IMO if you are so serious about security you should a) put your DB
servers on their own network with a firewall between them and everything
else and b) use Oracle.

Contracting a virus or having your server turned into a porn FTP
server are the least of concerns in the corporate world. Worst case
scenario there is a temporary loss of service until the servers can be
rebuilt.

The primary concern should be in preventing hack attempts where
private information and trade secrets can be stolen. This is where the
result can cost the company money. These vulnerabilities reside in the
applications themselves. Your firewall will do little to prevent this.

Even if someone broke into our datacenter, and managed to log on as
an administrator to our web servers or database server, they could do
nothing more because the applications themselves are secure.

Application security is the cornerstone of information security. Not
firewalls and routers.

-Adam
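The point about application-layer flaws being out of a firewall's reach can be shown in a few lines. The following is an added example, not code from the thread: sqlite3 stands in for the MS SQL box under discussion, the customer table and its rows are constructed sample data, and the two lookup functions are hypothetical names. A web application that concatenates input into SQL hands the database whatever the input becomes, no matter how tightly the database's network is segmented; the parameterized form binds the value so it can only ever be compared, never interpreted as SQL.

```python
"""Added example (not from the thread): why a firewall in front of the
database does not fix an application-layer flaw.  sqlite3 stands in for
the MS SQL Server box the thread discusses; the table and rows are
constructed sample data."""
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    # Constructed sample data: a tiny customer table holding the kind of
    # "private information" the thread says attackers are after.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "alice", "contract-terms-A"), (2, "bob", "contract-terms-B")],
    )
    return conn


def lookup_concatenated(name: str) -> list:
    """Vulnerable form: user input is pasted into the SQL text.
    Whether the DB server is reachable from the outside is irrelevant here,
    because the web application itself sends whatever the input turns into."""
    conn = _fresh_db()
    sql = "SELECT name, secret FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(name: str) -> list:
    """Hardened form: the driver binds the value; input can never change
    the statement's structure, only the value being compared."""
    conn = _fresh_db()
    sql = "SELECT name, secret FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    # A legitimate lookup behaves the same either way.
    print(lookup_concatenated("alice"))
    print(lookup_parameterized("alice"))
    # Input that closes the quoted literal: the concatenated form returns
    # every row, the parameterized form matches no customer at all.
    crafted = "x' OR '1'='1"
    print(lookup_concatenated(crafted))
    print(lookup_parameterized(crafted))
```

The detection angle is the same as the fix: if the statement text varies with user input, the query is built the wrong way; a parameterized query sends one fixed statement shape regardless of what the user typed.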


On Tue, 1 Mar 2005 16:52:40 -0500, John Paul Ashenfelter
<[EMAIL PROTECTED]> wrote:
> On Tue, 1 Mar 2005 20:53:13 -0000, Robertson-Ravo, Neil (RX)
> <[EMAIL PROTECTED]> wrote:
> >  I would say NONE - all of the SQL boxes we have (and we have thousands) are
> > a) protected with hardware and software security.  They are all patched to
> > the highest degree (where needs be, as not all servers require all patches
> > for loopholes and indeed some cannot have them).
> 
> Great! So by hardware and software security I'll take a stab at
> translating that as at least a firewall. So far we're in agreement.
> Remember, this started b/c I said anyone who left port 1433 open was
> an idiot -- now we're into discussing how to assess the risk from a
> specific vulnerability (choosing which patches to apply) and which
> service pack which *are* (potentially) past the normal desktop user's
> area of responsibility.
> 
> > Let me ask you, what version of SQL are you running? 8.00.818?
> 
> Actually, yes I am on my production servers. My clients are a mix of
> .818 (post-SP3 hotfix) and .760 (SP3). And to be completely fair, my
> laptop actually runs 8.00.760 (with Named Pipes disabled).
> 
> > Note you do not have to patch all risks if the risk is low  - for example
> > there may be an issue where a malicious user could access your server but
> > it's only a problem/issue if the malicious user can gain access to it...
> 
> Agreed -- whether it's MS-SQL or Windows (or Linux or CF or whatever)
> you don't have to immediately apply patches if you're not vulnerable
> to the issue. As I've said, I run my laptop in *horrors* SP3 instead
> of the post-SP3 hotfix -- upgrading wasn't worth the risk (though when
> I build a new box, it goes to .818 by default)
> 
> 
> --
> John Paul Ashenfelter
> CTO/Transitionpoint
> (blog) http://www.ashenfelter.com
> (email) [EMAIL PROTECTED]
> 
> 
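The build numbers traded above (8.00.760 for SP3, 8.00.818 for the post-SP3 hotfix) are what an administrator reads back from `SELECT @@VERSION` when checking where an instance stands. The script below is an added example, not something from the thread or from Microsoft: it pulls the build out of a version string and classifies it against the two builds the thread names. The sample version strings are constructed to follow the SQL Server 2000 `@@VERSION` shape, and `parse_build` and `assess` are hypothetical helper names.

```python
"""Added example (not from the thread): read the build number out of a
SQL Server 2000 @@VERSION string and compare it with the builds the thread
mentions.  8.00.760 is SP3 and 8.00.818 the post-SP3 hotfix; the sample
strings below are constructed."""
import re
from typing import Optional, Tuple

# Builds named in the thread.  Anything below SP3 is flagged as pre-SP3.
SP3_BUILD = (8, 0, 760)
POST_SP3_HOTFIX_BUILD = (8, 0, 818)

# Matches the dotted "major.minor.build" token in the @@VERSION text.
_BUILD_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_build(version_string: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from a @@VERSION string, or None."""
    m = _BUILD_RE.search(version_string)
    if not m:
        return None
    major, minor, build = (int(g) for g in m.groups())
    return (major, minor, build)


def assess(version_string: str) -> str:
    """Classify a SQL Server 2000 instance relative to the builds discussed.

    Returns one of: "unknown", "not-sql2000", "pre-sp3", "sp3",
    "post-sp3-hotfix".  Tuple comparison does the ordering, so 8.00.818
    sorts above 8.00.760 as intended."""
    build = parse_build(version_string)
    if build is None:
        return "unknown"
    if build[:2] != (8, 0):
        return "not-sql2000"
    if build >= POST_SP3_HOTFIX_BUILD:
        return "post-sp3-hotfix"
    if build >= SP3_BUILD:
        return "sp3"
    return "pre-sp3"


if __name__ == "__main__":
    # Constructed sample @@VERSION output, shaped like SQL Server 2000's.
    samples = [
        "Microsoft SQL Server  2000 - 8.00.760 (Intel X86) ...",
        "Microsoft SQL Server  2000 - 8.00.818 (Intel X86) ...",
        "Microsoft SQL Server  2000 - 8.00.194 (Intel X86) ...",
    ]
    for s in samples:
        print(parse_build(s), assess(s))
```

Run against the real `@@VERSION` output of each instance in an inventory, the classification gives a quick list of which boxes are still at SP3 and which have taken the hotfix, which is the kind of per-server risk decision John Paul describes.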


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:197029
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4