2

I run a little 1&1 web server with quite a few sites, all powered by SQL Express DBs, and have never allowed connections to SQL Express from an external resource (anything not on the server), as I am paranoid about the databases getting hacked if I allow external access.

What is the most secure way for me to allow a local program on my computer here to connect to my SQL Server on my 1&1 server? A step by step guide would be excellent :|

YodasMyDad

3 Answers

2

You can use SSL to encrypt the SQL connection. If possible (depending on your hosting environment), you could set up a VPN tunnel between your local network and your server.

phoebus
  • What's a VPN tunnel? – YodasMyDad Oct 22 '10 at 13:35
  • A VPN tunnel is an encrypted connection between you and your server, which allows for transparent network access, as though both sides were on the same LAN. Site-to-site VPNs go from firewall to firewall, while a client-based VPN would involve you using a piece of software on your workstation to connect to the remote VPN on the server side. – phoebus Oct 22 '10 at 14:14
1
  • Don't use 1433, change the listening port to something else
  • Don't run the browser service
  • Use a named instance rather than the default instance, with a non-obvious instance name
  • Audit failed login attempts
  • Use complex passwords with minimum rights required, change passwords often

All of the above is just security through obscurity; a VPN would be best.

SqlACID
0

If you have an external IP, I suggest that you have the hosting company open port 1433, allowed only from your home IP address. If you are worried about further encrypting it past that, then phoebus' post is a good one to follow.

I would, however, be very hesitant to open up SQL server access to "the world" and not just to a subset of IP addresses if I were you.

Dave Holland
  • There is no hosting company; we control the server and the firewall (well, we only have access to a UI for a Cisco firewall), so I am unable to ask them to do this. How would I go about making sure only my IP address could access port 1433 on my server? Using the firewall? Or is there another way? – YodasMyDad Oct 22 '10 at 13:35
  • Yes, if you have a static IP at your home you would do this at the firewall level. I assume you have external IP addresses to use where you host your servers? You would first create a mapping between an external IP and the internal IP of your SQL server - or alternatively - a mapping from an external IP/port 1433 to the internal IP of your SQL server/port 1433. Up to you which one you choose - either a full 1-to-1 mapping or just a port forward. Secondly, you'd want to make sure you have a rule to deny all traffic in. Thirdly, you'd create a rule to allow your IP. All of this is firewall. – Dave Holland Oct 22 '10 at 14:32
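
Added example, not part of the original answers or comments: a host-level complement to the perimeter rule described in the last answer, using Windows Firewall on the SQL server itself so that the SQL port is accepted from one source address only. It assumes Windows Server 2012 or later (NetSecurity cmdlets) and SQL Express listening on TCP 1433; the address 203.0.113.10 is a placeholder for the static home IP and the rule name is made up.

```powershell
# Added example. Assumptions (not from the thread): Windows Server 2012 or later,
# SQL Express on TCP 1433, and 203.0.113.10 standing in for the static home IP.
$SqlPort  = 1433
$HomeIp   = '203.0.113.10'                    # placeholder (documentation range)
$RuleName = 'SQL Express from home IP only'   # hypothetical rule name

# 1. A scoped allow rule only helps if unmatched inbound traffic is blocked.
#    Warn about any profile that is switched off or allows inbound by default.
Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
} | ForEach-Object {
    Write-Warning "Profile '$($_.Name)' is disabled or allows inbound traffic by default."
}

# 2. List enabled inbound allow rules that already open the port to any source.
#    One of these would let every address in, regardless of the rule added below.
#    (Rules defined by port range or by program need a manual review; this
#    check only matches rules that name the port exactly.)
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -in 'TCP', 'Any' -and
        $port.LocalPort -contains "$SqlPort" -and
        $addr.RemoteAddress -contains 'Any'
    }
$broad | Format-Table DisplayName, Name -AutoSize   # review, then disable or scope these

# 3. Allow the SQL port from the home address only.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $SqlPort -RemoteAddress $HomeIp -Action Allow -Profile Any

# 4. From the home workstation (not on the server), confirm the port answers:
#    Test-NetConnection <server-address> -Port 1433
#    Repeating the test from any other network should fail.
```

Source-address filtering does not encrypt the session, so the SSL or VPN advice in the first answer still applies on top of it.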