SQL
> Injection" as you can potentially do lots of "nasty
things" to your
> database and / or server even if you're going over a secure link :-)
>
> The basic HTTPS setup should be straightforward, you can create your
> own certificate, but if you accepting beer tokens, then you'll
> probably want to go with something like verisign.
>
>
>
> > -----Original Message-----
> > From: Rob Mouser [mailto:rmouser@xxxxxxx]
> > Sent: 18 June 2003 15:19
> > To: ukha_d@xxxxxxx
> > Subject: [ukha_d] A Little OT: Server Security
> >
> >
> > Here at work we are developing an on-line ordering system which
will
> > link directly to our SQL server (We are populating our own web
> > server at present.). Can anyone point me in the direction of a
good
> > source of information (Basics upwards!) on the implementation of
a
> > secure site (I.e. HTTPS) as we seem to have something of a hole
in
> > our knowledge here :-( and I don't fancy a hole in our security
> > (Ouch!)
> >
> >
> >
> > Thanks for all your time.
> >
> >
> >
> > Many thanks
> >
> >
> >
> > Rob
> >
> > _____
> >
> > Rob Mouser
> > Director
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > _____
> >
> > The information contained in or attached to this email is
intended
> > only for the use of the individual or entity to which it is
> > addressed. If an addressing or transmission error has misdirected
> > this e-mail and you are not the intended recipient, or a person
> > responsible for delivering it to the intended recipient, you are
not
> > authorised to and must not disclose, copy, distribute, print or
> > retain this message or any part of it. It may contain information
> > which is confidential and/or covered by legal professional or
other
> > privilege (or other rules or laws with similar effect in
> > jurisdictions outside England and Wales).
> >
> > The views expressed in this email are not necessarily the views
of
> > Chamaeleo Ltd, and the company, its directors, officers or
employees
> > make no representation or accept any liability for its accuracy
or
> > completeness unless expressly stated to the contrary.
> >
> >
> >
> >
> >
> > [Non-text portions of this message have been removed]
> >
> >
> >
> > ** UKHA2004 BE THERE! ** - start planning now.
> >
> > http://www.automatedhome.co.uk
> > Post message: ukha_d@xxxxxxx
> > Subscribe: ukha_d-subscribe@xxxxxxx
> > Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> > List owner: ukha_d-owner@xxxxxxx
> >
> > Your use of Yahoo! Groups is subject to
> > http://docs.yahoo.com/info/terms/
> >
> >
>
>
> ------------------------ Yahoo! Groups Sponsor
> ---------------------~--> Get A Free Psychic Reading! Your Online
> Answer To Life's Important Questions.
> http://us.click.yahoo.com/Lj3uPC/Me7FAA/ySSFAA/IBOolB/TM
>
---------------------------------------------------------------------~->
>
> ** UKHA2004 BE THERE! ** - start planning now.
>
> http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> Your use of Yahoo! Groups is subject to
> http://docs.yahoo.com/info/terms/
>
>
Home |
Main Index |
Thread Index
|