| |
|
Syteview will run on either SQL Server Version 7.0 or SQL Server 2000. If you are installing a new instance of
SQL Server make sure to install it on an NTFS partition so that you can lock down the program files and database files using
NTFS permissions. During the installation process select all of the default installation options and then follow
the steps listed below to lock down your SQL Server.
Note: If you are installing SQL Server Version 7.0 and will be using the same server for your Internet Information
Server will need to install the IIS Server before installing the SQL Server.
The following links on the Microsoft web site can assist you in the installation process:
Installing SQL Server Version 7.0
Installing SQL Server 2000
Once SQL Server is installed on your server particular care must be taken to configure the SQL Server permissions and the
NTFS (file system) permissions properly. Since Syteview publishes your data to web browsers anywhere on the
internet care must be taken to authenticate every user and restrict their access to only the data, files and stored procedures
that you permit.
Note: We recommend that your SQL Server be isolated from the internet by configuring it with a private, non-routable
IP number. Further isolation can be achieved by using a properly configured router and/or a VLAN on your network
switch.
Note: Your SQL Server should always be located behind a properly configured firewall.
An unsecured SQL Server leaves not only your server open to attack, but through it your entire network.
Here are the minimum steps that should be taken to secure your server.
- Microsoft’s SQL Server provides you with three methods that you can use to authenticate users. Database Authentication, Windows Authentication or a combination of both. ALWAYS try to use Windows Authentication alone. Database authentication is not nearly as secure and is harder to manage and to monitor. Syteview uses only Windows Authentication, but if absolutely necessary it will run on a SQL Server that is using both Windows Authentication and Database Authentication.
- Set up a dedicated Local User account on your SQL Server and use it to start and run the SQL Server process. Restrict the NTFS permissions of this account to only the SQL Server’s installation directory and the physical database and database log files.
- Setup Auditing on your SQL Server using the Sever Enterprise Manager program. Under Audit level you will want to audit at least authentication failures.
- If your SQL Server is running on a computer separate from your IIS Server and you are using the special Syteview data
control (ASP2RemoteSQL.dll) remove all internet routable IP numbers from the SQL Server.
- In all cases, disable the Multiprotocol over TCP/IP protocol under SQL Server Network Utilites on your SQL Server
- If you are running SQL Server 2000 (SP3 required) on the same computer as your IIS Server Disable all Network
Protocols in your SQL Server configuration to prevent your SQL Server from responding to network requests.
Your IIS Server will still be able to request and receive data from your SQL Server. This is a new feature
available with SQL Server 2000 Service Pack 3 or greater.
- If your SQL Server is running on a computer separate from your IIS Server and you are using Windows 2000 Message Digest
Authentication or are using Certificates for authentication remove or disable the TCP/IP network protocol on your server.
- Use a switched (or dedicated) network connection between your SQL Server and the IIS Server. Setup a VLAN between your
SQL Server and the IIS Server if your network switch supports them. Do not use a hub or other shared network
device that could allow another user or system to listen in on the network traffic between your SQL and IIS Servers.
- Make sure your SQL Server is installed on an NTFS partition and lock down access to the physical database and database
log files using NTFS permissions.
- Keep all Service Packs and hotfixes up to date on your system.
- Never place an unsecured SQL Server on your network.
|
|
|