
Thread: Microsoft SQL and IIS on the same server

  1. #1

    Microsoft SQL and IIS on the same server

    Hi everyone
    I have heard this said by people in passing but am trying to confirm it. Are there any security issues with putting MS SQL 2000 on the same server as IIS (current version)? I have googled around and checked out some other sources and haven't been able to find a definitive answer. The best I have been able to determine is that there may be problems based upon the patching level and the particular configuration.

    What I would like to determine is:
    1. Firstly, is it best practice to undertake this sort of configuration, or is it something to be avoided at all costs?

    2. Is it simply a case of maintaining current patching levels and careful configuration to avoid any problems?

    Regards

    Tek

  2. #2
    Junior Member
    Join Date
    Mar 2003
    Posts
    5
    It's a matter of how much risk you are willing to take. IIS servers are in general more likely to be hacked than non-web servers. Remember when several exploits were discovered that often allowed the attacker to have a command console with SYSTEM privileges on the server by simply typing the MSDOS command in a browser's URL? IIS has a very bad history of being vulnerable to several exploits...
    When an IIS server is hacked, usually the attacker will have either SYSTEM rights on the server, or (hopefully) the lower rights of one of the IUSR accounts. These are all local accounts and thus have very limited access to the network. However if you have a SQL server running on the same server, that would make it much easier for the attacker to gain access to it than if it was hosted on a separate server.

    Roberto

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Best practice is to separate them if the IIS server is publicly available.

    Now.... This is my opinion.... Even if you separate them do not put the SQL server on the trusted network. If your internal clients need access to it place it in the DMZ and set appropriate ACLs at the firewall to only allow connections from the private to the DMZ on the appropriate ports.

    From a security POV I really dislike making databases available publicly. They are a significant additional layer of complexity whose security is very difficult to assure. The more confidential data you put in there, the more you raise the stakes and put a big fat target on your organization. It's ok if you are running a BBS for Tortoise Husbandry, but once you start putting personal data on it you attract the attention of the seamier people out there.

    I have a sister organization that wants to put its membership data on a public web site yet keep the server back in his facility to make it easier for their customers. I asked what data was held in that database. Name, address, credit card number.... was as far as the admin got.... "Sorry, but you aren't doing that inside my network" was my response. With all the injection techniques etc. neither he nor I am qualified to sit here and say "Oh yeah, I can secure it, test it and monitor it effectively", and I really don't trust the sales guy from the company selling the product if he tells me "No problem - the code is bulletproof".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    haha....you said 'sales guy' 'no problem' and 'bulletproof' in the same sentence.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  5. #5
    Great response, Tiger, and astute observation, Juridian. Keep in mind that Microsoft Windows Small Business Server is designed to have all those things in one box. That is not good practice and not the best way to protect your business, but that is what that particular version of the server does. I've seen them set up with IIS, ISA, SQL, and Exchange all running on the same system. Slowly, yes, but running. I haven't dug deeply into SB server to determine how that is done (I suspect virtual machines), but it is done and the course materials (Microsoft Official Curriculum) follow that path. Of course, this is for small office/home office networks where one server may be the norm and there might only be a handful of client workstations. Putting a public face on that, though, is just plain scary.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Your web application needs access to the database server anyway (well, some level of access to some database). Even if you put it on a separate machine, if the web server is compromised, an attacker gains whatever level of access the web application had.

    Therefore, unless you had some other, non-web related database on the same machine, I can't see how it improves security (much) to separate them.

    So - yes, do put MSSQL server on the same box as IIS, but no, don't put your accounts database on the same machine when MSSQL is just used for some small membership system or something.

    Putting the database on another machine will seriously reduce the performance of your web app.

    Slarty

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I have a couple sites that run the SBS....and if you throw good hardware at it...there are no performance issues.....

    Really depends what you are doing with it.....one thing is the SQL and Exchange regularly fight for resources...

    So if the site is heavy on exchange and SQL both ...I would consider breaking them apart...depending on user base

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    And, so, TechGrunt, you find that there are numerous opinions. I think the key, if you are looking at your own setup, is making sure you have adequate controls and security for the OS, applications and connections to make sure that everything stays _yours_ and the data is safe.

    I like MLF's "throw good hardware at it" response. Just make sure others are out of the way.


  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm familiar with SBS - a bit.... The wonderful thing about SBS is that MS has decided that if you are a "small business" you can't afford the hardware for the second server - so they bundle everything in one system, (SBS), and make it bloody impossible to join that server to an existing domain and almost bloody impossible to join another server to the spanking new SBS domain it insists on creating for itself..... Utterly godlike in its narcissism... But it can be done....

    As far as placing the SQL server on the same server as the IIS or not:-

    If you run them both on the same machine then _either_ could be exploited and the _single_ server is compromised. If you separate them then an exploit on one box does not necessarily compromise the other box. If the IIS server is the only publicly available server and the SQL server properly sanitizes the input then the SQL server _should_ be very difficult to compromise even if the IIS server is. With them separated the attacker needs two exploits that work, with them together he can gain a foothold on the single box and even if it is a low level user context - but we have all heard of privilege escalation.

    That's my position - two "major" systems on the same box complicate the box... The more complicated the box the more vulnerable it is..... Thus separation _without_ trust is the way to go....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
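    The separation argument in post #9 (an attacker needs two working exploits when IIS and SQL sit on different boxes, one when they share a box) and the DMZ/ACL layout from post #3 can be checked against a concrete firewall policy. The following is an added example, not code from the thread; the zones, hosts, ports and rules are constructed, and it assumes the worst case that any service the firewall lets an attacker reach is exploitable and that owning a host lets them send whatever that host's zone may send.

```python
from collections import deque

# Firewall rule: (src_zone, dst_zone, dst_port, action). First match wins,
# unmatched traffic is denied. "any" is a wildcard. All values are constructed.
def allowed(rules, src, dst, port):
    """True if the first matching rule permits src_zone -> dst_zone:port."""
    for r_src, r_dst, r_port, action in rules:
        if r_src in ("any", src) and r_dst in ("any", dst) and r_port in ("any", port):
            return action == "allow"
    return False  # implicit deny

def directly_exposed(rules, hosts, from_zone, port):
    """Hosts listening on `port` that `from_zone` can reach without pivoting."""
    return sorted(n for n, h in hosts.items()
                  if port in h["ports"] and allowed(rules, from_zone, h["zone"], port))

def hosts_to_compromise(rules, hosts, start_zone, target):
    """Fewest hosts (target included) an attacker starting in start_zone must own
    before holding a foothold on `target`; None if the policy leaves no path.
    Worst-case assumption: every reachable listening port is exploitable, and owning
    a host lets the attacker originate any traffic allowed from that host's zone."""
    queue, seen = deque([(start_zone, 0)]), set()
    while queue:
        zone, owned = queue.popleft()
        for name, h in hosts.items():
            if name in seen:
                continue
            if any(allowed(rules, zone, h["zone"], p) for p in h["ports"]):
                if name == target:
                    return owned + 1
                seen.add(name)
                queue.append((h["zone"], owned + 1))
    return None

# Post #3's layout: IIS and SQL both in the DMZ, SQL reachable on 1433 only from the
# IIS host's zone and from the private network, never from the internet.
SEPARATED_RULES = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("dmz", "dmz", 1433, "allow"),      # web app needs the database (post #6)
    ("private", "dmz", 1433, "allow"),  # internal clients via firewall ACL (post #3)
]
SEPARATED_HOSTS = {"iis": {"zone": "dmz", "ports": {80, 443}},
                   "sql": {"zone": "dmz", "ports": {1433}}}
COLOCATED_HOSTS = {"combined": {"zone": "dmz", "ports": {80, 443, 1433}}}

if __name__ == "__main__":
    print("separated:", hosts_to_compromise(SEPARATED_RULES, SEPARATED_HOSTS, "internet", "sql"))
    print("colocated:", hosts_to_compromise(SEPARATED_RULES, COLOCATED_HOSTS, "internet", "combined"))
    print("SQL exposed to internet:", directly_exposed(SEPARATED_RULES, SEPARATED_HOSTS, "internet", 1433))
```

With the same rule set the separated layout needs two compromised hosts and the single box needs one; a permissive `("any", "any", "any", "allow")` rule collapses both to one and lists the SQL host as directly exposed.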

  10. #10
    Thanks for the responses everyone. Given me a bit to go on

    Tek
