Re: SQL DBA Client

From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 03/06/04


Date: Sat, 6 Mar 2004 14:17:20 -0800

Hello Michael,
Yes, what you're asking for is quite reasonable.

What is required depends on how you expose your SQL... you
can either simply open up the appropriate ports or Server
Publish.

So, here is a short list of what you need to do...
First, consult SQL deployment "best practices" because all
databases are enticing hacking targets. A couple of
measures you should consider are changing the port number
you're using and using a User account with minimal
permissions instead of Local System for your Service
account... but be aware that some changes like changing
the TCP/IP port may affect applications (recommend
implementing alternate non-TCP/IP connectivity if
possible). Remove your Windows Administrators (and other
higher level) account as permitted Users after ensuring
that some account or few accounts have sufficient
privileges to manage your SQL. Ensure all accounts,
particularly any that have administrative functionality
(especially SA) are using strong passwords.

Second, use the Server Utility if necessary to define or
redefine your DSN.

Then, configure ISA according to how you set up your
SQL... either Server Publish your LAN DSN or open up
packet filters to a WAN DSN. Consider whether you wish to
open port 1434 or not, it's not critical for connectivity
and allows a remote client to browse your SQL instances...
but is also a favorite target for DoS attacks. Until MS
creates an application filter for SQL like Checkpoint,
this is an unaddressed issue ISA may have difficulties
guarding against (although some types of attacks will trip
ISA IDS).

From that point on, you then only need to configure your
Enterprise Manager accordingly (configuring the Client
Utility first).

Remember, if your client using Enterprise Manager is
itself behind ISA, you need to create a Protocol Rule
permitting outbound traffic on the SQL port you chose
(1433 default).

Tony Su

>-----Original Message-----
>A -remote- Client. ?
>Never really thought about it. Personally I/we just TS in to the server
>and use the Admin tools from there, but that normally doesn't involve
>creating tables/queries etc, just minor maintenance and emergency repair
>work if/when a user hoses a record.
>
>I suppose it's feasible to create a VPN and run the tools from a remote
>location, but I don't know for sure.
>
>Any real changes to the DB we do offsite with our copy of the Model and
>test data, and script the changes to be applied onsite.
>
>If you do try the VPN path, I'd certainly pick an obscure Port other
>than 1433 and make sure your security was damn tight.
>The very idea bothers me though.
>
>--
>Henry Craven. SBS-MVP
>
>============ Post It Appropriately: =========
>SBS 4/4.5 : microsoft.public.backoffice.smallbiz
>SBS 2000 : microsoft.public.backoffice.smallbiz2000
>SBS 2003 : microsoft.public.windows.server.sbs
>News Server : news.microsoft.com
>=====================================
>"Michaek" <anonymous@discussions.microsoft.com> wrote in message
>news:7d2e01c4032f$29819180$a301280a@phx.gbl...
>>
>> Henry,
>>
>> Can the Client Utilities be used from a remote client to
>> perform Enterprise Manager, Query Analyser tasks? If so
>> does ISA ports needs to be opened to allow this?
>>
>> Cheers
>>
>> Michael
>
>
>.
>
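
The account clean-up steps from the reply above (review privileged logins, check for blank passwords, then remove the Windows Administrators login only once another administrative account exists), as an added example that is not part of the original thread. It assumes the SQL Server 2000-era system procedures and the `syslogins` view; `EXAMPLE\SqlAdmins` is a hypothetical Windows group for the DBAs.

```sql
-- Added example; assumes SQL Server 2000-era system procedures and views.
-- EXAMPLE\SqlAdmins is a hypothetical Windows group, substitute your own.

-- 1. Review who holds the sysadmin fixed server role today.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. SQL logins with a blank password. On SQL Server 2000 the password
--    column of syslogins is NULL when no password is set; later versions
--    do not expose this here. Windows logins are excluded (isntname = 0).
SELECT name
FROM master.dbo.syslogins
WHERE isntname = 0 AND password IS NULL;

-- 3. Give the dedicated DBA group its own login and sysadmin membership
--    before touching BUILTIN\Administrators.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE name = 'EXAMPLE\SqlAdmins')
    EXEC sp_grantlogin 'EXAMPLE\SqlAdmins';
EXEC sp_addsrvrolemember 'EXAMPLE\SqlAdmins', 'sysadmin';

-- 4. Remove BUILTIN\Administrators only if another Windows sysadmin remains.
--    sa is deliberately not counted: it cannot log in when the server runs
--    in Windows-only authentication mode.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE sysadmin = 1 AND isntname = 1
             AND name <> 'BUILTIN\Administrators')
BEGIN
    IF EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE name = 'BUILTIN\Administrators')
        EXEC sp_revokelogin 'BUILTIN\Administrators';
END
ELSE
    RAISERROR('No other Windows sysadmin login exists; BUILTIN\Administrators left in place.', 16, 1);
```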


