Kristen
Test
22859 Posts |
Posted - 2010-06-02 : 06:09:02
|
We have a SQL box at our web hosts, also an IIS box; both are behind our own firewall. Firewall is open to specific IP addresses for our office and client's office. That's it. I suggested moving SQL Server listening port from 1433 to 10,000+ (as most port scanners don't bother that high). My network guys are confident that this is as tight as a Duck's *** :) and thus we don't need extra hassle of non standard ports etc. I can see the sense in not continuously looking for doors to double-bolt ... but I'm not sure where to draw the line. What's your opinion? |
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2010-06-02 : 12:22:19
|
I recently went through a discussion about this. The developers said that 1433 would be as secure as a non-standard port. They also said that a port over 10000 is not any more secure than one with 4 digits. My stance is to follow the industry standard to use a port that is 5 digits. It's a standard for a reason. I don't have any access to the firewalls to see if the network admins locked down 1433 properly, so can I trust them? Sure I can trust them, but it's safer to use 5 digits.
Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/ |
 |
|
Kristen
Test
22859 Posts |
Posted - 2010-06-02 : 12:54:08
|
"so can I trust them?" Useful, thanks Tara. I think I'm talking to an immoveable object, but I'd hate to be in a position to say "I told you so" in 6 months' time. |
 |
|
sqlserverport
Starting Member
2 Posts |
Posted - 2011-09-02 : 12:03:48
|
Kristen, the firewall should be dropping all packets on all ports that aren't required, so 1433 is safe. No port scanners will find 1433 from the outside world anyway, the port forwarding/NAT on the router should be set to only allow connections from the IPs of the remote offices. (I'm assuming your client has a static IP).
http://www.sqlserverport.net |
 |
|
Kristen
Test
22859 Posts |
Posted - 2011-09-02 : 12:37:36
|
We've had a hack-attack virus find our server from a consultant visiting and being given a network login for his laptop. Not a threat that would affect our hosted servers, as they are behind our firewall and there is only the firewall and the servers "on the LAN". But I still don't trust that there is no way for a straw-man to get between the server and the firewall. Cabling mistake in the rack would do it ... I'm keeping our SQL boxes on non-standard, high-numbered, ports. |
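
An added example, not part of the thread or any poster's code: instead of taking the firewall lockdown on trust, a rule export can be audited for allow rules that open a SQL Server port to sources outside the office allowlist. The rule format, the first-match/default-deny semantics, the addresses (documentation ranges) and the high port 14330 are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed rule export. Assumption: first matching rule wins, default deny.
RULES = [
    {"action": "allow", "src": "203.0.113.0/29",   "port": 1433},   # our office
    {"action": "allow", "src": "198.51.100.17/32", "port": 1433},   # client office
    {"action": "allow", "src": "0.0.0.0/0",        "port": 443},    # IIS box
    {"action": "allow", "src": "0.0.0.0/0",        "port": 14330},  # leftover test rule
]
ALLOWED_SOURCES = ["203.0.113.0/29", "198.51.100.17/32"]
SQL_PORTS = [1433, 14330]  # standard port plus a hypothetical high port


def matches(rule, src_ip, port):
    """True when the rule covers this source address and destination port."""
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"])
    return in_net and rule["port"] in (port, "any")


def verdict(rules, src_ip, port):
    """Evaluate one connection attempt: first match wins, otherwise drop."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule["action"]
    return "deny"


def overbroad_rules(rules, sql_ports, allowed_sources):
    """Allow rules that open a SQL port to a source outside the allowlist.

    A rule is flagged for review even if an earlier rule happens to shadow it.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        ports = sql_ports if rule["port"] == "any" else [rule["port"]]
        src = ipaddress.ip_network(rule["src"])
        for port in ports:
            if port in sql_ports and not any(src.subnet_of(a) for a in allowed):
                findings.append((index, rule["src"], port))
    return findings


if __name__ == "__main__":
    for index, src, port in overbroad_rules(RULES, SQL_PORTS, ALLOWED_SOURCES):
        print(f"rule {index}: port {port} is open to {src}")
    print("outside host -> 1433:", verdict(RULES, "192.0.2.44", 1433))
```

In this constructed rule set the standard port is restricted to the two offices while the high port is open to any source, which is the kind of gap that only shows up when the rules themselves are checked.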
 |