Obscurity is not Security

Published On: 2016-10-19By:

AndyWe’ve all heard the argument that using a different TCP port number for SQL, other than 1433, is more secure.  Here’s the truth, it isn’t.  Andy said it best here in a conversation on Twitter that happened in the #sqlhelp hash tag.  If you think that hiding your SQL Servers on a different TCP port number is going to make them harder to break into you are sadly mistaken.

The two most common ways of a data breach are employees and SQL Injection.  Employees already know what port the SQL Server is listening on, as they know how to connect to it already.  If not, they can easily download a port scanner and scan the SQL Server for open ports.  The ones that are open they’ll connect to.  If it’s a decent port scanner it’ll tell them which port is SQL and what all the other open ports are so they’ll know which one to connect to. You’ve slowed the attacker down by about 5-10 seconds, maybe.

If the attacker is using SQL injection then they don’t care what port the SQL Server is running on. They are connecting to the web/app tier and just using whatever SQL Server connection information that the application has to get access to your database.  By changing the TCP port number you haven’t slowed them down at all.

Proper security requires understand user/business requirements and building a solution which will meet those requirements while building proper secure protections into the system so that if something does go wrong the exposure is limited.

Pretending that hiding the servers and making them harder to find is making them more secure isn’t.  Spend time doing things which will make the environment actually secure so that when the system is breached the data isn’t all lost.  And if possible do this without making the environment harder to manage, which is all that you are doing by changing the TCP port numbers.

Denny

The post Obscurity is not Security appeared first on SQL Server with Mr. Denny.


Contact the Author | Contact DCAC

Obscurity is not Security

Published On: By:

AndyWe’ve all heard the argument that using a different TCP port number for SQL, other than 1433, is more secure.  Here’s the truth, it isn’t.  Andy said it best here in a conversation on Twitter that happened in the #sqlhelp hash tag.  If you think that hiding your SQL Servers on a different TCP port number is going to make them harder to break into you are sadly mistaken.

The two most common ways of a data breach are employees and SQL Injection.  Employees already know what port the SQL Server is listening on, as they know how to connect to it already.  If not, they can easily download a port scanner and scan the SQL Server for open ports.  The ones that are open they’ll connect to.  If it’s a decent port scanner it’ll tell them which port is SQL and what all the other open ports are so they’ll know which one to connect to. You’ve slowed the attacker down by about 5-10 seconds, maybe.

If the attacker is using SQL injection then they don’t care what port the SQL Server is running on. They are connecting to the web/app tier and just using whatever SQL Server connection information that the application has to get access to your database.  By changing the TCP port number you haven’t slowed them down at all.

Proper security requires understand user/business requirements and building a solution which will meet those requirements while building proper secure protections into the system so that if something does go wrong the exposure is limited.

Pretending that hiding the servers and making them harder to find is making them more secure isn’t.  Spend time doing things which will make the environment actually secure so that when the system is breached the data isn’t all lost.  And if possible do this without making the environment harder to manage, which is all that you are doing by changing the TCP port numbers.

Denny

The post Obscurity is not Security appeared first on SQL Server with Mr. Denny.


Contact the Author | Contact DCAC

Video

Globally Recognized Expertise

As Microsoft MVP’s and Partners as well as VMware experts, we are summoned by companies all over the world to fine-tune and problem-solve the most difficult architecture, infrastructure and network challenges.

And sometimes we’re asked to share what we did, at events like Microsoft’s PASS Summit 2015.

Awards & Certifications

Microsoft Partner    Microsoft MVP    Microsoft Certified Master    VMWare Partner    VMWare vExpert
   Best Full-Service Cloud Technology Consulting Company    Insights Sccess Award    Technology Headlines Award    Golden Bridge Gold Award    CIO Review Top 20 Azure Solutions Providers
Share via
Copy link