SQL Server Security

Saturday, July 07, 2007

Security Recommendations for enabling an endpoint in SQL Server and not using IIS on the SQL box

The following recommendations apply when an ISAPI handler is used to interact with the backend SQL Server; the same applies when a native SQL Server endpoint is enabled instead of IIS.

We have to take care of the following:

- Endpoint authentication (use INTEGRATED if the application is internal)
- Input validation
- No dynamic SQL in stored procedures, UDFs, etc.
- Low-privileged account
- Information disclosure: error handling
- If the data transfer is classified as HBI (High Business Impact), encrypt the communication channel (e.g. SSL)

Exposing SQL Server over the Internet is not a good choice (even with tight security). Thus, the native HTTP access model is best suited to intranet-type applications.
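As an added example (not from the original post), here is a T-SQL setup that applies the checklist above to a SQL Server 2005 native SOAP endpoint; the database, login, procedure and path names are placeholders chosen for this example.

```sql
-- Placeholder names (this example's assumptions, not from the post):
-- database OrdersDb, login DOMAIN\svc_orders, procedure dbo.usp_GetOrder.
USE OrdersDb;
GO
-- 1) No dynamic SQL: a parameterised procedure; errors are returned as a
--    generic message so the caller learns nothing about the schema.
CREATE PROCEDURE dbo.usp_GetOrder
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;
    -- Input validation: reject nonsensical values before touching data
    IF @OrderId IS NULL OR @OrderId <= 0
    BEGIN
        RAISERROR('Invalid order id.', 16, 1);
        RETURN;
    END;
    BEGIN TRY
        SELECT OrderId, CustomerId, OrderDate
        FROM dbo.Orders
        WHERE OrderId = @OrderId;   -- bound parameter, never string concatenation
    END TRY
    BEGIN CATCH
        -- Log ERROR_MESSAGE() server side if needed; never send it to the client
        RAISERROR('The request could not be processed.', 16, 1);
    END CATCH
END;
GO
-- 2) Low-privileged Windows login: EXECUTE on this one procedure, nothing more
CREATE LOGIN [DOMAIN\svc_orders] FROM WINDOWS;
CREATE USER svc_orders FOR LOGIN [DOMAIN\svc_orders];
GRANT EXECUTE ON dbo.usp_GetOrder TO svc_orders;
GO
-- 3) Native HTTP endpoint: INTEGRATED (Windows) auth, SSL only, and ad hoc
--    T-SQL batches disabled so only the listed web method can be invoked
CREATE ENDPOINT OrdersEndpoint
    STATE = STARTED
AS HTTP (
    PATH = '/orders',
    AUTHENTICATION = (INTEGRATED),
    PORTS = (SSL)
)
FOR SOAP (
    WEBMETHOD 'GetOrder' (NAME = 'OrdersDb.dbo.usp_GetOrder', SCHEMA = STANDARD),
    BATCHES = DISABLED,
    LOGIN_TYPE = WINDOWS,
    DATABASE = 'OrdersDb'
);
-- Only the service account may reach the endpoint at all
GRANT CONNECT ON ENDPOINT::OrdersEndpoint TO [DOMAIN\svc_orders];
```

Native SOAP endpoints were deprecated in SQL Server 2008 and removed in SQL Server 2012, so this applies to the 2005-era setup the post describes; a certificate must already be bound to the SSL port on the host for PORTS = (SSL) to accept connections.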
