Ask The SQL Server Expert: Questions & Answers

Securing IIS and SQL Server as part of an online platform

EXPERT RESPONSE FROM: Steven Andres

QUESTION POSED ON: 11 May 2006
How would you secure Internet Information Server (IIS) and SQL Server as part of new online banking platform? Members will connect to the Web server to conduct their online banking transactions. The SQL Server databases will contain member data as well as other sensitive data. The Web server will be in its own demilitarized zone (DMZ) and it will be a standalone server. However, the SQL Server servers (and one middleware server) will be in our DMZ. I wasn't sure what the common practice is for domain membership for servers in DMZs. Just a high-level response would be okay. Should SQL be behind two firewalls and should Internet Protocol Security (IPsec) be used between IIS and SQL Server?

I personally would keep the DMZ machines as distant from your internal domain as possible. That means NOT putting them into the domain. Secure your IIS 5 server using the IIS Lockdown script from Microsoft. If you're using IIS 6, you're a lot more protected "out of the box". If you can upgrade the Web servers to IIS 6, go ahead and do so. The folks over at eEye have a nice little product called SecureIIS that adds some protection and rudimentary IPS abilities to IIS. I've used it on IIS 5 but have no experience with that product on IIS 6.

If you have some dollars to spend, I would look at Entercept (now owned by McAfee). Their host-based IPS is really top notch, and will prevent known and anomalous (unknown) attacks. Check out SQLSecurity.com for help locking down your database. The site's maintainer, Chip Andrews, is the person who coined the phrase "SQL injection" and has been an authority on securing databases for almost a decade.

IPsec between the Web and the database is a fantastic idea but realize this only protects against someone sniffing traffic between the two. If someone compromises the Web server, the IPsec tunneled between it and the database will still be intact. In fact, it will aid in cloaking the activities of the attacker from any network signature-based IDS that you may have in the DMZ (such as Snort).
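The answer's architecture (standalone web server, middleware, SQL Server behind a firewall, none of them domain members, IPsec between web and database) implies a small set of permitted flows, and the caveat about IPsec is that a signature IDS loses the payload but still sees who talks to whom on which port. The following is an added example, not from the original answer or from any product named there: a constructed flow-log policy check that flags traffic the design says should never happen. All addresses, ports and the log format are assumptions.

```python
import ipaddress

# Constructed topology for the platform described in the answer (assumed values).
DMZ = ipaddress.ip_network("10.10.0.0/24")
INTERNAL = ipaddress.ip_network("10.20.0.0/16")      # corporate domain network
WEB, MIDDLEWARE, SQL = "10.10.0.10", "10.10.0.20", "10.10.0.30"

# Flows the design permits: (src, dst, dst_port). "ANY" means Internet clients.
ALLOWED = {
    ("ANY", WEB, 443),
    (WEB, MIDDLEWARE, 8080),
    (MIDDLEWARE, SQL, 1433),
}
# Ports that would indicate a DMZ host talking to the internal domain
# (Kerberos, LDAP, LDAPS, RPC endpoint mapper, SMB). Not expected if the
# DMZ servers are kept out of the domain, as the answer recommends.
DOMAIN_PORTS = {88, 389, 636, 135, 445}

def parse_flow(line):
    # Assumed log format: "<src_ip> <dst_ip> <dst_port> <proto> <action>"
    src, dst, port, proto, action = line.split()
    return src, dst, int(port), proto, action

def classify(line):
    """Return "ok" or a short verdict naming the policy the flow breaks."""
    src, dst, port, _proto, _action = parse_flow(line)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in DMZ and dst_ip in INTERNAL and port in DOMAIN_PORTS:
        return "domain-traffic-from-dmz"
    if dst == SQL and (src, dst, port) not in ALLOWED:
        return "unexpected-sql-client"        # e.g. web server bypassing middleware
    if src == SQL and dst_ip not in DMZ:
        return "sql-egress"                   # the database never initiates outbound
    if (src, dst, port) in ALLOWED or (("ANY", dst, port) in ALLOWED and src_ip not in DMZ):
        return "ok"
    return "review"

def audit(log_text):
    """Return [(line, verdict)] for every flow that is not "ok"."""
    return [(ln, classify(ln)) for ln in log_text.splitlines() if classify(ln) != "ok"]

# Constructed sample log: two legitimate hops, then three violations.
SAMPLE_LOG = """\
203.0.113.5 10.10.0.10 443 tcp allow
10.10.0.10 10.10.0.20 8080 tcp allow
10.10.0.20 10.10.0.30 1433 tcp allow
10.10.0.10 10.10.0.30 1433 tcp allow
10.10.0.30 10.20.0.5 389 tcp allow
10.10.0.30 203.0.113.9 443 tcp allow
"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:28} {line}")
```

Because IPsec encrypts only the payload, these src/dst/port checks keep working on the DMZ firewall or flow logs even when a content-inspecting IDS sees nothing useful between the web and database servers.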
